Monday, April 08, 2024

Ping blocked by firewall

Hi all,

For the first time I tested my new firewall with ping, and it is
blocked. I don't know what the reason is, you can find the information
below. I have a network with only regular clients, so no servers. I'm
still using OpenBSD V7.4, and will upgrade once the firewall is up and
running so I can test the upgrade process.

/etc/pf.conf:
ext_if = igc0                 # Extern interface
int_if = "{ igc1, igc2 }"     # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
            10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
            0.0.0.0/8, 240.0.0.0/4 }"
set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
block log all                # block stateless traffic
# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types
# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass log out on ext_if inet proto udp to port 33433:33626 # for IPv4
pass log out on ext_if inet6 proto udp to port 33433:33626 # for IPv6
pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
        to port $udp_services
pass log on $ext_if inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from $localnet to port $client_out
block log in quick on $ext_if from $martians to any
block log out quick on $ext_if from any to $martians
pass log out proto tcp to port $tcp_services   # establish keep-stat
pass log log proto udp to port $udp_services   # Establish keep-state

/var/log/pflog:
tcpdump: WARNING: snaplen raised from 116 to 160
Apr 09 08:16:45.009497 :: > ff02::16: HBH multicast listener report v2,
2 group record(S) [hlim 1]
apr 09 08:16:45.009500 :: > ff02::16: HBH multicast listener report v2,
2 group record(S) [hlim 1]

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)