Tuesday, April 09, 2024

Re: Ping blocked by firewall

On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> Hi all,
>
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4, and will upgrade once the firewall is up and running so I can test the
> upgrade process.
>
> /etc/pf.conf:
> ext_if = igc0                      # External interface
> int_if = "{ igc1, igc2 }"          # Internal interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                 446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>               10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
>               0.0.0.0/8, 240.0.0.0/4 }"
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
> block log all                      # block stateless traffic
> # Letting ping through:
> pass log inet proto icmp icmp-type $icmp_types
> pass log inet6 proto icmp6 icmp6-type $icmp6_types
> # Allow out the default range for traceroute(*):
> # "base+nhops*nqueries-1" (3434+64*3-1)
> pass log out on $ext_if inet proto udp to port 33433:33626 # for IPv4
> pass log out on $ext_if inet6 proto udp to port 33433:33626 # for IPv6
> pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
>      to port $udp_services
> pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> pass log on $ext_if inet proto tcp from $localnet to port $client_out
> block log in quick on $ext_if from $martians to any
> block log out quick on $ext_if from any to $martians
> pass log out proto tcp to port $tcp_services    # establish keep-state
> pass log out proto udp to port $udp_services    # establish keep-state
>
> /var/log/pflog:
> tcpdump: WARNING: snaplen raised from 116 to 160
> Apr 09 08:16:45.009497 :: > ff02::16: HBH multicast listener report v2, 2
> group record(S) [hlim 1]
> apr 09 08:16:45.009500 :: > ff02::16: HBH multicast listener report v2, 2
> group record(S) [hlim 1]

Hi Karel,

Hope you're well! Here is what you should add to your IPv6 icmp_types:

pass log on $ext_if inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass log on $ext_if inet6 proto ipv6-icmp all icmp6-type neighbradv

This allows the NDP protocol to converse (it's similar to the IPv4 ARP).

I didn't see you had the problem with only IPv6, but the way I tested it, the
IPv4 worked fine. It was IPv6 that had the missing neighbour solicitation
and advertising.

Best Regards,
-pjp

--
my associated domains: callpeter.tel|centroid.eu|dtschland.eu|mainrechner.de
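As an added example (not from either post), here is a pf.conf fragment that puts the reply's two NDP rules in context. It assumes the same ext_if and int_if macros as the quoted configuration, and it goes beyond the reply by also passing router discovery, the ICMPv6 error types IPv6 hosts depend on, and the MLD listener reports that the quoted pflog shows being dropped.

```pf
# Added example, not the poster's or the reply's own configuration.
ext_if = igc0
int_if = "{ igc1, igc2 }"

block log all

# Original setting: only ping and unreachables. Everything else ICMPv6,
# including neighbour discovery, falls through to "block log all", so
# IPv6 hosts never learn each other's link-layer addresses.
icmp6_types_weak = "{ echoreq, unreach }"
pass log on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_types_weak

# Corrected setting, split into groups so each rule explains itself.
# Error messages IPv6 hosts must receive; toobig drives Path MTU discovery.
icmp6_errors = "{ unreach, toobig, timex, paramprob }"
# Neighbour Discovery: the neighbrsol/neighbradv pair from the reply plus
# router solicitation/advertisement for address autoconfiguration.
icmp6_ndp = "{ neighbrsol, neighbradv, routersol, routeradv }"
# Multicast Listener Discovery: the "multicast listener report" packets
# to ff02::16 that appear in the quoted pflog.
icmp6_mld = "{ listqry, listenmbr, listendone }"
icmp6_ping = "{ echoreq, echorep }"

pass log on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_ping
pass log on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_errors
pass log on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_ndp
pass log on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_mld

# NDP and MLD are link-local and are exchanged on every link, so the
# internal interfaces need the same rules, not only $ext_if.
pass log on $int_if inet6 proto icmp6 all icmp6-type $icmp6_ndp
pass log on $int_if inet6 proto icmp6 all icmp6-type $icmp6_mld
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `tcpdump -n -e -ttt -i pflog0` that the ff02::16 listener reports are now logged as passed rather than blocked.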
