From: Erik Norgaard
Date: Thu, 13 Dec 2007 21:17:09 +0100
To: Ghirai
Cc: freebsd-questions@freebsd.org, Alaor Barroso de Carvalho Neto
Subject: Re: PF blocking even if set to pass all
Message-ID: <47619345.8000400@locolomo.org>
In-Reply-To: <20071213132535.194adf58.ghirai@ghirai.com>

Ghirai wrote:
> On Thu, 13 Dec 2007 09:19:03 -0200
> "Alaor Barroso de Carvalho Neto" wrote:
>
>> Hi guyz, like I've said in another topic, I'm building a BSD box that'll act
>> as a gateway between three private networks and the internet. I want each
>> private network to be able to ping the others, and I can do that until I
>> activate my pf firewall. When I do pfctl -e it stops working.
>>
>> The output of pfctl -sr is:
>> pass in all
>> pass out all
>>
>> So I guess it would pass anything, why isn't it happening?
>>
>> Hugs,
>> Alaor
>
> You need to specify from/to what interface it should pass (if you have more
> than one NIC, which I assume you do, since the box is acting as a router).

You do not need to specify an interface; if no interface is specified the rule is applied to all interfaces. In fact you could have just

  pass all

but you may prefer

  pass quick all keep state

I think it is possible to set a default rule, which for security should be block, which means that any packet that falls through your rule set will be blocked. Therefore, you should have "pass quick".

The official guide is really good: http://www.openbsd.org/faq/pf/index.html

Try using snort or tcpdump on each interface to see where the packet goes missing. Say you ping from a host on the network attached to em0 to a host on the network attached to em1, sniff on each interface and see if the packet comes through.

Cheers, Erik

-- 
Erik Nørgaard
Ph: +34.666334818
http://www.locolomo.org
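The ruleset layout Erik describes (a default block, followed by "pass quick ... keep state" rules that stop evaluation before the block can catch the packet) and his tcpdump-per-interface diagnostic, as an added example that is not code from this thread or from the FreeBSD/OpenBSD projects. em0 and em1 are the interface names used in the thread; the ICMP-only rules, the helper function names and the script layout are my own constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD/OpenBSD: a small
# pf ruleset written the way the reply suggests (a default block, then
# "pass quick ... keep state" rules that short-circuit it) and the tcpdump
# step for tracing where a ping disappears. em0 and em1 are the interface
# names used in the thread; everything else here is a constructed sample.

# Print the ruleset. In pf the last matching rule wins unless a rule says
# "quick", which ends evaluation at that rule. So "block all" goes first and
# every later "pass quick" rule overrides it only for the traffic it names.
pf_ruleset() {
    cat <<'EOF'
# default policy: whatever no later rule matches is dropped
block all
# "quick" stops at this rule, so matched traffic never falls through to the
# block above; "keep state" lets the echo replies back without their own rule
pass quick on em0 inet proto icmp keep state
pass quick on em1 inet proto icmp keep state
EOF
}

# The first real rule of the set (comments and blank lines skipped); with a
# default-deny layout this must be the block rule.
first_rule() {
    pf_ruleset | awk '!/^#/ && NF { print; exit }'
}

# Number of rules that pass traffic; each one carries "quick" so it does not
# lose to a later rule.
pass_rule_count() {
    pf_ruleset | grep -c '^pass quick'
}

# Parse-only check of the ruleset with pfctl(8): -n parses without loading,
# -f - reads the rules from stdin. Skipped when pfctl is not installed,
# e.g. when this script is run somewhere other than the gateway.
pf_check() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found, skipping syntax check"; return 0; }
    pf_ruleset | pfctl -nf -
}

# Watch ICMP on one interface, as the reply recommends: run this on em0 and
# again on em1 while pinging across the box. The hop where the echo request
# (or its reply) stops appearing is where pf drops it. Needs root.
sniff_icmp() {
    tcpdump -n -i "$1" icmp
}

case "${1:-}" in
    check) pf_check ;;
    sniff) sniff_icmp "${2:-em0}" ;;
    *)     pf_ruleset ;;
esac
```

Run it with no argument to see the ruleset, with `check` on the gateway to have pfctl parse it, and with `sniff em0` in one terminal and `sniff em1` in another while a host behind em0 pings a host behind em1. Erik's more permissive `pass quick all keep state` would take the place of the two interface rules; with the `block all` in front of it, anything you later remove from the pass rules is dropped rather than silently allowed.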