Hi all,
I've set up a simple FreeBSD router for my network, and I'm seeing something rather confusing happen with pf(4). My network is essentially
Code:
{internet}--{FreeBSD igb0}-{FreeBSD igb1}--{switch}--{WiFi AP}
I have a pf.conf file that is very basic; the intent is to allow everything "out" and drop everything "in" unless it is from igb1. However, if I switch the ordering of my 'block in' and 'antispoof' lines, anything on my internal igb1 network will lose internet access (and in fact can't even talk to the igb1 interface of the router).
Working pf.conf:
Code:
ext_if="igb0"
int_if="igb1"
set block-policy drop
set loginterface egress
set skip on lo
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
antispoof quick for $int_if
block in
pass out quick
pass in on $int_if
Working ruleset from pf.conf:
Code:
block drop in quick on ! igb1 inet from 10.6.66.0/24 to any
block drop in quick inet from 10.6.66.1 to any
block drop in all
pass out quick all flags S/SA keep state
pass in on igb1 all flags S/SA keep state
As you can see, the antispoof line comes before the 'block in' line. Now onto my broken pf.conf:
Code:
ext_if="igb0"
int_if="igb1"
set block-policy drop
set loginterface egress
set skip on lo
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
block in
antispoof quick for $int_if
pass out quick
pass in on $int_if
and the ruleset generated:
Code:
block drop in all
block drop in quick on ! igb1 inet from 10.6.66.0/24 to any
block drop in quick inet from 10.6.66.1 to any
pass out quick all flags S/SA keep state
pass in on igb1 all flags S/SA keep state
Using the second pf.conf with the 'block in' line first, I can't even ping igb1 on this machine, let alone the internet. And sure enough, if I just turn off pf(4), I can immediately ping the interface. Is there some intrinsic PF-ism here that I'm missing? What's the difference between the two?
Oh, and uname output:
Code:
root@rtest:~ # uname -a
FreeBSD rtest.home.lan 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r290229: Sat Dec 5 17:57:31 PST 2015 root@rtest.home.lan:/usr/obj/usr/src/sys/IMP amd64
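As an added example (not part of the original post, and not pf's own code), the following Python script models the rule-evaluation order that pf(4) documents: rules are walked top to bottom, the last matching rule decides, and a matching rule marked `quick` ends the walk immediately. It parses the two `pfctl -sr` rulesets quoted above (only the small rule grammar they use) and runs constructed packets through them: a LAN host on igb1, a spoofed LAN source arriving on igb0, and the router's own igb1 address arriving on igb0. The packet addresses are made up for the example. Under these documented semantics the LAN packet is passed by both orderings, because the non-`quick` `block drop in all` is overridden by the later `pass in on igb1` either way; the model therefore does not explain the difference the post observed, it only shows which packets the antispoof rules are meant to stop and what moving `block in` should and should not change.

```python
"""Teaching model of pf(4) rule evaluation (not pf itself): rules are walked
top to bottom, the LAST matching rule decides, except that a matching rule
marked 'quick' ends the walk at once. Only the rule grammar used by the two
rulesets in the post is parsed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two 'pfctl -sr' rulesets from the post, copied verbatim.
WORKING_RULESET = """\
block drop in quick on ! igb1 inet from 10.6.66.0/24 to any
block drop in quick inet from 10.6.66.1 to any
block drop in all
pass out quick all flags S/SA keep state
pass in on igb1 all flags S/SA keep state
"""

BROKEN_RULESET = """\
block drop in all
block drop in quick on ! igb1 inet from 10.6.66.0/24 to any
block drop in quick inet from 10.6.66.1 to any
pass out quick all flags S/SA keep state
pass in on igb1 all flags S/SA keep state
"""


@dataclass(frozen=True)
class Rule:
    action: str                            # "block" or "pass"
    direction: str                         # "in" or "out"
    quick: bool                            # stop evaluating on match
    iface: Optional[str]                   # None = any interface
    iface_negated: bool                    # "on ! igb1" = every interface except igb1
    src: Optional[ipaddress.IPv4Network]   # None = any source


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" or "out"
    iface: str                   # interface the packet is seen on
    src: ipaddress.IPv4Address


def parse_rule(line: str) -> Rule:
    """Parse one 'pfctl -sr' line in the subset used by the rulesets above."""
    tok = line.split()
    i = 0
    action = tok[i]; i += 1
    if tok[i] == "drop":                  # 'set block-policy drop' annotation
        i += 1
    direction = tok[i]; i += 1
    quick = False
    if i < len(tok) and tok[i] == "quick":
        quick = True; i += 1
    iface, negated = None, False
    if i < len(tok) and tok[i] == "on":
        i += 1
        if tok[i] == "!":
            negated = True; i += 1
        iface = tok[i]; i += 1
    if i < len(tok) and tok[i] == "inet":
        i += 1
    src = None
    if i < len(tok) and tok[i] == "from":
        src = ipaddress.ip_network(tok[i + 1], strict=False)
        i += 2
    # "to any", "all" and "flags S/SA keep state" do not affect matching here.
    return Rule(action, direction, quick, iface, negated, src)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None:
        on_iface = pkt.iface == rule.iface
        if on_iface == rule.iface_negated:    # negation flips the interface test
            return False
    if rule.src is not None and pkt.src not in rule.src:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); pf's default is pass."""
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule.action, idx)
            if rule.quick:                    # quick: first match wins
                break
    return decision                           # otherwise: last match wins


def decide(ruleset_text: str, direction: str, iface: str, src: str) -> str:
    rules = [parse_rule(l) for l in ruleset_text.splitlines() if l.strip()]
    return evaluate(rules, Packet(direction, iface, ipaddress.ip_address(src)))[0]


if __name__ == "__main__":
    # Constructed packets: a LAN host, a spoofed LAN source on the WAN side,
    # and the router's own igb1 address arriving on the WAN side.
    for name, rs in (("working", WORKING_RULESET), ("broken", BROKEN_RULESET)):
        print(name, "LAN host in on igb1:      ", decide(rs, "in", "igb1", "10.6.66.10"))
        print(name, "spoofed LAN src on igb0:  ", decide(rs, "in", "igb0", "10.6.66.5"))
        print(name, "router's igb1 addr on igb0:", decide(rs, "in", "igb0", "10.6.66.1"))
        print(name, "LAN host out on igb0:     ", decide(rs, "out", "igb0", "10.6.66.10"))
```

Run it directly to print the decisions for each packet under both orderings. Because only the antispoof rules are `quick`, their position relative to a non-`quick` `block in` does not change the outcome in this model; a difference seen on a live system therefore has to come from something the textual rule order alone does not capture, which is exactly what is worth checking with `pfctl -vvsr` (the verbose listing shows per-rule evaluation and match counters) while reproducing the failing ping.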