
Re: VPN client cannot connect through OpenBSD router/firewall

On Mon, Jan 17, 2005 at 02:48:07PM -0600, Rick Barter wrote:
> Michael Erdely wrote:
> >You're doing a "block all" and then aren't allowing esp traffic out.
> >Try adding the following with your tcp, udp and icmp pass out rules:
> >pass out $log_flg on $ext_if proto esp all keep state
> >
> >When troubleshooting something like this, it may be useful to add
> >"log" to your default block rule so you'll at least see what's being
> >dropped.
> Thank you very much for the advice.  This worked like a charm.  How 
> did you know, or better yet, how could I have known that I needed to 
> pass out the esp protocol?  By seeing what was dropped?
  Yup, by seeing what was dropped.

  I _always always always_ keep "block return log all" as the first real
  rule in my pf.conf. Whether you want to return or drop is of course a
  matter of taste (I do drop some things later in a more specific rule),
  and whether you want to block all ifaces or not is a matter of taste
  too...

  For annoying things like crackwhores trying to hit my TCP:135 pipe and
  the like, I create specific non-log block rules for them so my pflog0
  and /var/log/pflog actually contain useful data when I look at them.

  Just as long as you avoid the bitch-out temptation of setting some
  'pass quick all' rule right after that, you'll be on the quick way to
  solving things for yourself.

  As a sidebar, I succumbed to that very same bitch-out temptation just
  a bit ago and was completely confused why my pf was NOT blocking
  incoming UDP:500 from a friend of mine after he changed ISPs and thus
  had an IP which was not in my pf table of allowed VPN gateways. My
  "pass quick all log" was shooting my entire rule logic in the face.

  I won't claim to be captain pants of setting up pf in all cases;
  however, I have no difficulty recalling many instances over the years
  of someone asking a question on [email protected] which they would *not*
  have had to ask had they been logging their blocks (e.g. they come
  back 2w later and say "oh, I'm a dumbass, I was blocking that but
  didn't know"). Log your blocks, for chrissake, all the time :P
[ openbsd 3.6 GENERIC ( dec 11 ) // i386 ]
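The ruleset shape the two replies above describe, written out as one pf.conf fragment. This is an added example, not the ruleset of anyone in the thread; it uses the OpenBSD 3.6-era syntax of the thread (explicit "keep state"; later pf releases make state the default), and the interface names, the $log_flg macro value and the gateway address in the table are assumptions chosen for illustration.

```pf
# pf.conf fragment (added example, not the poster's ruleset).
# Interface names and the address in <vpn_gw> are assumptions.
ext_if  = "fxp0"
int_if  = "fxp1"
log_flg = "log"

# Peers whose IKE/ESP we accept inbound. A peer that changes ISP is no
# longer in here, and because the default block logs, its UDP:500
# attempts show up on pflog0 instead of being silently eaten.
table <vpn_gw> persist { 203.0.113.10 }

# 1. Default deny, LOGGED, as the first real rule. pf uses last-match
#    semantics, so anything no later rule passes falls back to this one
#    and is written to pflog0 / /var/log/pflog.
block return log all

# 2. Noise you already understand gets a specific, non-logging block so
#    the pflog stays readable. Without "quick", a later pass could still
#    override it, but nothing below passes this port anyway.
block in on $ext_if proto tcp from any to any port 135

# 3. Inside interface: trusted.
pass in  on $int_if all keep state
pass out on $int_if all keep state

# 4. Outbound on the external interface. ESP is its own IP protocol
#    (50), not a TCP/UDP port: without the "proto esp" rule the IKE
#    exchange on UDP 500 completes and the tunnel then dies at rule 1,
#    which is exactly what the logged block reveals.
pass out $log_flg on $ext_if proto { tcp, udp } all keep state
pass out $log_flg on $ext_if proto icmp all keep state
pass out $log_flg on $ext_if proto esp all keep state

# 5. Inbound VPN only from known gateways.
pass in on $ext_if proto udp from <vpn_gw> to $ext_if port 500 keep state
pass in on $ext_if proto esp from <vpn_gw> to $ext_if keep state

# Do NOT append "pass quick all" (or "pass quick log all") as a
# shortcut: "quick" ends evaluation at that rule, so rule 1 never
# matches, nothing is ever blocked, and the log shows passes instead of
# the drops you were trying to find.
```

Load it with `pfctl -f /etc/pf.conf` and then watch what the default rule catches with `tcpdump -n -e -ttt -i pflog0` (or `tcpdump -n -e -ttt -r /var/log/pflog` for the stored log); the "rule N/0(match): block out on fxp0" prefix on each line tells you which rule dropped the packet, and a blocked "ESP(spi=...)" line is the symptom the original poster was seeing. One practical caveat not in the thread: a client behind NAT will usually negotiate NAT-Traversal and carry the tunnel in UDP 4500 instead of raw ESP, which the "proto { tcp, udp }" pass-out rule above already covers, so keep both rules if you have clients on either side of a NAT.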