Rich Kulawiec on 13 Feb 2017 19:09:12 -0800



Re: [PLUG] Can't access to Webserver Packet Filter OpenBSD. Need help please!


On Mon, Feb 13, 2017 at 08:31:26PM -0500, PaulNM wrote:
> I'm not familiar with PF at all, so it's possible I'm misunderstanding how
> the rules work. In particular "pass in on egress" implies outgoing packets
> to me, but I could be wrong.

The "egress" keyword in pf maps to whichever interface is used by the
default route.   In a setup like this, it's probably going to be the
outward-facing interface on the firewall.  I tend not to use it -- I prefer
to specify interfaces specifically by name.  But this means that a
fragment like this one (found in his pf.conf):

	pass in on egress proto tcp from any to any port 80 [blah blah blah]

translates to "if the packet is inbound on the interface that is used
for the default route, and it has a destination port of 80, then let
it through".  (Side note: the "to any" should be tightened up to
only allow packets explicitly addressed to the publicly-visible address
of the web server.)

---rsk
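For readers who want to see the tightened form rsk recommends, here is a small pf.conf fragment added to this archive page (it is an illustration, not taken from the original poster's configuration). The interface name em0 and the address 192.0.2.10 are placeholders; substitute the firewall's real external interface and the web server's publicly visible address.

```pf
# Constructed example: name the external interface explicitly instead of
# relying on the "egress" interface group (whichever interface carries
# the default route).
ext_if = "em0"                 # placeholder: your outward-facing interface
web_srv = "192.0.2.10"         # placeholder: public address of the web server

# Default-deny inbound on the external interface. pf uses last-match
# semantics, so the more specific pass rule below overrides this block.
block return in on $ext_if

# Original (loose) form from the thread: any destination address on port 80
#   pass in on egress proto tcp from any to any port 80

# Tightened form: only packets explicitly addressed to the web server's
# public address on port 80 are allowed in; everything else stays blocked.
pass in on $ext_if proto tcp from any to $web_srv port 80
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without applying, then `pfctl -f /etc/pf.conf` to activate.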
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug