> On 10 Jul 2021, at 05:11, Allan Streib <[email protected]> wrote:
>
> Hi,
>
> I have a KVM host running OpenBSD 6.9 for a few days. It crashed today for
> some reason, and when I logged in and realized the uptime had changed, I
> checked the pf rules out of curiosity since I have been experimenting with
> pf. These rules are very different from what is in /etc/pf.conf.
>
> # pfctl -s rules
> block drop all
> pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
> pass out inet6 proto ipv6-icmp all icmp6-type routersol
> pass out inet6 proto udp from any port = 546 to any port = 547
> pass out inet proto icmp all icmp-type echoreq
> pass out inet proto udp from any port = 68 to any port = 67
> pass out proto tcp from any to any port = 53 flags S/SA
> pass out proto udp from any to any port = 53
> pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
> pass in inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in inet6 proto udp from any port = 547 to any port = 546
> pass in proto tcp from any to any port = 22 flags S/SA
> pass in inet proto udp from any port = 67 to any port = 68
> pass on lo0 all flags S/SA
> pass in proto carp all keep state (no-sync)
> pass out proto carp all !received-on any keep state (no-sync)
>
This matches the default rule set in /etc/rc.
For whatever reason your pf.conf did not parse to a valid config, so rc’s own
default rules were kept in place.
> # cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
> table <abusers> persist
> set skip on lo
> block in quick from <abusers>
> block return # block stateless traffic
> pass out quick inet
> pass in quick on egress proto tcp from any to any port { www, https }
> pass in on egress proto tcp to vio0 port ssh keep state \
> (max-src-conn-rate 3/10, overload <abusers> flush)
>
> I reloaded my rules (pfctl -f /etc/pf.conf) which worked, and then rebooted
> and checked (pfctl -s rules) which now matched the rules in /etc/pf.conf.
>
> What could explain this?
With a config that simple it is hard to say what could possibly go wrong.
I’d investigate /var/log/messages for anything unusual around the time of the
event.
—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


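The failure mode Peter describes, a /etc/pf.conf that does not parse at boot so that rc(8)'s fallback ruleset stays loaded, can be caught before the next reboot rather than discovered after a crash. The script below is an added example, not code from the thread or from OpenBSD; it assumes OpenBSD's pfctl(8) is available, uses the fallback ruleset exactly as printed by `pfctl -s rules` in the post (OpenBSD 6.9) as its fingerprint, and the names pf_audit, pf_reload, rules_are_rc_default, normalize_rules and the PF_CONF variable are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): detect a host whose loaded pf rules are
# rc(8)'s fallback set, and preflight a pf.conf before loading it.
set -eu

# rc(8)'s fallback ruleset as shown by `pfctl -s rules` in the post
# (OpenBSD 6.9). Other releases may differ; compare against the heredoc in
# your own /etc/rc if so.
RC_DEFAULT_RULES='block drop all
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)'

# Normalize a ruleset read on stdin: drop blank lines and leading/trailing
# whitespace so formatting differences do not defeat the comparison.
normalize_rules() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Read a ruleset on stdin; succeed only if it is exactly rc(8)'s fallback set.
rules_are_rc_default() {
    [ "$(normalize_rules)" = "$(printf '%s\n' "$RC_DEFAULT_RULES" | normalize_rules)" ]
}

# Parse-check a pf.conf without loading it (pfctl -n), then report whether the
# rules currently loaded in the kernel are the rc(8) fallback.
# Returns 1 if the file does not parse, 2 if the fallback is what is loaded.
pf_audit() {
    conf=${1:-/etc/pf.conf}
    if ! pfctl -nf "$conf"; then
        echo "pf_audit: $conf does not parse; fix it before the next reboot" >&2
        return 1
    fi
    if pfctl -s rules | rules_are_rc_default; then
        echo "pf_audit: loaded ruleset is rc(8)'s fallback; $conf was never loaded" >&2
        return 2
    fi
    echo "pf_audit: $conf parses and the loaded ruleset is not the rc(8) fallback"
}

# Safe reload: replace the running ruleset only if the new file parses.
pf_reload() {
    conf=${1:-/etc/pf.conf}
    pfctl -nf "$conf" && pfctl -f "$conf"
}

# Run the live check only when asked, so the file can also be sourced.
if [ -n "${PF_CONF:-}" ]; then
    pf_audit "$PF_CONF"
fi
```

Run it as `PF_CONF=/etc/pf.conf sh pf_audit.sh` after editing rules, or from cron. `pfctl -nf` parses the file without touching the running rules, so a typo is reported while the current set stays in place, and pf_reload only replaces the running set once that check passes. The fingerprint comparison is exact by design: a ruleset that merely resembles the fallback (for instance one that also starts with `block drop all`) is not flagged, and on a release whose rc(8) ships a different fallback the RC_DEFAULT_RULES string must be updated from that release's /etc/rc.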