OpenBSD/pf: No route to host

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hey guys, I've been playing around reading a The Book of pf (http://oreilly.com/catalog/9781593271657/) and playing around with it.

I have a OpenBSD box with interface
em0 : 172.16.240.7 connected to my home network (dns/dg: 172.16.240.254)
em1: 192.168.0.1 (virtual home network that pf should protect)

Here is my ruleset (I know there is some rules in there that are pointless in my config due to the last line but it's for practice and learning purposes:

Code:

internalif = "em1"
externalif = "em0"

internal = $internalif:network
external = "{ 172.16.240.0/24 }"

websvc = "{ http, https, ftp, ftp-data, pop3, pop3s, smtp }"
remotesvc = "{ ssh, 3389, 5900}"
dnssvc = "{ domain }"

nat on $externalif from $internal to any -> ($externalif)

block all

pass proto tcp from $internal to any port $websvc
pass proto tcp from $internal to any port $dnssvc
pass proto udp from $internal to any port $dnssvc

pass proto tcp from $external to any port $remotesvc
pass proto udp from $external to any port $dnssvc

pass from { lo0, $internal } to any keep state

IP Forwarding is enabled. What am I doing wrong,

pinging from the firewall to google.be:

Code:

$ ping google.be
PING google.be (216.239.59.104): 56 data bytes
ping: sendto: No route to host
ping: wrote google.be 64 chars, ret=-1

Similar deal with slightly different error when trying to ping from a workstation behind the firewall with ip 192.168.0.2. It resolves the ip, but says destination host unreachable.

Thanks for the help already.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I don't know anything about pf as I haven't used it. But ping usually uses ICMP, and I don't see anything there that mentions it.

Harry.

 

First thing I would check is if you have a valid default route.

Spice_Weasel

 

Default route as in default gateway?
This is set properly (otherwise the resolving of the hostname wouldnt even work)

I figured my last rule:

pass from { lo0, $internal } to any

Would allow ANY traffic originating from internal or localhost traffic including ICMP?
Any help on checking my routes and possibly creating a route on openbsd would be greatly appreciated, I'm a openbsd noob and cant find a clear explanation on the topic of routes.

 

I was hoping it was a lack of a default gateway - I like easy solutions ;)

You can check your routing table with netstat -rn if you want to be sure you have a valid default route. From your original post it seems your dns server is 172.16.240.254, which is local to em0, so dns lookups should work properly even if you have no default route.

You can also try to ping the dns server 172.16.240.254 from the workstation behind the firewall - if you get a response that would imply your rules are good but there is a routing issue.

Spice_Weasel