PF Antispoof line in pf.conf kills networking?

arader
Hi all,

I've set up a simple FreeBSD router for my network, and I'm seeing something rather confusing happen with pf(4). My network is essentially
Code:
{internet}--{FreeBSD igb0}-{FreeBSD igb1}--{switch}--{WiFi AP}
I have a pf.conf file that is very basic; the intent is to allow everything "out" and drop everything "in" unless it is from igb1. However, if I switch the ordering of my 'block in' and 'antispoof' lines, anything on my internal igb1 network will lose internet access (and in fact can't even talk to the igb1 interface of the router).

Working pf.conf:
Code:
ext_if="igb0"
int_if="igb1"

set block-policy drop
set loginterface egress
set skip on lo

nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

antispoof quick for $int_if
block in
pass out quick
pass in on $int_if
Working ruleset from pf.conf:
Code:
block drop in quick on ! igb1 inet from 10.6.66.0/24 to any
block drop in quick inet from 10.6.66.1 to any
block drop in all
pass out quick all flags S/SA keep state
pass in on igb1 all flags S/SA keep state
As you can see, the antispoof line comes before the 'block in' line. Now onto my broken pf.conf:
Code:
ext_if="igb0"
int_if="igb1"

set block-policy drop
set loginterface egress
set skip on lo

nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

block in
antispoof quick for $int_if
pass out quick
pass in on $int_if
and the ruleset generated:
Code:
block drop in all
block drop in quick on ! igb1 inet from 10.6.66.0/24 to any
block drop in quick inet from 10.6.66.1 to any
pass out quick all flags S/SA keep state
pass in on igb1 all flags S/SA keep state
Using the second pf.conf with the 'block in' line first, I can't even ping igb1 on this machine, let alone the internet. And sure enough, if I just turn off pf(4), I can immediately ping the interface. Is there some intrinsic PF-ism here that I'm missing? What's the difference between the two?

Oh, and uname output:
Code:
root@rtest:~ # uname -a
FreeBSD rtest.home.lan 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r290229: Sat Dec  5 17:57:31 PST 2015     root@rtest.home.lan:/usr/obj/usr/src/sys/IMP  amd64
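pf's documented rule evaluation (the last matching rule wins, except that a matching "quick" rule ends evaluation at once), modelled as an added Python example that is not part of the post: it parses the two expanded rulesets shown above and reports which rule each one ends on for a few constructed packets. It models only rule matching, not the state table, NAT or anything else that could account for the behaviour described; 10.6.66.1 is taken from the antispoof expansion, and the other sample addresses are constructed.

```python
import ipaddress

def parse_rule(line):
    """Parse the subset of 'pfctl -sr' output shown in the post into a dict."""
    t = line.split()
    r = {"action": t[0], "dir": "in" if "in" in t else "out",
         "quick": "quick" in t, "iface": None, "neg": False, "src": None,
         "text": line}
    if "on" in t:                       # "on igb1" or "on ! igb1"
        i = t.index("on") + 1
        r["neg"] = t[i] == "!"
        r["iface"] = t[i + 1] if r["neg"] else t[i]
    if "from" in t and t[t.index("from") + 1] != "any":
        r["src"] = ipaddress.ip_network(t[t.index("from") + 1], strict=False)
    return r

def matches(r, direction, iface, src_ip):
    if r["dir"] != direction:
        return False
    if r["iface"] and (iface == r["iface"]) == r["neg"]:
        return False                    # wrong interface (honouring "!")
    return r["src"] is None or ipaddress.ip_address(src_ip) in r["src"]

def evaluate(ruleset, direction, iface, src_ip):
    """pf semantics: the last matching rule wins, except that a matching
    'quick' rule ends evaluation immediately. Returns (action, rule text)."""
    winner = None
    for r in map(parse_rule, ruleset):
        if matches(r, direction, iface, src_ip):
            winner = r
            if r["quick"]:
                break
    return ("pass", "<default pass>") if winner is None else (winner["action"], winner["text"])

# The two expanded rulesets, copied from the post (antispoof first / block in first).
ANTISPOOF_FIRST = [
    "block drop in quick on ! igb1 inet from 10.6.66.0/24 to any",
    "block drop in quick inet from 10.6.66.1 to any",
    "block drop in all",
    "pass out quick all flags S/SA keep state",
    "pass in on igb1 all flags S/SA keep state",
]
BLOCK_FIRST = [ANTISPOOF_FIRST[2], ANTISPOOF_FIRST[0], ANTISPOOF_FIRST[1],
               ANTISPOOF_FIRST[3], ANTISPOOF_FIRST[4]]

if __name__ == "__main__":
    # Constructed sample packets: (direction, interface, source address).
    for pkt in [("in", "igb1", "10.6.66.50"),   # LAN host talking to the router
                ("in", "igb0", "10.6.66.50"),   # LAN address spoofed on the WAN side
                ("in", "igb0", "203.0.113.9")]: # unsolicited inbound from the WAN
        for name, rs in (("antispoof first", ANTISPOOF_FIRST), ("block first", BLOCK_FIRST)):
            print(name, pkt, "->", evaluate(rs, *pkt))
```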