Solved pf will not allow icmp traffic at all

Hi,
I cannot ping my server once pf is enabled even with the most permissive rule in /etc/pf.conf:
Code:
pass quick inet proto icmp from any to any
Once pf is disabled, pinging is possible. What am I missing?
FreeBSD 14.3-RELEASE-p6
 
Thank you so much for your quick response.

Well, I am using quick as you see above, but here is the rest of my config:
Code:
# allowed tcp ports
allowed_tcp_ports = "{ 22, 111, 139, 445, 873, 992 2049 30000 }"

# VLANs etc.
VLAN1 = "{192.168.1.0/24 }"

# skip loopback traffic
set skip on lo

# default deny
block all

# allow ping from VLAN1
pass quick inet proto icmp from any to any
# pass out inet proto udp from any to port 33433 >< 33626
# a ping from $VLAN1 arrives as an echo request; the reply leaves as an echo reply
# pass in quick log inet proto icmp from $VLAN1 to any icmp-type echoreq keep state
# pass out quick log inet proto icmp from any to $VLAN1 icmp-type echorep

# allow SSH only from specific hosts
pass in log proto tcp from $VLAN1 to any port $allowed_tcp_ports keep state

# allow all outgoing traffic
pass out all keep state
 
in this case quick isn't doing anything for you, so we'd remove it.

from any to any is synonymous with all iirc.

what does pfctl -vvsr say? we would add log to the block statement and see if the blocked packets show up in pflog.
 
I think I figured out the problem. I was enabling pf with pfctl -e after updating /etc/pf.conf but without running service pf reload.

By running pfctl -vvsr as atax1a suggested, I realized that the rule to allow icmp traffic was never loaded as intended. After reloading the service and enabling it, I can now confirm that it is working as intended. Now I can replace it with one of the commented out versions that allow pinging only from $VLAN1, which probably is redundant, since the server is behind a firewall already.
Thank you all so very much!
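The check that resolved this thread, as an added script that is not part of any post above: syntax-check the file, load it (which is what service pf reload does; pfctl -e alone never reads /etc/pf.conf), then confirm the rule is in the running ruleset. It assumes pfctl prints rules in its normalized form, so "from any to any" is matched as "all".

```shell
#!/bin/sh
# Added example: load pf.conf safely and prove a rule is live.
# Not from the thread; assumes FreeBSD pfctl and root privileges.
set -eu

PF_CONF="${PF_CONF:-/etc/pf.conf}"

# rule_present RULESET_TEXT RULE
# Returns 0 if RULE appears as a whole line of `pfctl -sr` output.
# pfctl rewrites rules into its own canonical form ("from any to any"
# becomes "all"), so match on what pfctl prints, not what you typed.
rule_present() {
    printf '%s\n' "$1" | grep -Fqx -- "$2"
}

# pf_apply_and_verify RULE
# Parse-check, replace the running ruleset, enable pf, then verify.
pf_apply_and_verify() {
    pfctl -nf "$PF_CONF"          # parse only; non-zero exit on a bad file
    pfctl -f "$PF_CONF"           # load the file (same as service pf reload)
    pfctl -e 2>/dev/null || true  # enable; harmless if already enabled
    loaded=$(pfctl -sr)
    if rule_present "$loaded" "$1"; then
        echo "rule active: $1"
    else
        echo "rule NOT in running ruleset: $1" >&2
        printf '%s\n' "$loaded" >&2
        return 1
    fi
}

# Only touch a real pf when a rule to verify is given on the command line.
if [ $# -gt 0 ]; then
    pf_apply_and_verify "$1"
fi
```

Run it as `sh pfcheck.sh 'pass quick inet proto icmp all'` after editing the file; a failure prints the ruleset pf actually holds so you can see what was loaded.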
 