Eu tenho o pf - em execução no meu Mac Mini 2012, no OSX 10.12.2. Exceto por algumas esquisitices. Eu posso falar com a impressora de rede sem fio, mas eu não posso falar com a HP 2015 na ethernet. Internet está bem. Apenas parece ser a rede local.
Eu posso falar com o outro laptop Windows do escritório via Microsoft Remote Desktop, se eu acessá-lo via endereço da interface da Internet, porta encaminhada para ele. MAS .. Eu não posso falar sobre isso através da rede ethernet local. Eu obviamente estou faltando alguma coisa no conjunto de regras pf, mas o que.
Eu sei que é PF porque se eu desabilitar pf com sufdo pfctl -d , de repente eu posso falar com todos eles novamente. Ou esses dois serviços são UDP?
Este é o conjunto de regras pf.conf # # com.apple anchor point # pule pular em lo0
#not sure about these two
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
#
antispoof for en0 inet
antispoof for en0 inet6
antispoof for en1 inet
antispoof for en1 inet6
anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"
table <badhosts> persist file "/etc/badguys1" file "/etc/badguys2"
block return in log quick on en0 from <badhosts> to any
block return in log quick on en1 from <badhosts> to any
block return in log quick proto tcp from 174.46.142.137 to any port {25,465,587}
block return in log quick proto tcp from 115.160.167.46 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.80 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.87 to any port {25,465,587}
block return in log quick proto tcp from 69.165.77.42 to any port {25,465,587}
# Open port 465 for TCP on all interfaces
pass in proto tcp from any to any port 21
pass in proto tcp from any to any port 22
pass in proto tcp from any to any port 23
pass in proto tcp from any to any port 25
pass in proto tcp from any to any port 53
pass in proto udp from any to any port 53
pass in proto tcp from any to any port 110
pass in proto tcp from any to any port 143
pass in proto tcp from any to any port 194
pass in proto tcp from any to any port 389
pass in proto tcp from any to any port 443
pass in proto tcp from any to any port 445
pass in proto tcp from any to any port 465
pass in proto tcp from any to any port 587
pass in proto tcp from any to any port 993
#
pass in proto tcp from any to any port 3389
pass in proto tcp from any to any port 5900
pass in proto tcp from any to any port 6112
#
pass in proto tcp from any to any port 8000
pass in proto udp from any to any port 6277
pass in proto udp from any to any port 1023
table <bruteforce> persist
block quick from <bruteforce>
pass in inet proto tcp to any port ssh \
flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 5/5, \
overload <bruteforce> flush global)
Eu encontrei a resposta. eu acho que Eu adicionei
pass in on en0 from 192.168.0.0/24 to 192.168.0.1
pass out on en0 from 192.168.0.1 to 192.168.0.0/24
pass in on en1 from 192.168.0.0/24 to 192.168.0.1
pass out on en1 from 192.168.0.1 to 192.168.0.0/24
# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.
pass in on $int_if from $lan_net
pass out on $int_if to $lan_net
Meu último arquivo pf.conf é o seguinte. Há um par de opções comentadas que eu vou voltar. Os primeiros, antispoof, se configurados, me impedem de se conectar à interface web do roteador? Os últimos são os conjuntos int_if, e eu só tenho que defini-los. Um dia.
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
set loginterface en1
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
#Only set antispoof on interfaces with an IP address. Otherwise
# you will block all traffic.
set skip on lo0
#antispoof for en1 inet
#antispoof for en1 inet6
#antispoof for en0 inet
#antispoof for en0 inet6
#
# com.apple anchor point
#
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"
table <badhosts> persist file "/etc/badguys1" file "/etc/badguys2"
block on en1 from <badhosts> to any
block on en0 from <badhosts> to any
block return in log quick on en1 from <badhosts> to any
block return in log quick proto tcp from 174.46.142.137 to any port {25,465,587}
block return in log quick proto tcp from 115.160.167.46 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.80 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.87 to any port {25,465,587}
block return in log quick proto tcp from 69.165.77.42 to any port {25,465,587}
block return in log quick proto tcp from 191.96.249.61 to any port {25,465,587}
block return in log quick proto tcp from 191.96.249.26 to any port {25,465,587}
block return in log quick proto tcp from 191.96.0.0/24 to any
# Open port 465 for TCP on all interfaces
pass in proto tcp from any to any port 21
pass in proto tcp from any to any port 22
pass in proto tcp from any to any port 23
pass in proto tcp from any to any port 25
pass in proto tcp from any to any port 53
pass in proto udp from any to any port 53
pass in proto tcp from any to any port 110
pass in proto tcp from any to any port 143
pass in proto tcp from any to any port 194
pass in proto tcp from any to any port 389
pass in proto tcp from any to any port 443
pass in proto tcp from any to any port 445
pass in proto tcp from any to any port 465
pass in proto tcp from any to any port 587
pass in proto tcp from any to any port 993
pass in proto tcp from any to any port 5900
pass in proto tcp from any to any port 6112
pass in proto udp from any to any port 6277
pass in proto udp from any to any port 1023
#
pass in proto tcp from any to any port 8000
table <bruteforce> persist
block quick from <bruteforce>
pass in inet proto tcp to any port ssh \
flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 5/5, \
overload <bruteforce> flush global)
pass in on en0 from 192.168.0.0/24 to 192.168.0.1
pass out on en0 from 192.168.0.1 to 192.168.0.0/24
pass in on en1 from 192.168.0.0/24 to 192.168.0.1
pass out on en1 from 192.168.0.1 to 192.168.0.0/24
# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.
Tags networking pf macos