PF на macOS Sierra блокирует некоторый трафик локальной сети, позволяя другим

Question

У меня pf - работает на моем Mac Mini 2012, под OSX 10.12.2. За исключением некоторых странностей. Я могу разговаривать с беспроводным сетевым принтером, но я не могу разговаривать с HP 2015 по Ethernet. Интернет в порядке. Просто, кажется, локальная сеть.

Я могу общаться с другим офисным ноутбуком Windows через Microsoft Remote Desktop, если я получаю к нему доступ через его адрес интернет-интерфейса, порт перенаправляется на него. НО.. Я не могу говорить с ним по локальной сети Ethernet. Я явно что-то упускаю в наборе правил pf, но что.

Я знаю, что это PF, потому что если я отключу pf с помощью sudo pfctl -d, вдруг я снова смогу поговорить с ними. Или оба этих сервиса UDP?

Это набор правил pf.conf # # точка привязки com.apple # set skip on lo0

#not sure about these two
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"


scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
#


antispoof for en0 inet
antispoof for en0 inet6

antispoof for en1 inet
antispoof for en1 inet6

anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"

table <badhosts> persist file "/etc/badguys1" file "/etc/badguys2"
block return in log quick on en0 from <badhosts> to any
block return in log quick on en1 from <badhosts> to any

block return in log quick proto tcp from 174.46.142.137 to any port {25,465,587}
block return in log quick proto tcp from 115.160.167.46 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.80 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.87 to any port {25,465,587}
block return in log quick proto tcp from 69.165.77.42 to any port {25,465,587}

# Open port 465 for TCP on all interfaces
pass in proto tcp from any to any port 21
pass in proto tcp from any to any port 22
pass in proto tcp from any to any port 23
pass in proto tcp from any to any port 25
pass in proto tcp from any to any port 53
pass in proto udp from any to any port 53
pass in proto tcp from any to any port 110
pass in proto tcp from any to any port 143
pass in proto tcp from any to any port 194
pass in proto tcp from any to any port 389
pass in proto tcp from any to any port 443
pass in proto tcp from any to any port 445
pass in proto tcp from any to any port 465
pass in proto tcp from any to any port 587
pass in proto tcp from any to any port 993
#
pass in proto tcp from any to any port 3389
pass in proto tcp from any to any port 5900
pass in proto tcp from any to any port 6112
#
pass in proto tcp from any to any port 8000
pass in proto udp from any to any port 6277
pass in proto udp from any to any port 1023

table <bruteforce> persist
block quick from <bruteforce>
pass in inet proto tcp to any port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/5, \
     overload <bruteforce> flush global)

Answer 1

Я нашел ответ. Я думаю, что я добавил

pass in  on en0 from 192.168.0.0/24 to 192.168.0.1
pass out on en0 from 192.168.0.1    to 192.168.0.0/24
pass in  on en1 from 192.168.0.0/24 to 192.168.0.1
pass out on en1 from 192.168.0.1    to 192.168.0.0/24
# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.
pass in  on $int_if from $lan_net
pass out on $int_if to   $lan_net

Answer 2

Мой последний файл pf.conf выглядит следующим образом. Есть пара комментариев, к которым я вернусь. Первые, антиспуф, если установлены, блокируют мне подключение к веб-интерфейсу роутера? Последние - наборы int_if, и я просто должен определить их. Когда-нибудь.

# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
set loginterface en1
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
#Only set antispoof on interfaces with an IP address. Otherwise
# you will block all traffic.
set skip on lo0


#antispoof for en1 inet
#antispoof for en1 inet6

#antispoof for en0 inet
#antispoof for en0 inet6

#

# com.apple anchor point
#
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"

table <badhosts> persist file "/etc/badguys1" file "/etc/badguys2"
block on en1 from <badhosts> to any
block on en0 from <badhosts> to any
block return in log quick on en1 from <badhosts> to any

block return in log quick proto tcp from 174.46.142.137 to any port {25,465,587}
block return in log quick proto tcp from 115.160.167.46 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.80 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.87 to any port {25,465,587}
block return in log quick proto tcp from 69.165.77.42 to any port {25,465,587}
block return in log quick proto tcp from 191.96.249.61 to any port {25,465,587}
block return in log quick proto tcp from 191.96.249.26 to any port {25,465,587}
block return in log quick proto tcp from 191.96.0.0/24 to any

# Open port 465 for TCP on all interfaces
pass in proto tcp from any to any port 21
pass in proto tcp from any to any port 22
pass in proto tcp from any to any port 23
pass in proto tcp from any to any port 25
pass in proto tcp from any to any port 53
pass in proto udp from any to any port 53
pass in proto tcp from any to any port 110
pass in proto tcp from any to any port 143
pass in proto tcp from any to any port 194
pass in proto tcp from any to any port 389
pass in proto tcp from any to any port 443
pass in proto tcp from any to any port 445
pass in proto tcp from any to any port 465
pass in proto tcp from any to any port 587
pass in proto tcp from any to any port 993
pass in proto tcp from any to any port 5900
pass in proto tcp from any to any port 6112

pass in proto udp from any to any port 6277
pass in proto udp from any to any port 1023
#
pass in proto tcp from any to any port 8000


table <bruteforce> persist
block quick from <bruteforce>
pass in inet proto tcp to any port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/5, \
     overload <bruteforce> flush global)

pass in  on en0 from 192.168.0.0/24 to 192.168.0.1
pass out on en0 from 192.168.0.1    to 192.168.0.0/24
pass in  on en1 from 192.168.0.0/24 to 192.168.0.1
pass out on en1 from 192.168.0.1    to 192.168.0.0/24
# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.