I have disabled all rules in firewall, but still can tracert from LAN
I have disabled all positive rules in the firewall, and I can't browse the Web, but I still can tracert
from a LAN machine and receive 3 hops from my ISP.
How is this possible?
Post your LAN rules.
All were disabled (dimmed), except the anti-lockout rule.
Currently one additional rule is enabled, which I use to browse the Web.
I can disable it and have the situation again.
Stop messing around and show the rules in the state they are that you say they are misbehaving.
Show the states for the traceroutes.
Look at the states using pfctl -vvss to see what rule is passing the traffic.
Thank you, but I prefer rod over fish. Where/how to find the undesired state in the output of
I found the following in the output:
re2 icmp 10.10.0.62:1 <- 192.168.10.56:1 0:0
age 00:08:30, expires in 00:00:05, 192:7 pkts, 14400:584 bytes, rule 117
id: 010000005ab2fc3e creatorid: 6261d0b3
re0 icmp 220.127.116.11:47326 (192.168.10.56:1) -> 10.10.0.62:47326 0:0
age 00:08:30, expires in 00:00:05, 377:4 pkts, 28188:416 bytes, rule 94
id: 010000005ab2fc3f creatorid: 6261d0b3
10.10.0.62 is a new address behind the VPN which I wish to ping, and which is pingable from
WAN, which is undesired.
For whatever reason that traffic is not interesting to the VPN.
You are policy routing the traffic out WAN by setting a gateway on a rule that matches. This overrides both the routing table and IPsec selectors.
The traffic does not match the traffic selector.
From that output, rule 117 passed the ping into LAN.
You can match that rule in the rule set:
pfctl -vvsr | grep -A3 '^@117'
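The lookup described in the replies above (read the state table, note the rule number that created each state, then grep that rule in pfctl -vvsr) can be done programmatically. This is an added example, not code from the thread; it assumes the standard FreeBSD pf state format shown above (detail lines indented), and reuses the two quoted states as constructed sample input.

```python
import re

# Constructed sample: the two states quoted in the thread, as pfctl -vvss prints them
SAMPLE = """\
re2 icmp 10.10.0.62:1 <- 192.168.10.56:1       0:0
   age 00:08:30, expires in 00:00:05, 192:7 pkts, 14400:584 bytes, rule 117
   id: 010000005ab2fc3e creatorid: 6261d0b3
re0 icmp 220.127.116.11:47326 (192.168.10.56:1) -> 10.10.0.62:47326       0:0
   age 00:08:30, expires in 00:00:05, 377:4 pkts, 28188:416 bytes, rule 94
   id: 010000005ab2fc3f creatorid: 6261d0b3
"""

# State header: iface proto LEFT [(LEFT before NAT)] <-|-> RIGHT [(RIGHT before NAT)] state
HEADER = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_orig>[^)]+)\))?\s+(?P<dir><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_orig>[^)]+)\))?\s+\S+\s*$")
RULE = re.compile(r"\brule (\d+)\b")


def host_of(endpoint):
    """'10.10.0.62:1' -> '10.10.0.62' (the suffix is a port, or the ICMP id)."""
    return endpoint.rsplit(":", 1)[0]


def parse_states(text):
    """Parse pfctl -vvss output into one dict per state, with the rule that created it."""
    states = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            d = m.groupdict()
            # pf prints outbound states as 'src -> dst', inbound as 'dst <- src'; parentheses = pre-NAT
            inbound = d["dir"] == "<-"
            src, dst = ("right", "left") if inbound else ("left", "right")
            states.append({"iface": d["iface"], "proto": d["proto"],
                           "direction": "in" if inbound else "out",
                           "src": d[src], "src_orig": d[src + "_orig"],
                           "dst": d[dst], "dst_orig": d[dst + "_orig"], "rule": None})
        elif states and (r := RULE.search(raw)):
            states[-1]["rule"] = int(r.group(1))
    return states


def rules_touching(states, host):
    """Map rule number -> (iface, direction) for every state involving host, pre- or post-NAT."""
    found = {}
    for s in states:
        ends = [e for e in (s["src"], s["src_orig"], s["dst"], s["dst_orig"]) if e]
        if s["rule"] is not None and any(host_of(e) == host for e in ends):
            found[s["rule"]] = (s["iface"], s["direction"])
    return found
```

Feed it the real output (`pfctl -vvss`) and the host you are chasing; each rule number it returns is the `@N` label to grep for in `pfctl -vvsr`.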