# pf and owncloud-client



## nielsk (May 13, 2017)

Every time I enable pf the owncloud-client isn't able to find its servers anymore

Here is my pf.conf; what am I doing wrong?

```
# The name of our network interface as seen in `ifconfig`
ext_if="vlan11"
ext_vpn="tun0"

# Macros to define the set of TCP and UDP ports to open.
# Add additional ports or ranges separated by commas.
# UDP 60000-60010 is mosh control http://mosh.mit.edu/
tcp_services = "{ssh, https, openvpn}"
udp_services = "{60000:60010}"

# If you block all ICMP requests you will break things like path MTU
# discovery. These macros define allowed ICMP types. The additional
# ICMPv6 types are for neighbor discovery (RFC 4861)
icmp_types = "{echoreq, unreach}"
icmp6_types="{echoreq, unreach, 133, 134, 135, 136, 137}"

# Modulate the initial sequence number of TCP packets.
# Broken operating systems sometimes don't randomize this number,
# making it guessable.
tcp_state="flags S/SA keep state"
udp_state="keep state"

# Don't send rejections. Just drop.
set block-policy drop

# Exempt the loopback interface to prevent services utilizing the
# local loop from being blocked accidentally.
set skip on lo0

# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in on $ext_if all fragment reassemble

# set a default deny policy.
block in log all

# This is a desktop so be permissive in allowing outgoing connections.
pass out quick modulate state

# Enable antispoofing on the external interface
antispoof for $ext_if inet
antispoof for $ext_if inet6

# block packets that fail a reverse path check. we look up the routing
# table, check to make sure that the outbound is the same as the source
# it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any

# drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

# Allow the services defined in the macros at the top of the file
pass in on $ext_if inet proto tcp from any to any port $tcp_services $tcp_state
pass in on $ext_if inet6 proto tcp from any to any port $tcp_services $tcp_state

pass in on $ext_if inet proto udp from any to any port $udp_services $udp_state
pass in on $ext_if inet6 proto udp from any to any port $udp_services $udp_state

pass in on $ext_vpn inet proto tcp from any to any port $tcp_services $tcp_state
pass in on $ext_vpn inet6 proto tcp from any to any port $tcp_services $tcp_state

pass in on $ext_vpn inet proto udp from any to any port $udp_services $udp_state
pass in on $ext_vpn inet6 proto udp from any to any port $udp_services $udp_state
# Allow ICMP
pass inet proto icmp all icmp-type $icmp_types keep state
pass inet6 proto icmp6 all icmp6-type $icmp6_types keep state
```


----------



## SirDice (May 15, 2017)

nielsk said:


> Every time I enable pf the owncloud-client isn't able to find its servers anymore


This indicates a problem with name resolving. Does DNS still work if the firewall is loaded?


----------



## nielsk (Jun 12, 2017)

Yes it does. And it suddenly started to work a couple of days ago…


----------

