I am writing a static webpage on an OpenBSD VM (here called example.com). When I access the server by its domain name over HTTP I get httpd's 403 page. When I use `telnet example.com 80` I get

```
Date: Tue, 12 Jul 2022 01:07:01 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 498
```

followed by some HTML of the site, and `curl -I example.com` returns `HTTP/1.0 403 Forbidden... Connection: close`. I assume it has something to do with my pf.conf, so here it is:
```
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

IP4 = "10.0.0.1"
IP6 = "2001:db8::/80"
FlushUDP = "max-pkt-rate 10000/10 keep state (max 1000, source-track rule, max-src-nodes 200, max-src-states 200)"
Flush = "keep state (max 100, source-track rule, max-src-nodes 20, max-src-conn-rate 50/10 overload <abuse> flush global)"

block all
set skip on lo
set block-policy drop
set loginterface vio0
set syncookies adaptive (start 25%, end 12%)
table <abuse> persist file "/etc/pf/abuse"
block in log quick from <abuse>
pass in log quick proto udp to {$IP4 $IP6} port {domain, isakmp, ntp, ipsec-nat-t} $FlushUDP
block in log quick proto udp to {$IP4 $IP6}
block in log quick from urpf-failed
pass in on vio0 inet proto icmp icmp-type 8 code 0 $FlushUDP # icmp packets
pass in on vio0 inet proto icmp icmp-type 3 code 4 $FlushUDP # icmp needfrag (MTU)
pass in log quick on vio0 proto ipv6-icmp $FlushUDP
match in all scrub (no-df random-id max-mss 1440)

#came with the server
block return out log proto {tcp, udp} user _pbuild
block return in on ! lo0 proto tcp to port 6000:6010
match out on agress inet from !(egress:network) to any nat-to (egress:0)

#tcp rules
pass in on vio0 log quick proto tcp to {$IP4 $IP6} port domain $Flush
pass in on vio0 log quick proto tcp to {$IP4 $IP6} port auth $Flush
pass in on vio0 log quick proto tcp to {$IP4 $IP6} port {gopher www http https} $Flush
pass in on vio0 log quick proto tcp to {$IP4 $IP6} port { 6660:6669 6697} $Flush #consider adding more ports
pass in on vio0 log quick proto tcp to {$IP4 $IP6} port 1337 $Flush #bouncer

#my own rules
block in quick on vio0 proto tcp from any os {"Mac OS", NMAP}
#pass in on egress proto tcp from any to egress port { www, https, 6667, 6697, git} synproxy state
#block in quick on egress proto {tcp, udp, icmp} from any to any modulate state (if-bound)
antispoof for vio0 inet
antispoof for vio0 inet6
block return # block stateless traffic
pass # establish keep-state
```

The contents of /etc/pf/abuse:

```
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
224.0.0.0/3
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
```

And here is /etc/httpd.conf:

```
types {
	include "/usr/share/misc/mime.types"
}

server "example.com" {
	alias "www.example.com"
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/htdocs/example.com"
		request strip 2
	}
}
```

hostname.vio0 contains:

```
inet autoconf
inet6 2a03:6000:6e64:618::221 64
```

mygate contains `2a03:6000:6e64:618::1` (so only the IPv6 address of a router), and resolv.conf contains:

```
nameserver [IP ADDRESS] # resolvd: vio0
lookup file bind
```

where [IP ADDRESS] is the IPv4 address of the server.
What I'm trying to get to is a telnet response of `HTTP/1.0 302 Found`, or to reach index.htm, which right now is simple text.
`curl -I example.com`? Does `pfctl -nf /etc/pf.conf` report anything? You should have `set skip on lo` as the first configuration after macros and tables, though that won't show from `pfctl`. `pass` means everything passes that doesn't use `quick`. From pf.conf(5): "Each time a packet processed by the packet filter comes in on or goes out through an interface, the filter rules are evaluated in sequential order, from first to last. For block and pass, the last matching rule decides what action is taken..." Rules should generally get more specific as you go down the configuration.

`HTTP/1.0 403 Forbidden... Connection: close`; pfctl returns that lines 30-34 result in syntax errors (I didn't know pf would load a faulty conf), and I should omit the final `pass`.
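The last-match-wins and `quick` semantics quoted from pf.conf(5) above are easy to get wrong by reading a ruleset top to bottom. The following toy evaluator is an added example, not code from the question, its commenters, or OpenBSD: it models only direction, protocol and destination port (interfaces, addresses, logging and state options are ignored), and `QUESTION_RULES` is a hand-transcribed, simplified subset of the posted pf.conf in its original order. `WITHOUT_FINAL_PASS` is the same list with the trailing `pass` dropped, as suggested in the comments.

```python
"""Toy model of pf(4) rule evaluation (added example, not from the question).

pf.conf(5): rules are evaluated first to last; for block and pass the LAST
matching rule decides, unless a matching rule carries `quick`, which ends the
evaluation on the spot. If no rule matches at all, the packet passes.

The ruleset below is a hand-transcribed, simplified subset of the pf.conf in
the question (constructed for this example): only direction, protocol and
destination port are modelled; interfaces, addresses, logging and state
options are ignored.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp", ...
    dport: Optional[int]    # destination port, None when not applicable


@dataclass(frozen=True)
class Rule:
    action: str                               # "pass" or "block"
    text: str                                 # the pf.conf line it stands for
    direction: Optional[str] = None           # None: matches in and out
    proto: Optional[str] = None               # None: matches any protocol
    ports: FrozenSet[int] = frozenset()       # empty: matches any port
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.ports and pkt.dport not in self.ports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule text) for pkt under pf's matching semantics."""
    winner: Optional[Rule] = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule            # last match so far
            if rule.quick:
                break                # quick: this rule decides, stop here
    if winner is None:
        return "pass", "<no rule matched: pf passes by default>"
    return winner.action, winner.text


def decide(rules: List[Rule], direction: str, proto: str, dport: Optional[int]) -> str:
    """Convenience wrapper returning only the action."""
    return evaluate(rules, Packet(direction, proto, dport))[0]


# Simplified transcription of the question's ruleset, in the original order.
QUESTION_RULES: List[Rule] = [
    Rule("block", "block all"),
    Rule("pass", "pass in log quick proto udp ... port {domain, isakmp, ntp, ipsec-nat-t}",
         "in", "udp", frozenset({53, 500, 123, 4500}), quick=True),
    Rule("block", "block in log quick proto udp to {$IP4 $IP6}", "in", "udp", quick=True),
    Rule("pass", "pass in on vio0 log quick proto tcp ... port domain $Flush",
         "in", "tcp", frozenset({53}), quick=True),
    Rule("pass", "pass in on vio0 log quick proto tcp ... port {gopher www http https} $Flush",
         "in", "tcp", frozenset({70, 80, 443}), quick=True),
    Rule("block", "block return  # block stateless traffic"),
    Rule("pass", "pass  # establish keep-state"),
]

# The same ruleset with the trailing `pass` dropped, as the comments suggest.
WITHOUT_FINAL_PASS: List[Rule] = QUESTION_RULES[:-1]


if __name__ == "__main__":
    probes = [("in", "tcp", 80), ("in", "tcp", 22), ("in", "udp", 22), ("out", "tcp", 443)]
    for label, rules in (("as posted", QUESTION_RULES), ("without final pass", WITHOUT_FINAL_PASS)):
        print(f"== {label} ==")
        for d, p, port in probes:
            action, why = evaluate(rules, Packet(d, p, port))
            print(f"{d:3} {p:3} port {port:<4} -> {action:5} ({why})")
```

Two things the model makes visible that the configuration hides: inbound TCP to port 80 is passed by the `quick` rule regardless of what follows, so pf is not what produces the 403; and with the trailing `pass` in place, inbound TCP to any port that no `quick` rule names (port 22 in the probe) ends up passed, because that `pass` is the last match and overrides both `block all` and `block return`. Dropping it flips those packets to block, but in this toy model it also blocks the server's own outbound TCP (the `out` probe), since the transcribed subset contains no `pass out`; whether the real ruleset behaves the same is exactly what `pfctl -nf /etc/pf.conf` and a test from the host should confirm.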