Below are my current pf.conf and dhcpd.conf files that I'm using for my OpenBSD 4.9 router. Is there anything I can or should add or remove to make it more secure?
#######################################
# dhcpd.conf
authoritative;
option domain-name-servers 24.222.0.96;
subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.150;
}
#######################################
#######################################
# pf.conf
# macros
int_if="xl0"
whs="192.168.0.50"
comp1="192.168.0.20"
comp2="192.168.0.21"
# options
set block-policy drop
set loginterface xl1
set skip on lo
# match rules
match in all scrub (no-df)
match out on egress inet from !(egress) to any nat-to (egress:0)
# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $comp1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $comp2 synproxy state
pass in on $int_if
#######################################
Not having my internet connection dropped many, many, many times throughout the day since switching to my BSD router is pretty sweet and makes for a lot less cursing during the day while I'm working on remote systems. The almost 5Mbps speed increase is nice too!
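
An added example, not part of the original post: a small Python audit that lists every `rdr-to` forward in the pf.conf above and marks those with no `from` clause, which pf matches for any source address. The port 2222 rule and the `<admins>` table are constructed here for contrast and are not in the poster's ruleset.

```python
import re

# Macros and forward rules copied from the pf.conf above, plus one
# constructed rule (port 2222, table <admins>) showing a restricted source.
PF_CONF = """\
whs="192.168.0.50"
comp1="192.168.0.20"
comp2="192.168.0.21"
block in log
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $comp1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $comp2 synproxy state
pass in on egress inet proto tcp from <admins> to (egress) port 2222 rdr-to $comp1 port 22
"""

MACRO = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
RULE = re.compile(
    r'^pass\s+in\b.*?\bproto\s+(?P<proto>\S+)'
    r'(?:\s+from\s+(?P<src>\S+))?'          # optional source restriction
    r'\s+to\s+\S+\s+port\s+(?P<port>\S+)'
    r'\s+rdr-to\s+(?P<target>\S+)')


def audit_forwards(conf):
    """Return one finding per 'pass in ... rdr-to' rule, with macros expanded."""
    macros, findings = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = MACRO.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # Expand $macro references; unknown names are left untouched.
        line = re.sub(r"\$(\w+)",
                      lambda v: macros.get(v.group(1), v.group(0)), line)
        r = RULE.match(line)
        if r:
            src = r.group("src") or "any"     # no 'from' means any source
            findings.append({"proto": r.group("proto"), "port": r.group("port"),
                             "target": r.group("target"), "source": src,
                             "open_to_any": src == "any"})
    return findings


if __name__ == "__main__":
    for f in audit_forwards(PF_CONF):
        flag = "ANY SOURCE" if f["open_to_any"] else "restricted"
        print(f'{f["proto"]}/{f["port"]} -> {f["target"]} '
              f'from {f["source"]} [{flag}]')
```
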