View Single Post
  #2   (View Single Post)  
Old 12th August 2012
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,585
Default

This is the pf.conf I am using on my OpenBSD firewall.Although it does not match your specifications exactly , it will give you a start.

Code:
# pf.conf for UPC

services = "{ imaps, pop3, pop3s, domain, submission, www, cddb, 8080, https, \
              whois, ssh, telnet, rsync, ftp, 5999, 6667, 1022, 5050 }"

set skip on lo0

# ---- external/egress interface
match out inet from ! egress to any  nat-to (egress)

# --- anchor for misc purposes, like temporarily allowing outgoing ftp from firewall itself
anchor 'TMP'

# --- allow outgoing TCP 
pass out quick     on egress inet proto tcp from any to any port $services label "$nr:$proto:$dstport"
pass out quick log on egress inet proto tcp from any to any port smtp      label "$nr:$proto:SMTP"

# --- ftp-proxy tags the ftp data connection packets. See /etc/rc.conf.local
# 
pass out quick     on egress inet tagged FTP_DATA                          label "$nr:$proto:FTP_DATA"

# --- allow outgoing UDP 
pass out quick on egress inet proto udp from any to any port domain keep state label "$nr:$proto:DOMAIN"
pass out quick on egress inet proto udp from any to any port ntp    keep state label "$nr:$proto:NTP"

# --- allow outgoing ICMP
#  ping and 'traceroute -P icmp' 
pass out quick on egress inet proto icmp from any to any icmp-type echoreq keep state label "$nr:$proto:ICMP"

# ---- internal network interface
anchor "ftp-proxy/*"
pass in quick on internal inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass    quick on internal inet

# ---- default block
block log all label BLOCKED
The /etc/hostname.* files:

Code:
# cat /etc/hostname.xl0
dhcp
# cat /etc/hostname.xl1
 
inet       192.168.222.10 255.255.255.0 NONE group internal
inet alias 192.168.222.11 255.255.255.255
The ftp proxy stuff and the enabling of forwarding/routing of IPv4:

Code:
# grep ftp /etc/rc.conf.local

ftpproxy_flags="-T FTP_DATA" 

# grep forward /etc/sysctl.conf

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1       # 1=Permit forwarding (routing) of IPv4 multicast packets
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote