Hi,
I want to set up an OpenBSD 4.8 firewall to protect my home internal network and split my internet connection using NAT. Here is my working pf.conf:
Code:
ext_if="pppoe0"
int_if="xl1"
lan_ip1="192.168.0.2"
lan_ip2="192.168.0.3"
lan_ip3="192.168.0.12"
port1="50301"
port2="6885"
port3="48000"
set skip on lo
set block-policy return
match on pppoe0 scrub (max-mss 1440)
pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)
#Rules for Vuze BitTorrent client (192.168.0.2):
pass in on $ext_if proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if proto udp from any to any port $port1 rdr-to $lan_ip1
The NAT is working fine: I have access to the internet from the internal network, but there is no protection against attacks from the internet. To secure it all I added the following rules:
Code:
ext_if="pppoe0"
int_if="xl1"
lan_ip1="192.168.0.2"
lan_ip2="192.168.0.3"
lan_ip3="192.168.0.12"
lan_net="192.168.0.0/24"
port1="50301"
port2="6885"
port3="48000"
set skip on lo
set block-policy return
match on pppoe0 scrub (max-mss 1440)
pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)
# default deny
block all
# drop packets with LAN source addresses arriving on any interface other than xl1
antispoof quick for $int_if inet
# LAN clients may talk to the firewall and through it
pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net
# outbound traffic on the external interface, stateful
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#Rules for Vuze BitTorrent client (192.168.0.2):
pass in on $ext_if proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if proto udp from any to any port $port1 rdr-to $lan_ip1
With that I have access to the internet only on the OpenBSD firewall machine, not from the internal network.
Everything seems OK; can anybody spot the problem?
Thanks in advance
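Added example, not part of the post above: the same ruleset with the NAT written the way the OpenBSD 4.7+ pf.conf(5) manual and FAQ recommend, as a `match` rule. In pf the last matching rule wins, and `nat-to` on a `pass` rule only takes effect when that pass rule is the one that finally matches. In the second ruleset above, `block all` and then `pass out on $ext_if proto tcp all ...` both come after the `pass out ... nat-to` rule, so LAN traffic ends up matching a later pass rule that carries no translation and leaves pppoe0 with a 192.168.0.x source address; the firewall's own traffic needs no NAT, which is why it still works. A `match` rule attaches its `nat-to` to the packet regardless of which pass rule wins, so ordering no longer matters. The macros, interface names and port are the poster's; the comments and the rule layout are assumptions made here.

```pf
# Added example (not the poster's file): OpenBSD 4.8 pf.conf with NAT as a match rule.
ext_if="pppoe0"
int_if="xl1"
lan_net="192.168.0.0/24"
lan_ip1="192.168.0.2"       # Vuze host
port1="50301"               # Vuze listening port (TCP and UDP)

set skip on lo
set block-policy return

# PPPoE has a smaller MTU than Ethernet; clamp the TCP MSS accordingly.
match on $ext_if scrub (max-mss 1440)

# NAT as a match rule: the nat-to action sticks to the packet and is applied
# by whichever pass rule wins, so it cannot be overridden by a later pass rule.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny, then reject packets claiming a LAN source on the wrong interface.
block all
antispoof quick for $int_if inet

# LAN clients may reach the firewall and traverse it.
pass in on $int_if inet from $lan_net to any
pass out on $int_if inet from any to $lan_net

# Outbound on the external interface: the firewall's own traffic and, after the
# match rule above has translated it, traffic from the LAN.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Vuze: forward the listening port to the LAN host. The forwarded packet is then
# allowed by "pass out on $int_if" and replies follow the state created here.
pass in on $ext_if inet proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if inet proto udp from any to any port $port1 rdr-to $lan_ip1
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and confirm the translation is being applied by looking at states with `pfctl -ss` (LAN connections should show the pppoe0 address as the translated source) or by watching `tcpdump -ni pppoe0 net 192.168.0.0/24`: with the original ruleset that capture shows untranslated private addresses leaving the link, with the match rule it shows nothing.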