Old 12th March 2013
Popelicious
Migrating from iptables to pf, a love story

Hello everybody, I'm a network admin in a small company. I'm in charge of modernizing the firewalls, two very old Linux boxes with iptables.

Now, I could just go and install some CentOS with iptables and relax with a cup of coffee while my boss looks on approvingly, or I could go with the new (for me) and sexy, powerful pf on OpenBSD that I fell in love with. I'm going for the second option.

So, as part 1 of my plan I have been researching all I can on pf; as practice I installed OpenBSD on a small machine and tried to write my pf.conf. Once done, I tried to swap in this small firewall we have that does NAT and forwards LDAP and port 8080 to two different machines, in preparation for the big changes. It doesn't work.

I humbly ask for some guidance as I kinda have a deadline for this of 2 weeks and I'm stuck.

The network is like this:
The ISP router forwards all ports to the rl0 interface (192.168.0.9); then the nfe0 interface (192.168.200.151) goes to the servers' network.

I'll paste my pf.conf down here:

Code:
set skip on lo

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

pass        # to establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

#######MACROS########
ext_if = "rl0"
int_if = "nfe0"
pub_ip = "6.6.6.6"
IntNet = "{ 192.168.200.0/24, 192.168.122.0/24 }"
server1 = "192.168.200.31"
server2 = "192.168.122.103"

######PROTECTION####
#antispoof log quick on $ext_if
######RULES########
block all
pass in on $int_if from $IntNet
pass out on $int_if from $IntNet
pass out on $ext_if from $int_if to any nat-to $ext_if

pass in on $ext_if proto tcp from 6.6.6.6 port 389 rdr-to $server1 port 389
pass in on $ext_if proto tcp from 6.6.6.6 port 8080 rdr-to $server2 port 8080

Thanks a lot guys.

Last edited by Popelicious; 13th March 2013 at 10:52 AM.
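As an added example, not part of the post or a reply from the thread, here is a corrected version of the posted pf.conf that keeps the same macros and the same two forwards. It assumes what the post describes: rl0 holds 192.168.0.9 (the ISP router already does the public NAT and forwards to that address, so 6.6.6.6 never appears as a destination on rl0), nfe0 holds 192.168.200.151, and the firewall already has a route to 192.168.122.0/24. The two defects it fixes are `from 6.6.6.6 port 389`, which only matches packets sent by 6.6.6.6 rather than packets addressed to the firewall, and `from $int_if` in the NAT rule, which matches the firewall's own nfe0 address rather than the LAN networks.

```pf
# Added example: corrected pf.conf for the NAT + port-forward setup above.
# Not the original poster's config. Assumes rl0 = 192.168.0.9 behind an ISP
# router, nfe0 = 192.168.200.151, and an existing route to 192.168.122.0/24.

ext_if  = "rl0"
int_if  = "nfe0"
IntNet  = "{ 192.168.200.0/24, 192.168.122.0/24 }"
server1 = "192.168.200.31"     # LDAP target
server2 = "192.168.122.103"    # port-8080 target

set skip on lo

# Drop packets whose source address cannot legitimately arrive on that interface.
antispoof log quick for { $ext_if $int_if }

# Default deny. In pf the LAST matching rule wins, so the default-deny rule
# comes first and the pass rules below override it for the traffic they name.
block log all

# Keep the OpenBSD default protection for X11 listeners.
block in on ! lo0 proto tcp to port 6000:6010

# Outbound NAT for the LAN networks. "($ext_if)" in parentheses makes pf
# track rl0's current address instead of freezing it at load time.
pass out on $ext_if inet from $IntNet to any nat-to ($ext_if)

# LAN side: internal hosts may talk to the firewall and through it.
pass in  on $int_if inet from $IntNet
pass out on $int_if inet to $IntNet

# Port forwards: match on the DESTINATION address of rl0, then redirect.
# The state created here also covers the packet leaving nfe0 (default
# floating state policy), so no extra pass out rule is needed for it.
pass in log on $ext_if inet proto tcp to ($ext_if) port 389  rdr-to $server1 port 389
pass in log on $ext_if inet proto tcp to ($ext_if) port 8080 rdr-to $server2 port 8080
```

Before loading it, check the syntax with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Forwarding between rl0 and nfe0 also needs `net.inet.ip.forwarding=1` in /etc/sysctl.conf, which a fresh OpenBSD install leaves disabled; a correct ruleset with forwarding off fails in exactly the way the post describes. `pfctl -ss` shows whether states are being created for the redirected connections, and `tcpdump -n -e -ttt -i pflog0` shows what the `log` keywords on the block and rdr rules are dropping or passing. The ftp-proxy anchor and its `divert-to` rule from the original can be added back unchanged if ftp-proxy(8) is running; they are left out here to keep the example to the NAT and forwarding problem. If the forwarded LDAP port only has to be reachable from a known set of peers, narrow the `pass in ... port 389` rule with a `from { ... }` list rather than exposing it to any source.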