7th December 2010
Monkey
New User
 
Join Date: Dec 2009
Posts: 7
Setting up an OpenBSD firewall

Hi,

I want to set up an OpenBSD 4.8 firewall to protect my home internal network and split my internet connection using NAT. Here is my working pf.conf:

Code:
ext_if="pppoe0"
int_if="xl1"

lan_ip1="192.168.0.2"
lan_ip2="192.168.0.3"
lan_ip3="192.168.0.12"
port1="50301"
port2="6885"
port3="48000"

set skip on lo
set block-policy return

match on pppoe0 scrub (max-mss 1440)

pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)

#Rules for Vuze BitTorrent client (192.168.0.2):
pass in on $ext_if proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if proto udp from any to any port $port1 rdr-to $lan_ip1

The NAT is working fine: I have access to the internet from the internal network, but there is no protection against attacks from the internet. To secure it all, I added the following rules:
Code:
ext_if="pppoe0"
int_if="xl1"

lan_ip1="192.168.0.2"
lan_ip2="192.168.0.3"
lan_ip3="192.168.0.12"
lan_net="192.168.0.0/24"
port1="50301"
port2="6885"
port3="48000"

set skip on lo
set block-policy return

match on pppoe0 scrub (max-mss 1440)

pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)

block all

antispoof quick for $int_if inet

pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

#Rules for Vuze BitTorrent client (192.168.0.2):
pass in on $ext_if proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if proto udp from any to any port $port1 rdr-to $lan_ip1

With that I have access to the internet only on the OpenBSD firewall machine, not from the internal network.
Everything seems OK; can anybody spot the problem?

Thanks in advance
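An added note on the second ruleset, not part of the original post: in OpenBSD 4.8 pf the last matching pass rule wins, so for LAN traffic the two later `pass out on $ext_if ...` rules override the `pass out ... nat-to` rule and packets leave pppoe0 with their 192.168.0.x source address, while the firewall's own traffic needs no translation and therefore works. Moving the translation onto a `match` rule makes it stick regardless of which pass rule decides the packet; below is the posted ruleset with only that line changed (same macros and interfaces as the post, comments added):

```pf
ext_if="pppoe0"
int_if="xl1"

lan_ip1="192.168.0.2"
lan_ip2="192.168.0.3"
lan_ip3="192.168.0.12"
lan_net="192.168.0.0/24"
port1="50301"
port2="6885"
port3="48000"

set skip on lo
set block-policy return

match on $ext_if scrub (max-mss 1440)

# Translation on a match rule: it is applied to every packet the rule
# matches and is kept even when a later pass rule is the one that wins.
match out on $ext_if from !($ext_if) to any nat-to ($ext_if)

block all

antispoof quick for $int_if inet

pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net

# These pass rules still decide whether the packet leaves pppoe0; they no
# longer discard the translation, because nat-to is not tied to them.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Rules for the Vuze BitTorrent client (192.168.0.2), kept as posted;
# the redirected packet is then passed by the "pass out on $int_if" rule.
pass in on $ext_if proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if proto udp from any to any port $port1 rdr-to $lan_ip1
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. A connection from a LAN host should then appear in `pfctl -ss` with the pppoe0 address shown as the translated source.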