OpenBSD Security: Functionally paranoid!
Migrating from iptables to pf, a love story
Hello everybody, I'm a network admin in a small company. I'm in charge of modernizing the firewalls, two very old Linux boxes with iptables.
Now, I could just go and install some CentOS with iptables and relax with a cup of coffee while my boss looks on approvingly, or I could go with the new (for me) and sexy, powerful pf on OpenBSD that I fell in love with. I'm going for the second option. So, as part 1 of my plan I have been researching all I can on pf; as practice I installed OpenBSD on a small machine and tried to write my pf.conf. Once done, I tried to swap this small firewall we have that has NAT and forwards LDAP and port 8080 to two different machines, in preparation for the big changes. It doesn't work. I humbly ask for some guidance, as I kinda have a deadline for this of 2 weeks and I'm stuck.

The network is like this: the ISP router forwards all ports to the rl0 interface (192.168.0.9); then the nfe0 interface (192.168.200.151) goes to the servers' network.

I'll paste my pf.conf down here:
Code:
    set skip on lo

    # filter rules and anchor for ftp-proxy(8)
    anchor "ftp-proxy/*"
    pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

    # anchor for relayd(8)
    #anchor "relayd/*"

    pass            # to establish keep-state

    # By default, do not permit remote connections to X11
    block in on ! lo0 proto tcp to port 6000:6010

    #######MACROS########
    ext_if = "rl0"
    int_if = "nfe0"
    pub_ip = "6.6.6.6"
    IntNet = "{ 192.168.200.0/24, 192.168.122.0/24 }"
    server1 = "192.168.200.31"
    server2 = "192.168.122.103"

    ######PROTECTION####
    #antispoof log quick on $ext_if

    ######RULES########
    block all
    pass in on $int_if from $IntNet
    pass out on $int_if from $IntNet
    pass out on $ext_if from $int_if to any nat-to $ext_if
    pass in on $ext_if proto tcp from 6.6.6.6 port 389 rdr-to $server1 port 389
    pass in on $ext_if proto tcp from 6.6.6.6 port 8080 rdr-to $server2 port 8080

Last edited by Popelicious; 13th March 2013 at 10:52 AM.
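As an added illustration (not part of the original post or of any reply to it), here is a pf.conf for the topology the post describes, with the two rules that stop the posted ruleset from matching rewritten. Two pf semantics matter here: in an address position, a bare interface name such as `$int_if` expands to that interface's own addresses, not to the network behind it, so the posted `nat-to` rule only translated traffic sourced from 192.168.200.151; and `from 6.6.6.6 port 389` matches the packet's *source*, whereas a port-forward has to match the *destination*, which on rl0 is rl0's own address (192.168.0.9) because the ISP router has already forwarded the packet there. Interface names, addresses and server macros are taken from the post; `6.6.6.6` is the post's stand-in for the public address and is not needed in the rules.

```pf
# Added example: corrected port-forward/NAT ruleset for the post's topology.
# Assumed from the post: rl0 (192.168.0.9) faces the ISP router, which forwards
# all ports to it; nfe0 (192.168.200.151) faces the server networks.

ext_if  = "rl0"
int_if  = "nfe0"
IntNet  = "{ 192.168.200.0/24, 192.168.122.0/24 }"
server1 = "192.168.200.31"
server2 = "192.168.122.103"

set skip on lo

# Default deny; "log" sends each blocked packet to pflog0 so a failing
# forward shows up in tcpdump instead of silently disappearing.
block log all

# Hosts on the server networks may reach and traverse the firewall.
pass in  on $int_if from $IntNet
pass out on $int_if from $IntNet

# Outbound NAT for the server networks. The original "from $int_if" expanded
# to nfe0's own address only. ($ext_if) in parentheses re-evaluates rl0's
# address on every packet, so the rule survives an address change.
pass out on $ext_if inet from $IntNet to any nat-to ($ext_if)

# Port forwards. Match on the destination, i.e. rl0's address as rewritten
# by the ISP router, not on a source of 6.6.6.6:389. The state created by
# a "pass in ... rdr-to" rule is floating by default on OpenBSD, so the
# translated packet leaving on nfe0 is carried by that state and needs no
# extra outbound rule.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 389  rdr-to $server1 port 389
pass in on $ext_if inet proto tcp from any to ($ext_if) port 8080 rdr-to $server2 port 8080
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it, and after loading `pfctl -vsr` shows the per-rule packet counters, so a forward that still fails can be narrowed down to "rule never matched" versus "matched but no reply". Blocked packets are visible with `tcpdump -n -e -ttt -i pflog0`. One thing worth checking separately is that the firewall actually has a route to 192.168.122.0/24, since that network is not the one directly attached to nfe0.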