Configuring PF for NAT
I'm trying to set up pf on OpenBSD 5.1 to act as a router, but am having some trouble.
I have two network interfaces:
- urtw0 (internet)
- em0 (trusted internal network)

I want to route all traffic from the em0 network to the internet, and allow SSH connections from em0 to sshd on the OpenBSD box. All other ports should be closed. My pf.conf looks like this:

Code:
block in
pass out on egress from em0:network to any nat-to (egress)
pass in on em0 proto tcp to self port 22

But with these rules, I can't get to the internet from em0. If I change the last rule in pf.conf to:

Code:
pass in on em0

...then it works fine. I don't know much about pf (I'm more of an iptables person), but it looks like I need to actually open the ports I want to route. I don't want to open all ports on em0 - I only want port 22 to be open. How can I do this?

Thanks!
This is the pf.conf I am using on my OpenBSD firewall. Although it does not match your specifications exactly, it will give you a start.
Code:
# pf.conf for UPC
services = "{ imaps, pop3, pop3s, domain, submission, www, cddb, 8080, https, \
              whois, ssh, telnet, rsync, ftp, 5999, 6667, 1022, 5050 }"

set skip on lo0

# ---- external/egress interface
# "on egress" limits the translation to the external interface; the parentheses
# make pf follow xl0's DHCP-assigned address instead of fixing it at load time.
match out on egress inet from !(egress) to any nat-to (egress)

# --- anchor for misc purposes, like temporarily allowing outgoing ftp from firewall itself
anchor "TMP"

# --- allow outgoing TCP
pass out quick on egress inet proto tcp from any to any port $services label "$nr:$proto:$dstport"
pass out quick log on egress inet proto tcp from any to any port smtp label "$nr:$proto:SMTP"

# --- ftp-proxy tags the ftp data connection packets. See /etc/rc.conf.local
# pass out quick on egress inet tagged FTP_DATA label "$nr:$proto:FTP_DATA"

# --- allow outgoing UDP
pass out quick on egress inet proto udp from any to any port domain keep state label "$nr:$proto:DOMAIN"
pass out quick on egress inet proto udp from any to any port ntp keep state label "$nr:$proto:NTP"

# --- allow outgoing ICMP
# ping and 'traceroute -P icmp'
pass out quick on egress inet proto icmp from any to any icmp-type echoreq keep state label "$nr:$proto:ICMP"

# ---- internal network interface
anchor "ftp-proxy/*"
pass in quick on internal inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass quick on internal inet

# ---- default block
block log all label BLOCKED

Code:
# cat /etc/hostname.xl0
dhcp
# cat /etc/hostname.xl1
inet 192.168.222.10 255.255.255.0 NONE group internal
inet alias 192.168.222.11 255.255.255.255

Code:
# grep ftp /etc/rc.conf.local
ftpproxy_flags="-T FTP_DATA"
# grep forward /etc/sysctl.conf
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1       # 1=Permit forwarding (routing) of IPv4 multicast packets
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Thanks for the replies.
Correct me if I'm wrong, but wouldn't this rule in your example file simply allow all traffic on the internal interface?

Code:
pass quick on internal inet
Sorry, I probably didn't use very clear terminology. By listening, I meant listening and potentially accepting connections on running services.
For example, if I were setting up a router using iptables, I would configure the INPUT chain to drop all incoming connections, then set the POSTROUTING chain to do NAT between the private and Internet interfaces. Thus, the router would not accept connections on any port, even if there was a service running (e.g. httpd).

However, what I've gathered so far is that I can't do this with pf. If I want to use NAT to give Internet access to hosts on my internal network, I also need to expose any service that might be running on the router to the internal network.

I'm more concerned about this from a security perspective (best practices - no need to potentially expose services that I'm not using), not performance. If this is the case and it's how pf works then that's fine - I just want to be clear that this is how it's intended to work, and there's not some setting that I'm missing.

Thanks
All traffic is inspected for rule matching -- to an extent. There is optimization, of course. If PF does not need to inspect, it does not. As when stateful traffic is passed, matching traffic is not inspected again while the state remains established.

Yes, you can configure PF so that your em0 traffic is blocked from services on the router. Let's look at this example:

Code:
# Everything arriving from em0 is allowed in ...
pass in on em0 proto { tcp udp icmp } to any
# ... except traffic addressed to the gateway's own addresses. pf uses the
# last matching rule, so this later block overrides the pass above for "self".
block in on em0 to self

While you may or may not be able to do exactly the same sorts of filtering with each tool ... if I understood this use case, yes, you can easily prevent em0 traffic from reaching any services on the gateway other than SSH, while still permitting unfettered access to the Internet.

---

Unrelated to your question, but ... a thought on best practices: You do not trust the platforms on em0 to permit them access to services on your gateway. Are any of the machines on em0 Windows platforms? I ask, because you are granting em0 unfettered outbound access to the Internet. If this were my network, and there were Windows platforms on em0, I would want to control traffic to ports 25 and 587 to prevent spambots, and I would want control of unsolicited outbound TCP and UDP traffic on non-standard ports, in order to limit access to bot C&C servers. That won't stop C&C to bot servers that use standard ports, of course.

Last edited by jggimi; 13th August 2012 at 01:00 PM. Reason: clarity
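A complete ruleset for the setup in the original question, written as an added example for this thread (it is not jggimi's or the original poster's configuration). It assumes the interface names from the question: urtw0 carries the default route and is therefore in the egress group, em0 is the LAN. It uses the last-match behaviour described above: a general pass for the LAN, then a block for anything addressed to the gateway itself, then a narrower pass that re-opens only SSH.

```pf
# /etc/pf.conf -- added example for this thread, not code from the original posts.
# Assumes: urtw0 has the default route (so it is in the "egress" group; check
#          with "ifconfig egress"), em0 is the trusted LAN.
lan_if = "em0"

set skip on lo0

# Drop packets arriving on em0 whose source is not em0's own subnet.
antispoof quick for $lan_if inet

# Translate LAN traffic leaving the Internet interface to that interface's
# address. The parentheses keep the address current across DHCP lease changes.
match out on egress inet from ($lan_if:network) to any nat-to (egress)

# Default deny, logged to pflog0 (watch with: tcpdump -n -e -ttt -i pflog0).
block log all

# 1. LAN hosts may send anything in on em0 ...
pass in on $lan_if inet from ($lan_if:network) to any
# 2. ... except to the gateway's own addresses (em0 and urtw0 alike).
#    Later rules win, so this overrides rule 1 for traffic addressed to "self";
#    a bare "pass in on em0" with nothing after it exposes every local service.
block in on $lan_if inet from any to self
# 3. ... with SSH to the gateway as the only exception.
pass in on $lan_if inet proto tcp from ($lan_if:network) to self port ssh

# Forwarded LAN traffic and the gateway's own traffic may leave on urtw0.
# Nothing unsolicited is accepted inbound from the Internet: only "block log all"
# matches there, and replies to outbound connections come back via state.
pass out on egress inet

# Let the gateway answer on em0 (the SSH session above) and reach LAN hosts.
pass out on $lan_if inet
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`, and make sure `net.inet.ip.forwarding=1` is set as shown in the earlier post, or nothing will be routed regardless of the rules. From a LAN host, an SSH login to the gateway should succeed while a connection to any other port on it (for example `nc -zv <gateway> 80`) times out and shows up on pflog0; `pfctl -vsr` shows per-rule hit counters for confirming which rule matched. Because every rule is `inet` only, IPv6 is dropped entirely by the default block, which is fine for the "all other ports closed" requirement but worth knowing if IPv6 is ever enabled on the LAN.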
Actually, I intended to change to filtering on the internal interface, label the allowed traffic with a tag, and only pass out the tagged traffic on the external interface. I just did not find the time to do it.
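The design sketched in this reply, filtering on the inside interface, tagging what is allowed, and letting only tagged packets out on the external interface, as an added example for this thread (not the poster's own pf.conf). It also picks up jggimi's earlier point about restricting outbound SMTP and submission from LAN hosts. Interface names are taken from the original question; the mail host address 192.168.1.5 and the port lists are constructed for the example.

```pf
# Added example for this thread, not the poster's own pf.conf.
# Assumes em0 = LAN and urtw0 = Internet (in the "egress" group). 192.168.1.5 is a
# constructed address for the one LAN host allowed to send mail directly.
lan_if    = "em0"
mail_host = "192.168.1.5"
lan_tcp   = "{ domain, www, https, ssh, imaps, pop3s }"
lan_udp   = "{ domain, ntp }"

set skip on lo0

# Tag the gateway's own outbound packets BEFORE the nat-to rule: at this point
# forwarded LAN packets still carry their private source address, so only
# traffic the gateway itself originated matches "from (egress)".
match out on egress inet from (egress) to any tag GW_OWN
match out on egress inet from ($lan_if:network) to any nat-to (egress)

block log all

# ---- inside: decide here what the LAN may do, and tag every permitted flow
pass in on $lan_if inet proto tcp  from ($lan_if:network) to ! self port $lan_tcp tag LAN_OK
pass in on $lan_if inet proto udp  from ($lan_if:network) to ! self port $lan_udp tag LAN_OK
pass in on $lan_if inet proto icmp from ($lan_if:network) to ! self icmp-type echoreq tag LAN_OK
# SMTP and submission: logged and dropped for the LAN at large (spambot control),
# then re-allowed for the designated mail host. Later rules win.
block in log on $lan_if inet proto tcp from ($lan_if:network) to ! self port { smtp, submission } label SMTP_BLOCKED
pass in on $lan_if inet proto tcp from $mail_host to ! self port { smtp, submission } tag LAN_OK
# The gateway itself: SSH only.
pass in on $lan_if inet proto tcp from ($lan_if:network) to self port ssh

# ---- outside: only tagged packets leave. A forwarded packet that gets here
# without a LAN_OK tag (say, after a careless edit of the inside rules) is
# logged by "block log all" instead of being translated and sent.
pass out on egress inet tagged LAN_OK
pass out on egress inet tagged GW_OWN
pass out on $lan_if inet
```

The tag set by an inbound rule on em0 stays with the packet while it is forwarded, which is what lets the outbound rule on egress check it. The GW_OWN match must come before the nat-to match: once translation has been applied, forwarded packets also carry the egress address, and a `from (egress)` test on the outside could no longer tell the gateway's own traffic apart from NATed LAN traffic. `pfctl -vsr` on the SMTP_BLOCKED rule shows how often a LAN host other than the mail relay tried to speak SMTP directly.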