DaemonForums  

#1
14th January 2009
TerranAce007
Help with pf rules

I'm using an old computer to build a home router and this is what I have come up with so far for the pf rules. The external interface is set to a static IP from my ISP and the internal is 192.168.2.0/24. I want to NAT everything through the one IP, block all incoming except ssh for now, and limit outbound connections to specific ports/protocols. I also want the firewall to just affect the external zone and not firewall communication between computers on the internal network. Is this a good setup?

########
# Devices #
########
Loopback = "lo0"
IntIF = "sk0"
ExtIF = "xl0"

#############
# Macros & Lists #
#############
OB_ports = "{ 20 21 22 25 53 80 110 115 123 143 389 443 445 464 465 531 636 989 990 995 }"
OB_proto = "{ udp tcp icmp }"
IB_ports = "{ 22 }"
IB_proto = "{ tcp }"

##########
# Options #
##########
# pfctl (pre-4.7) loads sections in the order options, normalization,
# translation, filtering, so set skip has to come before the nat rule
set skip on $Loopback

##############
# Normalization #
##############
# "all" follows the "on" clause in a scrub rule
scrub in on $ExtIF all no-df random-id

##########
# NAT Rules #
##########
nat on $ExtIF from $IntIF/24 to any -> $ExtIF

############
# Firewall Rules #
############
block all
antispoof quick for $ExtIF

# Allow all internal-internal traffic
pass quick on $IntIF from $IntIF/24 to $IntIF/24

# Allowed Outbound
pass out quick on $IntIF proto $OB_proto from $IntIF/24 to any port $OB_ports

# Allowed Inbound
pass in log quick on $ExtIF proto $IB_proto from any to $ExtIF port $IB_ports flags S/SA

#2
15th January 2009
J65nko

You have your directions mixed up. To understand how pf sees the in and out directions, place yourself (a little imagination is needed) inside this diagram at the place marked PF.
Code:
         IN        OUT
                   
          |        /|\
          |       / | \
          |         |
          |         |
        \ | /       |
         \|/        |
----------|---------|----------
          |         |
        external interface
          |        /|\
          |       / | \
          |         |
          |   PF    |
          |         |
        \ | /       |
         \|/        |
        internal interface
          |         |
----------|---------|----------
          |        /|\
          |       / | \
          |         |
        \ | /       |
         \|/        |
         OUT       IN
  • External interface
    Incoming traffic on the external interface originates from the Internet.

    Outgoing packets on the external interface are either originated by the PF box itself, or by your local LAN (incoming on your internal NIC)
  • Internal interface
    Incoming packets on the internal interface are generated by your local LAN, and are destined either for the PF box itself, or have to go out from the external interface to the internet.

    Outgoing packets on the internal interface either originate locally from the PF box itself, or from the Internet, where they were incoming on the external NIC.

So this rule has to be adjusted:
Quote:
# Allowed Outbound
pass out quick on $IntIF proto $OB_proto from $IntIF/24 to any port $OB_ports
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#3
15th January 2009
marcolino

Quote:
Originally Posted by TerranAce007
# Allow all internal-internal traffic
pass quick on $IntIF from $IntIF/24 to $IntIF/24
Since traffic from one machine to another on the same network does not go through your router, this line is unnecessary.
Quote:
Originally Posted by TerranAce007
# Allowed Outbound
pass out quick on $IntIF proto $OB_proto from $IntIF/24 to any port $OB_ports

# Allowed Inbound
pass in log quick on $ExtIF proto $IB_proto from any to $ExtIF port $IB_ports flags S/SA
Add keep state to the end of these lines, after adjustment per J65nko's post above.
__________________
That's nothing a couple o' pints wouldn't fix.

#4
15th January 2009
marcolino

Also, for future maintenance, I suggest replacing the port numbers with service names.

22 ==> ssh
25 ==> smtp
53 ==> domain

etc...
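Putting the three replies together, here is a corrected version of the ruleset as an added example; it is not code from the thread. It keeps the original interface names and port list, uses the pre-4.7 OpenBSD syntax the thread was written against (a `nat on` rule, explicit `keep state`, and the mandatory section order options, normalization, translation, filtering), and assumes that the LAN should also be allowed to reach the router box itself, which the question implies but does not state. Three things pfctl rejects in the original file are fixed as well: `set skip` must come before the nat rule, `all` has to follow the `on` clause in the scrub rule, and `port` cannot be combined with `proto icmp`, so ICMP gets its own rule. Service names are resolved from /etc/services, and a name that is not listed there makes pfctl refuse the whole file, which is why the less common ports stay numeric.

```pf
# Devices (interface names as in the original post)
Loopback = "lo0"
IntIF    = "sk0"
ExtIF    = "xl0"

# Macros & Lists
# Names are looked up in /etc/services; a name missing there makes pfctl
# reject the whole file, so the less common ports are left numeric.
OB_ports = "{ ftp-data ftp ssh smtp domain www pop3 115 ntp imap ldap https 445 464 465 531 ldaps 989 990 pop3s }"
IB_ports = "{ ssh }"

# Options: a pre-4.7 pf.conf must be ordered options, normalization,
# translation, filtering, so set skip has to come before nat.
set skip on $Loopback

# Normalization: "all" (or from/to) follows the "on" clause
scrub in on $ExtIF all no-df random-id

# NAT: hide the whole LAN behind the static external address
nat on $ExtIF from $IntIF:network to any -> $ExtIF

# Filtering
block all
antispoof quick for $ExtIF

# LAN -> the router itself (ssh to the box, a local resolver, ...).
# Assumption: the internal side is trusted, as the question says.
pass in quick on $IntIF from $IntIF:network to $IntIF keep state

# LAN -> Internet, first half: the packet is "in" on the internal NIC.
# port cannot be combined with proto icmp, so ICMP gets its own rule.
pass in quick on $IntIF proto { tcp udp } from $IntIF:network to any \
    port $OB_ports keep state
pass in quick on $IntIF inet proto icmp from $IntIF:network to any \
    icmp-type echoreq keep state

# LAN -> Internet, second half: the same packet is "out" on the external
# NIC. nat has already rewritten the source to $ExtIF by the time this
# rule is evaluated, so match on that address; this also covers traffic
# the router itself originates.
pass out quick on $ExtIF proto { tcp udp } from $ExtIF to any \
    port $OB_ports keep state
pass out quick on $ExtIF inet proto icmp from $ExtIF to any \
    icmp-type echoreq keep state

# Internet -> router: only ssh, logged, new connections only. The reply
# packets going back out on $ExtIF are matched by the state, not by a rule.
pass in log quick on $ExtIF proto tcp from any to $ExtIF \
    port $IB_ports flags S/SA keep state
```

Check it with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` prints the expanded rules, and because the ssh rule is logged, `tcpdump -n -e -ttt -i pflog0` shows what is being blocked or let in on the external side. On OpenBSD 4.1 and later `keep state` and `flags S/SA` are already the defaults for pass rules, so writing them out as the thread suggests is harmless but not required.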
#5
16th January 2009
TerranAce007

Got it working now, thanks for the help!