Old 5th February 2022
iacbsd
Port Guard
Join Date: Jul 2009
Posts: 16
pf.conf for a natted bridge.

Hello everyone, it's been a while since I have used OpenBSD, so bear with me. I am trying to set up a router bridging two network interfaces, em1 and em2, for the LAN, and em0 for the uplink to the cable modem.

Code:
hostname.em0:
dhcp

hostname.vether0:
inet 192.168.0.1 255.255.255.0 NONE

hostname.em1:
up

hostname.em2:
up

hostname.bridge0: 
add vether0
add em1
add em2
up
my pf.conf is:
Code:
lan = "vether0"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $lan }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
pass in on { $lan } inet
my dhcpd.conf
Code:
subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
        range 192.168.0.2 192.168.0.100;
}
rc.conf.local
Code:
dhcpd_flags=vether0
smtpd_flags=NO
sndiod_flags=NO
unbound_flags=
sysctl.conf
Code:
net.inet.ip.forwarding=1
unbound.conf
Code:
server:
        interface: 192.168.0.1
        interface: 127.0.0.1
        access-control: 192.168.0.0/24 allow
        do-not-query-localhost: no
        hide-identity: yes
        hide-version: yes
        prefetch: yes

forward-zone:
        name: "."
        forward-addr: 9.9.9.9  # IP of the preferred upstream resolver
        forward-addr: 149.112.112.112  # IP of secondary upstream resolver
I can replace vether0 everywhere with em1 and my router will NAT and pass traffic no problem, but when I try to use vether0 it doesn't work. Can someone please have a gander and let me know what I am missing when they are not busy? Thanks in advance!

Last edited by J65nko; 6th February 2022 at 02:22 AM. Reason: Added [code] and [/code] tags ;-)
Old 6th February 2022
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

Welcome back! It's been a long time.

I think that your antispoof rule is the problem, because it isn't designed for use with a bridge, it's designed for a single NIC per subnet. If you use # pfctl -sr you will see that the expansion of `antispoof for $lan` -- $lan = vether0 -- expands to something like this:
Code:
block drop in on ! vether0 inet from 192.168.0.1/24 to any
block drop in inet from 192.168.0.1 to any
The pf.conf(5) man page states:
Code:
     The antispoof directive expands to a set of filter rules which will block
     all traffic with a source IP from the network(s) directly connected to
     the specified interface(s) from entering the system through any other
     interface.
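To make the point above concrete, here is a small added Python model (not code from the thread or from OpenBSD) of how that antispoof directive expands and which inbound packets the expanded rules match. It assumes the thread's setup: $lan = vether0 carrying 192.168.0.1/24, with em1 and em2 as bridge members on that same subnet.

```python
import ipaddress

# Constructed from the thread: $lan = vether0 with 192.168.0.1/24 on the bridge.
LAN_IF = "vether0"
LAN_ADDR = "192.168.0.1/24"


def antispoof_expand(iface, cidr):
    """Rules that 'antispoof for <iface>' expands to, modelled on the
    pfctl -sr output quoted above: (1) block the interface's network
    entering on any OTHER interface, (2) block the interface's own address."""
    net = ipaddress.ip_interface(cidr)
    return [
        {"neg": True, "on": iface, "src": net.network},
        {"neg": False, "on": None, "src": ipaddress.ip_network(str(net.ip))},
    ]


def render(rule):
    """Print a rule the way pfctl -sr would show it."""
    on = "" if rule["on"] is None else f" on {'! ' if rule['neg'] else ''}{rule['on']}"
    src = rule["src"]
    src_txt = src.with_prefixlen if src.prefixlen < 32 else str(src.network_address)
    return f"block drop in{on} inet from {src_txt} to any"


def rule_matches(rule, in_iface, src):
    """Does an inbound packet (arrival interface, source IP) hit this rule?"""
    if ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["on"] is None:          # no 'on' clause: any interface
        return True
    if rule["neg"]:                 # 'on ! vether0': every interface but vether0
        return in_iface != rule["on"]
    return in_iface == rule["on"]


def antispoof_blocks(in_iface, src, iface=LAN_IF, cidr=LAN_ADDR):
    """True if the expanded antispoof rules would drop the packet."""
    return any(rule_matches(r, in_iface, src) for r in antispoof_expand(iface, cidr))


if __name__ == "__main__":
    for r in antispoof_expand(LAN_IF, LAN_ADDR):
        print(render(r))
    # A LAN host's packet physically enters the box on the bridge member em1,
    # not on vether0, so rule (1) drops it; the same packet seen on vether0 passes.
    print("em1     <- 192.168.0.50:", antispoof_blocks("em1", "192.168.0.50"))
    print("vether0 <- 192.168.0.50:", antispoof_blocks("vether0", "192.168.0.50"))
```

Running it shows that every LAN packet arriving on em1 or em2 falls under `block drop in on ! vether0`, which is why swapping vether0 for em1 in pf.conf makes the router work again.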
Old 6th February 2022
iacbsd
Port Guard
Join Date: Jul 2009
Posts: 16

Thanks jggimi, nice to hear from you again! Hope all is well with you! I am going back to the typing board, preciate it!