PF on OpenBSD54, VM
Greetings to all,
I am a complete newbie at OpenBSD and it's my first time posting in this forum. I do read a lot of IT books and the one I am reading at the moment is on OpenBSD (Absolute OpenBSD, by Michael W. Lucas). I did not study IT and do not have a job in IT. I am just passionate about technology (networking and security in particular) and try to get by by documenting myself as much as I can. I am also very curious and like to know how things work (which can be cumbersome sometimes).

Anyway, I hesitated a while before posting on the forum as I do not have a technical issue (everything is working to my satisfaction) but more a comprehension question about PF in a virtual environment. I do not wish to waste anyone's time, so feel free to tell me to bug off if you believe that my setup is just crap. The setup I have is not a production setup; it is just a personal project in order to be more secure on the internet. This setup is also intended for the mobility realm, i.e. laptops.

I am using OpenBSD 5.4 in VMware 10. The host is Windows 8.1. I have two NICs installed in my virtual machine, em0 and em1, and I am doing NAT with static IP addresses for em0 and em1. I chose NAT for security and practicality: outside access seems to be less likely to the VM, and there is no need to deal with DHCP as NAT handles everything with static IP addresses. This project is intended for mobile computing such as laptops, so NAT avoids having to deal with all the different (exotic) router setups out there.

For my internal setup in the OpenBSD server, I have my own internal DNS server running. I am using unbound and NSD combined, so in short the internal DNS server is authoritative, validating, recursive and caching. I have added the Squid proxy for security reasons, and I am doing caching through Squid as well; this helps a lot with the small bandwidth. Everything there is working great. Finally, I added PF in the internal server.

em0: 192.168.126.134/24 (NAT)
em1: 192.168.178.128/24 (Host Only)

Code:
################ My Rules #######################
## Variables ##
ExtNic = "em0"
# ( em0 ) means "whatever address em0 currently has"; the parser tokenises
# on the parentheses, so the extra spaces inside them are harmless
ExtIp = "( " $ExtNic " )"
# holds an interface name, not an address, and is not used by the rules below
IntIp = "em1"

## Gather Stats for main interface ##
set loginterface em0

## Ignore loopback ##
set skip on lo

## Normalisation ##
# scrub in all
# (the standalone scrub rule no longer exists since OpenBSD 4.6; the
# equivalent is "match in all scrub (no-df)")

## Default is deny ##
block log all

## Outgoing traffic ##
# "keep state" is the default for pass rules since OpenBSD 4.1
pass out on $ExtNic proto { tcp, udp } from $ExtIp to any keep state

## Allow ICMP ##
# no interface given, so this passes ICMP in and out on every interface
pass proto icmp all

## Allow DNS ##
pass in on $ExtNic proto { tcp, udp } from any to $ExtIp port { 53, 4952 } keep state
pass out on $ExtNic proto { tcp, udp } from $ExtIp to any port { 53, 4952 } keep state

## Allow SQUID ##
pass in on $ExtNic proto { tcp, udp } from any to $ExtIp port 8080 keep state
pass out on $ExtNic proto { tcp, udp } from $ExtIp to any port 8080 keep state

## Allow SSH ##
pass in on $ExtNic proto tcp from any to $ExtIp port 22 keep state
pass out on $ExtNic proto tcp from $ExtIp to any port 22 keep state

## Bridge em0 with em1
# this is NAT rather than a bridge: packets from the em1 network are
# rewritten to em0's address as they leave em0. Note that no rule above
# passes packets in on em1, so with "block log all" only ICMP (from the
# "pass proto icmp all" rule) ever gets from the host-only side to this rule.
pass out on em0 from em1:network to any nat-to (em0)
################ End of My Rules #################

Code:
#anchor "relayd/*"
block           # block stateless traffic
pass            # establish keep-state
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

I have bridged em0 with em1 and it is performing NAT, so all traffic seems to be coming from em0. This setup is working well, but the real question is: is it really useful for the intended purpose? When I monitor em0 for traffic (# tcpdump -netttti em0), I see traffic from the VM gateway (192.168.126.0/24) to em0 showing my connection through SSH (PuTTY) from my host (192.168.188.20), and that is it. How could I have all network traffic diverted to PF (the OpenBSD VM) from the host (Windows)? Would it be possible for PF to handle traffic from DNS (unbound and NSD) and Squid? I doubt it, but in case there is a way, that would be nice.

PS: I checked Squid and unbound and I have no issue with caching.

I hope I did not lack clarity; being a newbie, it is sometimes difficult to express my train of thought in clear and concise IT jargon.

Kind Regards,
zongo saiba

Last edited by ocicat; 18th December 2013 at 01:11 PM. Reason: Please use [code] & [/code] tags when posting textfile output.
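To make the question about diverting the host's traffic concrete, here is an added example ruleset (an editor's illustration of the standard OpenBSD gateway pattern; it is not the poster's configuration and not taken from the thread's replies). Two things have to be true before any host traffic shows up on em0: the Windows host must route through em1's address (192.168.178.128, from the post) rather than through VMware's own NAT device, and the ruleset must pass packets in on em1, because the posted ruleset has a nat-to rule out on em0 but no pass rule in on em1, so with block log all the host-only side never reaches the NAT rule. The interface addresses and the Squid (8080) and DNS (53) ports are the ones given in the post; that unbound listens on 192.168.178.128, the SSH and ICMP choices, and the rdr-to of the host's DNS are assumptions for the example.

```pf
# Added example for OpenBSD 5.4 (editor's illustration, not the poster's
# ruleset): make the OpenBSD VM a NAT gateway for the Windows host on the
# host-only network behind em1. Addresses and the Squid/DNS ports are the
# ones given in the post; everything else is assumed for illustration.

ext_if = "em0"                    # VMware NAT side, 192.168.126.134
int_if = "em1"                    # VMware host-only side
int_addr = "192.168.178.128"      # em1's address (from the post)
vm_services = "{ 22 53 8080 }"    # ssh, unbound, squid (assumed to listen on em1)

set skip on lo
set loginterface $ext_if

# Normalisation: since OpenBSD 4.6 scrub is an option on match/pass,
# not a standalone rule.
match in all scrub (no-df)

# Translate the host-only network to em0's current address on the way out.
# A match rule only records the translation in the state; the pass rules
# below still decide whether the packet is allowed at all.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Default deny, logged to pflog0 so dropped packets can be watched with tcpdump.
block log all

# Host-only side. Without a "pass in on $int_if" rule the default block drops
# the host's packets before the nat-to match rule is ever reached.
# 1) the host may reach the VM's own services and ping it
pass in on $int_if inet proto { tcp udp } from $int_if:network to $int_addr port $vm_services
pass in on $int_if inet proto icmp from $int_if:network to $int_addr
# 2) anything not addressed to the VM itself is forwarded (and NATed above)
pass in on $int_if inet from $int_if:network to ! $int_addr

# Force the host's DNS to the VM's unbound regardless of what the host has
# configured (assumes unbound listens on $int_addr). The last matching rule
# wins, so this overrides the forwarding rule for port 53 only.
pass in on $int_if inet proto { tcp udp } from $int_if:network to any port 53 rdr-to $int_addr port 53

# External side: the VM's own traffic and the translated host traffic leave
# through em0; return packets are matched by the states created above.
pass out on $ext_if inet

# Inbound on em0: only SSH to the VM itself; everything else stays blocked.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22
```

Check the syntax with pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, enable forwarding with sysctl net.inet.ip.forwarding=1 (persist it in /etc/sysctl.conf), and set the host's default gateway, or only the routes that should be inspected, to 192.168.178.128. After that, tcpdump -n -e -ttt -i pflog0 shows every packet the block log rule drops, and pfctl -ss lists the states created for the forwarded and redirected flows. PF sees the packets that enter and leave unbound and Squid but does not look inside them; the same rdr-to pattern can push the host's port 80 traffic into Squid only if Squid is configured for interception (http_port ... intercept in Squid 3.1 and later).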
Hello, and welcome!
It was not clear to me what you meant by this:
Hope that helps
__________________
"If 386BSD had been available when I started on Linux, Linux would probably never had happened." --Linus Torvalds