OpenBSD General: Other questions regarding OpenBSD which do not fit in any of the categories below.
Help with pf rules
I'm using an old computer to build a home router and this is what I have come up with so far for the pf rules. The external interface is set to a static IP from my ISP and the internal is on 192.168.2.0/24. I want to NAT everything through the one IP, block all incoming except ssh for now, and limit outbound connections to specific ports/protocols. I also want the firewall to just affect the external zone and not firewall communication between computers on the internal network. Is this a good setup?
Code:
########
# Devices
########
Loopback = "lo0"
IntIF = "sk0"
ExtIF = "xl0"

#############
# Macros & Lists
#############
OB_ports = "{ 20 21 22 25 53 80 110 115 123 143 389 443 445 464 465 531 636 989 990 995 }"
OB_proto = "{ udp tcp icmp }"
IB_ports = "{ 22 }"
IB_proto = "{ tcp }"

##########
# NAT Rules
##########
nat on $ExtIF from $IntIF/24 to any -> $ExtIF

############
# Firewall Rules
############
set skip on $Loopback
block all
antispoof quick for $ExtIF
# "all" follows the "on interface" clause in scrub syntax
scrub in on $ExtIF all no-df random-id

# Allow all internal-internal traffic
pass quick on $IntIF from $IntIF/24 to $IntIF/24

# Allowed Outbound
pass out quick on $IntIF proto $OB_proto from $IntIF/24 to any port $OB_ports

# Allowed Inbound
pass in log quick on $ExtIF proto $IB_proto from any to $ExtIF port $IB_ports flags S/SA
You have your directions mixed up. To understand how pf sees the in and out directions, place yourself (a little imagination is needed) inside this diagram at the place marked PF.
Code:
    IN           OUT
     |           /|\
     |          / | \
     |            |
     |            |
   \ | /          |
    \|/           |
 ----|------------|----------
     |            |    external interface
     |           /|\
     |          / | \
     |            |
     |     PF     |
     |            |
   \ | /          |
    \|/           |
     |            |    internal interface
 ----|------------|----------
     |           /|\
     |          / | \
     |            |
   \ | /          |
    \|/           |
    OUT           IN
So this rule has to be adjusted: Quote:
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Also, for future maintenance, I suggest replacing the port numbers with service names.
22 ==> ssh
25 ==> smtp
53 ==> domain
etc...
__________________
That's nothing a couple o' pints wouldn't fix. Last edited by marcolino; 15th January 2009 at 06:15 PM. Reason: Spelling error
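The ruleset from the question, rewritten with the in/out directions arranged as the diagram above describes and with service names in place of port numbers as suggested in the reply just before. This is an added example, not code posted by anyone in the thread: the interface names sk0/xl0 and the port list are taken from the question; the separate TCP/UDP lists, the narrower UDP list and the explicit out rules on the external interface are my own choices, and the service names are assumed to be present in /etc/services on the router.

```pf
# Added example, not code from the thread: the original ruleset with the
# directions pf actually sees and with service names instead of numbers.
# Interface names and the port list come from the question; splitting UDP
# from TCP and the explicit out rules on the external side are additions.

########
# Devices
########
loopback = "lo0"
int_if   = "sk0"    # LAN side, 192.168.2.0/24
ext_if   = "xl0"    # ISP side, static address

#################
# Macros & Lists
#################
# Names are resolved through /etc/services when the file is loaded; a name
# that is missing there makes pfctl reject the whole ruleset, so the parse
# check (pfctl -nf) reports it before anything is installed. Ports with no
# well-known name on this system are left numeric.
ob_tcp = "{ ftp-data ftp ssh smtp domain www pop3 115 ntp imap ldap https \
            microsoft-ds 464 465 531 ldaps 989 ftps pop3s }"
# Narrower than the original list: these are the only UDP services the LAN
# clients need from it (DNS and time).
ob_udp = "{ domain ntp }"
ib_tcp = "{ ssh }"

##########
# NAT Rules
##########
# ($ext_if) in parentheses is read at run time, so a changed ISP address does
# not require a ruleset reload; :network expands to the interface's subnet.
nat on $ext_if from $int_if:network to any -> ($ext_if)

################
# Firewall Rules
################
set skip on $loopback
scrub in on $ext_if all no-df random-id
block all
antispoof quick for $ext_if

# LAN-to-LAN packets normally never reach the router at all (the switch
# carries them); this rule only matters if the router forwards between
# hosts on the internal side.
pass quick on $int_if from $int_if:network to $int_if:network

# Outbound, step 1: packets from the LAN arrive IN on the internal interface.
# The original "pass out on $IntIF" never matches forwarded traffic, because
# those packets leave the router on the external interface, not this one.
pass in quick on $int_if proto tcp from $int_if:network to any port $ob_tcp
pass in quick on $int_if proto udp from $int_if:network to any port $ob_udp
pass in quick on $int_if inet proto icmp from $int_if:network to any

# Outbound, step 2: the same packets, now translated, leave OUT on the
# external interface. State entries float across interfaces by default, but
# spelling the out rules out keeps the policy readable and explicit.
pass out quick on $ext_if proto tcp from ($ext_if) to any port $ob_tcp
pass out quick on $ext_if proto udp from ($ext_if) to any port $ob_udp
pass out quick on $ext_if inet proto icmp from ($ext_if) to any

# Inbound: only ssh to the router itself, logged to pflog0
pass in log quick on $ext_if proto tcp from any to ($ext_if) port $ib_tcp flags S/SA
```

Check the file without installing it with `pfctl -nf /etc/pf.conf` (this is where an unknown service name or a misplaced keyword shows up), load it with `pfctl -f /etc/pf.conf`, and watch what the logging rule sees with `tcpdump -n -e -ttt -i pflog0`. Port lists only apply to TCP and UDP, which is why ICMP gets its own rules rather than sharing the port macro as in the original.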
Got it working now, thanks for the help!