DaemonForums  

5th February 2022
iacbsd (Port Guard; Join Date: Jul 2009; Posts: 16)

pf.conf for a natted bridge.

Hello everyone, it's been a while since I have used OpenBSD, so bear with me. I am trying to set up a router bridging two network interfaces, em1 and em2, for the LAN, and em0 for the uplink to the cable modem.

Code:
hostname.em0:
dhcp

hostname.vether0:
inet 192.168.0.1 255.255.255.0 NONE

hostname.em1:
up

hostname.em2:
up

hostname.bridge0:
add vether0
add em1
add em2
up
My pf.conf is:
Code:
lan = "vether0"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $lan }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
pass in on { $lan } inet
My dhcpd.conf:
Code:
subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
        range 192.168.0.2 192.168.0.100;
}
rc.conf.local
Code:
dhcpd_flags=vether0
smtpd_flags=NO
sndiod_flags=NO
unbound_flags=
sysctl.conf
Code:
net.inet.ip.forwarding=1
unbound.conf
Code:
server:
        interface: 192.168.0.1
        interface: 127.0.0.1
        access-control: 192.168.0.0/24 allow
        do-not-query-localhost: no
        hide-identity: yes
        hide-version: yes
        prefetch: yes

forward-zone:
        name: "."
        forward-addr: 9.9.9.9  # IP of the preferred upstream resolver
        forward-addr: 149.112.112.112  # IP of secondary upstream resolver
I can replace vether0 everywhere with em1 and my router will NAT and pass traffic no problem, but when I try to use vether0 it doesn't work. Can someone please have a gander and let me know what I am missing when they are not busy? Thanks in advance!

Last edited by J65nko; 6th February 2022 at 02:22 AM. Reason: Added [code] and [/code] tags ;-)
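As an added example (not the poster's own code), the files quoted in the post cross-checked for consistency: every bridge0 member must have its own hostname.if, and dhcpd and unbound must agree with the address configured on the LAN interface. The file contents are constructed copies of those above, and the lan_if parameter is an assumption so the same check can be rerun after swapping vether0 for em1.

```python
import ipaddress
import re
# Constructed copies of the files quoted in the post (assumed to match the live system).
HOSTNAME_FILES = {"em0": "dhcp\n", "em1": "up\n", "em2": "up\n",
                  "vether0": "inet 192.168.0.1 255.255.255.0 NONE\n",
                  "bridge0": "add vether0\nadd em1\nadd em2\nup\n"}
DHCPD_CONF = """subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
}"""
UNBOUND_CONF = """server:
        interface: 192.168.0.1
        interface: 127.0.0.1
        access-control: 192.168.0.0/24 allow
"""
def bridge_members(text):
    """Interface names from the 'add <if>' lines of a hostname.bridgeN file."""
    return [m.group(1) for m in re.finditer(r"^\s*add\s+(.+?)\s*$", text, re.M)]
def inet_address(text):
    """The 'inet <addr> <mask>' line of a hostname.if file as an ip_interface, or None."""
    m = re.search(r"^\s*inet\s+(\S+)\s+(\S+)", text, re.M)
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}") if m else None
def check_config(hostname_files, dhcpd_conf, unbound_conf, lan_if="vether0"):
    """Return the inconsistencies found between the files; an empty list means they agree."""
    problems = []
    # Every bridge member needs its own hostname.if; a stray space in a name shows up here.
    for member in bridge_members(hostname_files.get("bridge0", "")):
        if member not in hostname_files:
            problems.append(f"bridge0 member {member!r} has no hostname.{member}")
    lan = inet_address(hostname_files.get(lan_if, ""))
    if lan is None:
        return problems + [f"{lan_if} carries no inet address"]
    # dhcpd must lease addresses in the LAN subnet and point clients at the router address.
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)", dhcpd_conf)
    subnet = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}") if m else None
    if subnet != lan.network:
        problems.append(f"dhcpd subnet {subnet} differs from {lan_if} network {lan.network}")
    for opt in ("routers", "domain-name-servers"):
        m = re.search(rf"option {opt}\s+([\d.]+);", dhcpd_conf)
        if not m or ipaddress.ip_address(m.group(1)) != lan.ip:
            problems.append(f"dhcpd option {opt} does not point at {lan.ip}")
    # unbound must listen on the router address and allow queries from the LAN subnet.
    if str(lan.ip) not in re.findall(r"^\s*interface:\s*(\S+)", unbound_conf, re.M):
        problems.append(f"unbound does not listen on {lan.ip}")
    allowed = re.findall(r"access-control:\s*(\S+)\s+allow", unbound_conf)
    if not any(lan.network.subnet_of(ipaddress.ip_network(a)) for a in allowed):
        problems.append(f"unbound access-control does not allow {lan.network}")
    return problems
```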