Setting up an OpenBSD firewall
Hi,
I want to set up an OpenBSD 4.8 firewall to protect my home internal network and split my internet connection using NAT. Here is my working pf.conf:
Code:
ext_if="pppoe0"
int_if="xl1"
lan_ip1="192.168.0.2"
lan_ip2="192.168.0.3"
lan_ip3="192.168.0.12"
port1="50301"
port2="6885"
port3="48000"

set skip on lo
set block-policy return

match on pppoe0 scrub (max-mss 1440)

pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)

# Rules for Vuze bittorrent client (192.168.0.2):
pass in on $ext_if proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if proto udp from any to any port $port1 rdr-to $lan_ip1
Code:
ext_if="pppoe0"
int_if="xl1"
lan_ip1="192.168.0.2"
lan_ip2="192.168.0.3"
lan_ip3="192.168.0.12"
lan_net="192.168.0.0/24"
port1="50301"
port2="6885"
port3="48000"

set skip on lo
set block-policy return

match on pppoe0 scrub (max-mss 1440)

pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)

block all
antispoof quick for $int_if inet

pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Rules for Vuze bittorrent client (192.168.0.2):
pass in on $ext_if proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if proto udp from any to any port $port1 rdr-to $lan_ip1
Everything seems ok, can anybody spot the problem? Thanks in advance
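Added note and example, not part of the thread (my reading of the two rulesets above; the corrected ruleset below is mine, not the poster's): pf evaluates the ruleset top to bottom and, unless a rule carries quick, the last rule that matches a packet decides what happens to it, and a nat-to on a pass rule is only applied when that pass rule is the final match. In the second ruleset an outbound LAN packet on pppoe0 matches the pass out ... nat-to rule, then block all, then pass out on $ext_if proto tcp all modulate state (or the udp/icmp rule), and the last of these wins, so the packet is passed untranslated and leaves pppoe0 with its 192.168.0.x source address. The first ruleset has no later pass out rules, which is why it works. The OpenBSD 4.7+ way is to put nat-to on a match rule, which applies the translation to whichever pass rule finally matches, and keep the pass rules for policy only:

```pf
ext_if="pppoe0"
int_if="xl1"
lan_net="192.168.0.0/24"
lan_ip1="192.168.0.2"
port1="50301"

set skip on lo
set block-policy return

# MSS clamp for the PPPoE link, unchanged from the post
match on $ext_if scrub (max-mss 1440)

# NAT as a match rule: the translation sticks to whichever pass rule ends up
# matching the packet, so a later pass out rule cannot "un-NAT" LAN traffic.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny; log so blocked packets show up on pflog0
block log all
antispoof quick for $int_if inet

# LAN side: let the LAN out, let replies and redirected traffic back in
pass in on $int_if inet from $lan_net to any
pass out on $int_if inet from any to $lan_net

# Internet side: outbound only (these rules no longer need nat-to)
pass out on $ext_if inet proto tcp from any to any modulate state flags S/SA
pass out on $ext_if inet proto { udp, icmp } from any to any keep state

# Vuze on 192.168.0.2: redirect the inbound port and pass it in one rule
pass in on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $port1 rdr-to $lan_ip1
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. Afterwards pfctl -ss should list the LAN connections with the translated address and the original 192.168.0.x address in parentheses, and pfctl -vvsr prints the rule numbers that pflog output refers to. Forwarding must also be on: net.inet.ip.forwarding=1 in /etc/sysctl.conf (sysctl net.inet.ip.forwarding=1 enables it without a reboot).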
Be sure you have ip.net.forwarding=1 in your /etc/sysctl.conf
Here is a sample of a 4.7 ruleset: http://mouedine.net/ruleset47.aspx It is compatible with 4.8 RELEASE.
Use block log all to direct the blocked packets to the pflog0 interface.
Run tcpdump on pflog0 to view what is being blocked. Code:
# tcpdump -eni pflog0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
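Added example, not from the thread: once block log all is in place the tcpdump lines from pflog0 pile up fast, so this small sh/awk filter (mine, fed with a constructed sample of tcpdump -eni pflog0 output rather than anything captured from the poster's firewall) counts them by action, direction, interface, rule number and destination port, most frequent first, so the rule that is eating the traffic stands out. The rule number is the one pfctl -vvsr prints for the loaded ruleset.

```shell
#!/bin/sh
# Summarise pf log lines (output of "tcpdump -eni pflog0") read on stdin.
# Prints one line per (action, direction, interface, rule, destination port),
# most frequent first. IPv4 only; ICMP lines carry no port and are shown as "-".

pflog_summary() {
    awk '
    $2 == "rule" {
        rule = $3; sub(/\/.*/, "", rule)          # "1/(match)" -> "1"
        action = $4                               # block or pass
        dir = $5                                  # in or out
        iface = $7; sub(/:$/, "", iface)          # "pppoe0:" -> "pppoe0"
        dst = $10; sub(/:$/, "", dst)             # "198.51.100.7.22:" -> "198.51.100.7.22"
        n = split(dst, a, ".")
        port = (n == 5) ? a[5] : "-"              # host.port has 5 dotted parts
        key = action " " dir " on " iface " rule " rule " dport " port
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample in the shape tcpdump prints for pflog0 with -e and -n
# (assumed format, not captured from the poster's box): two SYNs to port 22,
# one to port 23, one ICMP echo, all dropped by rule 1 on pppoe0, and one
# DNS query from the LAN dropped by rule 3 on xl1.
SAMPLE_PFLOG='12:00:01.000001 rule 1/(match) block in on pppoe0: 203.0.113.5.4444 > 198.51.100.7.22: S 1:1(0) win 65535
12:00:02.000002 rule 1/(match) block in on pppoe0: 203.0.113.9.5555 > 198.51.100.7.22: S 2:2(0) win 65535
12:00:03.000003 rule 1/(match) block in on pppoe0: 203.0.113.5.4445 > 198.51.100.7.23: S 3:3(0) win 65535
12:00:04.000004 rule 1/(match) block in on pppoe0: 203.0.113.5 > 198.51.100.7: icmp: echo request
12:00:05.000005 rule 3/(match) block in on xl1: 192.168.0.12.1025 > 192.168.0.1.53: udp 32'

# Live use on the firewall: tcpdump -eni pflog0 -c 500 | pflog_summary
# Here the constructed sample is fed through instead.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
```

Because the counts are keyed on the rule number, a sudden pile of hits on the block log all rule for a destination port you expected to pass usually means the pass rule for it is above a later rule that also matches (last match wins), or that it never matched at all.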