DaemonForums  

7th December 2010
Monkey
Setting up an OpenBSD firewall

Hi,

I want to set up an OpenBSD 4.8 firewall to protect my home internal network and split my internet connection using NAT. Here is my working pf.conf:

Code:
ext_if="pppoe0"
int_if="xl1"

lan_ip1="192.168.0.2"
lan_ip2="192.168.0.3"
lan_ip3="192.168.0.12"
port1="50301"
port2="6885"
port3="48000"

set skip on lo
set block-policy return

match on pppoe0 scrub (max-mss 1440)

pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)

#Rules for Vuze bittorent client (192.168.0.2):
pass in on $ext_if proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if proto udp from any to any port $port1 rdr-to $lan_ip1
The NAT is working fine, I have access to the internet from the internal network, but there is no protection against attacks from the internet. To secure it all I added the following rules:
Code:
ext_if="pppoe0"
int_if="xl1"

lan_ip1="192.168.0.2"
lan_ip2="192.168.0.3"
lan_ip3="192.168.0.12"
lan_net="192.168.0.0/24"
port1="50301"
port2="6885"
port3="48000"

set skip on lo
set block-policy return

match on pppoe0 scrub (max-mss 1440)

pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)

block all

antispoof quick for $int_if inet

pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

#Rules for Vuze bittorent client (192.168.0.2):
pass in on $ext_if proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if proto udp from any to any port $port1 rdr-to $lan_ip1
With that I have access to the internet only on the OpenBSD firewall machine, not from the internal network.
Everything seems OK; can anybody spot the problem?

Thanks in advance