Hello misc! My OpenBSD file server just became a router too (after getting a new internet connection where the provider does not include a router in the subscription).
This led to my first experiences with pf. After some work I came up with what's below. It works as I want it to work, but I wonder if there is a way to create a rule where incoming traffic to the internal NIC (re0) is passed if it is targeted for em0 (external, internet NIC)? The current solution would require an update of the "pass in on re0 to !re0:network" rule if another NIC is added (let's say a DMZ).

set skip on lo0

# Block everything everywhere by default
block log all

# NAT local network to external
match out on em0 inet from re0:network nat-to (em0)

# Allow all outgoing traffic
pass out on {em0, re0}

# Allow only specific services on this machine to be accessed from
# local network
pass in on re0 inet proto tcp to port ssh    # ssh
pass in on re0 inet proto icmp               # icmp
pass in on re0 inet proto tcp to port 445    # samba

#pass in on re0 inet to em0:network
# This does not work, since the mask for this IF will only let traffic
# through to the limited set of IPs on the same C-segment as em0. That
# would probably be a set of other customers at the network operator...

# This works, but will require an update if any further NIC is involved
# later
pass in on re0 to !re0:network

# I would like something like this to work, so that future added NICs
# won't open new unwanted paths
#pass in on re0 to em0

# Allow only incoming SSH to external NIC
pass in on em0 inet proto tcp to port ssh

--
<-------------------------------------------->
Jon Sjöstedt
jonsjost...@gmail.com
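One way to get the effect the post asks for, written as an added example that is not part of the original message and has not been run on the poster's machine. Instead of naming re0 and em0, it keys every internal-side rule on an interface group (the group name "lan" is an assumption; each internal NIC gets it via a "group lan" line in its /etc/hostname.if, or "ifconfig re0 group lan") and the internet side on the built-in "egress" group, which OpenBSD assigns to whatever interface carries the default route. pf expands "(lan:network)" and "self" at runtime from pf.conf(5)'s own address forms, so the ruleset never has to mention a NIC by name: an interface added to the group later inherits this policy, and an interface left out of every group sees only "block log all".

```pf
# Added example (not from the original post): /etc/pf.conf for the same
# file server / router, written around interface groups.
# Assumptions:
#   - every internal NIC is in a group named "lan" (e.g. "group lan" in
#     /etc/hostname.re0); the name is an assumption, not from the post
#   - the internet NIC (em0 in the post) carries the default route and is
#     therefore in the built-in "egress" group; it is never named below
set skip on lo0

# Default deny, everywhere.
block log all

# NAT everything leaving towards the internet from any internal net.
match out on egress inet from (lan:network) nat-to (egress)

# The router itself may initiate anything.
pass out on { egress lan }

# Forwarding: from an internal net to anything that is NOT an internal
# net. This also matches packets aimed at the router's own addresses on
# other interfaces (the external one included), so it is narrowed by the
# next rule.
pass in on lan inet from (lan:network) to !(lan:network)

# Last matching rule wins: nothing from the internal nets reaches an
# address owned by the router unless a later rule says so.
block in log on lan from (lan:network) to self

# The only services the router offers to the internal nets
# (same set as the original: ssh, samba, icmp).
pass in on lan inet proto tcp from (lan:network) to self port { ssh 445 }
pass in on lan inet proto icmp from (lan:network) to self

# From the internet, only SSH to the external address.
pass in on egress inet proto tcp to (egress) port ssh
```

Load it with "pfctl -nf /etc/pf.conf" first (parse only) and "pfctl -vnf /etc/pf.conf" to see how the group names expand; "ifconfig lan" lists the group members. Walking the rules in last-match order: a LAN packet to an internet host matches only the forwarding pass; a LAN packet to the external interface's own address matches the forwarding pass, then the block to self, and nothing after it, so it is dropped; a LAN packet to the router's re0 address on port 445 is not "to !(lan:network)", is blocked by the self rule, and is finally passed by the services rule. Traffic between two interfaces in the group never matches a pass ("to (lan:network)" appears in no pass rule), so a future DMZ NIC dropped into "lan" gets exactly the LAN policy and still cannot reach the other internal nets, while a DMZ NIC kept out of every group gets nothing at all until rules are written for it. Reload with "pfctl -f /etc/pf.conf" after adding or regrouping an interface so the expanded addresses are refreshed.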