Comments inline.

On Feb 23, 2009, at 5:58 PM, Hilco Wijbenga wrote:

Hi all,

I've been trying to get a simple firewall system up-and-running in
OpenBSD. I have "The Book of PF" and "Secure Architectures
with OpenBSD" so I thought it would be very simple. Well, we're two
weeks later now and still no firewall. :-) The pf rules I found in
those books don't seem to work as I expected them to work.

The PF FAQ and the man page for pf.conf(5) should cover everything you need. The books are a nice addition, though.

Before I list my current pf.conf, let me give a few more details. My
firewall will be running a few services for my network (DHCP, NTP, and
DNS). I need to use NAT to get my own network Internet access. DHCP
works. I seem to have managed to get DNS (maradns on lo0 and sk1) and
ICMP working.

So, you need to set net.inet.ip.forward to 1 to ensure packets go out.

/etc/pf.conf
01 ext_if = "sk0"
02 int_if = "sk1"
03 localnet = $int_if:network
04 internet = $ext_if:network
05 udp_services = "{ domain, ntp }"
06 icmp_types = "{ echoreq, unreach }"
07
08 nat log on $ext_if from $localnet to any -> ($ext_if)
09
10 block log all
11
12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
14 pass quick inet proto { tcp, udp } from $lo0:network to any port $udp_services
15
16 pass inet proto icmp all icmp-type $icmp_types
17 pass from { lo0, $localnet } to any keep state

First, no traffic will go out with these rules as is. Unless states and flows match perfectly, it won't happen.

a. Why do I need 12? I had expected 13 (which I don't seem to need).
Wouldn't 12 be for incoming requests from the Internet?

I'm not sure what you're trying to do with 12 or 13. The ports (domain and ntp) will be the only traffic permitted to enter any interface on the firewall.

b. Given that ping works from my network (so that presumably routing
is okay), why doesn't anything else work? HTTP seems blocked by the
firewall.

Don't presume. Think. You're passing ICMP types inward (req, unreach). That's it. I suspect you're not passing that traffic outbound otherwise.

c. How can I get pflog to flush immediately? I noticed I have to wait
a minute or so before logged lines show up.

What syntax are you using to monitor it?

d. Any other pointers?

Start over.

I make no claims this works or will work for you. It's a simple rewrite of what you claimed to want (NAT for outbound traffic, for example).

ext_if="sk0"
int_if="sk1"
udp_services="{ domain, ntp}"

set skip on lo
set block-policy return
scrub in

nat on $ext_if from $int_if:network to any ->($ext_if)
block log

pass out quick from $int_if to $int_if:network
pass out quick from $ext_if to any

pass in quick on $ext_if proto {tcp, udp} from any to ($ext_if) port $udp_services
pass in quick on $int_if from $int_if:network to any
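As an added, stand-alone illustration of how pf walks the rewritten ruleset above (not code from the thread or from OpenBSD): a small Python model of pf's rule ordering, where the last matching rule wins unless a matching rule is marked quick. The interface addresses and sample packets are constructed assumptions, and the model is stateless, so it only shows which rule a fresh packet would hit, not what an existing state entry would do.

```python
import ipaddress

# Constructed addressing for the rewritten pf.conf (an assumption, not from
# the thread): sk0 = $ext_if, sk1 = $int_if.
IFACES = {"sk0": ipaddress.ip_interface("203.0.113.10/24"),
          "sk1": ipaddress.ip_interface("192.168.1.1/24")}
UDP_SERVICES = {53, 123}  # $udp_services = "{ domain, ntp }"

def net(ifname):   # $ifname:network
    return IFACES[ifname].network

def addr(ifname):  # $ifname or ($ifname): the interface's own address
    return {IFACES[ifname].ip}

# (action, quick, direction, interface, protocols, source, destination, dest ports);
# None means "any". Order follows the rewritten ruleset: pf's last matching rule
# wins, except that a matching "quick" rule ends evaluation immediately.
RULES = [
    ("block", False, None, None, None, None, None, None),              # block log
    ("pass", True, "out", None, None, addr("sk1"), net("sk1"), None),  # pass out quick from $int_if to $int_if:network
    ("pass", True, "out", None, None, addr("sk0"), None, None),        # pass out quick from $ext_if to any
    ("pass", True, "in", "sk0", {"tcp", "udp"}, None, addr("sk0"), UDP_SERVICES),  # pass in quick on $ext_if ... port $udp_services
    ("pass", True, "in", "sk1", None, net("sk1"), None, None),         # pass in quick on $int_if from $int_if:network to any
]

def packet(direction, iface, proto, src, dst, dport=None):
    """A packet as pf sees it on one interface, after any NAT has been applied."""
    return {"dir": direction, "iface": iface, "proto": proto, "dport": dport,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}

def evaluate(pkt, rules=RULES):
    """Return 'pass' or 'block' for pkt. Stateless: state entries, which pf
    consults before the ruleset, are not modelled."""
    action = "pass"  # pf's implicit default when no rule matches at all
    for act, quick, direction, iface, protos, src, dst, dports in rules:
        matched = ((direction is None or direction == pkt["dir"])
                   and (iface is None or iface == pkt["iface"])
                   and (protos is None or pkt["proto"] in protos)
                   and (src is None or pkt["src"] in src)
                   and (dst is None or pkt["dst"] in dst)
                   and (dports is None or pkt["dport"] in dports))
        if matched:
            action = act
            if quick:
                break
    return action

if __name__ == "__main__":  # constructed sample traffic
    print(evaluate(packet("in", "sk0", "udp", "198.51.100.7", "203.0.113.10", 53)))  # pass: DNS to the firewall
    print(evaluate(packet("in", "sk0", "tcp", "198.51.100.7", "203.0.113.10", 80)))  # block: HTTP to the firewall
```

The same LAN flow shows up twice, once on sk1 with its private source and once on sk0 with the NAT-translated source, which is why the "pass out quick from $ext_if to any" rule is what lets translated traffic leave.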
