Hello,
I am having some issues trying to set up a 'simple' firewall using pf
and OpenBSD. My ultimate objective is to create a firewall with three
NICs that will pass web traffic to the DMZ box (Solaris + Apache) AND
NOT pass traffic from the DMZ to the internal network.
I've tried many different sample firewalls and done the old
:%s/nic/mynic etc. etc. Here is a sample that sort of works.
The problem I am having with this is I can't ssh in to the Sun box
(192.168.3.19) to administer it from my internal net (192.168.1.0/24).
Also, I would like to find out how to pass out more than just www
traffic from the DMZ. Say, for instance, I wanted to run some other
services or use lynx on the DMZ box etc. etc.
# interface macros
ext_if="xl0"
int_if="xl1"
dmz_if="rl0"
web_svr="192.168.3.19"
# comma added after 192.168.1.0/24 so every list entry is separated the same way
unroutable="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.1.0/24, \
192.168.0.0/16, 255.255.255.255/32 }"
scrub in all
scrub out all
# NAT the internal and DMZ nets behind the external address
nat on $ext_if from {192.168.1.0/24,192.168.3.0/24} to any -> ($ext_if)
# redirect inbound www on the external address to the web server
# (the rdr line and the pass line below had been run together)
rdr on $ext_if proto tcp from any to $ext_if port www -> $web_svr port www
# filter rules see the destination after rdr has rewritten it, so this
# must match $web_svr; "to $dmz_if" only matched the firewall's own rl0 address
pass in quick on $ext_if proto tcp from any to $web_svr port www
# These two lines break internet traffic from the lan and dmz. ie, if
# they are enabled I may as well go watch tv.
#block in all
#block out all
block out on $dmz_if all
pass out on $dmz_if inet proto tcp from any to $web_svr port www
pass out on $ext_if all keep state
pass in quick on lo0 all
pass out quick on lo0 all
---
If I put in a 'block in all' 'block out all' then my whole LAN is
blocked from the internet, please help as I am pretty confused at this
point. Why a block in all and block out all would prevent everything
from going in or out when I have 'pass out on $ext_if all keep state'
after it, is beyond me.
Thanks,
-mb
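As an added example (an editor's suggestion, not part of the original post or any reply), here is a complete pf.conf in the same pre-4.7 nat/rdr syntax that meets the three stated goals with the default-deny lines enabled: web traffic to the DMZ box, ssh from the internal net to it, and nothing from the DMZ toward the internal net. It assumes the interface names and addresses from the post and pf's default floating state policy; the int_net and dmz_net macros are introduced here.

```pf
ext_if="xl0"
int_if="xl1"
dmz_if="rl0"
int_net="192.168.1.0/24"
dmz_net="192.168.3.0/24"
web_svr="192.168.3.19"
unroutable="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
              192.168.0.0/16, 255.255.255.255/32 }"

scrub in all

nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_if port www -> $web_svr port www

# Default deny. pf is last-match: a later 'pass' overrides these, but each
# flow needs a 'pass in' on the interface it ARRIVES on. The original set
# never passed anything in on $int_if, so LAN packets died here before the
# 'pass out on $ext_if' rule was ever consulted.
block in all
block out all
block in quick on $ext_if from $unroutable to any
block out quick on $ext_if from any to $unroutable
pass in quick on lo0 all
pass out quick on lo0 all

# Internal net: anything toward the Internet, plus ssh to the web server
# only. 'keep state' makes the reply, and the forwarded packet leaving on
# the other interface, match the state entry, so no extra rule is needed.
pass in on $int_if inet proto tcp from $int_net to $web_svr port ssh \
    flags S/SA keep state
pass in on $int_if from $int_net to ! $dmz_net keep state
pass out on $int_if from any to $int_net keep state

# Internet: only the redirected web port. rdr has already rewritten the
# destination, so the filter rule must name $web_svr, not $dmz_if.
pass in on $ext_if inet proto tcp from any to $web_svr port www \
    flags S/SA keep state
pass out on $ext_if all keep state

# DMZ: the web server may open connections to the Internet (lynx, DNS,
# other services) but never toward the internal net. The quick block
# wins over the pass below regardless of order.
block in quick on $dmz_if from $dmz_net to $int_net
pass in on $dmz_if from $dmz_net to any keep state
pass out on $dmz_if from any to $dmz_net keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` and `pfctl -ss` show the loaded rules and the state entries the ssh session creates.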