Quickly looking at it, you need to specify in your NAT rule that the external 
interface is dynamically assigned an address.  Although, maybe I am wrong, I am 
assuming from your message that you are on a dynamic IP.  Replace this:

> nat on $ext_if inet from 192.168.0.0/16 to any -> $ext_if

with:

> nat on $ext_if inet from 192.168.0.0/16 to any -> {$ext_if}

I can't find this in the manpage.  It is either there or here, 
http://www.openbsd.org/faq/pf/index.html

-c


On Tue, 21 Oct 2003 10:37:15 -0700 (PDT)
Ryan <[EMAIL PROTECTED]> specifically said:

> hi, I've created my first pf.conf file and was
> wondering if it can be optimized more. This pf.conf
> was made by looking at other pf.conf files; I've also
> been having problems with DHCP leases.
> 
> here is what the needs of the internal machine are:
> 
> ftp, ssh, smtp, dns, http, pop3, ntp, https,
> aim(5190), ability to traceroute and ping, but want to
> stop people from pinging and tracerouting me
> (firewall)
> 
> here is my pf.conf
> -----------------------
> #
> # Interface:
> # sis0 - internal to private network
> # fxp0 - external to cable modem
> #
> 
> # Macros
> #
> ext_if = "fxp0"
> unfiltered = "{ lo0, sis0 }"
> unroutable = "{ 0.0.0.0/32, 10.0.0.0/8, 127.0.0.0/8, \
> 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, \
> 255.255.255.255/32 }"
> services_tcp = "{ 21, 22, 25, 53, 80, 110, 123, 443, > 1024 }"
> 
> 
> # Tables
> #
> 
> # Options
> #
> set loginterface $ext_if
> set limit { frags 500, states 10000 }
> set optimization aggressive
> set block-policy drop
> set require-order yes
> 
> # Traffic Normalization
> #
> scrub in on $ext_if all
> scrub out on $ext_if all random-id
> 
> # Queueing
> #
> 
> # Translations
> #
> no nat on $unfiltered from any to any
> no rdr on $unfiltered from any to any
> 
> # nat private network to single routable address
> nat on $ext_if inet from 192.168.0.0/16 to any -> $ext_if
> 
> # ftp-proxy redirection
> rdr on $ext_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8081
> 
> # =============================================================================
> # Packet Filtering Rules (default block/pass)
> # =============================================================================
> 
> # pass on unfiltered interfaces
> #
> pass quick on $unfiltered
> 
> # silently drop TCP non-SYN packets, the remaining ruleset only deals with
> # TCP SYNs, which always create state when passed. the ruleset basically
> # deals with 'connections', not packets, beyond this point.
> #
> block return-rst quick proto tcp all flags /S
> block return-rst quick proto tcp all flags A/A
> 
> # block and log everything by default
> #
> block log
> block return-rst log inet proto tcp
> block return-icmp log inet proto udp
> 
> # =============================================================================
> # external interface (all external IPv4 traffic)
> # =============================================================================
> 
> # silently drop broadcasts
> block in quick on $ext_if inet from any to { 255.255.255.255 }
> 
> # block some known-bad ports without logging
> #
> block return-rst in quick on $ext_if proto tcp from any to any \
> port { 111, 445, 6000 }
> block return-icmp in quick on $ext_if proto udp from any to any \
> port { 135, 137, 138, 139, 1434 }
> 
> # block and log incoming packets from reserved address space and invalid
> # addresses, they are either spoofed or misconfigured, we can't reply to
> # them anyway (hence, no return-rst).
> #
> block in log quick on $ext_if inet from $unroutable to any
> 
> # block and log outgoing packets that don't have my address as source, they are
> # either spoofed or something is misconfigured (NAT disabled, for instance),
> # we want to be nice and not send out garbage.
> #
> block out log quick on $ext_if inet from !$ext_if to any
> 
> # ICMP
> #
> pass out on $ext_if inet proto icmp from $ext_if to any \
> icmp-type 8 code 0 keep state
> pass in on $ext_if inet proto icmp from any to $ext_if \
> icmp-type 8 code 0 keep state
> 
> # UDP
> #
> pass out on $ext_if inet proto udp from any to any \
> keep state
> pass in on $ext_if inet proto udp from any to $ext_if \
> port { 53, 68 } keep state
> 
> # TCP
> #
> pass out on $ext_if inet proto tcp from $ext_if to any \
> flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to $ext_if port $services_tcp \
> flags S/SA keep state (max 1024, tcp.first 10, tcp.opening 10)
> -----------------------
> 
> let me know how I can improve this, thanks
> 
> 
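Worked example added here, not taken from either message in the thread: the NAT rule and the other address-based rules from Ryan's pf.conf rewritten so that they follow the external interface's current address. pf.conf(5) expands a bare interface name to the address it holds when the ruleset is loaded, whereas an interface name in parentheses is re-evaluated whenever the address changes, which is what a DHCP-assigned external address needs. The `nat on` syntax is that of the thread's era (OpenBSD 3.x); the `int_net` macro is an assumption for readability.

```pf
# Added example (not from the thread): rules that should track the
# interface's current address use the parenthesised form ($ext_if).
# A bare $ext_if is resolved once, at load time; ($ext_if) is re-evaluated
# by pf whenever fxp0's address changes (pf.conf(5)).
ext_if  = "fxp0"
int_net = "192.168.0.0/16"   # assumed macro, same network as the posted config

# nat private network to whatever routable address fxp0 holds right now
nat on $ext_if inet from $int_net to any -> ($ext_if)

# egress anti-spoofing: the "my address" check must follow the lease too,
# otherwise every renewal with a new address starts logging all outbound traffic
block out log quick on $ext_if inet from !($ext_if) to any

# stateful pass rules that name the external address
pass out on $ext_if inet proto icmp from ($ext_if) to any \
        icmp-type 8 code 0 keep state
pass in  on $ext_if inet proto udp from any to ($ext_if) \
        port { 53, 68 } keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any \
        flags S/SA keep state
```

Parse the rewritten file without loading it with `pfctl -nf /etc/pf.conf`; after a lease change, `pfctl -sr` shows the rules still carrying `($ext_if)` rather than a stale literal address.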
