Re: PF: antispoof vs URPF

2010-04-06 Thread N. Arley Dealey

Many thanks to all who have replied.

For my needs (which are pretty simple), Occam dictates using antispoof.

But I've learned much about URPF from the discussion. It's been very interesting.




PF: antispoof vs URPF

2010-03-31 Thread N. Arley Dealey
It would appear to me that antispoof and URPF achieve similar results. Is there a reason to prefer one over the other?
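For comparison, here is an added example, not taken from this thread, that writes both mechanisms in pf.conf syntax for a two-interface router like the one described elsewhere in this thread. The interface macros follow the poster's later message; the 192.x.y.0/24 internal network and the expanded rules quoted in the comments are illustrative assumptions.

```pf
# Added example, not from the original thread: antispoof vs. uRPF in pf.conf.
# Interface names follow the poster's later message; the 192.x.y.0/24
# internal network is an assumed placeholder.
ifExt = "fxp0"
ifInt = "fxp1"

# antispoof generates rules that block packets claiming an interface's own
# address as source; those rules also hit traffic over loopback, so skip lo.
set skip on lo

# --- Option 1: antispoof -------------------------------------------------
# Expands, per listed interface, into block rules built from the interface's
# directly connected network and address, e.g. for fxp1 (192.x.y.2/24, assumed):
#   block drop in on ! fxp1 inet from 192.x.y.0/24 to any
#   block drop in inet from 192.x.y.2 to any
# Limitation: only the directly connected prefix is known, so a source from a
# subnet that lives behind another router on fxp1 is not checked at all.
antispoof log quick for { $ifInt, $ifExt } inet

# --- Option 2: uRPF ------------------------------------------------------
# pf looks up the route back to the packet's source address and the packet
# fails the check if it arrived on a different interface than that route
# points to.  This covers routed networks too, but depends on the routing
# table: with asymmetric routes (or a missing route) legitimate traffic fails.
block in log quick from urpf-failed label uRPF

# Either option has to precede the pass rules (or carry "quick", as above)
# to take effect; the two can also be combined.
block in
pass out keep state
pass in quick on $ifInt
```

Both variants log, so `tcpdump -n -e -ttt -i pflog0` shows which rule dropped a packet and on which interface it arrived, which is the quickest way to find out whether a drop was a real spoof or a routing problem.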




help with pf redirection (openbsd 4.6)

2010-03-17 Thread N. Arley Dealey
Help! I'm obviously overlooking something really obvious but I just can't see it.


I'm building my first PF-based router/firewall using OpenBSD 4.6. For now, what I need it to do is pretty simple:

1. Allow all outbound traffic via NAT and allow all inbound responses.
2. Allow only ssh and auth to the external interface.
3. Redirect two ports (2000 & 4200) to two different hosts on the internal net.


I've created a minimal pf.conf file that I thought would accomplish this. Goals 1 & 2 are working fine (I can connect outbound from hosts on the internal net and I can connect to the firewall inbound via ssh) but the redirections are not going anywhere.

I don't know what to do next other than enable logging, fire up tcpdump and try to see what is actually happening. But I thought I'd ask first if anybody more familiar with pf can see something fundamentally flawed with my config.

Here is the pf.conf (slightly edited to obscure the actual IPs):

# pf.conf: agilulf.det2.gw00

#
# MACROS
#

# interfaces
ifExt = "fxp0"    # 66.b.c.118
ifInt = "fxp1"    # 192.x.y.2

#
# OPTIONS
#

set block-policy return
set loginterface $ifExt
set skip on lo

#
# NAT & Redirection
#

nat on $ifExt from !$ifExt -> $ifExt:0

rdr pass on $ifExt proto tcp from any to any port 4200 -> 192.x.y.40 port 4200
rdr pass on $ifExt proto tcp from any to any port 2000 -> 192.x.y.21 port 2000

#
# FILTER RULES
#

block in
pass out keep state

# internal clients
pass in quick on $ifInt

# external
pass in inet proto icmp all icmp-type echoreq
pass in on $ifExt inet proto tcp from any to $ifExt port { ssh, auth }

###EoF###


And here is the result of loading pf.conf:

# pfctl -vf /etc/pf.conf
ifExt = "fxp0"
ifInt = "fxp1"
set block-policy return
set loginterface fxp0
set skip on { lo }
nat on fxp0 inet from ! 66.b.c.118 to any -> 66.b.c.118
rdr pass on fxp0 inet proto tcp from any to any port = 4200 -> 192.x.y.40 port 4200
rdr pass on fxp0 inet proto tcp from any to any port = 2000 -> 192.x.y.21 port 2000

block return in all
pass out all flags S/SA keep state
pass in quick on fxp1 all flags S/SA keep state
pass in on fxp0 inet proto tcp from any to 66.b.c.118 port = ssh flags S/SA keep state
pass in on fxp0 inet proto tcp from any to 66.b.c.118 port = auth flags S/SA keep state

pass in inet proto icmp all icmp-type echoreq keep state
#

From the firewall box, I can ping and traceroute successfully to the two destination hosts for the redirections and I can connect to the destination ports of the redirections. I just can't make the redirected connections via the external interface of the firewall.


Any help would be greatly appreciated.
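As an added example (not the poster's config, and not a diagnosis of it), here is the same three-goal rule set with the two redirections written as a plain rdr plus an explicit, logged pass rule, which is what makes the "enable logging, fire up tcpdump" step useful: with `rdr pass` the translated packets skip the filter rules entirely and never reach pflog. The interface macros and the 192.x.y.* host addresses are the placeholders from the post above.

```pf
# Added example, not the poster's config: redirections written as rdr plus
# explicit, logged pass rules so that pflog0 shows what happens to them.
ifExt = "fxp0"
ifInt = "fxp1"
srvA  = "192.x.y.40"    # placeholder addresses as in the post
srvB  = "192.x.y.21"

set block-policy return
set loginterface $ifExt
set skip on lo

nat on $ifExt from $ifInt:network -> ($ifExt)

# No "pass" on the rdr: the translated packet must then match a filter rule,
# and that rule can carry "log".  Matching only our own address keeps the
# redirection from applying to any transit traffic.
rdr on $ifExt proto tcp from any to ($ifExt) port 4200 -> $srvA port 4200
rdr on $ifExt proto tcp from any to ($ifExt) port 2000 -> $srvB port 2000

block in log
pass out keep state
pass in quick on $ifInt

# Filter rules run after translation and therefore see the internal
# destination, not the firewall's external address.
pass in log quick on $ifExt proto tcp from any to $srvA port 4200 keep state
pass in log quick on $ifExt proto tcp from any to $srvB port 2000 keep state

pass in on $ifExt proto tcp from any to ($ifExt) port { ssh, auth } keep state
pass in inet proto icmp all icmp-type echoreq keep state
```

With this loaded, `tcpdump -n -e -ttt -i pflog0 port 4200` prints each SYN together with the number of the rule that passed or blocked it, and `pfctl -s state` shows whether a state was created for the connection. One thing a ping from the firewall to the internal host does not exercise: rdr rewrites only the destination address, so the internal host answers directly to the external client's address, and that answer has to route back out through the firewall (the internal host's default gateway must be the firewall's internal address) or the handshake never completes.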