Hi Peter,
I am a newbie as well, but after some time banging my
head against walls I came up with my own 'silly'
pf.conf rules. I have included my rules at the end of
this email. I removed the extra rules (I think all of
them) and all you have to do is change the variable
names to whatever you are using.
I hope it is going to be helpful. It can be used to
learn about macros as well.
Some comments:
- Don't use 'pass in all' as a default. You are totally
open.
- Check out the declaration of my network's macros.
Compare to yours.
- Opening ssh (port 22) directly in your firewall can
be an invitation for an attacker. Try
to redirect it to another machine other than to your
firewall.
For example:
ssh_ad = 192.168.1.22
rdr on $ext_if proto tcp from any to $ext_ad port ssh -> $ssh_ad port ssh
Best of luck, J. Rivero
MTE Technology
mtechno.net
J. Rivero
3629 203rd Street
Langley, B.C.
V3A6A6
Tel. (604)-514-9092
Cell (778) 839-3395
--- R T [EMAIL PROTECTED] wrote:
Hello folks. I'm trying to get my OpenBSD 3.5 machine
set up as a router. Here's the info so far:
xl0 network card getting dhcp address from my isp
ep1 network card hooked to my laptop 192.168.1.1
netmask 255.255.255.0
The laptop is windows and has 192.168.1.2 as its ip.
I can ping the laptop, and the laptop can ping the
OpenBSD box, but so far I can't get the laptop onto
the internet at all. My pf.conf is quite simple
compared to some examples I've seen and I'm thinking
it's too simple perhaps...
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
# gatewolf rules (experimental)
#
ext_if=xl0
int_if=ep1
internal_net=10.1.1.1/8
external_addr=192.168.1.1
# Filtering: the implicit first two rules are
pass in all
pass out all
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log all
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass out on $ext_if proto { tcp, udp } all keep state
# pass incoming packets destined to the addresses given in table <foo>.
pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
# My silly rules
pass in on xl0 all
pass out on xl0 all
pass in on ep1 all
pass out on ep1 all
any ideas as to what I have done wrong folks?
Thanks...
pf.conf
#
# macro definitions
#
# ext_if -- external interface, connects the firewall to the
# outside world
# prv_if -- private interface, connects the private network
# segment to the firewall
#
ext_if = rl0
prv_if = rl1
#
# ext_ad -- the IPv4 address of the ext_if external interface
# prv_ad -- the range of IPv4 addresses on the private network
# int_net -- internal subnets
#
ext_ad = $ext_if /32
prv_ad = 192.168.0.0/24
int_net = { 192.168.0.0/24, 10.0.0.0/24}
nonroutable = { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, \
10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 204.152.64.0/23, 224.0.0.0/3 }
#
# options: set
#
set limit { frags 1, states 1 }
set loginterface $ext_if
set block-policy return
# table containing all the IP addresses assigned to the firewall
table <firewall> const { self }
scrub in all fragment reassemble
scrub out all fragment reassemble
#
# NAT rules: rdr, nat, binat
#
nat on $ext_if from $prv_ad to any -> $ext_ad
#
# filtering
#
block all
antispoof quick for $prv_if inet
# filter rules for ext_if
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp icmp} all keep state
# filter rules for prv_if
pass in on $prv_if from $prv_ad to any keep state
pass out on $prv_if from any to $prv_ad keep state
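Putting the two posts together, here is an added example (not the configuration of either poster) of a pf.conf written for R T's actual topology in the OpenBSD 3.5 syntax both posts use: xl0 is the external interface addressed by DHCP, ep1 serves the 192.168.1.0/24 segment, and ssh_host is a constructed internal address standing in for the machine J. Rivero suggests should receive redirected ssh instead of the firewall.

```pf
# Assumed topology (from R T's post): xl0 gets its address from the ISP by
# DHCP, ep1 serves the private 192.168.1.0/24 segment. ssh_host is a
# constructed example address, not a host named anywhere in the thread.
ext_if = "xl0"
int_if = "ep1"
int_net = "192.168.1.0/24"
ssh_host = "192.168.1.2"

# Reassemble fragments before any rule sees them
scrub in all

# NAT: the parenthesised interface name is re-read on every packet, so the
# rule keeps working after the ISP hands out a new DHCP lease. This is the
# rule R T's pf.conf is missing, which is why the laptop never gets out.
nat on $ext_if from $int_net to any -> ($ext_if)

# Hand inbound ssh to an internal host instead of the firewall itself
rdr on $ext_if proto tcp from any to ($ext_if) port ssh -> $ssh_host port ssh

# Default deny in both directions (logged), drop spoofed source addresses
# arriving on the inside interface, and leave loopback alone
block in log all
block out log all
antispoof quick for $int_if inet
pass quick on lo0 all

# Traffic leaving towards the Internet, from the firewall or (after NAT)
# from the private segment; only SYNs may create TCP state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Private segment: let the LAN out and let replies back to it
pass in on $int_if from $int_net to any keep state
pass out on $int_if from any to $int_net keep state

# rdr rewrites the destination before filtering, so the filter rule must
# match the internal host, not the firewall's external address
pass in on $ext_if proto tcp from any to $ssh_host port ssh flags S/SA keep state
```

Packet forwarding must also be switched on (net.inet.ip.forwarding=1 in /etc/sysctl.conf) and the laptop needs 192.168.1.1 as its default gateway plus a reachable DNS server, or the rules alone will not get it online. Check the syntax with pfctl -nf /etc/pf.conf before loading it.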