Good day. I have successfully installed ComixWall 4.2 on my machine, but its default pf rules will not allow me to connect to the internet; if I disable pf I can connect. Here is my pf.conf as it was after installing ComixWall.
This is my first time installing OpenBSD and using pf as a firewall. Can you help me set up my pf rules?
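# $Id: pf.conf,v 1.5 2008/01/05 11:15:33 soner Exp $
# ComixWall pf rules
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# Overview: the default policy is "block log all" (below).  Only traffic that
# matches a later "pass" rule gets through, and pf is last-match, so rule
# order matters.  LAN clients on $int_net are NOT given general Internet
# access: HTTP, FTP, POP3, SMTP and IM are transparently redirected to local
# proxies, a short list of ports (https, pop3s, imaps, 465, socks, IPsec) is
# passed directly, and DNS is only passed to this host.  Anything else from
# the LAN (for example queries to an external DNS server) is blocked and
# logged -- run "tcpdump -n -e -ttt -i pflog0" to see what is being dropped.
#
# Note: this listing was line-wrapped by the mail client; every rule below
# has been rejoined onto a single line, as pfctl requires.

# Interfaces and networks.  Adjust to match this host's NICs.
int_if = "dc0"
ext_if = "dc1"
int_net = "172.16.1.0/24"
# Interface the local proxies source their outbound connections from.
proxy = "dc1"
# MSN, ICQ/AIM, Yahoo, IRC
im_ports = "{ 1863 5190 5050 6667 }"
# Tables: RestrictedIPs is loaded from a file; the others are populated at
# runtime (spamd, snort IPS).
table <RestrictedIPs> persist file "/etc/pf.restrictedips"
table <spamd> persist
table <spamd-white> persist
table <snortips> persist
set loginterface $int_if
# Loopback is not filtered at all, so redirected connections reach the
# proxies without needing explicit pass rules on lo.
set skip on lo
# Normalise (defragment, sanity-check) everything coming in.
scrub in all
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Masquerade everything leaving $ext_if behind its primary address.
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# FTP-proxy
rdr on $int_if proto tcp from $int_net to any port ftp -> lo port 8021
# Reverse FTP-proxy (disabled)
# rdr log on $ext_if proto tcp from any to !$ext_if port ftp -> lo port 8022
# spamd spam deferral daemon
rdr pass on $ext_if proto tcp from <spamd> to any port smtp -> lo port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to any port smtp -> lo port spamd
# Web filter: transparently redirect LAN HTTP to the local proxy, except for
# connections aimed at this host's own LAN address (the admin interface).
rdr on $int_if proto tcp from $int_net to !$int_if port www -> lo port 8080
# POP3 proxy
rdr on $int_if proto tcp from $int_net to !$int_if port pop3 -> lo port 8110
# SMTP proxy
rdr on $int_if proto tcp from $int_net to !$int_if port smtp -> lo port 9199
# IM proxy
rdr on $int_if proto tcp from $int_net to !$int_if port $im_ports -> lo port 16667
anchor "ftp-proxy/*"
# Drop packets whose source address does not belong on the interface they
# arrived on.
antispoof quick for { lo $int_if }
# IPS: addresses flagged by snort are dropped in both directions before any
# pass rule can match ("quick" stops evaluation).
block in log quick from <snortips>
block out log quick to <snortips>
# BLOCK ALL TRAFFIC BY DEFAULT
block log all
# FTP-proxy
pass out log quick on $ext_if inet proto tcp from $proxy to any port 21 flags any
# pass tcp, udp, and icmp out on the external (Internet) interface.
# ComixWall proxies need 'flags any' here
# ('flags any' lets state be created from any packet, not only a SYN).
pass out log on $ext_if proto tcp all flags any
pass out log on $ext_if proto { udp icmp } all
# SSH connection to/from ComixWall
pass in log on $int_if inet proto tcp from $int_net to { $int_if $ext_if } port ssh
# NOTE(review): the next rule exposes SSH on the Internet-facing address to
# the whole world ("from any").  Restrict it to known management addresses
# (e.g. a table) or comment it out unless remote administration is really
# needed; in any case make sure sshd_config disallows root and password logins.
pass in log on $ext_if inet proto tcp from any to $ext_if port ssh
pass out log on $int_if inet proto tcp from $int_if to any port ssh
# ComixWall Web Administration Interface (LAN side only)
pass in log on $int_if proto tcp from $int_net to $int_if port { www https }
# DNS queries to ComixWall.  This is the ONLY rule passing DNS: LAN clients
# must use this host as their resolver; queries to external DNS servers are
# blocked by the default policy.
# NOTE(review): a DHCP DISCOVER is sent from 0.0.0.0 to 255.255.255.255,
# which matches neither $int_net nor $int_if, so the bootps entry here only
# covers unicast renewals -- confirm how the DHCP server receives packets
# (on OpenBSD dhcpd uses BPF, which may not be subject to these rules).
pass in log on $int_if proto { tcp udp } from $int_net to $int_if port { domain bootps }
# ComixWall proxies: let the redirected LAN connections reach the local proxy
# ports (after rdr the destination is the loopback address).
pass in log on $int_if inet proto tcp from $int_net to lo port { 8021 8080 8110 9199 16667 } flags any
pass out log on $ext_if inet proto tcp from $ext_if to any port $im_ports flags any
# NOTE(review): the next rule matches on SOURCE port only.  Any Internet host
# sending from port 1863/5190/5050/6667 is passed to ANY TCP port on
# $ext_if, and 'flags any' lets it create state without a SYN.  Replies to
# the proxy's outbound IM sessions are already covered by the state of the
# "pass out" rule above; if the IM proxy does not need unsolicited inbound
# connections, remove this rule, otherwise pin it to a destination port.
pass in log on $ext_if inet proto tcp from any port $im_ports to $ext_if flags any
# HTTPS port
pass in log on $int_if proto tcp from $int_net to any port https
# ping
pass in log on $int_if proto icmp from $int_net to any
# POP3s, IMAPs, SMTPs
pass in log on $int_if proto tcp from $int_net to !$int_if port { pop3s imaps 465 }
# VPN passthru
pass in log on $int_if proto esp from $int_net to any
pass in log on $int_if proto { tcp udp } from $int_net to any port { isakmp 4500 }
# File sharing applications
pass in log on $int_if proto { tcp udp } from $int_net to any port socks
# Block RestrictedIPs.  Later rules win in pf, so this overrides the IM-proxy
# and socks "pass" rules above for addresses listed in the table.
block in log on $int_if proto { tcp udp } from <RestrictedIPs> to any port { 16667 socks }
# Apply AfterHours rules
anchor "AfterHours"
# End of Ruleset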