Hi Peter,

I am a newbie as well, but after some time banging my head against walls I came up with my own 'silly' pf.conf rules. I have included my rules at the end of this email. I removed the extra rules (I think all of them), and all you have to do is change the variable names to whatever you are using.

I hope it is going to be helpful. It can be used to learn about macros as well.

Some comments:

- Don't use 'pass in all' as a default. You are totally open.
- Check out the declaration of my network's macros. Compare to yours.
- Opening ssh (port 22) directly in your firewall can be an invitation for an attacker. Try to redirect it to a machine other than your firewall. For example:

    ssh_ad = "192.168.1.22"
    rdr on $ext_if proto tcp from any to $ext_ad port ssh -> $ssh_ad port ssh

Best of luck,

J. Rivero
MTE Technology
mtechno.net

J. Rivero
3629 203rd Street
Langley, B.C. V3A6A6
Tel. (604)-514-9092
Cell (778) 839-3395

--- R T <[EMAIL PROTECTED]> wrote:
> Hello folks. I'm trying to get my OpenBSD 3.5 machine
> set up as a router. Here's the info so far:
> xl0 network card getting dhcp address from my isp
> ep1 network card hooked to my laptop 192.168.1.1
> netmask 255.255.255.0
>
> The laptop is Windows and has 192.168.1.2 as its IP.
> I can ping the laptop, and the laptop can ping the
> OpenBSD box, but so far I can't get the laptop onto
> the internet at all. My pf.conf is quite simple
> compared to some examples I've seen and I'm thinking
> it's too simple perhaps...
>
> # $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
> # gatewolf rules (experimental)
> #
> ext_if="xl0"
> int_if="ep1"
> internal_net="10.1.1.1/8"
> external_addr="192.168.1.1"
>
> # Filtering: the implicit first two rules are
> pass in all
> pass out all
>
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> block in log all
> pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass out on $ext_if proto { tcp, udp } all keep state
>
> # pass incoming packets destined to the addresses given in table <foo>.
> pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
>
> # My silly rules
> pass in on xl0 all
> pass out on xl0 all
> pass in on ep1 all
> pass out on ep1 all
>
> any ideas as to what I have done wrong folks?
> Thanks...

pf.conf

#################################################################
# macro definitions
#################################################################
# ext_if -- external interface, connects the firewall to the
#           outside world
# prv_if -- private interface, connects the private network
#           segment to the firewall
#################################################################
ext_if = "rl0"
prv_if = "rl1"
#################################################################
# ext_ad  -- the IPv4 address of the ext_if external interface
# prv_ad  -- the range of IPv4 addresses on the private network
# int_net -- internal subnets
#################################################################
ext_ad = $ext_if "/32"
prv_ad = "192.168.0.0/24"
int_net = "{ 192.168.0.0/24, 10.0.0.0/24 }"
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, \
                 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 204.152.64.0/23, 224.0.0.0/3 }"
#################################################################
# options: "set"
#################################################################
set limit { frags 10000, states 10000 }
set loginterface $ext_if
set block-policy return
# table containing all the IP addresses assigned to the firewall
table <firewall> const { self }
# normalise traffic in both directions before it is filtered
scrub in all fragment reassemble
scrub out all fragment reassemble
#################################################################
# NAT rules: "rdr", "nat", "binat"
#################################################################
# translate the private network to the external address on the way out
nat on $ext_if from $prv_ad to any -> $ext_ad
#################################################################
# filtering
#################################################################
# default deny; everything not explicitly passed below is blocked
block all
antispoof quick for $prv_if inet
# filter rules for ext_if
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# filter rules for prv_if
pass in on $prv_if from $prv_ad to any keep state
pass out on $prv_if from any to $prv_ad keep state
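An added example, my own Python rather than anything from this thread or from pf itself: a small checker for the points raised above (a wide-open 'pass in all', a macro wrongly defined with a leading '$', references to undefined macros or tables, and a gateway ruleset with no 'nat on' rule at all). The sample input is a constructed, trimmed copy of the quoted pf.conf; the 'nat' check is my addition, based on the nat rule in my own ruleset above.

```python
import re

# Constructed sample input: the quoted pf.conf from the question above,
# trimmed to the lines the checks below care about.
QUOTED_PF_CONF = """\
ext_if="xl0"
int_if="ep1"
internal_net="10.1.1.1/8"
external_addr="192.168.1.1"
pass in all
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass out on $ext_if proto { tcp, udp } all keep state
pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
pass in on xl0 all
pass in on ep1 all
"""

def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    lines = (re.sub(r"#.*", "", ln).strip() for ln in joined.splitlines())
    return [ln for ln in lines if ln]

def lint_pf(text):
    """Return a list of findings for the mistakes discussed in this thread."""
    lines = logical_lines(text)
    findings, macros, tables = [], set(), set()
    for ln in lines:                       # first pass: collect definitions
        m = re.match(r"^(\$?)([A-Za-z_]\w*)\s*=", ln)
        if m:
            macros.add(m.group(2))
            if m.group(1):                 # '$ssh_ad = ...' is a syntax error
                findings.append(f"macro '{m.group(2)}' defined with a leading '$'")
        t = re.match(r"^table\s*<(\w+)>", ln)
        if t:
            tables.add(t.group(1))
    for ln in lines:                       # second pass: check the rules
        for ref in re.findall(r"\$(\w+)", ln):
            if ref not in macros:
                findings.append(f"undefined macro ${ref} in: {ln}")
        if not ln.startswith("table"):
            for ref in re.findall(r"<(\w+)>", ln):
                if ref not in tables:
                    findings.append(f"undefined table <{ref}> in: {ln}")
        if re.match(r"^pass\s+in\s+(on\s+\S+\s+)?all$", ln):
            findings.append(f"wide-open inbound rule: {ln}")
    if not any(re.match(r"^nat\s+on\b", ln) for ln in lines):
        findings.append("no 'nat on' rule: private hosts will not be translated")
    return findings
```

Run it with `lint_pf(open("/etc/pf.conf").read())` before loading a ruleset; it is a sanity check on the points above, not a replacement for `pfctl -nf /etc/pf.conf`.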