pf.conf and typical workstation settings aside, I am wondering about PF FAQ
and "some" examples.
Really, a pf.conf for what I use DD-WRT for, running on a Linksys (as compared
to the default Linksys firmware).
(outside world)<-->[OpenBSD box{PF, dhcpd, services}]<-->({NAT}wired/wireless
lan)<-->[PSP, PS3, WinCE, and/or computers]
A good pf.conf example ruleset just to do this would meet most if not all
basic needs; if you need to do more, read the man page...
Wired and wireless dhcpd configs are straightforward, as are services like
CUPS, SSHd, and FTPd.
Mostly this saves on component count, since I use the same OpenBSD box as a
Windows netbook terminal, and I don't have to lug 5+ pieces of gear to get a
network of my own.
For PSPs and PS3s and other devices like Windows CE, running 802.11bgn
wireless in my own WLAN space saves me re-running a setup for the wireless
connection every time I go to another hotel...
Further, I can run a "Branch Office in a Box" if I add the requisite VPN
parts, but that's outside the scope of basic NAT micronetting here.
Note: I did not want to send a diff since these are examples for the PF FAQ,
and not updates for -release.
FWIW, these three examples are what I use for the outside-world wired and
WLAN NAT net behind PF.
bge0 is the dhclient ext_if, ural0 is the dhcpd int_if. This is not the latest
pf.conf from etc47, but updated for the match rule.
pf.conf____________________________
# $OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#set skip on lo
#ext_if="fxp0" # used on HP SFF Desktop in road-case; Lenovo PinkPad S10 uses bge0 for wired.
#ext_if="ural0" # for reversed wireless-to-wired NAT lan. Change hostname.ural0 to a dhcp-client version.
ext_if="bge0"
#int_if="bge0" # for reversed wireless-to-wired NAT lan. Change hostname.bge0 to the dhcpd wired version.
int_if="ural0"
# NAT/filter rules and anchors for ftp-proxy(8)
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
#anchor "ftp-proxy/*"
#pass out proto tcp from $proxy to any port ftp
# NAT/filter rules and anchors for relayd(8)
#rdr-anchor "relayd/*"
#anchor "relayd/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0) ### 4.6 old, does not work in 4.7, see below ###
match out on $ext_if from !($ext_if) nat-to ($ext_if:0)
# NAT rules and anchors for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#no rdr on egress proto tcp from <nospamd> to any port smtp
#no rdr on egress proto tcp from <spamd-white> to any port smtp
#rdr pass on egress proto tcp from any to any port smtp -> 127.0.0.1 port spamd
pass out # to establish keep-state
#block in quick from urpf-failed to any # use with care
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
pass quick on $int_if no state
antispoof quick for { lo $int_if }
pass in on $ext_if proto icmp to ($ext_if)
pass in on $ext_if proto tcp to ($ext_if) port ssh
pf.conf____________________________
hostname.ural0 __________________
!ifconfig ural0 down
!ifconfig ural0 nwkey 0xC0FFEE0DEADBEEF0CAB1BADA55
!ifconfig ural0 mediaopt hostap nwid 1020wlanmyopenbsd3040 chan 6
!ifconfig ural0 10.16.1.1 netmask 255.255.255.0
#!ifconfig ural0 up
hostname.ural0 __________________
dhcpd.conf ____________________________
# $OpenBSD: dhcpd.conf,v 1.2 2008/10/03 11:41:21 sthen Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network: 192.168.1.0/255.255.255.0
# Domain name: my.domain
# Name servers: 192.168.1.3 and 192.168.1.5
# Default router: 192.168.1.1
# Addresses: 192.168.1.32 - 192.168.1.127
#
option domain-name "dfg.org";
# DFG.ORG Office
option domain-name-servers 192.168.125.1;
# Marriott Hotel Internet
#option domain-name-servers 4.2.2.1;

subnet 10.16.1.0 netmask 255.255.255.0 {
	option routers 10.16.1.1;
	range 10.16.1.32 10.16.1.42;

	host static-client {
		# hardware ethernet 22:33:44:55:66:77;
		# fixed-address 0.1.2.3;
	}
	host handheld-one {
		hardware ethernet 00:a0:35:28:40:0f;
		fixed-address 10.16.1.200;
		option host-name "wince-hh-one";
	}
	host handheld-two {
		hardware ethernet 00:a0:35:28:40:0b;
		fixed-address 10.16.1.202;
		option host-name "wince-hh-two";
	}
	host pxe-client {
		hardware ethernet 02:03:04:05:06:07;
		filename "pxeboot";
		next-server 10.16.1.1;
	}
}
dhcpd.conf ____________________________
These are just examples, but they work for me.
-------------------------------------------
> Subject: Re: PF FAQ example ruleset
> Bump!
> >> The more examples the better, as long as they all do individual tasks.
> >> Of course you guys decide.
> >match is a bit tricky when you're giving sample rules, because
> >it can be affected by rules either side of it - from that
> >perspective 'pass quick' rules are quite attractive.
> >I'll look at a diff later if no one beats me to it. :)
"A computer without COBOL and FORTRAN is like a piece of
chocolate cake without ketchup or mustard." unix fortune cookie.
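A tightened version of the same two-interface NAT ruleset, added here as an example and not taken from the post above: it keeps the author's bge0/ural0 roles and the 10.16.1.0/24 LAN from the dhcpd.conf, but starts from a default deny, because pf's implicit policy passes any packet no rule mentions, so the ruleset above admits inbound connections on bge0 to anything the box listens on other than X11. The lan_net macro, the log keyword and the explicit DHCP rule are my additions.

```pf
# Added example, not the original poster's ruleset. Same topology:
# bge0 is the dhclient external side, ural0 the hostap/dhcpd LAN side.
ext_if = "bge0"
int_if = "ural0"
lan_net = "10.16.1.0/24"   # assumed from the dhcpd.conf subnet

set skip on lo

# 4.7-style NAT: rewrite LAN sources to the external primary address
match out on $ext_if from $lan_net nat-to ($ext_if:0)

# Default deny; pf's built-in default is pass, so say it explicitly.
# Log what is dropped on the external side for later review.
block all
block in log on $ext_if

# Drop packets whose source could not legitimately arrive on these interfaces
antispoof quick for { lo $int_if }

# DHCP requests arrive from 0.0.0.0, so they need a rule of their own
pass in on $int_if inet proto udp from any port bootpc to any port bootps

# LAN hosts may reach the router and the outside; states handle replies
pass in on $int_if from $lan_net
pass out

# Only ssh and ping are accepted from the outside
pass in on $ext_if inet proto tcp to ($ext_if) port ssh
pass in on $ext_if inet proto icmp icmp-type echoreq
```

Check it with `pfctl -nf /etc/pf.conf` before loading; the X11 rule from the original is no longer needed once nothing is passed in by default.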