In windows that file i sent you look ugly, her is another version edited in notepad for easier reading. I add it in plain text below too. Regarding the table of illegal addresses, I have no clue way they are, I just followed a guide to the best of my ability.
#Table of illegal adresses forbiden below
table
<martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }
#General settings
set block-policy drop
set loginterface egress
set skip on lo0
#NAT settings
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
#General bloking rules
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
#Pass all out,
pass in on em1 and em2
pass out quick inet
pass in on em1 inet
pass in on em2 inet
#Isolate em1 and em2 from eachother, em2 is DMZ
block in on em1 to em2
block in on em2 to em1
#pass port 32400 in to DMZ for plex
pass in on egress proto tcp from any to any port 443 \
rdr-to 192.168.138.13 port 32400
2017-10-21 12:39 GMT+02:00 Magnus Andersson <[email protected]>:
> Hi,
> I think something must be wrong in my pf.conf file but I can't see where.
> I am using openBSD as a router with a LAN and a DMZ zone behind it.
> What is wrong is not something sad and simple i think like a wrong
> IP-address or something. The setup works in that i have internet i one
> network and both internet and remote access in the DMZ zone. But the
> setup is unreliable.
>
> Sometimes it take a long time before the router answers, sometimes
> nothing gets through what so ever and then it works again. If it helps I
> can tell you I even needed to reboot the router ones because it seamed
> my openBSD installation managed to choke it self up. I can't believe it,
> not even my old Linux Debian router use to do that.
>
> My problem is not hardware related, I regularly go through the systems
> and my internet connection is optical and reliable. My cables are double
> insulated cat7 with routers from Cisco. I can not see how the problems
> can be in any of that.
>
> My problem starts when i change from Linux and Shorewall to openBSD
> and PF. I wanted to learn PF this last 4 years but have not had time
> before.
>
> I think it is just something I can't understand in my pf.conf, please read it
> throw and see if you can find any problems in it. My hope is you will find
> something. In Shorewall I just say what I want and the program makes
> the IP-table rules for me. I thing the problem here is that I am an
> incompetent in writing good solid PF-rules. Please help.
>
> Regards
> Magnus Andersson
> Sweden
pf.conf
Description: Binary data
