On Mon, Feb 23, 2009 at 11:47 PM, johan beisser <[email protected]> wrote:
> Comments inline.
>
> On Feb 23, 2009, at 5:58 PM, Hilco Wijbenga wrote:
>
>> Hi all,
>>
>> I've been trying to get a simple firewall system up-and-running in
>> OpenBSD. I have "The Book of PF" and "Secure Architectures
>> with OpenBSD" so I thought it would be very simple. Well, we're two
>> weeks later now and still no firewall. :-) The pf rules I found in
>> those books don't seem to work as I expected them to work.
>
> The PF FAQ and the man page for pf.conf(5) should cover everything you need.
> The books are a nice addition, though.
>
>> Before I list my current pf.conf, let me give a few more details. My
>> firewall will be running a few services for my network (DHCP, NTP, and
>> DNS). I need to use NAT to get my own network Internet access. DHCP
>> works. I seem to have managed to get DNS (maradns on lo0 and sk1) and
>> ICMP working.
>
> So, you need to set net.inet.ip.forward to 1 to ensure packets go out.
>
>> /etc/pf.conf
>> 01 ext_if = "sk0"
>> 02 int_if = "sk1"
>> 03 localnet = $int_if:network
>> 04 internet = $ext_if:network
>> 05 udp_services = "{ domain, ntp }"
>> 06 icmp_types = "{ echoreq, unreach }"
>> 07
>> 08 nat log on $ext_if from $localnet to any -> ($ext_if)
>> 09
>> 10 block log all
>> 11
>> 12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
>> 13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
>> 14 pass quick inet proto { tcp, udp } from lo0:network to any port $udp_services
>> 15
>> 16 pass inet proto icmp all icmp-type $icmp_types
>> 17 pass from { lo0, $localnet } to any keep state
>
> First, no traffic will go out with these rules as is. Unless states and
> flows match perfectly, it won't happen.
Wrong.
>> a. Why do I need 12? I had expected 13 (which I don't seem to need).
>> Wouldn't 12 be for incoming requests from the Internet?
>
> I'm not sure what you're trying to do with 12 or 13. The ports (domain and
> ntp) will be the only traffic permitted to enter any interface on the
> firewall.
Wrong. ICMP echoreq and unreachable are passed (16), as is all traffic
of any kind from the localnet (17).
>> b. Given that ping works from my network (so that presumably routing
>> is okay), why doesn't anything else work? HTTP seems blocked by the
>> firewall.
>
> Don't presume. Think. You're passing ICMP types inward (req, unreach).
> That's it. I suspect you're not passing that traffic outbound otherwise.
Wrong. ICMP types are passed any direction. Traffic from localnet is
unrestricted.
>> c. How can I get pflog to flush immediately? I noticed I have to wait
>> a minute or so before logged lines show up.
>
> What syntax are you using to monitor it?
>
>> d. Any other pointers?
>
> Start over.
>
> I make no claims this works or will work for you. It's a simple rewrite of
> what you claimed to want (NAT for outbound traffic, for example).
>
> ext_if="sk0"
> int_if="sk1"
> udp_services="{ domain, ntp }"
>
> set skip on lo
> set block-policy return
> scrub in
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> block log
>
> pass out quick from $int_if to $int_if:network
> pass out quick from $ext_if to any
>
> pass in quick on $ext_if proto {tcp, udp} from any to ($ext_if) port $udp_services
> pass in quick on $int_if from $int_if:network to any
>
>
Go with Jason Dixon's ruleset unless you need to expose DNS and NTP on
your gateway to the world.
-HKS
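The thread leaves the gateway ruleset half-resolved: the original config passes everything from the LAN (rule 17) and also opens DNS and NTP on the outside interface (rule 12), while the rewrite still publishes those two services on $ext_if. The following pf.conf is an added example written for this page; it is not the ruleset of anyone in the thread. It keeps the interface names sk0/sk1 and the macros from the original post, uses the pre-4.7 "nat on" syntax the thread uses, and serves DNS and NTP to the LAN only. The ssh rule and the decision to refuse all other traffic to the gateway's own LAN address are this example's additions.

```pf
# Added example, not the ruleset of anyone in this thread.  sk0 faces the
# Internet, sk1 faces the LAN (names from the original post); pre-4.7 pf
# syntax as used above.  The ssh rule and the negated "to ! ($int_if)"
# forwarding rule are this example's choices, not something the thread states.

ext_if = "sk0"
int_if = "sk1"
localnet = $int_if:network
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

set skip on lo
set block-policy return
scrub in all

# Outbound NAT for the LAN.  The parentheses make pf re-read sk0's address
# whenever it changes (ISP DHCP), so the rule does not go stale.
nat on $ext_if from $localnet to any -> ($ext_if)

# Default deny, logged.  Without "quick" the last matching rule wins, so
# each "pass" below overrides this block only for the traffic it names.
block log all

# Services the gateway itself offers, passed in on $int_if only.  There is
# deliberately no "pass in on $ext_if ... port $udp_services", so nothing on
# the Internet can reach the resolver or the time server.
pass in on $int_if proto { tcp, udp } from $localnet to ($int_if) port $udp_services keep state
pass in on $int_if proto tcp from $localnet to ($int_if) port ssh keep state

# Forwarding: LAN hosts may go anywhere except to the gateway's own LAN
# address, which is reachable only through the two service rules above.
# (Traffic from the LAN aimed at the gateway's sk0 address is not caught by
# this negation; block it explicitly if the LAN is not trusted.)
pass in on $int_if from $localnet to ! ($int_if) keep state
# Everything leaving sk0, whether NATed LAN traffic or the gateway's own
# upstream DNS/NTP queries and package fetches.
pass out on $ext_if from ($ext_if) to any keep state
# The gateway talking to its LAN (DHCP offers, its own connections inward).
pass out on $int_if from ($int_if) to $localnet keep state

# ICMP echo and unreachable in both directions: ping works and path-MTU
# discovery is not broken by the firewall.
pass inet proto icmp all icmp-type $icmp_types keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Nothing is forwarded at all unless the kernel is told to route: the sysctl is `net.inet.ip.forwarding=1`, set with sysctl(8) and persisted in /etc/sysctl.conf. On question c, the one-minute lag is pflogd(8) flushing its log file on its default 60-second interval (its `-d` option changes that); to watch blocked packets as they happen, read the interface directly with `tcpdump -n -e -ttt -i pflog0` instead of the file.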