On Mon, Feb 23, 2009 at 8:58 PM, Hilco Wijbenga
<[email protected]> wrote:
> Hi all,
>
> I've been trying to get a simple firewall system up-and-running in
> OpenBSD. I have "The Book of PF" and "Secure Architectures
> with OpenBSD" so I thought it would be very simple. Well, we're two
> weeks later now and still no firewall. :-) The pf rules I found in
> those books don't seem to work as I expected them to work.
>
> Before I list my current pf.conf, let me give a few more details. My
> firewall will be running a few services for my network (DHCP, NTP, and
> DNS). I need to use NAT to get my own network Internet access. DHCP
> works. I seem to have managed to get DNS (maradns on lo0 and sk1) and
> ICMP working.
>
> /etc/pf.conf
> 01 ext_if = "sk0"
> 02 int_if = "sk1"
> 03 localnet = $int_if:network
> 04 internet = $ext_if:network
> 05 udp_services = "{ domain, ntp }"
> 06 icmp_types = "{ echoreq, unreach }"
> 07
> 08 nat log on $ext_if from $localnet to any -> ($ext_if)
> 09
> 10 block log all
> 11
> 12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
> 13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
> 14 pass quick inet proto { tcp, udp } from $lo0:network to any port $udp_services
> 15
> 16 pass inet proto icmp all icmp-type $icmp_types
> 17 pass from { lo0, $localnet } to any keep state
>
> a. Why do I need 12? I had expected 13 (which I don't seem to need).
> Wouldn't 12 be for incoming requests from the Internet?

You need 12 because of 8. When you pass a DNS request out from your
localnet, 13 passes it in on int_if, but then it's natted BEFORE
traversing the egress PF rules. Jason Dixon's suggested rules bypass
this by not blocking outbound traffic to begin with.

> b. Given that ping works from my network (so that presumably routing
> is okay), why doesn't anything else work? HTTP seems blocked by the
> firewall.

Same NAT/PF issue as above. Your ICMP rule ignores source/destination
addresses, so it's not affected.

> c. How can I get pflog to flush immediately? I noticed I have to wait
> a minute or so before logged lines show up.

I think it's already been suggested, but if you want a live view,
tcpdump -i pflog0 rather than tailing pflog.

> d. Any other pointers?

Use Jason's suggested ruleset. Simpler is better.

>
> Cheers,
> Hilco
>
>

-HKS
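As an added example (not part of the thread, and not Jason's ruleset, which is not quoted here), the posted macros rewritten as directional rules using the same `nat on` syntax as the original file. The point it shows is the one in the reply above: because translation runs before the filter on $ext_if, the outbound rule has to match on interface and direction, not on a $localnet source address that NAT has already rewritten.

```pf
# Added example; same interfaces and macros as the posted /etc/pf.conf.
ext_if = "sk0"
int_if = "sk1"
localnet = $int_if:network
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

# Loopback carries only the box's own traffic; skip filtering it
# instead of writing rules against lo0:network.
set skip on lo0

# Translation happens before the "pass out" rules on $ext_if are
# evaluated, so a packet from $localnet leaving $ext_if already has
# ($ext_if)'s address as its source by the time the filter sees it.
nat log on $ext_if from $localnet to any -> ($ext_if)

# Default deny, logged to pflog0.
block log all

# LAN side: clients may reach the firewall's own DNS/NTP and anything
# beyond it; the state created here also carries the replies back.
pass in on $int_if inet proto { tcp, udp } from $localnet to any keep state
pass in on $int_if inet proto icmp from $localnet icmp-type $icmp_types keep state

# WAN side: match on direction only, never on the (translated) source.
# This is what rule 12 in the posted file was standing in for.
pass out on $ext_if inet proto { tcp, udp } all keep state
pass out on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Nothing is passed in on $ext_if, so only replies matching existing
# states get back in from the Internet.
```

Check it loads with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`, and watch what `block log` still drops with `tcpdump -n -e -ttt -i pflog0`.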
