Hi, these simple rules work for me!
Remember how good the learning process is!
I hope this can help!
ext_if="vr0"
dmz_if="sis1"    # defined but not referenced by any rule below
int_if="sis0"
ext_ip="123.45.67.89"

# Silently drop blocked packets; don't filter on the loopback interface
set block-policy drop
set skip on lo

# Packet normalization
scrub in all
scrub out on $ext_if all random-id

# Translate everything leaving $ext_if that does not already carry the external address
nat on $ext_if from !($ext_if) -> $ext_ip

# Default deny on the internal and external interfaces (macros instead of literal names)
block in on { $int_if , $ext_if } all
block out on { $int_if , $ext_if } all

# Anything the firewall itself sends out creates state so replies get back in
pass out keep state

# Drop packets on lo and $int_if whose source address does not belong to that network
antispoof quick for { lo $int_if }

# Traffic entering from the LAN; TCP only on the initial SYN, state keeps the rest
pass in on $int_if inet proto tcp all flags S/SA keep state
pass in on $int_if inet proto udp all keep state
pass in on $int_if inet proto icmp all keep state
pass in on $int_if inet proto esp all keep state

# Traffic leaving through the external interface (already translated by the nat rule)
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto udp all keep state
pass out on $ext_if inet proto icmp all keep state
pass out on $ext_if inet proto esp all keep state
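Two things a reviewer notices in the ruleset above are the unused $dmz_if macro and the block rules that spell out sis0/vr0 literally instead of using the macros. The following lint is an added example, not code from the poster or from pf; it parses a pf.conf fragment (a constructed copy of the posted rules is embedded as input) and reports macros that are defined but never referenced and interface or address literals that appear in rules although a macro already names them.

```python
import re

# Constructed copy of the ruleset posted above (comments omitted), used as lint input.
RULESET = """\
ext_if="vr0"
dmz_if="sis1"
int_if="sis0"
ext_ip="123.45.67.89"
set block-policy drop
set skip on lo
scrub in all
scrub out on $ext_if all random-id
nat on $ext_if from !($ext_if) -> $ext_ip
block in on { sis0 , vr0 } all
block out on { sis0 , vr0 } all
pass out keep state
antispoof quick for { lo $int_if }
pass in on $int_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto tcp all flags S/SA keep state
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')
MACRO_REF = re.compile(r"\$([A-Za-z_]\w*)")

def lint(text):
    """Return a list of findings: unused macros and interface/address
    literals that appear in rules although a macro already names them."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    findings = []
    used = {name for r in rules for name in MACRO_REF.findall(r)}
    for name in macros:
        if name not in used:
            findings.append(f"macro ${name} defined but never used")
    for r in rules:
        for name, value in macros.items():
            # whole-token match so that e.g. 'sis0' does not match inside 'sis01'
            if re.search(rf"(?<![\w.$]){re.escape(value)}(?![\w.])", r):
                findings.append(f"literal {value!r} used instead of ${name}: {r}")
    return findings
```

Calling lint(RULESET) returns five findings for the posted rules: the unused $dmz_if macro and the four literal interface names in the two block lines.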
On Wed, Feb 25, 2009 at 8:39 PM, patrick keshishian <[email protected]> wrote:
> On Wed, Feb 25, 2009 at 5:15 PM, Jason Dixon <[email protected]> wrote:
> > On Wed, Feb 25, 2009 at 04:39:08PM -0800, patrick keshishian wrote:
> >> On Wed, Feb 25, 2009 at 4:07 PM, ropers <[email protected]> wrote:
> >> > 2009/2/25 patrick keshishian <[email protected]>:
> >> >> On Tue, Feb 24, 2009 at 9:48 PM, Hilco Wijbenga
> >> >> <[email protected]> wrote:
> >> >>> 2009/2/23 Jason Dixon <[email protected]>:
> >> >>>> ##########################################################
> >> >>>> 00 ext_if = "sk0"
> >> >>>> 01 int_if = "sk1"
> >> >>>> 02
> >> >>>> 03 set skip on lo
> >> >>>> 04
> >> >>>> 05 scrub in
> >> >>>> 06
> >> >>>> 07 nat on $ext_if from $int_if:network to any -> ($ext_if:0)
> >> >>>> 08
> >> >>>> 09 block in log all
> >> >>>> 10 pass in on $int_if inet keep state
> >> >>
> >> >> # I think you are missing a pass out on $ext_if rule
> >> >> 11 pass out on $ext_if
> >> >>
> >> >> w/o 11 all inbound packets are blocked by 09.
> >> >
> >> > Please correct me it I'm wrong, but my understanding is that Jason's
> >> > line 09 is only blocking packets that traverse interfaces in the
> >> > *inward* direction (i.e. from the attached networks (WAN and LAN)
> >> > *in*to the OpenBSD box). And I think that's why a "pass out" rule
> >> > would be unnecessary, as the default is to pass packets. Again, take
> >> > this with truckloads of salt; I could be wrong, but I trust Jason.
> >>
> >> You need states created for traffic passing through the pf firewall,
> >> specifically through the $ext_if to allow packets flowing back in,
> >> otherwise line 09 blocks those packets. I don't see where states would
> >> get created for outbound traffic with Jason's rule-set.
> >
> > Using floating states (the default), line 10 should suffice. But I
> > forgot to account for outbound DNS requests from the firewall itself.
> > Here is the same ruleset with the one extra rule. It shouldn't be
> > necessary for outbound traffic originating from $int_if:network, but it
> > won't hurt either.
>
> The floating states based on line 10 would be for pre-NAT sources on
> $int_if and wouldn't match any inbound packets on $ext_if. Unless I'm
> misunderstanding how NAT works with pf, there are no pass out rules
> that would create states for these packets:
>
> from pf.conf(5):
>
> Since translation occurs before filtering the filter engine will see
> packets as they look after any addresses and ports have been
> translated.
> Filter rules will therefore have to filter based on the translated address
> and port number. Packets that match a translation rule are only
> automatically passed if the pass modifier is given, otherwise they are
> still subject to block and pass rules.
> ...
> Translation rules apply only to packets that pass through the specified
> interface, and if no interface is specified, translation is applied to
> packets on all interfaces.
>
> --patrick