
Re: newbie advice question - pf in front of multiple comps...

Hello Bob,

A good place to start, IMO, is https://solarflux.org/pf/
There you can find a lot of examples regarding pf. You can use them as a template and then customize them to your own needs.

Another good reference is the PF guide at: http://www.openbsd.org/faq/pf/index.html

There are a lot of ways to do what you are looking for, but clearly it is not necessary to assign alias interfaces on your gateway and/or firewall to do that. You can use two NICs to do it. You could bridge your interfaces as well.

Short example:

Internet -> fxp0 - OpenBSD - fxp1 -> YOUR_NETWORK


IP_RANGE   = "{ xxx.xxx.xxx.0/16 ... ... ... }"   # a macro holding several addresses needs braces, or "$IP_RANGE" expands to a syntax error
WWW_SERVER = "{ xxx.xxx.xxx.xxx/32 ... .. ... }"
BAD_HOSTS  = "{ xxx.xxx.xxx.xxx/24 xxx.xxx.xxx.xxx/32 ... .... }"

# pre-OpenBSD 4.7 syntax; on 4.7 and later use "match in all scrub (no-df)" and "match out all scrub (random-id)"
scrub in all
scrub out all random-id

# pf is last-match-wins, so without "quick" the pass rules below would override this block for matching traffic
block in quick from $BAD_HOSTS to any

pass in quick from $IP_RANGE to any keep state
pass in proto tcp from any to $WWW_SERVER port = 80 synproxy state


I hope this gave you the idea.
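To show the two-NIC layout from the reply as a complete ruleset, here is an added example of a full /etc/pf.conf for a firewall routing a public block to the colo hosts. It is not code from the original reply. The interface names fxp0/fxp1 come from the diagram above; the /28 block size, the 203.0.113.0/28, 198.51.100.0/24 and 192.0.2.0/24 addresses (RFC 5737 documentation ranges used as placeholders), the choice of which hosts run httpd and the admin network are all assumptions made for the example. It uses OpenBSD 4.7-or-later syntax (match/scrub), while the snippet in the reply uses the older scrub form.

```pf
# Added example /etc/pf.conf (hypothetical addresses, OpenBSD 4.7+ syntax).
#
# Assumed layout:
#   Internet -> fxp0 (provider-assigned uplink address) - OpenBSD - fxp1 (203.0.113.1/28) -> colo hosts 203.0.113.2-.7
#
# The provider routes 203.0.113.0/28 to our fxp0 address and this box forwards it,
# so /etc/sysctl.conf needs net.inet.ip.forwarding=1. No nat or rdr is involved:
# every host keeps its own public address, the firewall only filters in between.

ext_if      = "fxp0"
int_if      = "fxp1"
colo_net    = "203.0.113.0/28"
www_servers = "{ 203.0.113.2, 203.0.113.3 }"   # the two machines running httpd (assumed)
admin_net   = "198.51.100.0/24"                # hypothetical office network allowed to ssh in

# blocklist as a table: change it at runtime with pfctl -t bad_hosts -T add/delete
table <bad_hosts> persist { 192.0.2.0/24 }

set skip on lo
match in  all scrub (no-df)
match out all scrub (random-id)

# Default deny in both directions. pf is last-match-wins, so a later "pass"
# overrides this unless a rule is marked "quick".
block log all

# Blocklisted sources and spoofed source addresses are dropped before any
# pass rule can match; antispoof also drops packets arriving on fxp0 that
# claim a 203.0.113.0/28 source.
block in quick on $ext_if from <bad_hosts> to any
antispoof quick for { $ext_if $int_if }

# The colo hosts may initiate anything outbound; state lets the replies back in.
pass in  on $int_if from $colo_net to any
pass out on $ext_if from $colo_net to any

# Inbound from the Internet: only the listed services reach the hosts.
# synproxy makes pf complete the TCP handshake before the web server sees it.
pass in on $ext_if proto tcp from any to $www_servers port { 80, 443 } synproxy state
pass in on $ext_if proto tcp from $admin_net to $colo_net port 22
pass in on $ext_if inet proto icmp to $colo_net icmp-type { echoreq, unreach, timex }

# Forwarded traffic also has to leave on the inside interface.
pass out on $int_if from any to $colo_net

# The firewall itself: ssh from the admin net, and its own outbound traffic.
pass in  on $ext_if proto tcp from $admin_net to ($ext_if) port 22
pass out on $ext_if from ($ext_if) to any

# Bridge alternative (the other option the reply mentions): leave fxp0 and fxp1
# without addresses, run "ifconfig bridge0 create; ifconfig bridge0 add fxp0 add fxp1 up",
# and keep the same pass/block rules, since pf still filters on the member
# interfaces. IP forwarding is not needed then, but the antispoof and ($ext_if)
# rules above assume addressed interfaces and must be adjusted.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; a typo in a macro name or a missing brace is reported there instead of after the ruleset is live. Note that the second httpd host needs nothing special: because both addresses are public and routed, the firewall just lists them both in $www_servers instead of using rdr to pick one.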



I'm sorry for the newbie advice question.
I've run OpenBSD for a couple of years, and pf as well,
performing straight forward NAT, rdr, etc....  all
with the firewall having one public internet routable
address, and multiple machines behind with private

However, someone at my work wants me to install a
firewall at a colo site - in front of say, six
machines, all with public internet routable

So - I know this is likely a really stupid question,
but how do I manage this?  Does the firewall have a
bunch of aliased IP addresses and rdr respectively to
private addresses behind?  Is BGP (which I know nothing
about yet) something that I need/should be using?

Another thing of note, some of these machines will be
running similar services, such as two different
machines running httpd...

Sorry - please point me to the correct section I've
missed in the FAQ, or something I can research more.

