
Re: My firewall



Hi Peter,
I am a newbie as well, but after some time banging my
head against walls I came up with my own 'silly'
pf.conf rules. I have included my rules at the end of
this email. I removed the extra rules (I think all of
them) and all you have to do is change the variable
names to whatever you are using.
I hope it is going to be helpful. It can be used to
learn about macros as well.
Some comments:
- Don't use 'pass in all' as a default. You are totally
open.
- Check out the declaration of my network's macros.
Compare to yours.
- Opening ssh (port 22) directly on your firewall can
be an invitation for an attacker. Try to redirect it
to another machine rather than to your firewall.
For example:
ssh_ad = "192.168.1.22"
rdr on $ext_if proto tcp from any to $ext_ad port ssh -> $ssh_ad port ssh
Best of luck, J. Rivero
MTE Technology
mtechno.net
J. Rivero 
3629 203rd Street 
Langley, B.C. 
V3A6A6 
Tel. (604)-514-9092 
Cell (778) 839-3395
 --- R T <[email protected]> wrote: 
> Hello folks. I'm trying to get my OpenBSD 3.5 machine
> set up as a router. Here's the info so far:
> xl0  network card getting dhcp address from my isp
> ep1  network card hooked to my laptop  192.168.1.1
> netmask 255.255.255.0
> 
> The laptop is windows and has 192.168.1.2 as its ip.
> I can ping the laptop, and the laptop can ping the
> OpenBSD box, but so far I can't get the laptop onto
> the internet at all. My pf.conf is quite simple
> compared to some examples I've seen and I'm thinking
> it's too simple perhaps...
> 
> #       $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
> #  gatewolf rules (experimental)
> #
> ext_if="xl0"
> int_if="ep1"
> internal_net="10.1.1.1/8"
> external_addr="192.168.1.1"
> 
> # Filtering: the implicit first two rules are
> pass in all
> pass out all
> 
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> block in log all
> pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass  out on $ext_if proto { tcp, udp } all keep state
> 
> # pass incoming packets destined to the addresses given in table <foo>.
> pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
> 
> # My silly rules
> pass in  on xl0 all
> pass out on xl0 all
> pass in  on ep1  all
> pass out on ep1  all
> 
> any ideas as to what I have done wrong folks?
> Thanks...
> 
> 
>  
pf.conf
#################################################################
# macro definitions
#################################################################
# ext_if -- external interface, connects the firewall to the
#           outside world
# prv_if -- private interface, connects the private network
#           segment to the firewall
#################################################################
ext_if = "rl0"
prv_if = "rl1"
#################################################################
# ext_ad -- the IPv4 address of the ext_if external interface
# prv_ad -- the range of IPv4 addresses on the private network
# int_net -- Internal subnets
#################################################################
# "rl0/32": an interface name used as an address is resolved when the
# ruleset is loaded, so reload the rules if the address changes (on a
# DHCP interface, "($ext_if)" tracks address changes automatically)
ext_ad = $ext_if "/32"
prv_ad = "192.168.0.0/24"
# int_net and nonroutable are defined here but not referenced by any
# rule below
int_net = "{ 192.168.0.0/24, 10.0.0.0/24 }"
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, \
                 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, \
                 204.152.64.0/23, 224.0.0.0/3 }"
#################################################################
# options: "set"
#################################################################
set limit { frags 10000, states 10000 }
set loginterface $ext_if
set block-policy return
# table containing all the IP addresses assigned to the firewall
# (also unused by the rules below)
table <firewall> const { self }
scrub in  all fragment reassemble
scrub out all fragment reassemble
#################################################################
# NAT rules: "rdr", "nat", "binat"
#################################################################
nat on $ext_if from $prv_ad to any -> $ext_ad
#################################################################
# filtering
#################################################################
# default deny in both directions; everything below is an exception
block all
antispoof quick for $prv_if inet
# filter rules for ext_if: only connections initiated from inside,
# with state, so nothing unsolicited gets in from the outside
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# filter rules for prv_if: the private network may initiate anything
pass in  on $prv_if from $prv_ad to any keep state
pass out on $prv_if from any to $prv_ad keep state
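As an added example (editor-supplied, not part of either poster's message), here is the ruleset above adapted to the interfaces in R T's post: xl0 gets its address from the ISP by DHCP, ep1 is 192.168.1.1/24 and the laptop is 192.168.1.2. Two things in the original ruleset stand out from the post itself: it contains no nat rule, so the laptop's 192.168.1.2 packets would leave xl0 untranslated even if they were passed, and its macros (internal_net="10.1.1.1/8", external_addr="192.168.1.1") do not describe the network as posted. The version below uses ($ext_if) so pf follows the DHCP address, starts from a default deny instead of "pass in all", and includes the ssh redirect suggested in the reply. The address of the host that should receive ssh (ssh_host) is an assumption. A router also needs net.inet.ip.forwarding=1 in /etc/sysctl.conf; the file can be syntax-checked with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf.

```pf
# Added example ruleset for the interfaces in the original post
# (xl0 = ISP via DHCP, ep1 = 192.168.1.1/24 to the laptop).
# Editor-supplied; not a ruleset posted by either author.
ext_if  = "xl0"
int_if  = "ep1"
int_net = "192.168.1.0/24"
ssh_host = "192.168.1.2"   # assumption: internal host that should get ssh

set block-policy return
set loginterface $ext_if

scrub in all

# NAT for the LAN. Parentheses make pf re-read the interface address
# whenever it changes, which is what a DHCP-assigned xl0 needs.
nat on $ext_if from $int_net to any -> ($ext_if)

# Send inbound ssh to an internal host instead of the firewall itself.
# Translation happens before filtering, so the pass rule at the bottom
# must match the translated destination ($ssh_host), not xl0's address.
rdr on $ext_if proto tcp from any to ($ext_if) port ssh -> $ssh_host port ssh

# Default deny. In pf the last matching rule wins, so the "pass ... all"
# rules at the end of the original ruleset overrode every block above
# them; here nothing after the blocks is broader than intended.
block in  log all
block out log all

pass quick on lo0 all
antispoof quick for { lo0, $int_if } inet

# Outbound to the Internet: connections started by the firewall or
# (after NAT) by the LAN, tracked with state.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# LAN side: the LAN may initiate anything, replies flow back.
pass in  on $int_if from $int_net to any keep state
pass out on $int_if from any to $int_net keep state

# The only unsolicited inbound traffic accepted on the outside is the
# ssh that rdr already pointed at ssh_host; pf completes the TCP
# handshake itself before the internal host sees the connection.
pass in on $ext_if inet proto tcp from any to $ssh_host port ssh \
    flags S/SA synproxy state
```

After loading, "pfctl -sr" shows the expanded rules and "pfctl -ss" the state table; a laptop connection that reaches the Internet should appear there as a state on xl0 with the translated source address.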