tarballed
August 14th, 2002, 01:52
Hello everyone. Back again, with a question.
I'm about to make my OpenBSD Firewall/Gateway go live and I want to make sure I have all the bases covered before I turn it on. I wanted to post some information; let me know if I'm missing anything or if something is wrong.
Going to post my PF.CONF and NAT.CONF rules. Also going to post my /etc/hostname files as well, make sure I have everything correct.
Without further ado:
----------------------PF.CONF-------------------------------------
# Define useful variables
ext_if="dc0" # External Interface
int_if="dc1" # Our internal network range 192.168.1.0/24
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255 }"
# Clean up fragmented and abnormal packets
scrub in all
# don't allow anyone to spoof non-routeable addresses
block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs
# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ext_if all
# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out on $ext_if all
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto udp all keep state
pass out on $ext_if inet proto icmp all keep state
--------------------NAT.CONF--------------------------------
ext_if = "dc0"
nat on $ext_if inet from 192.168.1.0/24 to any -> $ext_if
-------------------hostname files----------------
/etc/hostname.dc0
dhcp NONE NONE NONE
/etc/hostname.dc1
inet 192.168.1.1 255.255.255.0 NONE media autoselect
Look good? Missing anything? Suggestions?
I appreciate everyone's input. Please feel free to make comments or suggestions. I do appreciate it very much.
Thanks everyone.
Tarballed
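Since the post asks whether anything is wrong, here is a small check, added here and not part of the original thread, that scans pf.conf/nat.conf text for $macro references that were never defined. pfctl refuses to load such a file, and macro names are case-sensitive, so a $Ext_if reference does not resolve to an ext_if definition. The sample input is the configuration from the post, reproduced with its original spelling; the regexes and function names are this example's own.

```python
import re

# Macro definitions (name = "value") and $name references, as pf.conf(5) writes them.
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')

# Sample input: the rules from the post above, including the $Ext_if spelling.
PF_CONF = """\
ext_if="dc0" # External Interface
int_if="dc1" # Our internal network range 192.168.1.0/24
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255 }"
scrub in all
block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs
block in on $ext_if all
block out on $ext_if all
pass out on $Ext_if inet proto tcp all flags S/SA keep state
pass out on $Ext_if inet proto udp all keep state
pass out on $Ext_if inet proto icmp all keep state
"""
NAT_CONF = """\
ext_if = "dc0"
nat on $ext_if inet from 192.168.1.0/24 to any -> $Ext_if
"""

def check_macros(text):
    """Return (defined, problems). defined maps macro name -> line number;
    problems lists (line, name, hint) for every $name not defined earlier in
    the file. Names are case-sensitive, as pfctl treats them, so $Ext_if is
    not $ext_if; the hint points at a definition that differs only in case."""
    defined, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # '#' starts a comment to end of line
        m = MACRO_DEF.match(line)
        if m:
            defined[m.group(1)] = lineno      # record before scanning the value
        for name in MACRO_REF.findall(line):
            if name in defined:
                continue
            near = [d for d in defined if d.lower() == name.lower()]
            hint = f"did you mean ${near[0]}?" if near else "no similar macro defined"
            problems.append((lineno, name, hint))
    return defined, problems

if __name__ == "__main__":
    for label, text in (("pf.conf", PF_CONF), ("nat.conf", NAT_CONF)):
        for lineno, name, hint in check_macros(text)[1]:
            print(f"{label}:{lineno}: macro '{name}' not defined ({hint})")
```

Each file has its own macro namespace, so nat.conf needs its own ext_if definition, which the post already has.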