August 14th, 2002, 01:52
Hello everyone. Back again, with a question.

I'm about to make my OpenBSD Firewall/Gateway go live and I want to make sure I have all the bases covered before I turn it on. I wanted to post some information and let me know if im missing anything or if something is wrong.

Going to post my PF.CONF and NAT.CONF rules. Also going to post my /etc/hostname files as well, make sure I have everything correct.

Without further adue:

# Define useful variables
ext_if="dc0" # External Interface
int_if="dc1" # Our internal network range
NoRouteIPs="{,,,, }"

# Clean up fragmented and abnormal packets
scrub in all

# don't allow anyone to spoof non-routeable addresses
block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs

# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ext_if all

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out on $ext_if all
pass out on $Ext_if inet proto tcp all flags S/SA keep state
pass out on $Ext_if inet proto udp all keep state
pass out on $Ext_if inet proto icmp all keep state

ext_if = "dc0"
nat on $ext_if inet from to any -> $Ext_if

-------------------hostname files----------------


inet NONE media autoselect

Look good? Missing anything? Suggestions?

I appreciate everyones input. Please feel free to make comments or suggestions. I do appreciate it very much.

Thanks everyone.


August 14th, 2002, 16:08
This looks real good to me tarballed. Looks like a simple yet effective default deny. The only thing I noticed was a typo in your nat.conf you have

Quoting Tarball:

ext_if = "dc0"
nat on $ext_if inet from to any -> $Ext_if

notice the Capital E on your nat line, Notice, your variable has a lowercase e.

Other than that I think you're set. Good Job.

August 14th, 2002, 16:10
Ahh yes. Thanks for pointing that out. have to make sure I didn't do that on my nat.conf file.

Appreciate it. I'll let you know how it goes...should be firing it up either tonight or tomorrow.

Thanks again.