SolarfluX
June 5th, 2003, 20:51
Post links to your pf.conf and ruleset expansion (pfctl -sr) here. If you don't have a site to host them on, post them here or visit #pf on irc.freenode.net to find out how to submit them to the pf-r (https://solarflux.org/pf/).

SolarfluX
June 13th, 2003, 17:39
Still waiting...

:wink:

thedude
June 14th, 2003, 13:13
This is setup for a small home LAN already behind a Linksys router running NAT (my landlord's). The OpenBSD firewall or should I say bridge is in betwen my landlord's Linksys router and my Linksys router/WAP. Note, that in order to run a link from OpenBSD to a Linksys router you cannot use the WAN or "uplink"ports on the Linksys. Any comments on my pf.conf are welcome.
***I would not have been able to get this up and running w/out screamingelectron.org.***






#Interfaces
external = "xl0"
internal = "vr0"
private = "{ 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8,192.168.1.0/24, 192.168.0.0/24, 255.255.255.255/32 }"

#Options
set optimization aggressive

#Scrub
scrub in all fragment reassemble
scrub out all

#Nat
nat on $external from 192.168.2.0/24 to any -> $external

#That which is not expressly permitted is denied
block in on $external all

#Landlord's router
pass in quick on $external from 192.168.1.1 to any keep state

#Block non-routable addresses
block in quick on $external from $private to any
block out quick on $internal from any to $private

#Block and reset connection on auth requests
block return-rst in on $external proto tcp from any to any port = auth flags S/S

#block all outgoing except traffic that we've initiated from behind
#the firewall and are keeping state on -> all legit traffic
block out on $external all
pass out on $external inet proto tcp all flags S/SA keep state
pass out on $external inet proto { udp, icmp } all keep state