June 5th, 2003, 20:51
Post links to your pf.conf and ruleset expansion (pfctl -sr) here. If you don't have a site to host them on, post them here or visit #pf on to find out how to submit them to the pf-r (

June 13th, 2003, 17:39
Still waiting...


June 14th, 2003, 13:13
This is setup for a small home LAN already behind a Linksys router running NAT (my landlord's). The OpenBSD firewall or should I say bridge is in between my landlord's Linksys router and my Linksys router/WAP. Note, that in order to run a link from OpenBSD to a Linksys router you cannot use the WAN or "uplink" ports on the Linksys. Any comments on my pf.conf are welcome.
***I would not have been able to get this up and running w/out***

external = "xl0"
internal = "vr0"
private = "{,,,,, }"

set optimization aggressive

scrub in all fragment reassemble
scrub out all

nat on $external from to any -> $external

#That which is not expressly permitted is denied
block in on $external all

#Landlord's router
pass in quick on $external from to any keep state

#Block non-routable addresses
block in quick on $external from $private to any
block out quick on $internal from any to $private

#Block and reset connection on auth requests
block return-rst in on $external proto tcp from any to any port = auth flags S/S

#block all outgoing except traffic that we've initiated from behind
#the firewall and are keeping state on -> all legit traffic
block out on $external all
pass out on $external inet proto tcp all flags S/SA keep state
pass out on $external inet proto { udp, icmp } all keep state
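The ordering point in the ruleset above, as an added example that is not from the thread: pf evaluates rules top to bottom and the last matching rule wins, except that a matching rule marked quick ends evaluation at once, so the landlord's pass quick rule takes effect before the private-address block even if that router has an RFC 1918 address (as a LAN behind a NAT router normally does). The addresses below are constructed placeholders, since the post's own addresses did not survive; the model matches on direction, interface and source address only.

```python
# Added example (not from the thread): a minimal model of pf's rule
# evaluation for the posted ruleset. Rules are checked top to bottom, the
# LAST matching rule wins, unless a matching rule says "quick", which
# stops evaluation immediately. All addresses are constructed placeholders.
import ipaddress

LANDLORD = [ipaddress.ip_network("192.168.1.1/32")]   # placeholder for the landlord's router
PRIVATE = [ipaddress.ip_network(n) for n in            # assumed contents of $private
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# (action, direction, interface, quick, source networks the rule matches)
RULES = [
    ("block", "in",  "xl0", False, ANY),       # block in on $external all
    ("pass",  "in",  "xl0", True,  LANDLORD),  # pass in quick ... from <landlord>
    ("block", "in",  "xl0", True,  PRIVATE),   # block in quick ... from $private
    ("block", "out", "xl0", False, ANY),       # block out on $external all
    ("pass",  "out", "xl0", False, ANY),       # pass out ... keep state
]

def evaluate(rules, direction, iface, src):
    """Return the action pf would take for a packet with this source address."""
    src = ipaddress.ip_address(src)
    decision = "pass"          # pf's implicit default when no rule matches
    for action, rdir, riface, quick, nets in rules:
        if rdir != direction or riface != iface:
            continue
        if not any(src in net for net in nets):
            continue
        decision = action      # later matches override earlier ones ...
        if quick:
            break              # ... unless the match is quick
    return decision

def landlord_blocked_if_private_rule_first():
    """Same rules with the $private block moved above the landlord pass."""
    reordered = [RULES[0], RULES[2], RULES[1], RULES[3], RULES[4]]
    return evaluate(reordered, "in", "xl0", "192.168.1.1")

if __name__ == "__main__":
    for src in ("192.168.1.1", "10.0.0.5", "198.51.100.7"):
        print("in on xl0 from", src, "->", evaluate(RULES, "in", "xl0", src))
    print("landlord with private block first ->", landlord_blocked_if_private_rule_first())
```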