On 11/09/2011 02:30 AM, David Walker wrote:
Mostaf Faridi<mostafafaridi () gmail ! com> wrote:
I want migrate from FreeBSD to OpenBSD , yesterday I install OpenBSD 5
amd64 and run samba server with OpenBSD and it work good . In first step I
run samba server with OpenBSD , and after this I want run NAT server with
OpenBSD .
Great.
And for start I want understand , is my PF.conf work in OpenBSD
or no ?
No.
Next question ...
What's the best way to get from there to OpenBSD 5.0 pf.conf?
Start from scratch.
If you can do all the other things (install, samba, etcetera) you can
start writing a pf.conf from scratch.
You should be writing one for the Samba server ... so you should look
upon this as an essential skill.
Besides, if somebody moves the network in the future (add a few
machines maybe) what will you do?
Follow the dots.
Get the pf.conf man page ...
Work out your macros ...
Hint, that's all the stuff from the old pf.conf with an "=".
Another hint, this is the entire macro text as it applies to you:
Macros can be defined that will later be expanded in context. Macro
names must start with a letter, and may contain letters, digits and
underscores. Macro names may not be reserved words (for example pass,
in, out). Macros are not expanded inside quotes.
For example:
ext_if = "kue0"
all_ifs = "{" $ext_if lo0 "}"
pass out on $ext_if from any to any
pass in on $ext_if proto tcp from any to any port 25
Next hint, the only difficult bit about that is "Macros are not
expanded inside quotes." and the use of quotes inside the braces ...
The $ should help you work that out.
Happy hint, that's half your work done in five minutes by copying and
pasting from your old pf.conf ...
In this case it's okay if you follow the dots - read the man page, if
it's the same syntax then it's the same syntax.
Work out your OPTIONS ...
Keep it really simple, for example in your old pf.conf you load
fingerprints but don't appear to use them.
Hint, you probably don't need any options at all to start (i.e.
default will be fine).
Do you understand your timeouts and limit? If not, don't use them.
Work out your TABLES ...
Or better yet don't use them until you have a working NAT system.
Hint, as near as I can tell ... you're not using any of the tables in
your pf.conf ...
Check that and then ... get rid of them.
Read the small section in the man page on "Translation" under PACKET
FILTERING - its a few pages down.
Look at the EXAMPLES for some ideas.
Write one NAT rule and one RDR rule, using your macros.
If you get stuck go here:
http://www.openbsd.org/faq/pf/nat.html#config
http://www.openbsd.org/faq/pf/rdr.html#filter
If you're still stuck go here:
http://www.openbsd.org/faq/pf/example1.html
Bear in mind that parts of the PF FAQ might be still in 4.9 and you want 5.0 ...
Someone else should be able to answer that but ... the man page will
give you an answer.
Once you've got that worked out ...
Do NAT and RDR for all your other macros ...
Test.
Then worry about all the other stuff.
If you can install and use OpenBSD you can learn pf or at least if you
won't learn pf you shouldn't be installing and using OpenBSD at least
not in a packet filtering role. :]
I hate Windows OS , and want only run all of my servers with BSD, specially
OpenBSD.
I only want my servers to run OpenBSD but I'm happy to use Windows on
the desktop.
Best wishes.
Thanks
all guys ,
I read documents about pf in OpenBSD and I think . when I want my
pf.conf work in OpenBSD 5 , I have to change it . and I change my pf
like this :
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
############################### MACROS
############################################################
ext_if = "sk0"
int_if = "re0"
External_net = "10.10.10.192/27"
Local_net = "192.168.0.0/24"
Local_Web = "192.168.0.10"
Local_Srv = "192.168.0.1"
Prtcol = "{ tcp, udp }"
Admin_IP = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types = "{ echorep, unreach, squench, echoreq, timex }"
#Define ports for common internet services
#TCP_SRV = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
#UDP_SRV = "{ 53 }"
TCP_SRV = "{ 80, 443 }"
UDP_SRV = "{ }"
Samba_TCP = "{ 139, 445 }"
Samba_UDP = "{ 137, 138 }"
SERVER = "10.10.10.200"
NAT1 = "10.10.10.194"
NAT2 = "10.10.10.195"
NAT3 = "10.10.10.196"
NAT4 = "10.10.10.197"
NAT5 = "10.10.10.198"
NAT6 = "10.10.10.199"
NAT7 = "10.10.10.201"
NAT8 = "10.10.10.202"
NAT9 = "10.10.10.203"
NAT10 = "10.10.10.204"
NAT11 = "10.10.10.205"
NAT12 = "10.10.10.206"
NAT13 = "10.10.10.207"
NAT14 = "10.10.10.208"
NAT15 = "10.10.10.209"
NAT16 = "10.10.10.210"
NAT17 = "10.10.10.211"
NAT18 = "10.10.10.212"
NAT19 = "10.10.10.213"
NAT20 = "10.10.10.214"
NAT21 = "10.10.10.215"
NAT22 = "10.10.10.216"
NAT23 = "10.10.10.217"
NAT24 = "10.10.10.218"
NAT25 = "10.10.10.219"
#### All IP of Groups which can be connect to Internet
paltalk1 = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2 = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3 = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28,
192.168.0.29 }"
webdsgn1 = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2 = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3 = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4 = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5 = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6 = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7 = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8 = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53,
192.168.0.54 }"
rased1 = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2 = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3 = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4 = "{ 192.168.0.69, 192.168.0.70 }"
rased5 = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202,
192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6 = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208,
192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7 = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214,
192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8 = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220,
192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224,
192.168.0.225 }"
admin1 = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2 = "{ 192.168.0.58, 192.168.0.59 }"
############################### TABLES
############################################################
#Define privileged network address sets
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12,
10.0.0.0/8, 0.0.0.0/8, \
14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23,
224.0.0.0/3 }
table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
table <hackers> persist file "/usr/local/pf/Network/hackers.lst"
#Define Favoured client hosts
table <Admin> persist file "/usr/local/pf/Network/Admin.lst"
table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
table <Rased> persist file "/usr/local/pf/Network/Rased.lst"
table <LocalHost> const { self }
############################### OPTIONS
############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound
############################### TRAFFIC NORMALIZATION
##############################################
#Filter traffic for unusual packets
scrub in all
############################### TRANSLATION
######################################################
#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER
match out on egress inet from !(paltalk1) to any nat-to (NAT1)
match out on egress inet from !(paltalk2) to any nat-to (NAT2)
match out on egress inet from !(paltalk3) to any nat-to (NAT3)
match out on egress inet from !(webdsgn1) to any nat-to (NAT4)
match out on egress inet from !(webdsgn2) to any nat-to (NAT5)
match out on egress inet from !(webdsgn3) to any nat-to (NAT6)
match out on egress inet from !(webdsgn4) to any nat-to (NAT7)
match out on egress inet from !(webdsgn5) to any nat-to (NAT8)
match out on egress inet from !(webdsgn6) to any nat-to (NAT9)
match out on egress inet from !(webdsgn7) to any nat-to (NAT10)
match out on egress inet from !(webdsgn8) to any nat-to (NAT11)
match out on egress inet from !(rased1) to any nat-to (NAT12:0)
match out on egress inet from !(rased2) to any nat-to (NAT13)
match out on egress inet from !(rased3) to any nat-to (NAT14)
match out on egress inet from !(rased4) to any nat-to (NAT15)
match out on egress inet from !(rased5) to any nat-to (NAT16)
match out on egress inet from !(rased6) to any nat-to (NAT17)
match out on egress inet from !(rased7) to any nat-to (NAT18)
match out on egress inet from !(rased8) to any nat-to (NAT19)
match out on egress inet from !(admin1) to any nat-to (NAT20)
match out on egress inet from !(admin2) to any nat-to (NAT21)
############################### PACKET FILTERING
#################################################
# Default Rule
pass quick on { $ext_if, $int_if } all keep state
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
much different is in NAT rule , and other things is simillar old pf.
I have 27 valid IPs or static IPs , and I have to put many lines in my
pf.conf
I want three invalid IPs assigned to one Valid or static IP. for example
if my valid IP is 10.10.10.1 , I need these IPs 192.168.0.1 ,
192.168.0.2 , 192.168.0.3 assigned to 10.10.10.1
this is my net work digram
|
|
|
------------|------------
10.10.10.192/27
external
OpenBSD pf firewall
internal
192.168.168.0.1/24
------------|------------
|
|
|
please help me to find my mistakes in this new pf.conf
I will use it OpenBSD 5 server .
if I have mistake or error in this pf.conf , please help me .
best wishes,
mfaridi
