On Sun, 23 Sep 2018 12:21:36 +0800 Fung wrote:
> simple router built with OpenBSD
> WAN a.b.c.d
> LAN 192.168.0.1/24
> Unbound runs as a DNS cache on 127.0.0.1
>
>
> we want:
> no matter what DNS address a client PC is set to ( 8.8.8.8 or 9.9.9.9 ),
> all clients' DNS queries are redirected to the localhost cache in the
> router
>
>
> Can we achieve using pf.conf?
Yes, Fung: block everything in & out, then permit only what you want:
ext_if="blah"
lan_if="blah"
# NOTE: $bogon is used below but was not defined in this message;
# define a macro or table of bogon networks before loading this file.
set skip on lo
set block-policy drop
match in all scrub (random-id reassemble tcp)
match out on $ext_if inet \
        from $lan_if:network \
        to any \
        nat-to $ext_if
block in all
block in log on $ext_if
block return in on $lan_if
block return out
# DNS:
# Notify/query:
pass out on $ext_if inet proto {udp, tcp} \
        from $ext_if port > 1023 \
        to any port domain \
        user {_nsd, _unbound}
# Let LAN clients query us:
pass in on $lan_if inet proto {udp, tcp} \
        from $lan_if:network port > 1023 \
        to $lan_if port domain \
        user root \
        modulate state
# debug:
pass out inet proto {udp, tcp} \
        from any port > 1023 \
        to any port domain \
        group hostmasters
block in from no-route
block in from $bogon
block return out to $bogon
block on ! lo inet6
antispoof for {lo0, $lan_if, $ext_if} inet
Configure 'domain-name-servers' in dhcpd.conf(5).
Cheers,
--
Craig Skinner | http://linkd.in/yGqkv7
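The ruleset above only blocks and permits; Fung's question asked for clients that point at 8.8.8.8 or 9.9.9.9 to be transparently served by the router's own Unbound. The fragment below is an added example (not from Craig's message or the OpenBSD project) of how that redirection is expressed in pf.conf(5) with rdr-to. The interface names em0/em1 are assumptions; the LAN network and the 127.0.0.1 listener come from the question.

```pf
# Added example: force every LAN DNS query (UDP and TCP port 53) into the
# local Unbound cache, regardless of the resolver the client configured.
ext_if="em0"          # assumption: WAN interface
lan_if="em1"          # assumption: LAN interface
lan_net="192.168.0.0/24"
dns_cache="127.0.0.1" # Unbound listener from the question

set skip on lo

# Match before any other pass rule on $lan_if ("quick"). Logging lets you
# see which hosts are trying to reach external resolvers on their own.
pass in log quick on $lan_if inet proto { udp, tcp } \
        from $lan_net to any port domain \
        rdr-to $dns_cache port domain

# Everything else from the LAN is handled by the normal ruleset; the
# redirected packets are delivered locally and never leave via $ext_if.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)
```

Two things are needed for this to work in practice. First, the redirected queries still carry a 192.168.0.x source address, so Unbound's default access-control (which only allows localhost) would answer REFUSED; add `access-control: 192.168.0.0/24 allow` to unbound.conf(5). Second, rdr-to only catches plain port-53 traffic; a client using DNS over TLS (853) or DNS over HTTPS (443) is not redirected, so if the intent is policy enforcement rather than just caching, block outbound 853 from $lan_net as well and watch the log for clients that keep trying external resolvers.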