"Melameth, Daniel D." <[EMAIL PROTECTED]> writes: Thanks for the nifty summary. I want to pester you just a little more, then I'll get to work on this and see if I get really stuck somewhere.
> # Address translation for machines on your LAN
> nat on $ext_if from $int_if:network to any -> ($ext_if)

This looks like it's designed to allow my other boxes to be NATed to/from the OpenBSD box. But that won't be happening; that happens at the Netgear right now. I'm only wanting to aim the same network traffic at the OBSD box as hits the Netgear, not actually do anything with it such as NATing (only log, or handle the OBSD box's own traffic to/from the internet). I haven't googled on the mirror thing you mentioned yet, so maybe I'm not understanding what will happen when I enable sending traffic to OBSD from the Netgear box.

> # Block and log all traffic
> block log all

Well yeah, but this can get to be a lot of data very soon. I'd like to see just one general example of blocking all but logging only, say, ssh or a few other specific things. In my tinkerings it appeared that it matters a lot where the log flag appears in the syntax.

> # Allow internal machines to use the Internet
> pass out on $ext_if proto { tcp, udp, icmp } all keep state

Again, this won't be happening for the other machines, but I kind of figured something like this would be necessary for the OBSD box itself.

This all reminded me I meant to ask one thing about networking this. My net is currently all on 192.168.0/24. I'm wondering if this can all still be done in that network. That is, set both NICs on the OBSD box to that network, where one side talks to the NETGEAR and the other talks to the rest of the LAN. The first few rules in example1 from FAQ/PF appear to be applicable to make that happen. Some vars first:

  $ext_if=rl0 (192.168.0.19)
  $int_if=dc0 (192.168.0.18)
  $priv_nets=192.168.0/24

  block drop in quick on $ext_if from $priv_nets to any
  block drop out quick on $ext_if from any to $priv_nets

So some kind of adjustment would have to happen here, since the NETGEAR inside IF talking to the OBSD outside IF would both be $priv_nets.

I'm thinking I could just use actual IPs (NETGEAR and OBSD):

  sel_hosts = "{ 192.168.0.20, 192.168.0.19 }"
  nosel_hosts = "{ 192.168.0.4, 192.168.0.5 [...] }"

(Keep everybody but NETGEAR and OBSD box [sel_hosts] out of $ext_if traffic)

  block drop in quick on $ext_if from $nosel_hosts to any
  block drop out quick on $ext_if from any to $nosel_hosts

But I'm getting out of my league here already...
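A pf.conf sketch of the two things asked about in this message (a silent default deny that logs only ssh, and keeping the non-selected hosts off the Netgear-facing interface), added here as an illustration and not part of the original thread. The interface names, addresses and host macros reuse the values above; the ssh logging rule and the LAN-side pass rule are my assumptions.

```pf
# Added illustration, not from the thread. Macros reuse the values given above.
ext_if = "rl0"        # 192.168.0.19, faces the Netgear
int_if = "dc0"        # 192.168.0.18, faces the rest of the LAN
# Hosts that must never show up on $ext_if (sample addresses from the message)
nosel_hosts = "{ 192.168.0.4, 192.168.0.5 }"

# Keep everybody except the Netgear and this box off the Netgear-facing side.
# "quick" makes these final: no later pass rule can override them.
block drop in  quick on $ext_if from $nosel_hosts to any
block drop out quick on $ext_if from any to $nosel_hosts

# Default deny WITHOUT "log". This is the quiet replacement for
# "block log all", which would write every dropped packet to pflog0.
block all

# Log only what matters. "log" goes between the direction and "quick";
# an otherwise identical rule without "log" is silent. Here: inbound
# ssh attempts against the box's external address, dropped and logged.
block in log quick on $ext_if proto tcp from any to ($ext_if) port ssh

# The OBSD box's own traffic to the internet; state lets the replies back in.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Assumption: admin ssh to the box from the LAN side only. Without "quick",
# this later pass rule is what wins over "block all" for that traffic.
pass in on $int_if proto tcp from $int_if:network to ($int_if) port ssh keep state

# Logged packets land on pflog0; watch them with:
#   tcpdump -n -e -ttt -i pflog0
```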