Timo, If this box is going to be a firewall and you expect to pass packets from one interface to the other, you _MUST_ enable packet forwarding. Even if pf is set up correctly for your network, no packets will traverse between your internal and external networks unless packet forwarding is turned on.
You can see if ip.forwarding is set to on=1 or off=0 by typing "sysctl -a | grep ip.forward". If ip.forwarding is off you can manually enable it by typing "sysctl net.inet.ip.forwarding=1". This command will only take effect for this session and ip.forwarding will be set back to its previous setting on reboot.

OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html

--
Calomel @ http://calomel.org

On Thu, Oct 25, 2007 at 09:15:22AM +0300, Timo Myyr? wrote:
>Hi,
>
>I'm currently trying to configure a small home network:
>ADSL ----> Server / Firewall ----> Desktop
>
>Now I'm working on building a proper firewall for my server. So far the
>situation is the following:
>
>- Server's internet connection works
>- Desktop receives IP, nameserver and default route from server's
>DHCP service.
>- Desktop can connect to server by SSH but can't connect to anything beyond
>that.
>
>Server's fxp0 gets a dynamic IP from the ISP and fxp1 uses a static IP.
>
>What I need:
>- server running the most common services available to the public. Then some
>services available only to the LAN.
>- Desktop will only run games as a client and will use the server's private
>services
>
>Here's my current pf.conf:
>
>### MACROS ###
>ext_if="fxp0"
>lan_if="fxp1"
>server_ip="xxx.xxx.xxx.xxx"
>pri_ports="{ 20,21,22,25,80,110,113,123,443,2049,3306,6660,6669,6900:6999,8080 }" # Ports open on server to LAN
>pub_ports="{ 20,21,22,25,80,110,113,123,443,6900:6999,8080 }" # Ports open on server to internet
>game_ports="27000:27040"
>
>lan_ip="xxx.xxx.xxx.xxx"
>
>p180_ip="xxx.xxx.xxx.xxx"
>
>
>### TABLES ###
>table <spamd-white> persist
>table <intruders> persist
>table <badhosts> const { 10.0.0.0/8, 176.16.0.0/12, 192.168.0.0/16 }
>
>### OPTIONS ###
>set skip on lo
>set block-policy return
>
>set optimization normal
>
>set loginterface fxp0
>set limit { states 50000, frags 100000 } # Are these good limits, I have 4GB RAM?
>
>
>### TRAFFIC NORMALIZATION ###
>scrub in all fragment reassemble
>
>### BANDWIDTH MANAGEMENT ###
>
>
>### TRANSLATION ###
>nat-anchor "ftp-proxy/*"
>nat on $ext_if from !($ext_if) to any -> ($ext_if)
>
>
>### REDIRECTION ###
>rdr-anchor "ftp-proxy/*"
>rdr pass on $lan_if proto tcp to port ftp -> 127.0.0.1 port 8021
>rdr pass on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port 8025
>no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
>rdr on $ext_if inet proto {tcp,udp} from any to ($ext_if) port $game_ports -> $p180_ip
>rdr on $lan_if inet proto {tcp,udp} from $lan_ip to any -> ($ext_if)
>
>### ANCHORS ###
>anchor "ftp-proxy/*"
>
>### PACKET FILTERING ###
># Block rules
>block in all # Default to block all incoming and outgoing traffic
>block out all
>
># Antispoof
>antispoof quick log for { lo $lan_if }
>
># Incoming traffic
>pass in on $ext_if proto {tcp,udp} from port $game_ports to $p180_ip
>#pass quick on $lan_if no state
>
>pass in on $ext_if proto {tcp,udp} to ($ext_if) port $pub_ports
>pass in log on $lan_if proto {tcp,udp} from ($lan_if) port $pri_ports to $server_ip
>pass in on $lan_if proto {tcp,udp} from any to any keep state
>
># Outgoing traffic
>pass out log on $ext_if proto {tcp,udp} from ($ext_if) to port $pub_ports
>pass out on $ext_if proto {tcp,udp,icmp} from $lan_ip to any
>
>How do I change the pf.conf to allow desktop traffic to access the internet?
>I have tried some solutions like removing the default block rules but it
>still didn't work and I'm starting to run out of ideas.
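The forwarding check in the reply above, as an added example that is not from the post or from calomel.org. The one thing the reply leaves out is how to make the setting stick across reboots: OpenBSD reads /etc/sysctl.conf at boot, so the script edits that file idempotently. The sysctl output it parses is a constructed sample (in sysctl(8)'s "name=value" format) so the functions run offline; the --apply branch is what you would run on the gateway itself.

```shell
#!/bin/sh
# Added example (not Timo's config nor Calomel's): check whether
# net.inet.ip.forwarding is on and persist it in /etc/sysctl.conf.

# Print the value of one sysctl MIB from "name=value" lines on stdin
# (the format sysctl(8) prints on OpenBSD). Prints "missing" if absent.
sysctl_value() {
    awk -F= -v key="$1" '
        $1 == key { print $2; found = 1 }
        END { if (!found) print "missing" }'
}

# True when the sysctl output given as $1 shows forwarding enabled.
forwarding_enabled() {
    [ "$(printf '%s\n' "$1" | sysctl_value net.inet.ip.forwarding)" = 1 ]
}

# Make a sysctl survive a reboot: write "mib=val" into the given
# sysctl.conf, replacing an existing line for that MIB or appending one.
# Safe to run repeatedly.
persist_sysctl() {
    conf=$1 mib=$2 val=$3
    tmp=$(mktemp) || return 1
    if [ -f "$conf" ]; then
        grep -v "^${mib}=" "$conf" > "$tmp" || :
    fi
    printf '%s=%s\n' "$mib" "$val" >> "$tmp"
    mv "$tmp" "$conf"
}

# Constructed sample of `sysctl -a | grep forward` on a fresh install.
SAMPLE='net.inet.ip.forwarding=0
net.inet6.ip6.forwarding=0'

if [ "${1:-}" = --apply ]; then
    # Real run on the gateway: enable now, and persist for the next boot.
    if ! forwarding_enabled "$(sysctl net.inet.ip.forwarding)"; then
        sysctl net.inet.ip.forwarding=1
    fi
    persist_sysctl /etc/sysctl.conf net.inet.ip.forwarding 1
fi
```

Run it as `sh forward.sh --apply` as root on the firewall; without --apply it only defines the functions. Enabling forwarding does not by itself pass anything: pf still has to allow the traffic in on the LAN interface and out on the external one.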
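For the pf side of the question, here is the minimum a forwarding gateway needs, as an added example in the nat/rdr syntax of the 2007-era pf the post uses (OpenBSD before 4.7); it is not Timo's config and not Calomel's. Interface names follow the post; the LAN subnet is an assumption. Two points it illustrates that the posted config gets wrong: rdr rewrites the destination address, so the posted `rdr on $lan_if ... from $lan_ip to any -> ($ext_if)` sends every packet the desktop emits to the firewall itself, which alone produces "can reach the server but nothing beyond it"; and translation happens before outbound filtering, so a `pass out on $ext_if ... from $lan_ip` rule never sees the LAN address.

```pf
# Added example, not from the thread: minimal NAT gateway, pre-4.7 syntax.
ext_if="fxp0"
lan_if="fxp1"
lan_net="192.168.1.0/24"   # assumed LAN subnet

set skip on lo
set block-policy return
scrub in all

# nat rewrites the SOURCE of LAN traffic leaving the external interface.
# rdr rewrites the DESTINATION; used on $lan_if with "-> ($ext_if)" it
# would redirect everything the desktop sends to the firewall itself.
nat on $ext_if from $lan_net to any -> ($ext_if)

block in all
block out all
antispoof quick for { lo $lan_if }

# LAN -> gateway and beyond
pass in on $lan_if from $lan_net to any keep state

# By the time the packet is filtered on $ext_if its source is already
# ($ext_if), so match the translated address, not $lan_ip.
pass out on $ext_if from ($ext_if) to any keep state

# Services deliberately exposed on $ext_if (the post's $pub_ports rules)
# and LAN-only services on $lan_if go here; nothing else is passed in.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and remember that none of it moves a packet between fxp1 and fxp0 until net.inet.ip.forwarding=1 is set.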