Hi all, I've been trying to get a simple firewall system up-and-running in OpenBSD. I have "The Book of PF" and "Secure Architectures with OpenBSD" so I thought it would be very simple. Well, we're two weeks later now and still no firewall. :-) The pf rules I found in those books don't seem to work as I expected them to work.
Before I list my current pf.conf, let me give a few more details. My firewall will be running a few services for my network (DHCP, NTP, and DNS). I need to use NAT to get my own network Internet access. DHCP works. I seem to have managed to get DNS (maradns on lo0 and sk1) and ICMP working.

/etc/pf.conf:

    01 ext_if = "sk0"
    02 int_if = "sk1"
    03 localnet = $int_if:network
    04 internet = $ext_if:network
    05 udp_services = "{ domain, ntp }"
    06 icmp_types = "{ echoreq, unreach }"
    07
    08 nat log on $ext_if from $localnet to any -> ($ext_if)
    09
    10 block log all
    11
    12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
    13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
    14 pass quick inet proto { tcp, udp } from lo0:network to any port $udp_services
    15
    16 pass inet proto icmp all icmp-type $icmp_types
    17 pass from { lo0, $localnet } to any keep state

a. Why do I need 12? I had expected 13 (which I don't seem to need). Wouldn't 12 be for incoming requests from the Internet?

b. Given that ping works from my network (so that presumably routing is okay), why doesn't anything else work? HTTP seems blocked by the firewall.

c. How can I get pflog to flush immediately? I noticed I have to wait a minute or so before logged lines show up.

d. Any other pointers?

Cheers,
Hilco
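For comparison, the following is the conventional layout for a two-interface NAT gateway in the same pf dialect the post uses (OpenBSD releases before 4.7, where translation is done with `nat` rules and filter rules are evaluated on each interface a packet crosses). This is an added example, not Hilco's configuration and not text from either book; it assumes the same interface names (sk0 outside, sk1 inside) and the same macros, and it is meant to show the rule structure, not to diagnose the ruleset above.

```pf
# Added example of a pre-4.7 pf NAT gateway ruleset (not the poster's config).
# Interface names and macros are assumed to match the post.
ext_if = "sk0"
int_if = "sk1"
localnet = $int_if:network
icmp_types = "{ echoreq, unreach }"

# Loopback is never filtered, so no rule for lo0 is needed further down.
set skip on lo0

# Rewrite the source of everything leaving the LAN for the Internet to the
# external interface's current address. The parentheses make pf re-read the
# address when it changes (e.g. a DHCP lease on sk0).
nat on $ext_if from $localnet to any -> ($ext_if)

# Default deny, logged, so every dropped packet appears on pflog0.
block log all

# LAN clients may open connections to anywhere, including the DNS and NTP
# services the gateway runs on its inside address. The state entry created
# here lets the replies back in without a separate rule.
pass in on $int_if from $localnet to any keep state

# Filtering on the outside interface happens after translation, so the source
# seen here is the gateway's own address, not $localnet. This rule covers both
# the translated LAN traffic and the gateway's own upstream DNS/NTP queries.
pass out on $ext_if keep state

# Ping and the ICMP errors needed for path MTU discovery, in both directions.
pass inet proto icmp all icmp-type $icmp_types keep state
```

`keep state` is the default on pass rules from OpenBSD 4.1 onward and is written out only for older releases. Check the file without loading it with `pfctl -nf /etc/pf.conf`. To watch logged packets as they are dropped rather than waiting for the log file, read the interface directly with `tcpdump -n -e -ttt -i pflog0`; the delay seen with /var/log/pflog comes from pflogd(8), which flushes the file every 60 seconds by default (adjustable with its `-d` option).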