I'm a lurker on this mailing list, and I'm no master of pf, but I think the problem is that your block statement comes before all of your pass statements. In most firewall configurations, rules are processed until one matches and then no others are processed. So if the first rule that matches your packets is "block everything and log it", then that is all you will get. Try moving your block statement to the end of the pf.conf file.
Kevin

On Mon, Feb 23, 2009 at 7:58 PM, Hilco Wijbenga <hilco.wijbe...@gmail.com> wrote:
> Hi all,
>
> I've been trying to get a simple firewall system up-and-running in OpenBSD. I have "The Book of PF" and "Secure Architectures with OpenBSD" so I thought it would be very simple. Well, we're two weeks later now and still no firewall. :-) The pf rules I found in those books don't seem to work as I expected them to work.
>
> Before I list my current pf.conf, let me give a few more details. My firewall will be running a few services for my network (DHCP, NTP, and DNS). I need to use NAT to get my own network Internet access. DHCP works. I seem to have managed to get DNS (maradns on lo0 and sk1) and ICMP working.
>
> /etc/pf.conf
> 01 ext_if = "sk0"
> 02 int_if = "sk1"
> 03 localnet = $int_if:network
> 04 internet = $ext_if:network
> 05 udp_services = "{ domain, ntp }"
> 06 icmp_types = "{ echoreq, unreach }"
> 07
> 08 nat log on $ext_if from $localnet to any -> ($ext_if)
> 09
> 10 block log all
> 11
> 12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
> 13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
> 14 pass quick inet proto { tcp, udp } from lo0:network to any port $udp_services
> 15
> 16 pass inet proto icmp all icmp-type $icmp_types
> 17 pass from { lo0, $localnet } to any keep state
>
> a. Why do I need 12? I had expected 13 (which I don't seem to need). Wouldn't 12 be for incoming requests from the Internet?
> b. Given that ping works from my network (so that presumably routing is okay), why doesn't anything else work? HTTP seems blocked by the firewall.
> c. How can I get pflog to flush immediately? I noticed I have to wait a minute or so before logged lines show up.
> d. Any other pointers?
>
> Cheers,
> Hilco
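Added example, not Kevin's or Hilco's own config: Hilco's ruleset restated with an explicit direction and interface on each rule and `quick` on every pass rule, so the result does not depend on where `block log all` sits in the file. Interface names and services are taken from the post; the DHCP rule and the diagnostic commands in the trailing comments are additions.

```pf
# Added example, not the thread's own pf.conf. Assumes the poster's
# interfaces (sk0 external, sk1 internal) and the same service list.
ext_if = "sk0"
int_if = "sk1"
localnet = $int_if:network
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

# Loopback traffic is never filtered, so no lo0 rules are needed.
set skip on lo0

# NAT for the internal network; translation rules precede filter rules.
nat log on $ext_if from $localnet to any -> ($ext_if)

# Default deny. pf evaluates every rule and applies the LAST match,
# unless a matching rule carries "quick", which ends evaluation there.
# With "quick" on every pass rule below, the position of this block
# rule in the file does not change the outcome.
block log all

# Services this host offers to the LAN. DNS and NTP as listed; DHCP is
# an added rule (client port bootpc to server port bootps).
pass in quick on $int_if inet proto { tcp, udp } from $localnet to ($int_if) port $udp_services keep state
pass in quick on $int_if inet proto udp from any port bootpc to any port bootps keep state

# Let the LAN (and the firewall itself) reach the Internet. State
# entries admit the replies, so no "from $internet" rule is needed
# for return traffic.
pass in quick on $int_if inet from $localnet to any keep state
pass out quick on $ext_if inet from any to any keep state

# ICMP for diagnostics in both directions.
pass quick inet proto icmp all icmp-type $icmp_types keep state

# Checks (run as root):
#   pfctl -nf /etc/pf.conf        parse the file without loading it
#   pfctl -vsr                    show loaded rules with hit counters
#   tcpdump -n -e -ttt -i pflog0  watch logged packets in real time;
#                                 pflogd flushes /var/log/pflog only
#                                 every 60 s by default (pflogd -d N
#                                 shortens the interval).
```

The `tcpdump -i pflog0` line addresses question c: it reads the log records as they are produced, independent of pflogd's file-flush delay.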