1. You need to enable routing on your BSD box: edit /etc/sysctl.conf and change the 0 (zero) to 1:

net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets

In order to enable routing without restarting the BSD box, type:

sysctl -w net.inet.ip.forwarding=1

On Mon, Feb 23, 2009 at 8:58 PM, Hilco Wijbenga <hilco.wijbe...@gmail.com> wrote:
> Hi all,
>
> I've been trying to get a simple firewall system up-and-running in
> OpenBSD. I have "The Book of PF" and "Secure Architectures
> with OpenBSD" so I thought it would be very simple. Well, we're two
> weeks later now and still no firewall. :-) The pf rules I found in
> those books don't seem to work as I expected them to work.
>
> Before I list my current pf.conf, let me give a few more details. My
> firewall will be running a few services for my network (DHCP, NTP, and
> DNS). I need to use NAT to get my own network Internet access. DHCP
> works. I seem to have managed to get DNS (maradns on lo0 and sk1) and
> ICMP working.
>
> /etc/pf.conf
> 01 ext_if = "sk0"
> 02 int_if = "sk1"
> 03 localnet = $int_if:network
> 04 internet = $ext_if:network
> 05 udp_services = "{ domain, ntp }"
> 06 icmp_types = "{ echoreq, unreach }"
> 07
> 08 nat log on $ext_if from $localnet to any -> ($ext_if)
> 09
> 10 block log all
> 11
> 12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
> 13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
> 14 pass quick inet proto { tcp, udp } from lo0:network to any port $udp_services # lo0 is an interface name, not a macro, so no "$"
> 15
> 16 pass inet proto icmp all icmp-type $icmp_types
> 17 pass from { lo0, $localnet } to any keep state
>
> a. Why do I need 12? I had expected 13 (which I don't seem to need).
> Wouldn't 12 be for incoming requests from the Internet?
> b. Given that ping works from my network (so that presumably routing
> is okay), why doesn't anything else work? HTTP seems blocked by the
> firewall.
> c. How can I get pflog to flush immediately? I noticed I have to wait
> a minute or so before logged lines show up.
> d. Any other pointers?
>
> Cheers,
> Hilco
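As an added example that is not part of this thread (neither the reply above nor Hilco's post), here is a complete /etc/pf.conf for the gateway described in the quoted message, written in the pre-OpenBSD-4.7 syntax the thread uses (translation rules before filter rules). It assumes the interface names and service lists from the quoted pf.conf, and that net.inet.ip.forwarding=1 has been set as the reply says. The point it illustrates is why the quoted ruleset passes ping but not HTTP: in pf of that era translation is evaluated before filtering, so a LAN packet leaving on $ext_if already carries ($ext_if)'s address as its source, and a rule written "from $localnet" can never match it on the way out; only the ICMP rule, which has no address constraint, lets anything through there.

```pf
# Added example, not the thread's own configuration.  Pre-4.7 pf syntax:
# macros, options, translation rules, then filter rules.
ext_if = "sk0"
int_if = "sk1"
localnet = $int_if:network
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

set skip on lo0                   # never filter loopback; replaces the quoted line 14

# Translation happens before filtering: when a LAN packet leaves on $ext_if
# its source is already ($ext_if)'s address, so "from $localnet" cannot
# match it on that interface.
nat on $ext_if from $localnet to any -> ($ext_if)

block log all                     # default deny in both directions
antispoof quick for $int_if       # LAN addresses must arrive on $int_if only

# DNS and NTP that the gateway itself serves to the LAN.  "self" expands to
# all of the gateway's own addresses.  This is a subset of the general LAN
# rule below and only matters if that rule is later narrowed.
pass in quick on $int_if inet proto { tcp, udp } \
    from $localnet to self port $udp_services keep state

# Echo requests and unreachables in both directions; state carries the replies.
pass inet proto icmp all icmp-type $icmp_types keep state

# LAN hosts may initiate anything.  The state created here also lets the
# replies back out on $int_if.
pass in on $int_if from $localnet to any keep state

# The translated LAN traffic and the gateway's own traffic leaving on
# $ext_if.  Without this the outbound TCP/UDP is dropped by "block all",
# which is the "ping works, HTTP does not" symptom.  modulate state gives
# the outbound TCP connections strong initial sequence numbers.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    flags S/SA modulate state
pass out on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. Note that the quoted line 12 ("from $internet") only ever matched hosts on $ext_if's own subnet, because $ext_if:network expands to that directly connected network and not to "the Internet". On the logging delay: pflogd(8) writes its file in batches, flushing every 60 seconds by default; pflogd -d takes a shorter delay in seconds, and tcpdump -n -e -ttt -i pflog0 shows logged packets as they happen.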