Here are the five files inline:
This is /etc/pf.conf:
# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
# macros
ext_if="dc1"
int_if="dc0"
wir_if="ral0"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
auth_server = "127.0.0.1 port 8080"
table <authorized_hosts> { 10.0.0.2 }
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8 }"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
scrub out all
# nat/rdr
nat on $ext_if from !($int_if) -> ($ext_if:0)
nat on $ext_if from !($wir_if) -> ($ext_if:0)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $wir_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $wir_if proto tcp from !<authorized_hosts> to any port www -> \
$auth_server
# filter rules
block in log all
pass quick on { lo $int_if }
pass quick on { lo $wir_if }
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
antispoof quick for { lo $int_if }
antispoof quick for { lo $wir_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass in on $wir_if from <authorized_hosts> to any keep state
pass in on $wir_if proto tcp from !<authorized_hosts> to $auth_server
pass out on $int_if from any to $int_if:network keep state
pass out on $wir_if from any to <authorized_hosts> keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
This is /etc/dhcpd.conf:
# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network(s): 192.168.0.0/255.255.255.0 and 10.0.0.0/255.255.255.0
# Domain name: daemonized.net
# Default router(s): 192.168.0.1 and 10.0.0.1
# Addresses: 192.168.0.2 - 192.168.0.127 and 10.0.0.2 - 10.0.0.127
#
max-lease-time 300;
default-lease-time 120;
option domain-name "daemonized.net";
option domain-name-servers 192.168.1.1;
# internal interface
subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.1;
option broadcast-address 192.168.0.255;
range 192.168.0.2 192.168.0.127;
}
# wireless interface
subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option broadcast-address 10.0.0.255;
range 10.0.0.2 10.0.0.127;
}
This is /etc/rc.conf:
#!/bin/sh -
#
# $OpenBSD: rc.conf,v 1.104 2004/11/03 18:04:47 henning Exp $
# set these to "NO" to turn them off. otherwise, they're used as flags
routed_flags=NO # for normal use: "-q"
mrouted_flags=NO # for normal use: "", if activated
# be sure to enable multicast_router below.
bgpd_flags=NO # for normal use: ""
rarpd_flags=NO # for normal use: "-a"
bootparamd_flags=NO # for normal use: ""
rbootd_flags=NO # for normal use: ""
sshd_flags="" # for normal use: ""
named_flags=NO # for normal use: ""
rdate_flags=NO # for normal use: [RFC868-host] or [-n RFC2030-host]
timed_flags=NO # for normal use: ""
ntpd_flags=NO # for normal use: ""
isakmpd_flags=NO # for normal use: ""
mopd_flags=NO # for normal use: "-a"
apmd_flags=NO # for normal use: ""
dhcpd_flags="" # for normal use: ""
rtadvd_flags=NO # for normal use: list of interfaces
# be sure to set net.inet6.ip6.forwarding=1
route6d_flags=NO # for normal use: ""
# be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO # for normal use: interface
# be sure to set net.inet6.ip6.forwarding=0
# be sure to set net.inet6.ip6.accept_rtadv=1
lpd_flags=NO # for normal use: "" (or "-l" for debugging)
sensorsd_flags=NO # for normal use: ""
hotplugd_flags=NO # for normal use: ""
# use -u to disable chroot, see httpd(8)
httpd_flags="" # for normal use: "" (or "-DSSL" after reading ssl(8))
# For normal use: "-L sm-mta -bd -q30m", and note there is a cron job
sendmail_flags=NO
spamd_flags=NO # for normal use: "" and see spamd-setup(8)
spamd_grey=NO # use spamd greylisting if YES
spamlogd_flags="" # use eg. "-i interface" and see spamlogd(8)
# Set to NO if ftpd is running out of inetd
ftpd_flags=NO # for non-inetd use: "-D"
# Set to NO if identd is running out of inetd
identd_flags=NO # for non-inetd use: "-b -elo"
# On some architectures, you must also disable console getty in /etc/ttys
xdm_flags=NO # for normal use: ""
# For enabling console mouse support (i386 and alpha only)
wsmoused_flags=NO # for ps/2 or usb mice: "", serial: "-p /dev/cua00"
# set the following to "YES" to turn them on
rwhod=NO
nfs_server=NO # see sysctl.conf for nfs client configuration
lockd=NO
amd=NO
pf=YES # Packet filter / NAT
portmap=NO # Note: inetd(8) rpc services need portmap too
inetd=YES # almost always needed
check_quotas=YES # NO may be desirable in some YP environments
krb5_master_kdc=NO # KerberosV master KDC. Run 'info heimdal' for help.
krb5_slave_kdc=NO # KerberosV slave KDC.
afs=NO # mount and run afs
# Multicast routing configuration
# Please look at netstart(8) for a detailed description if you change these
multicast_host=NO # Route all multicast packets to a single interface
multicast_router=NO # A multicast routing daemon will be run, e.g. mrouted
# miscellaneous other flags
# only used if the appropriate server is marked YES above
savecore_flags= # "-z" to compress
ypserv_flags= # E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags=NO # "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
amd_dir=/tmp_mnt # AMD's mount directory
amd_master=/etc/amd/master # AMD 'master' map
syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"
pf_rules=/etc/pf.conf # Packet filter rules file
pflogd_flags= # add more flags, ie. "-s 256"
afsd_flags= # Flags passed to afsd
shlib_dirs= # extra directories for ldconfig, separated
# by space
local_rcconf="/etc/rc.conf.local"
[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line
This is /etc/sysctl.conf:
# $OpenBSD: sysctl.conf,v 1.33 2004/09/22 17:49:39 hshoexer Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time. See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0 # 0=disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.tcp.rfc3390=1 # 1=Enable RFC3390 for TCP window increasing
#net.inet.esp.enable=0 # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0 # 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0 # 0=Disable ESP-in-UDP encapsulation
#net.inet.ipcomp.enable=1 # 1=Enable the IPCOMP protocol
#net.inet.tcp.ecn=1 # 1=Enable the TCP ECN extension
#ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
#ddb.console=1 # 1=Permit entry of ddb from the console
#fs.posix.setuid=0 # 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=1 # 1=Encrypt pages that go to swap
#vfs.nfs.iothreads=4 # number of nfsio kernel threads
#net.inet.ip.mtudisc=0 # 0=disable tcp mtu discovery
#kern.usercrypto=1 # 1=enable userland use of /dev/crypto
#kern.splassert=2 # 2=enable and verbose error messages.
#machdep.allowaperture=2 # See xf86(4)
#machdep.apmwarn=10 # battery % when apm status messages enabled
#machdep.apmhalt=1 # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1 # permit console CTRL-ALT-DEL to do a nice halt
#machdep.userldt=1 # allow userland programs to play with ldt,
# required by some ports
#kern.emul.aout=1 # enable running dynamic OpenBSD a.out bins
#kern.emul.bsdos=1 # enable running BSD/OS binaries
#kern.emul.freebsd=1 # enable running FreeBSD binaries
#kern.emul.ibcs2=1 # enable running iBCS2 binaries
#kern.emul.linux=1 # enable running Linux binaries
#kern.emul.svr4=1 # enable running SVR4 binaries
Finally this is /etc/resolv.conf:
nameserver 192.168.1.1
lookup file bind
Also, in pf, I think I have the correct services (tcp, ssh). I also
followed a trick from BSD Hacks about using the table <authorized_hosts>
to add IP addresses to a safe list that can access the list. Any
intruders will be redirected to a localhost web server that tells them
this is a private network. Suggestions? Help appreciated. Thanks.
Vivek
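The wireless gate in the ruleset above never actually consults the table: pf evaluates filter rules last-match-wins unless a rule says quick, and "pass quick on { lo $wir_if }" matches every packet on ral0 before the later <authorized_hosts> rules are reached, so an unauthorized client is redirected for port 80 but passed for everything else. Below is an added example (editor's illustration, not Vivek's posted configuration) of the ral0 side rewritten so that table membership is the only thing that opens the interface. Interface name, addresses, the auth server and the table's initial member are taken from the post; dns_server is the resolver handed out in the posted dhcpd.conf; the DHCP and DNS allowances for unauthorized clients are an assumption about the minimum a client needs before a browser can be redirected. The $ext_if side (outbound NAT and stateful pass out) is left as in the post and not repeated here.

```pf
# Added example, not the ruleset from the post: the ral0 gate with
# <authorized_hosts> as the sole decision point. Syntax matches the
# OpenBSD 3.x-era pf.conf used in the post (nat/rdr, explicit keep state).
wir_if="ral0"
auth_server="127.0.0.1 port 8080"
dns_server="192.168.1.1"                  # resolver from the posted dhcpd.conf
table <authorized_hosts> persist { 10.0.0.2 }

# rdr is applied before filtering: for an unauthorized client the filter
# rules below see 127.0.0.1 port 8080 as the destination, not the real site.
rdr on $wir_if proto tcp from !<authorized_hosts> to any port www -> $auth_server

block in log all
block out log all

# Loopback is passed before antispoof on purpose: antispoof also generates
# "block in from <ral0's own address>" on every interface, which would hit
# the gateway talking to itself over lo0 (caveat documented in pf.conf(5)).
pass quick on lo0
antispoof log quick for $wir_if

# Deliberately no "pass quick on $wir_if": that single rule passes every
# client on the interface before any table lookup can happen.

# Authorized clients: stateful access in both directions.
pass in  on $wir_if from <authorized_hosts> to any keep state
pass out on $wir_if from any to <authorized_hosts> keep state

# Unauthorized clients: only what is needed to reach the notice page.
# DHCP so they obtain a lease (assumption: replies may be broadcast, so an
# explicit out rule rather than relying on state), DNS so a browser resolves
# something, and the HTTP session that rdr already pointed at the local server.
pass in  on $wir_if proto udp from any port bootpc to any port bootps
pass out on $wir_if proto udp from any port bootps to any port bootpc
pass in  on $wir_if proto udp from !<authorized_hosts> to $dns_server port domain keep state
pass in  on $wir_if proto tcp from !<authorized_hosts> to $auth_server flags S/SA keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it, and manage the list at runtime with "pfctl -t authorized_hosts -T add 10.0.0.5", "-T delete" and "-T show". Two caveats a reviewer would raise: the table only holds IP addresses, so on a wireless network any client that observes an authorized host can adopt its address (and MAC) and inherit its access; OpenBSD's authpf(8) ties the table entry to an SSH login and removes it when the session ends, which is the supported way to do this. Separately, the posted ruleset lists 192.168.0.0/16 in priv_nets and drops outbound traffic to those networks on $ext_if, yet resolv.conf and dhcpd.conf both point at 192.168.1.1 for DNS; if that resolver sits beyond dc1, those two rules will discard every DNS query from the gateway and its clients.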