Here are the five files inline.

This is /etc/pf.conf:

# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if="dc1"
int_if="dc0"
wir_if="ral0"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

auth_server = "127.0.0.1 port 8080"
table <authorized_hosts> { 10.0.0.2 }

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all
scrub out all

# nat/rdr
nat on $ext_if from !($int_if) -> ($ext_if:0)
nat on $ext_if from !($wir_if) -> ($ext_if:0)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $wir_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $wir_if proto tcp from !<authorized_hosts> to any port www -> \
    $auth_server

# filter rules
block in log all

pass quick on { lo $int_if }
pass quick on { lo $wir_if }

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

antispoof quick for { lo $int_if }
antispoof quick for { lo $wir_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    user proxy flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass in on $wir_if from <authorized_hosts> to any keep state
pass in on $wir_if proto tcp from !<authorized_hosts> to $auth_server

pass out on $int_if from any to $int_if:network keep state
pass out on $wir_if from any to <authorized_hosts> keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

This is /etc/dhcpd.conf:

# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network(s):        192.168.0.0/255.255.255.0 and 10.0.0.0/255.255.255.0
# Domain name:       daemonized.net
# Default router(s): 192.168.0.1 and 10.0.0.1
# Addresses:         192.168.0.2 - 192.168.0.127 and 10.0.0.2 - 10.0.0.127
#
max-lease-time 300;
default-lease-time 120;
option domain-name "daemonized.net";
option domain-name-servers 192.168.1.1;

# internal interface
subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    option broadcast-address 192.168.0.255;
    range 192.168.0.2 192.168.0.127;
}

# wireless interface
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option broadcast-address 10.0.0.255;
    range 10.0.0.2 10.0.0.127;
}

This is /etc/rc.conf:

#!/bin/sh -
#
#   $OpenBSD: rc.conf,v 1.104 2004/11/03 18:04:47 henning Exp $

# set these to "NO" to turn them off.  otherwise, they're used as flags
routed_flags=NO         # for normal use: "-q"
mrouted_flags=NO        # for normal use: "", if activated
                        # be sure to enable multicast_router below.
bgpd_flags=NO           # for normal use: ""
rarpd_flags=NO          # for normal use: "-a"
bootparamd_flags=NO     # for normal use: ""
rbootd_flags=NO         # for normal use: ""
sshd_flags=""           # for normal use: ""
named_flags=NO          # for normal use: ""
rdate_flags=NO          # for normal use: [RFC868-host] or [-n RFC2030-host]
timed_flags=NO          # for normal use: ""
ntpd_flags=NO           # for normal use: ""
isakmpd_flags=NO        # for normal use: ""
mopd_flags=NO           # for normal use: "-a"
apmd_flags=NO           # for normal use: ""
dhcpd_flags=""          # for normal use: ""
rtadvd_flags=NO         # for normal use: list of interfaces
                        # be sure to set net.inet6.ip6.forwarding=1
route6d_flags=NO        # for normal use: ""
                        # be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO         # for normal use: interface
                        # be sure to set net.inet6.ip6.forwarding=0
                        # be sure to set net.inet6.ip6.accept_rtadv=1
lpd_flags=NO            # for normal use: "" (or "-l" for debugging)
sensorsd_flags=NO       # for normal use: ""
hotplugd_flags=NO       # for normal use: ""
# use -u to disable chroot, see httpd(8)
httpd_flags=""          # for normal use: "" (or "-DSSL" after reading ssl(8))
# For normal use: "-L sm-mta -bd -q30m", and note there is a cron job
sendmail_flags=NO
spamd_flags=NO          # for normal use: "" and see spamd-setup(8)
spamd_grey=NO           # use spamd greylisting if YES
spamlogd_flags=""       # use eg. "-i interface" and see spamlogd(8)
# Set to NO if ftpd is running out of inetd
ftpd_flags=NO           # for non-inetd use: "-D"
# Set to NO if identd is running out of inetd
identd_flags=NO         # for non-inetd use: "-b -elo"
# On some architectures, you must also disable console getty in /etc/ttys
xdm_flags=NO            # for normal use: ""
# For enabling console mouse support (i386 and alpha only)
wsmoused_flags=NO       # for ps/2 or usb mice: "", serial: "-p /dev/cua00"

# set the following to "YES" to turn them on
rwhod=NO
nfs_server=NO           # see sysctl.conf for nfs client configuration
lockd=NO
amd=NO
pf=YES                  # Packet filter / NAT
portmap=NO              # Note: inetd(8) rpc services need portmap too
inetd=YES               # almost always needed
check_quotas=YES        # NO may be desirable in some YP environments
krb5_master_kdc=NO      # KerberosV master KDC. Run 'info heimdal' for help.
krb5_slave_kdc=NO       # KerberosV slave KDC.
afs=NO                  # mount and run afs

# Multicast routing configuration
# Please look at netstart(8) for a detailed description if you change these
multicast_host=NO       # Route all multicast packets to a single interface
multicast_router=NO     # A multicast routing daemon will be run, e.g. mrouted

# miscellaneous other flags
# only used if the appropriate server is marked YES above
savecore_flags=         # "-z" to compress
ypserv_flags=           # E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags=NO      # "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4"     # Crank the 4 for a busy NFS fileserver
amd_dir=/tmp_mnt        # AMD's mount directory
amd_master=/etc/amd/master      # AMD 'master' map
syslogd_flags=          # add more flags, ie. "-u -a /chroot/dev/log"
pf_rules=/etc/pf.conf   # Packet filter rules file
pflogd_flags=           # add more flags, ie. "-s 256"
afsd_flags=             # Flags passed to afsd
shlib_dirs=             # extra directories for ldconfig, separated
                        # by space

local_rcconf="/etc/rc.conf.local"

[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line

This is /etc/sysctl.conf:

#   $OpenBSD: sysctl.conf,v 1.33 2004/09/22 17:49:39 hshoexer Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1     # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1   # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0         # 0=disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.tcp.rfc3390=1         # 1=Enable RFC3390 for TCP window increasing
#net.inet.esp.enable=0          # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0           # 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0        # 0=Disable ESP-in-UDP encapsulation
#net.inet.ipcomp.enable=1       # 1=Enable the IPCOMP protocol
#net.inet.tcp.ecn=1             # 1=Enable the TCP ECN extension
#ddb.panic=0                    # 0=Do not drop into ddb on a kernel panic
#ddb.console=1                  # 1=Permit entry of ddb from the console
#fs.posix.setuid=0              # 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=1        # 1=Encrypt pages that go to swap
#vfs.nfs.iothreads=4            # number of nfsio kernel threads
#net.inet.ip.mtudisc=0          # 0=disable tcp mtu discovery
#kern.usercrypto=1              # 1=enable userland use of /dev/crypto
#kern.splassert=2               # 2=enable and verbose error messages.
#machdep.allowaperture=2        # See xf86(4)
#machdep.apmwarn=10             # battery % when apm status messages enabled
#machdep.apmhalt=1              # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1             # permit console CTRL-ALT-DEL to do a nice halt
#machdep.userldt=1              # allow userland programs to play with ldt,
                                # required by some ports
#kern.emul.aout=1               # enable running dynamic OpenBSD a.out bins
#kern.emul.bsdos=1              # enable running BSD/OS binaries
#kern.emul.freebsd=1            # enable running FreeBSD binaries
#kern.emul.ibcs2=1              # enable running iBCS2 binaries
#kern.emul.linux=1              # enable running Linux binaries
#kern.emul.svr4=1               # enable running SVR4 binaries

Finally, this is /etc/resolv.conf:

nameserver 192.168.1.1
lookup file bind

Also, in pf, I think I have the correct services (tcp, ssh). I also followed a trick from BSD Hacks about using the table <authorized_hosts> to add IP addresses to a safe list that can access the list. Any intruders will be redirected to a localhost web server that tells them this is a private network.

Suggestions? Help appreciated.

Thanks,
Vivek
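As an added example that is not part of Vivek's post, here is a small Python model of how pf evaluates the wireless-interface rules from the pf.conf above: `rdr` translation happens before filtering, the last matching filter rule wins, and a matching `quick` rule stops evaluation. Toggling the `pass quick on { lo $wir_if }` rule shows whether the later `<authorized_hosts>` rules are ever reached; the client addresses and the external destination are constructed sample values, and the `antispoof` and `$ext_if` rules are left out because they cannot match inbound traffic on ral0.

```python
from collections import namedtuple

AUTHORIZED_HOSTS = {"10.0.0.2"}      # table <authorized_hosts> from the posted pf.conf
AUTH_SERVER = ("127.0.0.1", 8080)    # $auth_server
WIR_IF = "ral0"                      # $wir_if

# A minimal packet: interface, "in"/"out", protocol, source, destination, dest port.
Pkt = namedtuple("Pkt", "ifname direction proto src dst dport")

def apply_rdr(p: Pkt) -> Pkt:
    """rdr on $wir_if proto tcp from !<authorized_hosts> to any port www -> $auth_server.
    pf translates before it filters, so the filter rules see the rewritten destination."""
    if (p.ifname == WIR_IF and p.direction == "in" and p.proto == "tcp"
            and p.dport == 80 and p.src not in AUTHORIZED_HOSTS):
        return p._replace(dst=AUTH_SERVER[0], dport=AUTH_SERVER[1])
    return p

def wir_if_rules(with_quick_pass: bool):
    """(action, quick, predicate) for each posted filter rule that can match $wir_if, in file order."""
    on_in = lambda p: p.ifname == WIR_IF and p.direction == "in"
    rules = [("block", False, lambda p: p.direction == "in")]           # block in log all
    if with_quick_pass:                                                  # pass quick on { lo $wir_if }
        rules.append(("pass", True, lambda p: p.ifname == WIR_IF))
    rules += [
        # pass in on $wir_if from <authorized_hosts> to any keep state
        ("pass", False, lambda p: on_in(p) and p.src in AUTHORIZED_HOSTS),
        # pass in on $wir_if proto tcp from !<authorized_hosts> to $auth_server
        ("pass", False, lambda p: on_in(p) and p.proto == "tcp"
                        and p.src not in AUTHORIZED_HOSTS and (p.dst, p.dport) == AUTH_SERVER),
        # pass out on $wir_if from any to <authorized_hosts> keep state
        ("pass", False, lambda p: p.ifname == WIR_IF and p.direction == "out"
                        and p.dst in AUTHORIZED_HOSTS),
    ]
    return rules

def evaluate(p: Pkt, with_quick_pass: bool = True) -> str:
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    p = apply_rdr(p)
    verdict = "pass"                     # pf's implicit default when no rule matches
    for action, quick, matches in wir_if_rules(with_quick_pass):
        if matches(p):
            verdict = action
            if quick:
                break
    return verdict

if __name__ == "__main__":
    for src, dport in (("10.0.0.50", 80), ("10.0.0.50", 22), ("10.0.0.2", 22)):  # constructed clients
        pkt = Pkt(WIR_IF, "in", "tcp", src, "203.0.113.5", dport)
        print(f"{src} -> port {dport}: as posted {evaluate(pkt)}, "
              f"without the quick pass {evaluate(pkt, False)}")
```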