Marko: Thanks for your input. Your proposals got me thinking a few steps
further.
I now came up with the following solution which have all propertiers i want:
pass in on re0 inet to !all:network
pass in on re0 inet to em0:network # Just in case we would need to interact
# with some other service on the same segment...
block in quick log on re0 inet to em0 # ... but not our own IP
The above lines replaces my initial rule "pass in on re0 to !re0:network"
2018-01-04 16:29 GMT+01:00 Marko Cupać <marko.cu...@mimar.rs>:
> On Thu, 4 Jan 2018 14:09:50 +0100
> Jon S <jonsjost...@gmail.com> wrote:
>
> > Hello misc!
> >
> > My OpenBSD file server just became a router too (after getting a new
> > internet connection where the provider does not include a router in
> > the subscription).
>
> If possible, I'd avoid combining file server and firewall services on
> single box
>
> > This led to my first experieces with pf. After some work I came up
> > with whats below. It works as I want it to work, but I wonder if
> > there is a way to create a rule where incomming traffic to the
> > internal NIC (re0) is passed if it is targeted for em0 (external,
> > internet NIC)? The current solution would require an update of the
> > "pass in on re0 to !re0:network"-rule if another NIC is added (lets
> > say a DMZ).
>
> All my pf rulesets start with defining interface macros so they are
> more readable, and also more flexible (this way changing NIC with
> different driver needs one line changed, instead of all lines in the
> ruleset referencing that interface):
>
> # INTERFACE MACROS
> if_int = "re0"
> if_ext = "em0"
>
> > set skip on lo0
> >
> > # Block everything everywhere by default
> > block log all
>
> I prefer to put "match" section above default "block log all" rule.
> It's more logical to me, as something being "matched" has no impact if
> it's not "passed" or "blocked" later on in the ruleset.
>
> > # NAT local network to external
> > match out on em0 inet from re0:network nat-to (em0)
> >
> > # Allow all outgoing traffic
> > pass out on {em0, re0}
> >
> > # Allow only specific services on this machine to be accessed from
> > # local network
> > pass in on re0 inet proto tcp to port ssh # ssh
> > pass in on re0 inet proto icmp # icmp
> > pass in on re0 inet proto tcp to port 445 # samba
>
> Your description line does not describe accurately what next three
> lines do - as destination IP is not present, "to any" is assumed, so
> more accurate description would be "Allow specific services on any
> machine be accessed from local network".
>
> If you wanted your ruleset to match description line, and your
> services listen on internal NIC, you would do something like:
>
> pass in on $if_int inet proto tcp from re0:network to re0 port ssh
> pass in on $if_int inet proto icmp from re0:network to re0
> pass in on $if_int inet proto tcp from re0:network to re0 port 445
>
> >
> > #pass in on re0 inet to em0:network # This does not work, since the
> > #mask for this IF will only let traffic through to the limitied set of
> > #IPs on the same C-segment as em0. That would probably be a set of
> > #other customers at the nework operator...
> >
> > # This works, but will require an update if any furter NIC is involved
> > # later
> > pass in on re0 to !re0:network
>
> There are multiple ways to achieve this. One of them would be passing
> everything on $if_int, and blocking what you don't want later (if
> "quick" keyword is not used, last matching rule wins):
>
> pass in on $if_int
> block in on $if_int inet proto tcp from $if_int:network to \
> $if_int port { !=ssh !=445 }
>
> The other one would be blocking unwanted stuff quickly early in the
> ruleset, and passing what you want later on:
>
> block in quick on $if_int inet proto tcp from $if_int:network to \
> $if_int port { !=ssh !=445 }
> pass in on $if_int
>
> Both examples block only TCP to internal NIC, so blocking other
> protocols if there are any on the firewall also needs to be done.
> >
> > # I would like something like this to work, so that future added NICs
> > # wont open new unwanted paths
> > #pass in on re0 to em0
> >
> > # Allow only incomming SSH to external NIC
> > pass in on em0 inet proto tcp to port ssh
>
> In the end, your ruleset seems quite minimal. I suggest you start
> worrying about new NIC once you add it. For now it would be better to
> play around with pfctl -vvsr, systat states/rules, tcpdumping pflog etc.
>
> Hope this helps,
>
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>
--
<-------------------------------------------->
Jon Sjöstedt
Gamla Björboholmsvägen 2
443 72 GRÅBO
Mobil 0735 - 029 557
jonsjost...@gmail.com jonsjost...@hotmail.com
