Harry Putnam wrote:
> "Melameth, Daniel D." <[EMAIL PROTECTED]> writes:
> Thanks for the nifty summary.  I want to pester you just a little more
> then I'll get to work on this and see if I get really stuck
> somewhere.

Sounds good ;-) .

> > # Address translation for machines on your LAN
> > nat on $ext_if from $int_if:network to any -> ($ext_if)
> 
> This looks like it's designed to allow my other boxes to be (NATed) to
> from the OpenBSD box.  But that won't be happening.  That happens at
> the Netgear right now.  I'm only wanting to aim the same network
> traffic at the obsd box as hits the Netgear.  Not actually do anything
> with it such as NATing.  (Only log or handle the OBSD box's own traffic
> to/from the Internet.)

All bets are off if you don't replace the Netgear with OpenBSD.

> I haven't googled on the mirror thing you mentioned yet so maybe I'm
> not understanding what will happen when I enable sending traffic to
> obsd from Netgear box.
> 
> > # Block and log all traffic
> > block log all
> 
> Well yeah, but this can get to be a lot of data very soon.  I'd
> like to see just one general example of blocking all but logging only,
> say, ssh or a few other specific things.  In my tinkerings it appeared
> that it matters a lot where the log flag appears in the syntax.

On a consumer-class Internet connection, I don't expect too much.
However, the following should only log ssh:

# Block all traffic and block and log ssh
block all
block in log on $ext_if inet proto tcp from any to $ext_if port ssh

> > # Allow internal machines to use the Internet
> > pass out on $ext_if proto { tcp, udp, icmp } all keep state
> 
> Again this won't be happening for the other machines but I kind of
> figured something like this would be necessary for the OBSD box
> itself.

You're on your own if you want to keep the Netgear as your bastion host
to the Internet.  I understand you don't feel comfortable putting the
OpenBSD box there yet, but that's the only scenario I'll likely spend my
time providing assistance with.

> This all reminded me I meant to ask one thing about networking this.
> 
> My net is currently all on 192.168.0/24.  I'm wondering if this can
> all be done still in that network.  That is, set both nics on the obsd
> box to that network.  Where one side talks to the NETGEAR and the
> other talks to the rest of the lan.

While you can do this, here's where I'll stop with my reply as anything
beyond this is somewhat different from the example ruleset in the PF
guide and might become confusing for you.  However, if you really don't
want to use the OpenBSD machine as a bastion host, I recommend just
using one NIC, as the "external" NIC, and going from there--someone else
on the list is more than welcome to chime in further.

> The first few rules in example1 from FAQ/PF appear to be able to be
> applied to make that happen.
> 
> Some vars first:
> $ext_if=rl0 (192.168.0.19)
> $int_if=dc0 (192.168.0.18)
> $priv_nets=192.168.0/24
> 
>  block drop in  quick on $ext_if from $priv_nets to any
>  block drop out quick on $ext_if from any to $priv_nets
> 
> So some kind of adjustment would have to happen here since the NETGEAR
> inside IF talking to obsd outside IF would both be $priv_nets.
> 
> I'm thinking I could just use actual IPs:
> 
> (NETGEAR and OBSD)
> sel_hosts = "{ 192.168.0.20, 192.168.0.19 }"
> 
> nosel_hosts =
>   "{ 192.168.0.4, 192.168.0.5 [...] }"
> 
> (Keep everybody but NETGEAR and OBSD box [sel_hosts] out of $ext_if
> traffic)
> 
>   block drop in  quick on $ext_if from $nosel_hosts to any
>   block drop out quick on $ext_if from any to $nosel_hosts
> 
> But I'm getting out of my league here already...
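
As an added example (not part of either poster's message), here is a complete pf.conf for the single-NIC setup recommended in the reply above, assembled from the rules quoted in this thread. The interface name rl0 and the 192.168.0.0/24 prefix are taken from Harry's description; the LAN ssh pass rule at the end is an assumption added to show how rule order interacts with the log keyword.

```pf
# Added example: minimal pf.conf for an OpenBSD box with one NIC, used as
# the "external" NIC. Not from the original messages; interface and LAN
# prefix are assumed from the thread.

ext_if = "rl0"                 # the single NIC (192.168.0.19 in the thread)
lan    = "192.168.0.0/24"      # the LAN behind the Netgear

# Drop everything by default without logging. No "log" keyword here, so
# this rule never writes to pflog0.
block all

# Match inbound ssh again so only those packets are logged. Without "quick"
# the LAST matching rule wins, so this more specific rule overrides
# "block all" for ssh and is the only rule that logs.
block in log on $ext_if inet proto tcp from any to $ext_if port ssh

# Let the OpenBSD box itself reach the Internet; "keep state" admits the
# replies without a separate pass-in rule.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Assumed addition: allow ssh to the box from the LAN only. Because this
# is the last matching rule for LAN ssh, those packets are passed and not
# logged; ssh from anywhere else still ends on the logging block above.
pass in on $ext_if inet proto tcp from $lan to $ext_if port ssh keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what the logging rule actually records with `tcpdump -n -e -ttt -i pflog0`. Only packets whose final matching rule carries `log` appear there, which is why placing `log` on the narrow ssh rule rather than on `block all` keeps the volume down.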
