On 4/16/24 10:27 AM, Karel Lucas wrote:
First and most importantly, I would like to apologize to anyone who was disturbed by my conversation. It is not my intention to offend people. I may be curt, but that's not because it's in my character. In daily life I work with electronics and computers and am much less familiar with networks. I don't need this knowledge for what I do in daily life. It is therefore difficult for me to estimate what is important to link back to this mailing list. So if I am curt, please try to remember that it is not intentional, but a matter of lack of knowledge. Again, I don't want to hurt anyone.

Hi Karel,

I think you may be missing the point that everyone tried to explain to you. OpenBSD is a mailing list that has very thick skin compared to any others. You need to be very rude to offend people here, unless you are one who feels you have rights to other people's free time.

You got some VERY knowledgeable people answering you. If I were you I would feel lucky for their time, believe me. I have been on this list since OpenBSD 2.7. A few decades ago...

Now you say you don't have the network know-how to do this; sure, everyone starts somewhere. You say you don't need this either in your daily job, and keep asking others to point you at the page in the PF book, etc.

Remember, they are NOT the ones who need to know, you are, so make the effort please. Many will hold your hand gladly IF you show willingness to do your share.

Even the site has basic starter examples here:

https://www.openbsd.org/faq/pf/index.html

And even if some of them are simple, they are provided as examples to show what's possible. Up to the reader to start there and go where they want to...

Now to the point: you were told to start simple and explain what you want to do.

Here you say you have no special needs, etc.

So why in God's name would you want to do a bridge setup?

The KISS principle applies!

And you were asked as well to explain your setup. NOT what you think it should be, or how it is connected, what interface does what, etc.

What do you want to do, plain and simple.

Here you say that "The internal network consists mainly of regular clients, so no email, web or name servers", so no need for a bridge, or DMZ, etc.

Also, it looks like you use private IPs, so yes, NAT is obviously needed.

Now if you want multiple networks, WHY?

Any reason for it? I see none if you don't have hosting services.

You say it could be possible; sure it can. I can have multiple VLANs and domain routing, configure a specific IPMI DMZ for my server configuration, add ssh keys for wireless access with time-based access and limits, and kids' restrictions, etc. But I wouldn't do that until I get my basic system going and know why.

Maybe I don't have kids, so why do that part of the setup? But maybe I have wireless and friends coming over, and they obviously all (or maybe) want fast internet access on my wireless, but I don't want them to have access to ANY of my devices from their phones, which might compromise my network, so I would have guest wireless access to the outside world ONLY. But if I have no friends, then why would I want that? Etc...

Sure, maybe you have wireless that you want to isolate from other hard-wired computers, etc. You have a NAS, maybe you want to isolate it from wireless, or some specific computers, kids' access restricted maybe, etc.

But nowhere did you ever describe what it is that you want...

Maybe before you start building a house, you need to know what you want in it, etc.

Same thing here.

Start small and then go from there.

Why? Doing an incremental setup helps you understand your setup and why you do it.

Then down the line when you make changes or want to add something to it, when your pf configuration is clean, you will know where to add it and what it does.

Looks to me that if your setup has NO special needs, no hosting services that need to be reached from the Internet, then the only thing you need is a VERY simple NAT setup on two interfaces, and that's it.

It's not because you have 4 interfaces that you need to use 4 interfaces...

Start by defining what it is that you want and FORGET ABOUT interface 1, and then 2 for admin, and 3 for NAS, etc.

What is it that you want to do? Go from there.

Define your needs and then address them ONE by ONE.

Fix one, test and then go to the next one.

And FORGET ABOUT BRIDGE SETUP PLEASE!!!!!!!!!!!!!!!

You have absolutely NO need for this with what you say so far in any of your communications.

An example of thinking:

I see you try to use MANY macros; do you really need that? They're supposed to make things simpler to understand and cleaner to read, not more complex.

The key to a decent firewall is first to know what it is that you want to do, and it looks to me you still do not know that yet.

I would even say, and have said for many decades, that a good firewall NOT only stops incoming traffic, but also stops outgoing traffic. This means: KNOW your traffic, and let out only what you want to go out!

Define your needs first then address them one by one.

So if I continue with my example, I see you did this:

tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"

I would ask again WHY?

If you DO NOT host any services, then you don't need to define any...

Again, it is NOT because you can do something that you should do it.

And IF you would have some, why define them in two places????

Properly defined needs will avoid basic mistakes like this that sooner or later WILL bite you in the butt!

And even here, IF I go deeper: if it is only for you, why have both the secure one and the insecure one, and even why POP3 and IMAP? Don't you know the configuration of your mail client?

If that was ONLY for you, do you actually set up your mail clients to use all of them?

Here I would argue no.

I would very strongly FIRST start by thinking about what you want to do, define your needs, argue them and why you want them. Are they needed? Justify them.

After they are defined and you understand why, then and ONLY then would you start doing your config for it.

AND you should do one at a time, test, make sure it works the way you want it to, then do the next one.

If you have no service you are hosting, then you should simply do a NAT setup and that's it as you would have no other needs.

Knowing what you want and why is the key to understanding your setup and knowing why you did what you did, and trust me, you will know how to maintain it too, because you will know what you did and why you did it!

Looks to me you haven't done the basics yet. Meaning: define what you want and justify why...

And you sure try to do a setup that is way too complicated for your needs, and doing that, especially if you go the bridge way, you will think you are protected and you will have a Swiss cheese setup big time.

There is nothing worse than a false sense of security.

Now as you can see I didn't suggest ANY configuration, as I see no needs in your setup yet. You haven't given any reason for any specific configuration needs.

And last, VERY important point: if you ask for help, then PROVIDE YOUR FULL configuration, NOT what you might think is relevant, as you said you don't have the knowledge for it, so don't assume what you send is useful.

If you want people to help you, start by helping them help you and give them ALL the information!

Hope this provides you some help from the start, and yes, I mean from the start.

Define what you want to do and FORGET any configuration until you can explain what you want very clearly and simply.

You might be surprised how simple it can be...

Could be as simple as:

match out on egress inet from !(egress:network) to any nat-to egress:0

Here I am not saying to do this. I only type this as an example to show how simple it possibly can be on a NAT setup with no simple needs.

Daniel
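For readers following the thread, here is what the "simple two-interface NAT, block both directions, one list of needs" advice above looks like as a complete pf.conf. This is an added illustration, not a configuration from either poster; it assumes the LAN interface is em1 (constructed) and that the external interface has been placed in the egress group by the default route.

```pf
# Added example ruleset (not from the thread): minimal two-interface NAT for a
# LAN of plain clients with no hosted services. Assumption: LAN is em1.
lan = "em1"

set skip on lo

# Normalise packets once on the way in.
match in all scrub (no-df)

# Hide the private LAN behind the external address.
match out on egress inet from $lan:network to any nat-to (egress:0)

# Default deny in BOTH directions; anything not listed below is logged and dropped.
block log all

# The outbound services the LAN actually needs, defined in ONE place.
tcp_out = "{ domain, www, https }"
udp_out = "{ domain, ntp }"

pass in on $lan inet proto tcp from $lan:network to any port $tcp_out
pass in on $lan inet proto udp from $lan:network to any port $udp_out
pass in on $lan inet proto icmp from $lan:network to any

# Let the permitted traffic (and the firewall's own) leave via the external link.
pass out on egress inet proto { tcp udp icmp } from any to any

# Administer the firewall from the LAN only; nothing is opened on egress.
pass in on $lan inet proto tcp from $lan:network to ($lan) port ssh
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; adding a service later means adding it to the one macro list, not to a second copy elsewhere.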
