May I suggest relaying these more basic questions to the @rookies mailing list? I think it would be great if we could have this channel reactivated, dedicated to helping folks like Karel learn how to navigate more basic stuff, and keep misc@ for intermediate / advanced users' inquiries.
On Wed, 17 Apr 2024 at 1:30 AM Daniel Ouellet <dan...@presscom.net> wrote:
>
> On 4/16/24 10:27 AM, Karel Lucas wrote:
> > First and most importantly, I would like to apologize to anyone who was disturbed by my conversation. It is not my intention to offend people. I may be curt, but that's not because it's in my character. In daily life I work with electronics and computers and am much less familiar with networks. I don't need this knowledge for what I do in daily life. It is therefore difficult for me to estimate what is important to link back to this mailing list. So if I am curt, please try to remember that it is not intentional, but a matter of lack of knowledge. Again, I don't want to hurt anyone.
>
> Hi Karel,
>
> I think you may be missing the point that everyone tried to explain to you. OpenBSD is a mailing list that has very thick skin compared to any others. You need to be very rude to offend people here, unless you are one that feels you have rights to other people's free time.
>
> You got some VERY knowledgeable people answering you. If I were you I would feel lucky for their time, believe me. I have been on this list since OpenBSD 2.7. A few decades ago...
>
> Now you say you don't have the network know-how to do this; sure, everyone starts somewhere. You say you don't need this either in your daily job and keep asking others to point you at the page in the PF book, etc.
>
> Remember they are NOT the ones who need to know, you are, so make the effort please. Many will hold your hand gladly IF you show willingness to do your share.
>
> Even the site has basic starting examples here:
>
> https://www.openbsd.org/faq/pf/index.html
>
> And even if some of them could be simple too, they are provided as examples to show what's possible. It's up to the reader to start there and go where they want to...
>
> Now to the point: you were told to start simple and explain what you want to do.
>
> Here you say you have no special needs, etc.
>
> So why in God's name would you want to do a bridge setup?
>
> KISS principle applies!
>
> And you were asked as well to explain your setup. NOT what you think it should be or how it is connected, what interface does what, etc.
>
> What do you want to do, plain and simple.
>
> Here you say that "The internal network consists mainly of regular clients, so no email, web or name servers", so no need for a bridge, or DMZ, etc.
>
> Also it looks like you use private IPs, so yes, NAT is needed obviously.
>
> Now if you want multiple networks, WHY?
>
> Any reason for it? I see none if you don't have hosting services.
>
> You say it could be possible, sure it can, I can have multiple VLANs and domain routing, configure a specific IPMI DMZ for my servers' configuration, add ssh keys for wireless access with time-based access and limits, and kids' restrictions, etc. But I wouldn't do that until I get my basic system going and know why.
>
> Maybe I don't have kids, so why do that part of the setup, but maybe I have wireless and friends coming over and they obviously all/maybe want fast internet access on my wireless, but I don't want them to have access to ANY of my devices from their phones that might compromise my network, so I would have guest wireless access to the outside world ONLY. But if I have no friends, then why would I want that? Etc...
>
> Sure, maybe you have wireless that you want to isolate from other hard-wired computers, etc. You have a NAS, maybe you want to isolate it from wireless, or some specific computers, kids' access restricted maybe, etc.
>
> But nowhere did you ever describe what it is that you want...
>
> Maybe before you start building a house, you need to know what you want in it, etc.
>
> Same thing here.
>
> Start small and then go from there.
>
> Why? Doing an incremental setup helps you understand your setup and why you do it.
>
> Then down the line when you make changes or want to add something to it, when your pf configuration is clean, you will know where to add it and what it does.
>
> Looks to me that if your setup has NO special needs, no hosting services that need to be reached from the Internet, then the only thing you need is a VERY simple NAT setup, on two interfaces, and that's it.
>
> It's not because you have 4 interfaces that you need to use 4 interfaces...
>
> Start by defining what it is that you want and FORGET ABOUT interface 1, and then 2 for admin, and 3 for NAS, etc.
>
> What is it that you want to do? Go from there.
>
> Define your needs and then address them ONE by ONE.
>
> Fix one, test, and then go to the next one.
>
> And FORGET ABOUT BRIDGE SETUP PLEASE!!!!!!!!!!!!!!!
>
> You have absolutely NO need for this with what you have said so far in any of your communications.
>
> Example of thinking.
>
> I see you try to use MANY macros, do you really need that? It's supposed to make things simpler to understand and cleaner to read, not more complex.
>
> The key to a decent firewall is first to know what it is that you want to do, and it looks to me you still do not know that yet.
>
> I would even say, and have said for many decades, a good firewall NOT only stops incoming traffic, but also stops outgoing traffic. This means: KNOW your traffic and let out what you want to go out!
>
> Define your needs first, then address them one by one.
>
> So if I continue with my example, I see you did this:
>
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
>
> I would ask again WHY?
>
> If you DO NOT host any services, then you don't need to define any...
>
> Again, it is NOT because you can do something that you should do it.
>
> And IF you did have some, why define them in two places????
>
> Properly defined needs will avoid basic mistakes like this that sooner or later WILL bite you in the butt!
>
> And even here IF I go deeper, if it is only for you, why have both the secure one and the insecure one, and even why POP3 and IMAP? Don't you know the configuration of your mail client?
>
> If that was ONLY for you, do you actually set up your mail clients to use all of them?
>
> Here I would argue no.
>
> I would very strongly FIRST start by thinking about what you want to do, define your needs, argue them and why you want them. Are they needed? Justify them.
>
> After they are defined and you understand why, then and ONLY then would you start doing your config for it.
>
> AND you should do one at a time, test, make sure it works the way you want it to, then do the next one.
>
> If you have no service you are hosting, then you should simply do a NAT setup and that's it, as you would have no other needs.
>
> Knowing what you want and why is the key to understanding your setup and knowing why you did what you did, and trust me, you will know how to maintain it too because you will know what you did and why you did it!
>
> Looks to me, you haven't done the basics yet. Meaning define what you want and justify why...
>
> And you sure try to do a setup that is way too complicated for your needs, and doing that, especially if you go the bridge way, you will think you are protected and you will have a Swiss cheese setup big time.
>
> There is nothing worse than a false sense of security.
>
> Now as you can see I didn't suggest ANY configuration, as I see no needs in your setup, yet. You haven't given any reason for any specific configuration needs.
>
> And last VERY important point, if you ask for help, then PROVIDE YOUR FULL configuration, NOT what you might think is relevant, as you said you don't have the knowledge for it, so don't assume what you send is useful.
>
> If you want people to help you, start by helping them help you and give them ALL the information!
>
> Hope this provides you some help from the start, and yes, I mean from the start.
>
> Define what you want to do and FORGET any configuration until you can explain what you want very clearly and simply.
>
> You might be surprised how simple it can be...
>
> Could be as simple as:
>
> match out on egress inet from !(egress:network) to any nat-to egress:0
>
> Here I am not saying to do this. I only type this as an example to show how simple it possibly can be on a NAT setup with no special needs.
>
> Daniel
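To make Daniel's two points concrete (a two-interface NAT with no macros it does not need, and a firewall that also controls what leaves), here is a minimal pf.conf written for this thread; it is an added illustration, not Daniel's or the FAQ's own ruleset. It assumes the LAN is on em1, that the uplink is in the egress group, and that the only services the clients need are DNS and web; all of those are assumptions.

```pf
# Added example, not from the mail above. Assumed LAN interface.
lan = "em1"

set skip on lo

# Default deny in both directions, logged to pflog so that "know your
# traffic" can be checked with tcpdump on pflog0 before anything is opened.
block log all

# NAT every LAN host behind the first address of the egress interface.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Only the services the clients actually use (assumed: DNS and web).
# First gate: what the LAN may start.
pass in on $lan inet proto { tcp, udp } from $lan:network to any port { domain, http, https }
# Second gate: what may leave on the uplink (covers NATed client traffic
# and the firewall's own DNS/NTP/update traffic; nothing else gets out).
pass out on egress inet proto { tcp, udp } to any port { domain, ntp, http, https }

# Administration of the firewall from the LAN only.
pass in on $lan inet proto tcp from $lan:network to ($lan) port ssh
```

Any new need is then added as one explicit pass rule, tested, and only then followed by the next, which is the incremental approach the mail recommends.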