I've been considering switching my Linux+iptables-based router with one running OpenBSD and pf for a while now. And a recent hardware failure gave me a good opportunity to do so.
After looking (http://www.bgnett.no/~peter/pf/en/ and http://www.openbsd.org/faq/pf/ mostly), I've managed to get connectivity for my LAN. I am not very experienced with such things, but I am interested in learning. My previous firewall was a ready-made one, where I just made modifications as I saw fit, and could easily revert it to a working state. The problem is that only about 50% of things work. Sites like slashdot.org and google.com work, while vg.no (Norwegian newspaper), MSN Messenger and CS: Source (Steam) do not. Obviously, this is not an acceptable situation, and so I turn to you.

I'm connecting to the internet using PPPoE.

# cat /etc/hostname.dc0
inet 10.0.0.1 255.255.255.0 NONE

# cat /etc/hostname.ep1
up

# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
        pppoedev ep1 authproto pap \
        authname "secretusername" authkey "mysupersecretpassword" up
dest 0.0.0.1
!/sbin/route add default 0.0.0.1

My current pf.conf:

ext_if="pppoe0"
int_if="dc0"
localnet=$int_if:network

nat on $ext_if from $localnet to any -> ($ext_if)

block all
pass from { lo0, $localnet } to any keep state

The output of ifconfig and route show might not be entirely correct, as the machine is offline at the moment (need internet to post this message :p). But it was connected right before I did an 'ifconfig pppoe0 down'.

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:e2:2e:80:0b
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::204:e2ff:fe2e:800b%dc0 prefixlen 64 scopeid 0x1
ep1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:20:af:4a:44:9b
        media: Ethernet 10baseT
        inet6 fe80::220:afff:fe4a:449b%ep1 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
        groups: carp
enc0: flags=0<> mtu 1536
pppoe0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1492
        dev: ep1 state: initial
        sid: 0x0 PADI retries: 0 PADR retries: 0
        groups: pppoe egress
        inet6 fe80::204:e2ff:fe2e:800b%pppoe0 -> prefixlen 64 scopeid 0x7
        inet 0.0.0.0 --> 0.0.0.1 netmask 0xffffffff

# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Interface
default            0.0.0.1            UGS        1    14798     -  pppoe0
0.0.0.1            default            UH         1        0     -  pppoe0
10.0.0/24          link#1             UC         3        0     -  dc0
10.0.0.1           00:04:e2:2e:80:0b  UHLc       1      112     -  lo0
10.0.0.51          00:0d:9d:8b:2a:99  UHLc       2    12200     -  dc0
10.0.0.53          00:08:a1:ac:27:06  UHLc       0       36     -  dc0
127/8              127.0.0.1          UGRS       0        0 33224  lo0
127.0.0.1          127.0.0.1          UH         1        0 33224  lo0
224/4              127.0.0.1          URS        0        0 33224  lo0

Internet6:
Destination                      Gateway                          Flags   Refs      Use   Mtu  Interface
::/104                           ::1                              UGRS       0        0     -  lo0
::/96                            ::1                              UGRS       0        0     -  lo0
::1                              ::1                              UH        12        0 33224  lo0
::127.0.0.0/104                  ::1                              UGRS       0        0     -  lo0
::224.0.0.0/100                  ::1                              UGRS       0        0     -  lo0
::255.0.0.0/104                  ::1                              UGRS       0        0     -  lo0
::ffff:0.0.0.0/96                ::1                              UGRS       0        0     -  lo0
2002::/24                        ::1                              UGRS       0        0     -  lo0
2002:7f00::/24                   ::1                              UGRS       0        0     -  lo0
2002:e000::/20                   ::1                              UGRS       0        0     -  lo0
2002:ff00::/24                   ::1                              UGRS       0        0     -  lo0
fe80::/10                        ::1                              UGRS       0        0     -  lo0
fe80::%dc0/64                    link#1                           UC         0        0     -  dc0
fe80::204:e2ff:fe2e:800b%dc0     00:04:e2:2e:80:0b                UHL        0        0     -  lo0
fe80::%ep1/64                    link#2                           UC         0        0     -  ep1
fe80::220:afff:fe4a:449b%ep1     00:20:af:4a:44:9b                UHL        0        0     -  lo0
fe80::%lo0/64                    fe80::1%lo0                      U          0        0     -  lo0
fe80::1%lo0                      link#6                           UHL        0        0     -  lo0
fe80::%pppoe0/64                 fe80::204:e2ff:fe2e:800b%pppoe0  U          0        0     -  pppoe0
fe80::204:e2ff:fe2e:800b%pppoe0  link#7                           UHL        0        0     -  lo0
fec0::/10                        ::1                              UGRS       0        0     -  lo0
ff01::/32                        ::1                              UC         0        0     -  lo0
ff02::%dc0/32                    link#1                           UC         0        0     -  dc0
ff02::%ep1/32                    link#2                           UC         0        0     -  ep1
ff02::%lo0/32                    ::1                              UC         0        0     -  lo0
ff02::%pppoe0/32                 fe80::204:e2ff:fe2e:800b%pppoe0  UC         0        0     -  pppoe0

And then the output of dmesg:

# dmesg
OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Celeron ("GenuineIntel" 686-class, 128KB L2 cache) 502 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 268005376 (261724K)
avail mem = 236724224 (231176K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(fa) BIOS, date 07/26/99, BIOS32 rev. 0 @ 0xfb420, SMBIOS rev. 2.3 @ 0xf0800 (28 entries)
bios0: <http://www.abit.com.tw> i440ZX-W977 (ZM6)
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xb89c
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf00/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x10000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage Magnum" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <IBM-DJNA-371350>
wd0: 16-sector PIO, LBA, 12949MB, 26520480 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
"unknown" at iic0 addr 0x18 not configured
lm1 at iic0 addr 0x2d: W83782D
dc0 at pci0 dev 9 function 0 "Accton EN2242" rev 0x11: irq 11, address 00:04:e2:2e:80:0b
ukphy0 at dc0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 0x000749, model 0x0001
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: W83782D
lm1 detached
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
isapnp0 at isa0 port 0x279: read port 0x203
ep1 at isapnp0 "3Com 3C509B EtherLink III, TCM5090, PNP80F7, " port 0x210/16 irq 5: address 00:20:af:4a:44:9b, utp/aui (default utp)
biomask ff45 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

Any help would be appreciated.
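Added example, not part of the original post and not the poster's configuration: the ifconfig output above shows pppoe0 with an MTU of 1492, and the posted pf.conf has no scrub rule. With PPPoE, LAN hosts negotiate a TCP MSS for a 1500-byte Ethernet MTU, so full-size segments do not fit the tunnel; where Path MTU Discovery is blocked somewhere on the path, that produces exactly the pattern of some sites loading and others hanging after the handshake, so it is the first thing a practitioner would check. The ruleset below keeps the poster's macros and NAT rule (OpenBSD 4.0-era syntax, matching the dmesg) and adds MSS clamping, a logging default-deny and explicit per-interface pass rules. The max-mss value of 1440 is an assumption chosen to leave margin (1452 is the arithmetic maximum for IPv4 over a 1492-byte link).

```pf
# Added example pf.conf for an OpenBSD 4.0-era PPPoE router.
# Not the original poster's config; macros and NAT line are kept from it.
ext_if="pppoe0"
int_if="dc0"
localnet=$int_if:network

# Loopback traffic needs no filtering.
set skip on lo0

# Normalise all incoming packets (reassembles fragments before filtering).
scrub in all

# pppoe0 has an MTU of 1492. A LAN host assuming a 1500-byte path will
# advertise a 1460-byte MSS; if ICMP "fragmentation needed" is dropped
# somewhere upstream, large segments vanish and the session stalls.
# Rewriting the MSS in outgoing SYNs avoids that. 1440 is an assumed
# conservative value.
scrub out on $ext_if max-mss 1440

# Translate LAN traffic to the dynamic PPPoE address (from the original post).
nat on $ext_if from $localnet to any -> ($ext_if)

# Default deny. "log" sends dropped packets to pflog0 for inspection.
block log all

# LAN hosts may initiate connections; replies match the state table.
pass in on $int_if from $localnet to any keep state

# Traffic leaving via PPPoE: track TCP with modulated ISNs, state for the rest.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

After loading this with pfctl -f /etc/pf.conf, anything still being dropped shows up on the pflog interface (tcpdump -n -e -ttt -i pflog0), which is a faster way to find out why a given site or protocol fails than guessing from the symptoms alone. If a site only starts working once the scrub line is present, MSS was the problem; if it is still blocked, the pflog output names the port and direction to open.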

