On Mon, Feb 23, 2009 at 5:58 PM, Hilco Wijbenga
<[email protected]> wrote:
> Hi all,
>
> I've been trying to get a simple firewall system up-and-running in
> OpenBSD. I have "The Book of PF" and "Secure Architectures
> with OpenBSD" so I thought it would be very simple. Well, we're two
> weeks later now and still no firewall. :-) The pf rules I found in
> those books don't seem to work as I expected them to work.
>
> Before I list my current pf.conf, let me give a few more details. My
> firewall will be running a few services for my network (DHCP, NTP, and
> DNS). I need to use NAT to get my own network Internet access. DHCP
> works. I seem to have managed to get DNS (maradns on lo0 and sk1) and
> ICMP working.
>
> /etc/pf.conf
> 01 ext_if = "sk0"
> 02 int_if = "sk1"
> 03 localnet = $int_if:network
> 04 internet = $ext_if:network
> 05 udp_services = "{ domain, ntp }"
> 06 icmp_types = "{ echoreq, unreach }"
> 07
> 08 nat log on $ext_if from $localnet to any -> ($ext_if)
> 09
> 10 block log all
> 11
> 12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
> 13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
> 14 pass quick inet proto { tcp, udp } from $lo0:network to any port $udp_services
> 15
> 16 pass inet proto icmp all icmp-type $icmp_types
> 17 pass from { lo0, $localnet } to any keep state
>
> a. Why do I need 12? I had expected 13 (which I don't seem to need).
> Wouldn't 12 be for incoming requests from the Internet?
Yes, if you want to provide your $udp_services to others on the other
side of your firewall. And you really don't need 13 if you have 17.
You can use 'set skip on lo0' and not worry about 14 and simplify 17.
> b. Given that ping works from my network (so that presumably routing
> is okay), why doesn't anything else work? HTTP seems blocked by the
> firewall.
> c. How can I get pflog to flush immediately? I noticed I have to wait
> a minute or so before logged lines show up.
> d. Any other pointers?
I'm not sure what you are trying to do exactly with that rule set.
But I wonder if your problem isn't pf-based, but rather because you
don't have packet forwarding enabled:
$ man pfctl
/forwarding
kk
The packet filter does not itself forward packets between interfaces.
Forwarding can be enabled by setting the sysctl(8) variables
net.inet.ip.forwarding and/or net.inet6.ip6.forwarding to 1. Set them
permanently in sysctl.conf(5).
Although you say "ping works from my network", you are not clear about
what "works" means. Does it mean you can ping the firewall or can ping
yahoo.com?
I'd suggest reading through pf.conf(5) and examine each EXAMPLE section.
--patrick
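Pulling the reply's suggestions together, here is an added example of what the ruleset could look like (it is not from the thread or either poster); it keeps the thread's pre-OpenBSD 4.7 nat syntax, assumes the same interface names, and drops rule 12 since the services are only meant for the LAN:

```pf
# /etc/pf.conf (added example; pre-OpenBSD 4.7 nat syntax as in the thread)
#
# The firewall also needs to route between sk0 and sk1, which pf does not
# do by itself. Put this in /etc/sysctl.conf (and set it once at runtime
# with 'sysctl net.inet.ip.forwarding=1'):
#   net.inet.ip.forwarding=1

ext_if = "sk0"
int_if = "sk1"
localnet = $int_if:network
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

# Loopback needs no filtering; this replaces the old rule 14 and lets
# the stateful pass rule below drop lo0 from its source list.
set skip on lo0

# Translation rules must precede filter rules in this pf version.
nat log on $ext_if from $localnet to any -> ($ext_if)

# Default deny; everything below is an explicit exception.
block log all

# LAN hosts may use the DNS and NTP the firewall itself runs. Old rule 12
# (the same services open to the external side) is intentionally omitted;
# add it back only if those services are meant to be offered to outsiders.
pass in on $int_if inet proto { tcp, udp } from $localnet to $int_if port $udp_services

# Let the LAN out. The state created on the way in on $int_if also matches
# the NATed packet on the way out on $ext_if, so one rule suffices (old 13
# and 17 collapse into this).
pass from $localnet to any keep state

pass inet proto icmp all icmp-type $icmp_types
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors before `pfctl -f /etc/pf.conf`.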