I'm using OpenBSD 4.6 at home as an access point, firewall and home server (with pf). I've recently had some issues trying to use pidgin's [XMPP] video support on one of my client computers, yet, if I connect it directly to the internet it works fine; hence the problem is the firewall configuration (as one of the pidgin devs pointed out it might have been). I THINK UDP packets are being dropped, but I must really say, this problem is a bit above my level of understanding.
I need to know how to make sure UDP packets don't get dropped on the way to my PC, but I'm not really sure how. I think a simple "pass in proto udp" is a bit extremist (though it would work). Any better suggestions? My current pf.conf file is:

-----
# $OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Skip lo
set skip on lo

#############
# Variables #
#############
extif = "re0"
intif = "ral0"
chaos = "172.16.1.7"
mamaquina = "172.16.1.12"
tcp_services="{ 22, 113, 80, 443 }"
icmp_types = "echoreq"
allproto = "{ tcp, udp, ipv6, icmp, esp, ipencap }"
privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
table <intnet> { 172.16.0.1/16 }

# Options
set loginterface $extif
match in all scrub (no-df)

#######
# NAT #
#######
nat on $extif from $intif:network -> ($extif)

# TODO Maybe move this down to service ports? Check first.
rdr pass log on $extif proto tcp from any to any port 1022 -> $chaos port 22

block in
pass out keep state

antispoof quick for { lo $intif }

block drop in on $extif from $privnets to any
block drop in on $extif from any to $privnets

#################
# SERVICE PORTS #
#################

# Open ports for local services
pass in on $extif inet proto tcp from any to ($extif) port $tcp_services flags S/SA keep state

### OTHER PORTS AND OPENINGS
pass in on $extif from any to 172.16.1.7
pass in on $extif from any to 172.16.2.4
pass in on $extif proto {tcp, udp} from any to any port 53

# ICMP Traffic
pass in inet proto icmp all icmp-type $icmp_types keep state

# LAN - everything is allowed in/out
pass in quick on $intif
pass out quick on $intif

### Block remote connections to the X Server
block in on ! lo0 proto tcp to port 6000:6010
-----

Thanks for your time guys!

--
Hugo Osvaldo Barrera
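A worked version of the narrower approach the post is asking for, added here as an example (it is not from the original post or from the OpenBSD sample ruleset). It assumes the macros from the pf.conf above, that 172.16.1.12 ($mamaquina) is the client running pidgin, and uses a placeholder UDP port range that has to be replaced with the range the application really uses. Two pf facts it relies on: "pass out keep state" already creates a state entry for every UDP flow the client starts, so replies to those flows are never the problem, and with NAT in front of the LAN an unsolicited inbound UDP packet needs a redirection to reach an internal host at all, so a bare "pass in proto udp" would not deliver it to the client either.

```pf
# Added example, not from the original post. Assumes the macros from the
# poster's pf.conf ($extif, $intif, $mamaquina) and that 172.16.1.12 is the
# client running pidgin. The UDP port range is a PLACEHOLDER: take the real
# range from the application's documentation or from the pflog output.

# 1. Make the default deny visible. "block in" alone drops silently; with
#    "log" each drop goes to pflog0 and can be watched while a call is set up:
#      tcpdump -n -e -ttt -i pflog0 proto udp
#    If the session's UDP packets show up there, the "UDP is being dropped"
#    hypothesis is confirmed. If nothing ever arrives on $extif, the firewall
#    is not what is eating them.
block log in
pass out keep state

# 2. Replies to UDP the client sends out already pass: "pass out keep state"
#    creates one state entry per flow and the return packets match it.
#    Only unsolicited inbound UDP hits "block in". Because the LAN is NATed,
#    such packets are addressed to ($extif) itself and need a redirection to
#    reach 172.16.1.12, so a plain "pass in" would not help anyway.

# 3. Narrower than "pass in proto udp": one interface, one protocol, one
#    destination host, one port range, and per-flow state so the opening
#    closes again when the flow goes idle.
video_udp_ports = "10000:20000"      # PLACEHOLDER range, see above
rdr pass log on $extif inet proto udp from any to ($extif) \
    port $video_udp_ports -> $mamaquina

# Check the syntax before loading, then confirm state is being created:
#   pfctl -nf /etc/pf.conf
#   pfctl -f /etc/pf.conf
#   pfctl -ss | grep udp
```

The rdr line follows the same "rdr pass log" form the ruleset already uses for port 1022, so it can sit next to that rule; the only thing that must be right for it to be useful is the port range, which is why the block insists on reading it off pflog first rather than guessing.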