My NATting firewall/router is working fine: the problem is I don't understand why. Specifically, I can't see how packets are getting out the rl0 interface when there's no explicit rule to pass them out.
Notes:

1) This is on an old OpenBSD 3.9 system. Sorry, that's what I have to work with for now. I know it would be easier to answer on a newer OS version, but I'd appreciate help with this for the moment.

2) Only the relevant pf.conf rules are below - there are lots more "pass in" and "block in" rules in the working pf.conf that shouldn't matter to my question, I think.

3) The basic setup is an external interface (xl0 = $ext_if), a trusted "good" internal/wired network (xl1 = $good_if) and an untrusted wireless network (rl0 = $wls_if). Only specific static IPs can connect on the wireless interface.

4) Note the lines below which do allow "pass out on $wls_if", but they're restricted to packets from the good/trusted network, nowhere else.

So my question is, again: how do regular packets from the Net pass out to the wireless network over rl0? Is this somehow a function of the NAT rules that I don't understand? Or something to do with established TCP connections being already green-lit? I would think that without an explicit rule they'd be blocked (default block at the very end). So obviously, again, I don't understand something here... and I'm a little worried my non-understanding covers up a huge security hole in my ruleset. Thanks for any help and advice.

BP

# /etc/pf.conf
ext_if = "xl0"
good_if = "xl1"
wls_if = "rl0"
good_net = "192.168.0.128/26"
wls_net = "192.168.1.128/26"
ext_ip = "123.45.67.89"
good_gw = "192.168.0.4"
wls_gw = "192.168.1.4"

table <firewall_ips> const { $good_gw, $wls_gw, $ext_ip }
table <unroutable_ips> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !$good_net, !$wls_net, 169.254.0.0/16, 127.0.0.0/8, 0.0.0.0/32, 255.255.255.255/32 }

# policies / runtime options
set loginterface $ext_if
set state-policy if-bound

# NAT outgoing connections
nat pass on $ext_if proto {tcp udp icmp} from $good_net to ! <unroutable_ips> -> ($ext_if)
nat pass on $ext_if proto {tcp udp icmp} from $wls_net to ! <unroutable_ips> -> ($ext_if)

# get in trusted / loopback packets
pass quick on $good_if all
pass quick on lo0 all

# get in "untrusted" wireless packets
pass in quick on $wls_if inet from 192.168.1.140 to any flags S/SA keep state
pass in quick on $wls_if inet from 192.168.1.136 to any flags S/SA keep state

# Provide for outgoing traffic from the firewall itself to the Net at large
pass out quick on $ext_if proto tcp all keep state flags S/SA
pass out quick on $ext_if proto { udp icmp } all keep state

# Provide for outgoing traffic from the trusted network to the wireless network
pass out quick on $wls_if proto tcp from $good_net to $wls_net keep state flags S/SA
pass out quick on $wls_if proto { udp icmp } from $good_net to $wls_net keep state

# Block out everything else!
block out log quick inet all label "block out (default)"
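An added example, not part of the post above and not pf's own code: a small Python model of the order in which pf evaluates the posted ruleset (state-table lookup before any rule, "keep state" entries matching both directions of a connection, "set state-policy if-bound" tying each entry to the interface it was created on, and "nat pass" creating its own state on $ext_if). It traces one TCP connection from the wireless host 192.168.1.140 to an Internet host and back, then checks what happens to a packet with no state behind it. The peer address 203.0.113.10 and the port numbers are constructed sample input; the model covers the TCP rules only, and a packet that no rule in the excerpt matches is treated as passed, which is pf's default when no rule applies.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Interfaces and networks from the posted pf.conf.
EXT_IF, GOOD_IF, WLS_IF = "xl0", "xl1", "rl0"
GOOD_NET = ip_network("192.168.0.128/26")
WLS_NET = ip_network("192.168.1.128/26")
EXT_IP = "123.45.67.89"
UNROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/32", "255.255.255.255/32")]
WLS_HOSTS = {"192.168.1.140", "192.168.1.136"}  # the two "pass in quick on $wls_if" rules
PEER = "203.0.113.10"  # constructed Internet host (TEST-NET-3), not from the post


def in_unroutable(addr: str) -> bool:
    """<unroutable_ips>: the listed blocks minus the two local nets (the '!' entries)."""
    a = ip_address(addr)
    if a in GOOD_NET or a in WLS_NET:
        return False
    return any(a in n for n in UNROUTABLE)


class Packet:
    def __init__(self, iface, direction, src, sport, dst, dport, syn_only=False):
        self.iface, self.direction = iface, direction
        self.src, self.sport, self.dst, self.dport = src, sport, dst, dport
        self.syn_only = syn_only  # "flags S/SA": SYN set, ACK clear, i.e. a new connection

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


class State:
    """One state-table entry. 'set state-policy if-bound' ties it to the creating interface."""
    def __init__(self, pkt: Packet, nat_src: Optional[str] = None):
        self.iface = pkt.iface
        self.fwd = pkt.key()
        self.rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # replies match too
        self.nat_src = nat_src  # pre-translation source, so replies can be un-NATted

    def matches(self, pkt: Packet) -> bool:
        return pkt.iface == self.iface and pkt.key() in (self.fwd, self.rev)


class Pf:
    def __init__(self):
        self.states: List[State] = []

    def nat(self, p: Packet) -> Optional[str]:
        """nat pass on $ext_if from {$good_net, $wls_net} to ! <unroutable_ips> -> ($ext_if)."""
        src = ip_address(p.src)
        if (p.direction == "out" and p.iface == EXT_IF
                and (src in GOOD_NET or src in WLS_NET) and not in_unroutable(p.dst)):
            translated = Packet(EXT_IF, "out", EXT_IP, p.sport, p.dst, p.dport, p.syn_only)
            self.states.append(State(translated, nat_src=p.src))
            return "nat pass (state created on %s)" % EXT_IF
        return None

    def rules(self, p: Packet) -> str:
        """The TCP filter rules from the post, in order; all are 'quick', so first match wins."""
        src, dst = ip_address(p.src), ip_address(p.dst)
        if p.iface in (GOOD_IF, "lo0"):
            return "pass quick on %s all" % p.iface
        if p.direction == "in" and p.iface == WLS_IF and p.src in WLS_HOSTS and p.syn_only:
            self.states.append(State(p))
            return "pass in quick on $wls_if from %s (state created)" % p.src
        if p.direction == "out" and p.iface == EXT_IF and p.syn_only:
            self.states.append(State(p))
            return "pass out quick on $ext_if proto tcp (state created)"
        if (p.direction == "out" and p.iface == WLS_IF and p.syn_only
                and src in GOOD_NET and dst in WLS_NET):
            self.states.append(State(p))
            return "pass out quick on $wls_if from $good_net to $wls_net (state created)"
        if p.direction == "out":
            return "block out (default)"
        return "no rule in the excerpt matched (pf's default is pass)"

    def evaluate(self, p: Packet) -> str:
        # 1. State table first: a packet matching an entry in either direction passes
        #    without the rules being consulted at all.
        for s in self.states:
            if s.matches(p):
                if s.nat_src and p.direction == "in":
                    return "state on %s, reply un-NATted to %s" % (s.iface, s.nat_src)
                return "state on %s" % s.iface
        # 2. Translation; 'nat pass' short-circuits the filter rules.
        verdict = self.nat(p)
        if verdict:
            return verdict
        # 3. Filter rules.
        return self.rules(p)


def connection_steps() -> List[Packet]:
    """One TCP connection 192.168.1.140:40000 -> PEER:80, as the four packets pf sees."""
    return [
        Packet(WLS_IF, "in", "192.168.1.140", 40000, PEER, 80, syn_only=True),   # SYN arrives on rl0
        Packet(EXT_IF, "out", "192.168.1.140", 40000, PEER, 80, syn_only=True),  # SYN leaves on xl0
        Packet(EXT_IF, "in", PEER, 80, EXT_IP, 40000),                           # SYN/ACK back on xl0
        Packet(WLS_IF, "out", PEER, 80, "192.168.1.140", 40000),                 # SYN/ACK out on rl0
    ]


def trace_wireless_to_internet(pf: Pf) -> List[str]:
    return [pf.evaluate(p) for p in connection_steps()]


def unsolicited_to_wireless(pf: Pf) -> str:
    """A packet from the Net towards the wireless host with no state behind it."""
    return pf.evaluate(Packet(WLS_IF, "out", PEER, 80, "192.168.1.140", 40001))


def reply_without_ingress_state() -> str:
    """if-bound: the NAT state on xl0 alone does not carry the reply out rl0."""
    pf = Pf()
    for p in connection_steps()[1:3]:  # skip the 'pass in quick on $wls_if' step
        pf.evaluate(p)
    return pf.evaluate(connection_steps()[3])


if __name__ == "__main__":
    pf = Pf()
    for p, v in zip(connection_steps(), trace_wireless_to_internet(pf)):
        print("%-3s %s %s:%d -> %s:%d => %s" % (p.direction, p.iface, p.src, p.sport, p.dst, p.dport, v))
    print("unsolicited out rl0 =>", unsolicited_to_wireless(pf))
    print("reply with only the xl0 NAT state =>", reply_without_ingress_state())
```

Running it shows the mechanism the post is asking about: the SYN/ACK leaves rl0 because it matches the state the "pass in quick on $wls_if ... keep state" rule created when the SYN came in on rl0, so "block out (default)" is never consulted for it. The "nat pass" state lives on xl0 and, being if-bound, does not cover rl0 on its own, and a packet towards the wireless network with no matching state does fall through to the block rule.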