Hello Bob,

A good place to start, imo, is https://solarflux.org/pf/
There you can find a lot of examples regarding pf. You can use them as a template and then customize them to your own needs.


Another good reference is the PF guide at: http://www.openbsd.org/faq/pf/index.html



There are a lot of ways to do what you are looking for, but clearly it is not needed to assign alias interfaces on your gateway and/or firewall to do that. You can use two nics to do it. You could bridge your interfaces as well.

Short example:

Internet -> fxp0 - OpenBSD - fxp1 -> YOUR_NETWORK

ext_if=fxp0
int_if=fxp1

IP_RANGE = "xxx.xxx.xxx.0/16 ... ... ..."
WWW_SERVER = "xxx.xxx.xxx.xxx/32 ... .. ..."
BAD_HOSTS = '{ xxx.xxx.xxx.xxx/24 xxx.xxx.xxx.xxx/32 ... .... }'
...
...
.

scrub in all
scrub out all random-id

block in from $BAD_HOSTS to any

pass in quick from $IP_RANGE to any keep state
pass in proto tcp from any to $WWW_SERVER port = 80 synproxy state

...
....
....


I hope this gave you the idea.

MzOzD
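A fuller routed ruleset in the shape MzOzD sketches above, added here as an example (it is not from the original reply): interface names, the 203.0.113.0/24 hosted block, the 198.51.100.5 management host and the 192.0.2.0/24 blocked range are placeholders from the RFC 5737 documentation ranges, and the syntax is modern OpenBSD pf rather than the keep state form of that era.

```pf
# Added example, not from the original reply. Routed two-NIC firewall in front
# of six hosts that keep their own public addresses: no NAT, no rdr and no
# interface aliases, the firewall only routes and filters.
# Outside pf.conf you still need sysctl net.inet.ip.forwarding=1 and the colo
# router pointing the hosted /24 at this box's fxp0 address.

ext_if   = "fxp0"                              # towards the colo uplink
int_if   = "fxp1"                              # towards the hosted machines
colo_net = "203.0.113.0/24"                    # placeholder: the hosted block
www_servers = "{ 203.0.113.10, 203.0.113.11 }" # two machines both running httpd
mail_server = "203.0.113.20"                   # placeholder
mgmt_hosts  = "{ 198.51.100.5 }"               # placeholder: where admins ssh from

# Persistent table instead of a macro: change it at runtime with
# pfctl -t bad_hosts -T add|delete, no ruleset reload needed.
table <bad_hosts> persist { 192.0.2.0/24 }

set skip on lo0
match in all scrub (no-df random-id max-mss 1440)

# Drop packets whose source address belongs to the "wrong" side of the box;
# antispoof for $int_if also covers $colo_net arriving from upstream.
antispoof quick for { $ext_if $int_if }
block in quick on $ext_if from <bad_hosts> to any

# Default deny, logged, so anything unmatched shows up on pflog0.
block log all

# Hosted machines talking out: states are floating by default, so the reply
# is passed by state on both interfaces without extra out rules.
pass in  on $int_if from $colo_net to any
pass out on $ext_if from $colo_net to any

# Inbound services, one rule per service, keyed on the real public address.
pass in on $ext_if proto tcp from any to $www_servers port { 80 443 } synproxy state
pass in on $ext_if proto tcp from any to $mail_server port 25
pass in on $ext_if proto tcp from $mgmt_hosts to $colo_net port 22

# The firewall itself: reachable only from the management hosts.
pass in  on $ext_if proto tcp from $mgmt_hosts to ($ext_if) port 22
pass out on $ext_if from ($ext_if) to any
```

Check it with pfctl -nf /etc/pf.conf before loading; the unmatched traffic logged by the block rule is what tells you which service you forgot.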

Hi,

I'm sorry for the newbie advice question.
I've run OpenBSD for a couple years, and pf as well,
performing straightforward NAT, rdr, etc....  all
with the firewall having one public internet routable
address, and multiple machines behind with private
addresses..

However, someone at my work wants me to install a
firewall at a colo site - in front of say, six
machines, all with public internet routable
addresses...

So - I know this is likely a really stupid question,
but how do I manage this?  Does the firewall have a
bunch of aliased IP addresses and rdr respectively to
private addresses behind?  Is bgp (I know nothing
about yet) something that I need/should be using?

Another thing of note, some of these machines will be
running similar services, such as two different
machines running httpd...

Sorry - please point me to the correct section I've
missed in the FAQ or something I can research more
on...

thanks
bob





