Hi, I use my OpenBSD machine as NAT-router and want to protect it using pf. I use the following rules to forward all packets destined to the internet, but block any packets destined to the router itself:
    # Masquerade and route lan clients to outside
    pass in on bge0 from 192.168.23.0/24
    #pass all
    #but block anything destined to this host, exceptions are allowed later
    block in on bge0 from any to (egress)
    block in on bge0 from any to (tun)
    block in on bge0 from any to (wlan)
    block in on bge0 from any to (bge0)

According to ifconfig(8) I should be able to write this more simply and maintainably by using the 'all' interface group instead of bge0, egress, tun and wlan:

    # Masquerade and route lan clients to outside
    pass in on bge0 from 192.168.23.0/24
    #pass all
    #but block anything destined to this host, exceptions are allowed later
    block in on bge0 from any to (all)

But this doesn't work:

    /etc/pf.conf:63: syntax error
    pfctl: Syntax error in config file: pf rules not loaded

It seems that there is no 'all' interface group as documented in ifconfig(8), or at least pf.conf cannot use it.

Christopher
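In pf.conf syntax `all` is a reserved keyword (as in `pass in all`), which is why `(all)` fails to parse. The rule set below is an added example, not taken from the post above: it expresses the same policy with the pf keyword `self`, which expands to every address assigned to any interface on the host, so the per-interface block rules collapse into one and later interfaces are covered automatically. The macro names, the `log` option and the two re-allowed services are assumptions for illustration.

```pf
# Added example (not from the original post): block traffic to the router
# itself with "self" instead of one rule per interface or group.
lan_if  = "bge0"
lan_net = "192.168.23.0/24"

# Forward LAN clients towards the internet. NAT (match out ... nat-to) is
# assumed to be configured elsewhere in the rule set, as in the post.
pass in on $lan_if from $lan_net

# Last matching rule wins: anything from the LAN addressed to one of this
# host's own addresses is blocked here. "log" sends the blocked packets to
# pflog0 so attempts to reach the router can be reviewed with tcpdump.
block in log on $lan_if from $lan_net to self

# Exceptions are re-allowed after the block, as the original comment says.
# Constructed examples: DNS and SSH from the LAN to the router.
pass in on $lan_if proto { tcp udp } from $lan_net to self port domain
pass in on $lan_if proto tcp from $lan_net to self port ssh
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses the rules without applying them, so a syntax error like the one in the post is caught without touching the running rule set.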