Re: basic pf question without NAT or rdr

2007-06-01 Thread Boudewijn Ector
Boudewijn Ector wrote:
 Hi there,


 I've been using OpenBSD for some months now, for example on my office
 router which uses NAT (based on a tweaked example config from the FAQ).
 This works really great!

 But now I'm designing a firewall which is not used for any routing, and
 will be run on a machine having just one NIC. So it has to be a
 'personal firewall'. After having done the basic stuff, I'll add authpf
 (which, by the way, runs great on my router, really cool!).

 I've got the config:

 -bash-3.2# grep -v ^$ pf.conf
 # macros
 iface=sis0
 tcp_services={ 22 }
 icmp_types=echoreq
 # options
 set block-policy return
 #set loginterface $ext_if
 set skip on lo
 nat-anchor authpf/*
 rdr-anchor authpf/*
 binat-anchor authpf/*
 anchor authpf/*
 # filter rules
 block in
 #antispoof quick for { lo $int_if }
 block in quick on $iface proto tcp from any \
 port 1022
 pass out keep state
 pass in on $iface inet proto tcp from any \
 port $tcp_services flags S/SA keep state
 pass in inet proto icmp all icmp-type $icmp_types keep state


 I'd like to close port 1022 for ALL traffic (and will allow it soon
 after authpf works).
 Can someone please point out what's wrong?

Just fixed it.
Note to /me: don't forget pfctl -e.



basic pf question without NAT or rdr

2007-05-31 Thread Boudewijn Ector
Hi there,


I've been using OpenBSD for some months now, for example on my office
router which uses NAT (based on a tweaked example config from the FAQ).
This works really great!

But now I'm designing a firewall which is not used for any routing, and
will be run on a machine having just one NIC. So it has to be a
'personal firewall'. After having done the basic stuff, I'll add authpf
(which, by the way, runs great on my router, really cool!).

I've got the config:

-bash-3.2# grep -v ^$ pf.conf
# macros
iface=sis0
tcp_services={ 22 }
icmp_types=echoreq
# options
set block-policy return
#set loginterface $ext_if
set skip on lo
nat-anchor authpf/*
rdr-anchor authpf/*
binat-anchor authpf/*
anchor authpf/*
# filter rules
block in
#antispoof quick for { lo $int_if }
block in quick on $iface proto tcp from any \
port 1022
pass out keep state
pass in on $iface inet proto tcp from any \
   port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state


I'd like to close port 1022 for ALL traffic (and will allow it soon
after authpf works).
Can someone please point out what's wrong?
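An added example, not part of the thread: a small Python helper that normalises a pf.conf the way pfctl sees it (joins backslash-continued lines, strips comments, expands macros) and reports, per filter rule, which side a `port` clause constrains. In pf grammar a port written after `from <host>` is the source port and one after `to <host>` is the destination port; run over the config posted above (embedded as the sample input), both `port` clauses follow `from` and therefore match the source port, and no rule constrains destination port 1022 other than the catch-all `block in`.

```python
import re

# Sample input: the pf.conf posted in the thread, reduced to macros and filter rules.
PF_CONF = r"""
iface=sis0
tcp_services={ 22 }
icmp_types=echoreq
block in
block in quick on $iface proto tcp from any \
port 1022
pass out keep state
pass in on $iface inet proto tcp from any \
   port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
"""

def normalize(conf):
    """Join backslash-continued lines, drop comments/blank lines, expand macros."""
    joined = re.sub(r"\\\n\s*", " ", conf)          # "from any \<newline> port" -> one line
    macros, rules = {}, []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)     # macro definition, e.g. iface=sis0
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        for name, value in macros.items():
            line = line.replace("$" + name, value)
        rules.append(re.sub(r"\s+", " ", line))
    return rules

def port_roles(rule):
    """Map 'src'/'dst' to the port spec a filter rule constrains on that side."""
    # pf grammar: 'from <host> port X' is the source port, 'to <host> port X' the destination.
    roles = {}
    for side, key in (("from", "src"), ("to", "dst")):
        m = re.search(rf"\b{side}\b\s+\S+\s+port\s+(\{{[^}}]*\}}|\S+)", rule)
        if m:
            roles[key] = m.group(1).strip("{} ")
    return roles

def rules_on_dst_port(rules, port):
    """Filter rules (block/pass) whose destination-port clause includes `port`."""
    return [r for r in rules if r.split()[0] in ("block", "pass")
            and port in port_roles(r).get("dst", "").split()]

for r in normalize(PF_CONF):
    print(f"{r!r:78} -> {port_roles(r)}")
```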