Re: pf.conf newbie help

From: Dave Uhring (daveuhring_at_yahoo.com)
Date: 08/25/04


Date: Wed, 25 Aug 2004 08:42:48 -0500

On Wed, 25 Aug 2004 06:04:44 -0700, Dennis Russo wrote:

> I actually don't use my DNS server for that box (the obsd box
> performing the NAT - only the machines behind it on my home network
> use it), but I did change the resolv.conf file to read what you have
> listed.

Wait a minute, here. Are you running BIND on the firewall machine or on
another machine connected to the protected LAN?

Here is the /etc/pf.conf on my home firewall, which runs *no* services at
all.

OpenBSD 3.5 (GENERIC) #34: Mon Mar 29 12:24:55 MST 2004

[root]# cat /etc/pf.conf
# Define useful variables
ExtIF="fxp0" # External Interface
int_if="tl0"
IntNet="192.168.0.0/24" # Our internal network
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23 }"
#Services="{ www, https }"

# Clean up fragmented and abnormal packets
scrub in all

# Translate everything from the internal network to the external interface's
# address; the parentheses make pf track that address if it changes (DHCP).
nat on $ExtIF from $IntNet to any -> ($ExtIF)

# FTP does not survive NAT on its own: hand port-21 connections to
# ftp-proxy(8), which listens on 127.0.0.1 port 8021 (on 3.5 it is spawned
# from inetd). The $int_if rule is the one LAN clients hit; the $ExtIF rule
# only matters if something is ever passed in on that interface.
rdr on $ExtIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# don't allow anyone to spoof non-routeable addresses
block in quick on $ExtIF from $NoRouteIPs to any

block out quick on $ExtIF from any to $NoRouteIPs

# by default, block all incoming packets, except those explicitly
# allowed by further rules

block in on $ExtIF all

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out on $ExtIF all
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state
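The ruleset above can be checked offline by replaying a few packets through it with pf's filter semantics: rules are evaluated top to bottom, the last matching rule wins unless it carries "quick", and a packet no rule matches is passed. The script below is an added example, not part of Dave's post and not an OpenBSD tool; it embeds the pf.conf from the post, ignores scrub/nat/rdr (normalisation and translation, not filtering), and reports verdicts for constructed packets. The addresses 203.0.113.5 and 198.51.100.7 are assumed placeholders for the firewall's external address and a remote host, the packets are taken to be the first of a connection (what "flags S/SA keep state" keys on), and outbound packets carry their post-NAT source because translation happens before the filter rules.

```python
import ipaddress
import re

# The pf.conf from the post above (uname and shell prompt lines omitted).
PF_CONF = """
ExtIF="fxp0" # External Interface
int_if="tl0"
IntNet="192.168.0.0/24" # Our internal network
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23 }"
scrub in all
nat on $ExtIF from 192.168.0.0/24 to any -> ($ExtIF)
rdr on $ExtIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
block in quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs
block in on $ExtIF all
block out on $ExtIF all
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state
"""


def parse_ruleset(text):
    """Expand macros and { } lists, return only the block/pass filter rules."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"(.*)"$', line)   # macro definition
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        # collapse "{ a, b }" into one comma-joined token
        line = re.sub(r"\{([^}]*)\}",
                      lambda mm: ",".join(t.strip() for t in mm.group(1).split(",")), line)
        toks = line.split()
        if toks[0] not in ("block", "pass"):         # scrub/nat/rdr are not filter rules
            continue
        rule = {"action": toks[0], "dir": toks[1], "quick": False, "iface": None,
                "af": None, "proto": None, "src": ["any"], "dst": ["any"]}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "quick":
                rule["quick"] = True; i += 1
            elif t == "on":
                rule["iface"] = toks[i + 1]; i += 2
            elif t == "inet":
                rule["af"] = 4; i += 1
            elif t == "proto":
                rule["proto"] = toks[i + 1]; i += 2
            elif t == "from":
                rule["src"] = toks[i + 1].split(","); i += 2
            elif t == "to":
                rule["dst"] = toks[i + 1].split(","); i += 2
            elif t == "all":
                i += 1                                # from any to any (the default)
            elif t in ("flags", "keep"):
                i += 2                                # "flags S/SA", "keep state": first-packet view
            else:
                raise ValueError(f"unsupported token {t!r} in: {line}")
        rules.append(rule)
    return rules


def addr_matches(specs, ip):
    ip = ipaddress.ip_address(ip)
    return any(s == "any" or ip in ipaddress.ip_network(s, strict=False) for s in specs)


def evaluate(rules, direction, iface, proto, src, dst):
    """pf semantics: last matching rule wins, 'quick' stops evaluation, no match passes."""
    verdict = "pass"
    for r in rules:
        if r["dir"] != direction or (r["iface"] and r["iface"] != iface):
            continue
        if r["af"] and ipaddress.ip_address(src).version != r["af"]:
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if not (addr_matches(r["src"], src) and addr_matches(r["dst"], dst)):
            continue
        verdict = r["action"]
        if r["quick"]:
            break
    return verdict


def verdicts(rules):
    """Replay constructed packets (assumed addresses, not traffic from the post)."""
    ext, lan_host, remote = "203.0.113.5", "192.168.0.10", "198.51.100.7"
    packets = {
        "spoofed RFC1918 source arriving on fxp0": ("in", "fxp0", "tcp", "10.1.2.3", ext),
        "unsolicited SYN from the internet": ("in", "fxp0", "tcp", remote, ext),
        "LAN web request after NAT": ("out", "fxp0", "tcp", ext, remote),
        "LAN DNS query after NAT": ("out", "fxp0", "udp", ext, remote),
        "GRE out (no pass rule for it)": ("out", "fxp0", "gre", ext, remote),
        "leak towards 10/8 via the uplink": ("out", "fxp0", "udp", ext, "10.0.0.1"),
        "anything entering on tl0 (no rules there)": ("in", "tl0", "tcp", lan_host, remote),
    }
    return {name: evaluate(rules, *pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, v in verdicts(parse_ruleset(PF_CONF)).items():
        print(f"{v:5}  {name}")
```

The two results worth noticing are that only TCP, UDP and ICMP ever leave fxp0 (any other protocol hits "block out on $ExtIF all" with no later pass), and that tl0 has no rules at all, so the internal interface relies entirely on the external rules. The real check on the firewall itself is still `pfctl -nf /etc/pf.conf` for syntax and `pfctl -sr` to see the loaded rules.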