Re: Special configuration of DHCP, NAT



On 2007-10-23, jens@xxxxxxxx <jens@xxxxxxxx> wrote:
> Hi
>
> My ISP provides me with 5 dynamic IP addresses.
> I have 5+ computers connected today via a broadband router, which means
> I am just using 1 of my addresses.
>
> I am now thinking about replacing the broadband router with my OpenBSD
> box, which is already handling my mail.

This is what I do at home with OpenBSD 4.1. Standard install. Running my web
site, mail server plus firewall to my LAN. OpenBSD DHCP's an address from the
DSL modem and NAT's the LAN. I use a combination of static IP address for
hosts plus bind and dhcpd.

I also make sure my one windoze box doesn't emit anything too nasty to the
Internet...

My /etc/pf.conf:

LAN = "fxp0"
WAN = "xl0"

icmp_types = "echoreq"

tcp_services = "{ ssh, http, https, smtp, imaps }"

MSports = "{ 135:139, 161, 389, 445, 593 }"

set skip on lo

scrub in on $WAN all
scrub out on $WAN all random-id

## NAT
nat on $WAN from $LAN:network to any -> ($WAN)

## FILTER RULES

block drop in all
block drop out all

## allow traffic out to Internet
pass out on $WAN proto tcp from any to any modulate state flags S/SA
pass out on $WAN proto { udp, icmp } from any to any

## allow pings
pass in on $WAN inet proto icmp from any to any icmp-type $icmp_types keep state

## watch for address spoofing
antispoof quick for { lo $LAN }

## allow LAN traffic
pass on $LAN

block on $LAN proto {udp, tcp} from any to any port $MSports

## allow specific server traffic, use TCP SYN Proxy
pass in on $WAN inet proto tcp from any to any \
port $tcp_services flags S/SA synproxy state


I also start up named and dhcpd per their man pages.

Hope this helps!
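The ordering of the filter rules in the pf.conf above relies on pf's last-matching-rule-wins evaluation (only `quick` rules stop evaluation early), which is why `block on $LAN ... port $MSports` placed after `pass on $LAN` still blocks those ports. The following Python model of that evaluation over the post's own filter rules is an added example, not part of the original post or of OpenBSD; it ignores addresses, state tracking and TCP flags, so the `antispoof quick`, `nat` and `scrub` lines are left out and the packets below are constructed for illustration.

```python
# Toy model of pf rule evaluation for the filter rules posted above.
# pf: the LAST matching rule decides, unless a matching rule has "quick".
from dataclasses import dataclass
from typing import Optional, Set

LAN, WAN = "fxp0", "xl0"                                # interfaces from the post
MSPORTS = set(range(135, 140)) | {161, 389, 445, 593}    # $MSports
TCP_SERVICES = {22, 80, 443, 25, 993}                    # ssh, http, https, smtp, imaps

@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str] = None      # "in", "out" or None (both directions)
    iface: Optional[str] = None          # None matches any interface
    protos: Optional[Set[str]] = None    # None matches any protocol
    dports: Optional[Set[int]] = None    # None matches any destination port
    quick: bool = False                  # stop evaluation on match

    def matches(self, iface, direction, proto, dport):
        return ((self.iface is None or self.iface == iface)
                and (self.direction is None or self.direction == direction)
                and (self.protos is None or proto in self.protos)
                and (self.dports is None or dport in self.dports))

# Filter rules in file order (addresses, state and flags are not modelled).
RULESET = [
    Rule("block", "in"),                                  # block drop in all
    Rule("block", "out"),                                 # block drop out all
    Rule("pass", "out", WAN, {"tcp"}),                    # modulate state flags S/SA
    Rule("pass", "out", WAN, {"udp", "icmp"}),
    Rule("pass", "in", WAN, {"icmp"}),                    # allow pings
    Rule("pass", None, LAN),                              # pass on $LAN
    Rule("block", None, LAN, {"udp", "tcp"}, MSPORTS),    # later rule overrides
    Rule("pass", "in", WAN, {"tcp"}, TCP_SERVICES),       # synproxy state
]

def verdict(iface, direction, proto, dport=None):
    """Action of the last matching rule, or of the first matching 'quick' rule."""
    result = "pass"          # pf's implicit default when no rule matches
    for rule in RULESET:
        if rule.matches(iface, direction, proto, dport):
            result = rule.action
            if rule.quick:
                break
    return result

if __name__ == "__main__":
    for pkt in [(LAN, "in", "tcp", 445), (LAN, "in", "tcp", 80),
                (WAN, "in", "tcp", 22), (WAN, "in", "tcp", 3389)]:
        print(pkt, "->", verdict(*pkt))
```

Running it shows a LAN host's SMB connection (port 445) blocked even though `pass on $LAN` matched first, while inbound SSH on the WAN side passes only because the later `synproxy` rule overrides the default block.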

