OpenBSD 4.0 pf scenario and question
On 08.02.2007 19:09:22 by Boardstretcher
OpenBSD 4.0 pf scenario and questions
Network:
OpenBSD gateway with 2 NICs
xl0 connected to cable modem (dhclient)
fxp0 connected to hub (dhcpd and bind)
Computers connected to hub
computer1 - 192.168.100.2
computer2 - 192.168.100.3
Objectives I am having trouble with:
1) Allow some traffic from computer1 to internet (port 80)
2) Disallow some traffic from computer1 to internet (the rest)
3) Allow all traffic from computer2 to internet
4) Allow some traffic into bsd box (port 80)
5) Forward packets from internet to computer2 ports (6000, 50000, 50001)
My guesses:
1) pass out quick from $computer1 port 80
2) block out all
3) pass out quick from $computer2
4) bsd_allowed="{ 80 }"
pass in quick on $ext_if inet from any to $ext_if port $bsd_allowed
5) forwarded_cpu="{ 6000, 50000, 50001 }"
rdr on $ext_if from any to $ext_if port $forwarded_cpu -> $computer2
Re: OpenBSD 4.0 pf scenario and question
On 09.02.2007 01:58:46 by Eirik Seim
On 8 Feb 2007 10:09:22 -0800, Boardstretcher wrote:
> OpenBSD 4.0 pf scenario and questions
>
> Network:
> OpenBSD gateway with 2 NICs
> xl0 connected to cable modem (dhclient)
> fxp0 connected to hub (dhcpd and bind)
>
> Computers connected to hub
> computer1 - 192.168.100.2
> computer2 - 192.168.100.3
>
> Objectives I am having trouble with:
>
> 1) Allow some traffic from computer1 to internet (port 80)
> 2) Disallow some traffic from computer1 to internet (the rest)
> 3) Allow all traffic from computer2 to internet
> 4) Allow some traffic into bsd box (port 80)
> 5) Forward packets from internet to computer2 ports (6000, 50000, 50001)
Need to change the order of appearance somewhat. Of course, you do
have the NAT rule(s) in place, I assume.
# 5:
rdr on $ext_if proto tcp from any to any port 6000 -> $computer2
rdr on $ext_if proto tcp from any to any port 50000 -> $computer2
rdr on $ext_if proto tcp from any to any port 50001 -> $computer2
# 2:
block out on $ext_if all
pass quick on $int_if # only filter on $ext_if
# 1:
pass out quick on $ext_if proto tcp from $computer1 to any port 80 \
keep state
pass out quick on $ext_if proto udp from $computer1 to any port 53 \
keep state
# 3:
pass out quick on $ext_if proto tcp from $computer2 to any keep state
pass out quick on $ext_if proto udp from $computer2 to any keep state
pass out quick on $ext_if proto icmp from $computer2 to any keep state
# 4:
pass in quick on $ext_if proto tcp from any to $ext_if port 80
--
New and exciting signature!
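A complete pf.conf in OpenBSD 4.0 syntax covering all five objectives, added here as an example (it is not code from either poster). It takes the interface names and addresses from the question and assumes the macro names; because pf applies nat/rdr before filtering, the per-host policy for computer1 is enforced on $int_if, where the source address is still 192.168.100.2 rather than the translated address.

```pf
# Added example (not from either post): full pf.conf, OpenBSD 4.0 syntax.
# Interface names and addresses are the ones given in the question;
# the macro names are assumed.
ext_if = "xl0"
int_if = "fxp0"
computer1 = "192.168.100.2"
computer2 = "192.168.100.3"
forwarded_ports = "{ 6000, 50000, 50001 }"

set skip on lo

# Translation runs before filtering, so an outbound rule on $ext_if
# would see ($ext_if) as the source, never 192.168.100.x. Per-host
# policy is therefore enforced on $int_if below.
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port $forwarded_ports -> $computer2

# Default deny in both directions, logged for troubleshooting.
block in log all
block out log all

# DHCP: dhclient on $ext_if, dhcpd serving the LAN on $int_if.
pass in quick on $ext_if proto udp from any port 67 to any port 68
pass in quick on $int_if proto udp from any port 68 to any port 67

# Objectives 1 and 2: computer1 gets web plus DNS to this box (bind), nothing else.
pass in quick on $int_if proto tcp from $computer1 to any port 80 keep state
pass in quick on $int_if proto { tcp, udp } from $computer1 to $int_if port 53 keep state
block in log quick on $int_if from $computer1 to any

# Objective 3: the rest of the LAN (computer2) may go anywhere.
pass in quick on $int_if from $int_if:network to any keep state

# Objective 4: only port 80 on the gateway itself is reachable from outside.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA keep state

# Objective 5: accept the redirected connections; after rdr the
# destination is already $computer2.
pass in quick on $ext_if proto tcp from any to $computer2 port $forwarded_ports flags S/SA keep state

# Let the gateway's own and the NATed LAN traffic out.
pass out quick on $ext_if keep state
pass out quick on $int_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to see which block rule is dropping anything unexpected.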