Monday, March 12, 2007

Setting up pf

I have a local NAT here at home, so I needed to configure pf right away after installing OpenBSD. I actually did that when I installed it a week ago or so, but only today did I study the PF User's Guide (I didn't read it all; I didn't get to some topics such as queueing and load balancing, and everything after that). You can read it at: http://www.openbsd.org/faq/pf/index.html

I think I'm now more comfortable with pf and know a little more about what it's capable of. I liked it; I found it far better to use than iptables (although I don't have much experience with iptables). I configured it this way:
# Macros
ext_if="vr0"
int_if="mtd0"
allowed_tcp="{ 6112:6119, 4662, 2222, ident }"
allowed_udp="{ 6112:6119, 4665, 4672 }"


# Tables


# Options
set loginterface $ext_if
set block-policy return

set skip on lo0


# Scrub
scrub in all max-mss 1440


# Queueing


# Translation
nat on egress from !(egress) -> (egress:0) static-port

#ftp workaround
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#starcraft ports
rdr on egress proto { tcp, udp } to port 6112:6119 -> \
     192.168.0.3
#emule ports
rdr on egress proto tcp to port 4662 -> 192.168.0.2
rdr on egress proto udp to port { 4665, 4672 } -> 192.168.0.2


# Filter rules
#allow everything from the internal network
pass in quick on $int_if all modulate state flags S/SA
#allow any packet to get out (this includes redirected stuff)
pass out quick all modulate state flags S/SA

block in on egress all

#ftp workaround
anchor "ftp-proxy/*"

pass in on egress proto tcp from any to any port $allowed_tcp \
     modulate state flags S/SA
pass in on egress proto udp from any to any port \
     $allowed_udp keep state
pass in inet proto icmp all icmp-type echoreq keep state
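With `block in on egress all` as the default, an rdr rule only rewrites the destination; the forwarded packet still has to match a `pass in` rule (here the `$allowed_tcp` and `$allowed_udp` lists), so those lists are both the permission and the inventory of what the NAT box exposes. The checker below is an added example written for this post, not the author's ruleset or any pf tool: a POSIX sh wrapper around awk that reads a pre-4.7 style pf.conf, expands macros, and reports every `rdr ... to port` entry as covered or UNCOVERED by some `pass in` rule. It assumes the simplified syntax seen above (plain ports, `a:b` ranges, `{ }` lists) and ignores pass rules that carry no `port` clause; the sample ruleset it writes is constructed and modelled on the one above.

```shell
#!/bin/sh
# Cross-check a pre-4.7 style pf.conf: every port that an "rdr ... to port"
# rule forwards must also be allowed by a "pass in" rule, because rdr only
# translates and "block in on egress all" still drops anything not passed.
# Hypothetical example for this post, not the author's ruleset nor a pf tool.
# Simplifications: only "a:b" ranges and plain ports/names are understood,
# macros are expanded, and pass rules without a "port" clause are ignored.

# rdr_pass_check FILE
# Prints "covered PROTO PORT" or "UNCOVERED PROTO PORT" per redirected port;
# exits 1 if any redirected port has no matching pass-in rule.
rdr_pass_check() {
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }    # join continued lines
    { line = buf $0; buf = ""; process(line) }

    function process(l,   n, v) {
        sub(/#.*/, "", l)                                # drop comments
        if (l ~ /^[ \t]*$/) return
        if (match(l, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/)) {   # macro
            n = substr(l, 1, RLENGTH - 1); gsub(/[ \t]/, "", n)
            v = substr(l, RLENGTH + 1); gsub(/"/, "", v)
            macro[n] = v; return
        }
        sub(/^[ \t]+/, "", l)
        if (l ~ /^rdr[ \t]/) collect(l, "rdr")
        else if (l ~ /^pass[ \t]+in[ \t]/) collect(l, "pass")
    }
    function expand(s,   name) {                         # replace $macro uses
        while (match(s, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
            name = substr(s, RSTART + 1, RLENGTH - 1)
            s = substr(s, 1, RSTART - 1) macro[name] substr(s, RSTART + RLENGTH)
        }
        return s
    }
    # read one value or a "{ a, b }" list starting at token i; sets NEXT
    function spec(t, n, i,   s) {
        s = t[i]
        while (s ~ /^\{/ && s !~ /\}/ && i < n) { i++; s = s " " t[i] }
        NEXT = i + 1
        s = expand(s); gsub(/[{},]/, " ", s)
        sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
        return s
    }
    function collect(l, kind,   t, n, i, side, proto, ports, pr, pt, j, k) {
        n = split(l, t, /[ \t]+/)
        proto = "any"; ports = ""
        for (i = 1; i <= n; i++) {
            if (t[i] == "from") side = "from"
            else if (t[i] == "to") side = "to"
            else if (t[i] == "->") side = ""             # translation target follows
            else if (t[i] == "proto") { proto = spec(t, n, i + 1); i = NEXT - 1 }
            else if (t[i] == "port" && side == "to") { ports = spec(t, n, i + 1); i = NEXT - 1 }
        }
        if (ports == "") return
        for (j = split(proto, pr, /[ \t]+/); j > 0; j--)
            for (k = split(ports, pt, /[ \t]+/); k > 0; k--)
                items[kind, ++cnt[kind]] = pr[j] " " pt[k]
    }
    function isnum(p) { return p ~ /^[0-9]+(:[0-9]+)?$/ }
    function lo(p) { return (p ~ /:/) ? substr(p, 1, index(p, ":") - 1) + 0 : p + 0 }
    function hi(p) { return (p ~ /:/) ? substr(p, index(p, ":") + 1) + 0 : p + 0 }
    END {
        for (i = 1; i <= cnt["rdr"]; i++) {
            split(items["rdr", i], a, " "); ok = 0
            for (j = 1; j <= cnt["pass"] && !ok; j++) {
                split(items["pass", j], b, " ")
                if (a[1] != "any" && b[1] != "any" && a[1] != b[1]) continue
                if (isnum(a[2]) && isnum(b[2]))
                    ok = (lo(a[2]) >= lo(b[2]) && hi(a[2]) <= hi(b[2]))
                else ok = (a[2] == b[2])
            }
            printf("%s %s %s\n", ok ? "covered" : "UNCOVERED", a[1], a[2])
            if (!ok) bad = 1
        }
        exit bad
    }' "$1"
}

# make_sample_pfconf [broken]
# Writes a constructed ruleset modelled on the post (not the author's file) to a
# temp file and prints its path; "broken" drops udp 4672 from the pass list.
make_sample_pfconf() {
    f=$(mktemp)
    udp='{ 6112:6119, 4665, 4672 }'
    if [ "${1:-}" = broken ]; then udp='{ 6112:6119, 4665 }'; fi
    cat > "$f" <<EOF
ext_if="vr0"
int_if="mtd0"
allowed_tcp="{ 6112:6119, 4662, 2222, ident }"
allowed_udp="$udp"
set block-policy return
block in on egress all
rdr on egress proto { tcp, udp } to port 6112:6119 -> \\
     192.168.0.3
rdr on egress proto tcp to port 4662 -> 192.168.0.2
rdr on egress proto udp to port { 4665, 4672 } -> 192.168.0.2
pass in quick on \$int_if all modulate state flags S/SA
pass in on egress proto tcp from any to any port \$allowed_tcp \\
     modulate state flags S/SA
pass in on egress proto udp from any to any port \\
     \$allowed_udp keep state
pass in inet proto icmp all icmp-type echoreq keep state
EOF
    printf '%s\n' "$f"
}

if [ "${1:-}" = demo ]; then
    rdr_pass_check "$(make_sample_pfconf)"
    rdr_pass_check "$(make_sample_pfconf broken)" || echo 'redirected port without a pass rule'
fi
```

Run it as `sh rdr-pass-check.sh demo` to see both the clean and the deliberately broken sample, or call `rdr_pass_check /etc/pf.conf` after sourcing it. Protocols are compared too, so a udp redirect is not satisfied by a tcp pass rule; a rule with no `proto` counts as matching either.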

Sunday, March 11, 2007

Updating the etc.tgz set

After installing OpenBSD I noticed that there were a few corrected bugs for my release (4.0) at www.openbsd.org/errata40.html, so I figured it was time to upgrade. Everything went very smoothly; reading the release(8) manpage was enough to teach myself how to build a release with the patches applied. I'm currently following the -stable branch (the patch branch), by the way.

After building my release and installing it I found out that I had to merge the differences in the configuration files myself. Doing so by hand is very tedious, so I wrote my own script to help me out. It will also be helpful when I upgrade to OpenBSD 4.1.

Using the script is very simple. Just extract the etc.tgz set into some directory (in my case /tmp/config) and run the program like this:
sh update-etc /tmp/config

I've done a little testing, but not much, so it may still have some bugs, especially because I'm not really used to shell programming (I could have written it in Python, the scripting language I'm most comfortable with, but I wanted it to work on OpenBSD out of the box). It has been working fine so far; if I find any bugs I'll make a new post telling everyone (and update this post too). If you find a bug, tell me and I'll fix it.

Without further ado, here is the script:
http://www.dcc.ufmg.br/~rafaelc/update-etc
Download it and have fun!
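The merge step described above, as an added example written for this post (it is not the author's update-etc script and it modifies nothing): a POSIX sh tool that walks an extracted etc.tgz tree, classifies each file against the live /etc as new, same or diff, and prints a unified diff for the ones that differ, so local edits to files such as pf.conf can be reviewed before anything is copied over. The fixture trees it builds are constructed stand-ins for /tmp/config and /etc.

```shell
#!/bin/sh
# Compare an extracted etc.tgz tree against a live /etc and classify each file
# as "new" (not present locally), "same" (identical) or "diff" (locally
# modified, needs a manual merge). Hypothetical example written for this post;
# it is not the author's update-etc script and makes no changes to either tree.

# compare_etc NEWDIR LIVEDIR
# Prints one "status path" line per regular file found under NEWDIR.
compare_etc() {
    newdir=$1
    livedir=$2
    (cd "$newdir" && find . -type f) | sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        if [ ! -e "$livedir/$rel" ]; then
            printf 'new  %s\n' "$rel"
        elif cmp -s "$newdir/$rel" "$livedir/$rel"; then
            printf 'same %s\n' "$rel"
        else
            printf 'diff %s\n' "$rel"
        fi
    done
}

# count_status NEWDIR LIVEDIR STATUS -> number of files with that status
count_status() {
    compare_etc "$1" "$2" | awk -v s="$3" '$1 == s { n++ } END { print n + 0 }'
}

# show_merges NEWDIR LIVEDIR
# For every file that differs, print a unified diff (live -> new) so the local
# changes that must survive the upgrade can be reviewed before merging.
show_merges() {
    compare_etc "$1" "$2" | awk '$1 == "diff" { sub(/^diff[ \t]+/, ""); print }' |
    while IFS= read -r rel; do
        printf '==== %s\n' "$rel"
        diff -u "$2/$rel" "$1/$rel" || true      # diff exits 1 when files differ
    done
}

# make_fixture: constructed stand-ins for /tmp/config (new set) and /etc (live);
# prints the base directory that contains both trees.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/new/mail" "$base/live/mail"
    printf 'OpenBSD 4.0-stable\n' > "$base/new/motd"
    printf 'OpenBSD 4.0-stable\n' > "$base/live/motd"              # untouched: same
    printf 'ext_if="vr0"\n' > "$base/new/pf.conf"
    printf 'ext_if="vr0"\nint_if="mtd0"\n' > "$base/live/pf.conf"   # locally edited: diff
    printf 'postmaster: root\n' > "$base/new/mail/aliases"
    printf 'postmaster: root\n' > "$base/live/mail/aliases"         # untouched: same
    printf '# new in this release\n' > "$base/new/newfile.conf"     # absent locally: new
    printf '%s\n' "$base"
}

# Demo run over the constructed trees: sh compare-etc.sh demo
if [ "${1:-}" = demo ]; then
    base=$(make_fixture)
    compare_etc "$base/new" "$base/live"
    show_merges "$base/new" "$base/live"
fi
```

For a real upgrade the call would be `compare_etc /tmp/config /etc` followed by `show_merges /tmp/config /etc`; files reported as same can be copied blindly, new ones need a look at what they enable, and diff ones are the hand merges the post talks about.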