Monday, March 12, 2007

Setting up pf

I have a local NAT here at home, so I needed to configure pf right away after installing OpenBSD. I actually did that when I installed it a week or so ago. But only today did I study the PF User's Guide (I didn't read all of it; I didn't get to some topics such as queueing and load balancing, or anything after that). You can read it at: http://www.openbsd.org/faq/pf/index.html

I think I'm now more comfortable with pf and know a little more about what it's capable of. I liked it; I thought it was far better to use than iptables (although I don't have much experience with iptables). I configured it this way:
# Macros
ext_if="vr0"
int_if="mtd0"
allowed_tcp="{ 6112:6119, 4662, 2222, ident }"
allowed_udp="{ 6112:6119, 4665, 4672 }"


# Tables


# Options
set loginterface $ext_if
set block-policy return

set skip on lo0


# Scrub
scrub in all max-mss 1440


# Queueing


# Translation
nat on egress from !(egress) -> (egress:0) static-port

#ftp workaround
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#starcraft ports
rdr on egress proto { tcp, udp } to port 6112:6119 -> \
     192.168.0.3
#emule ports
rdr on egress proto tcp to port 4662 -> 192.168.0.2
rdr on egress proto udp to port { 4665, 4672 } -> 192.168.0.2


# Filter rules
#allow everything from the internal network
pass in quick on $int_if all modulate state flags S/SA
#allow any packet to get out (this includes redirected stuff)
pass out quick all modulate state flags S/SA

block in on egress all

#ftp workaround
anchor "ftp-proxy/*"

pass in on egress proto tcp from any to any port $allowed_tcp \
     modulate state flags S/SA
pass in on egress proto udp from any to any port \
     $allowed_udp keep state
pass in inet proto icmp all icmp-type echoreq keep state
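As an added example (not part of the original post), here is a small Python audit of the ruleset above: it expands the macros and checks that every port an rdr rule redirects is also passed in on egress (otherwise `block in on egress all` drops it silently), and lists the passed ports that terminate on the gateway itself. The embedded excerpt, the `ident` mapping and the function names are constructed for this example and assume the pre-OpenBSD 4.7 rdr/nat syntax the post uses.

```python
import re
# Constructed excerpt of the post's ruleset (macros, rdr rules and inbound pass rules).
PF_CONF = r'''
allowed_tcp="{ 6112:6119, 4662, 2222, ident }"
allowed_udp="{ 6112:6119, 4665, 4672 }"
rdr on egress proto { tcp, udp } to port 6112:6119 -> \
     192.168.0.3
rdr on egress proto tcp to port 4662 -> 192.168.0.2
rdr on egress proto udp to port { 4665, 4672 } -> 192.168.0.2
pass in on egress proto tcp from any to any port $allowed_tcp \
     modulate state flags S/SA
pass in on egress proto udp from any to any port \
     $allowed_udp keep state
'''
# pf resolves service names via /etc/services; only the one the post uses is mapped here.
SERVICES = {"ident": 113}

def normalize(conf):
    """Join backslash continuations, drop comments, expand $macros."""
    conf = conf.replace("\\\n", " ")
    lines = [l.split("#", 1)[0].strip() for l in conf.splitlines()]
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', "\n".join(lines), re.M))
    rules = [l for l in lines if l and "=" not in l]
    return [re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], r) for r in rules]

def ports(spec):
    """Expand '{ 6112:6119, ident }' or '4662' into a set of port numbers."""
    out = set()
    for item in spec.strip("{} ").split(","):
        lo, _, hi = item.strip().partition(":")
        lo = SERVICES.get(lo, lo)
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def rule_ports(rules, prefix):
    """(proto, port) pairs named by rules that start with prefix."""
    pat = re.compile(r"proto\s+(\{[^}]*\}|\w+)\s.*?\bport\s+(\{[^}]*\}|\S+)")
    opened = set()
    for m in (pat.search(r) for r in rules if r.startswith(prefix)):
        for proto in m.group(1).strip("{} ").replace(",", " ").split():
            opened.update((proto, p) for p in ports(m.group(2)))
    return opened

def audit(conf):
    """rdr'd ports with no pass rule are dropped by 'block in on egress all';
    passed ports with no rdr terminate on the gateway itself."""
    rules = normalize(conf)
    rdr, passed = rule_ports(rules, "rdr on egress"), rule_ports(rules, "pass in on egress")
    return {"rdr_without_pass": rdr - passed, "pass_without_rdr": passed - rdr}
```

For the ruleset above the first set is empty, and the second contains only tcp/2222 and tcp/113 (ident), the two ports that are opened on the gateway without being redirected to an internal host.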
