Saturday, November 17, 2007

Changing pf.conf

Upgrading to 4.1 I had to change the pass rules, because ``keep state'' and ``flags S/SA'' work differently now. So I ended up making other changes that I think made it more readable. Also, since that IPv6 networking bug, I block any IPv6 traffic. It's usually not very wise to share this kind of thing, I think. But I don't see any problems; after all, this is just my home firewall. So, this is my current pf.conf:

#
# Macros
#
ext_if="vr0"
int_if="mtd0"

laptop="192.168.0.5"
desktop="192.168.0.2"
alexandre="192.168.0.3"

# 6111:6119 - starcraft
# 6881:6999 - bittorrent
# 4662 - emule
# 4665 - emule
# 2222 - ssh on this computer (my ISP won't let me use 22)
# 8080 - httpd on this computer (my ISP won't let me use 80)
# 8081 - httpd on my desktop
# 9418 - git
# 3690 - svn
allowed_tcp="{ 6111:6119, 6881:6999, 4662, 2222, 8080, 8081, 9418, ident,\
3690 }"
allowed_udp="{ 6111:6119, 4665, 4672, 3690 }"


#
# Tables
#


#
# Options
#
set loginterface $ext_if
set block-policy return

set skip on lo0


#
# Scrub
#
scrub in all max-mss 1440


#
# Queueing
#


#
# Translation
#
nat on egress from !(egress) -> (egress:0) static-port

#bittorrent
rdr on egress proto tcp to port 6881:6999 -> $laptop

#emule ports
rdr on egress proto tcp to port 4662 -> $desktop
rdr on egress proto udp to port { 4665, 4672 } -> $desktop

#git
rdr on egress proto tcp to port 9418 -> $laptop

#http
rdr on egress proto tcp to port 8081 -> $desktop

#starcraft ports
rdr on egress proto { tcp, udp } to port 6111:6119 -> $alexandre



#
# Filter rules
#
# I don't use IPv6
block in quick inet6

#allow everything from the internal network
pass in quick on $int_if all modulate state

#allow any packet to get out (this includes redirected stuff)
pass out quick all modulate state

#block everything by default
block in on egress all

#don't block this egressing traffic
pass in on egress proto tcp from any to any port $allowed_tcp modulate state
pass in on egress proto udp from any to any port $allowed_udp
pass in inet proto icmp all icmp-type echoreq
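
One thing worth checking in a config laid out like this is that every port an rdr rule forwards to an internal host is also admitted by a "pass in on egress" rule for the same protocol; a forwarded port that is missing from $allowed_tcp or $allowed_udp hits "block in on egress all" and the forward silently fails. The script below is an added example written for this post, not the author's configuration and not part of OpenBSD's pfctl. It understands only the subset of pf syntax the config above uses (quoted macros, braced port lists with a:b ranges and backslash continuations, rdr rules of the form "proto X to port Y -> host", and pass rules carrying "port $macro"); the embedded sample config is constructed and deliberately includes one UDP redirect (port 27015) that no pass rule covers, so the check has something to report.

```python
"""Cross-check rdr targets against 'pass in on egress' rules in a pf.conf.

Added example for the post above; not pfctl and not the author's code.
Handles only the syntax the post's config uses.
"""
import re
import socket

# Constructed sample in the style of the post. The udp 27015 redirect has no
# matching pass rule on purpose, so the check finds exactly one gap.
SAMPLE_PF_CONF = r'''
ext_if="vr0"
laptop="192.168.0.5"
desktop="192.168.0.2"
allowed_tcp="{ 6111:6119, 6881:6999, 4662, 2222, 8080, 8081, 9418, ident,\
3690 }"
allowed_udp="{ 6111:6119, 4665, 4672, 3690 }"
rdr on egress proto tcp to port 6881:6999 -> $laptop
rdr on egress proto tcp to port 4662 -> $desktop
rdr on egress proto udp to port { 4665, 4672 } -> $desktop
rdr on egress proto udp to port 27015 -> $desktop
rdr on egress proto { tcp, udp } to port 6111:6119 -> $laptop
block in on egress all
pass in on egress proto tcp from any to any port $allowed_tcp modulate state
pass in on egress proto udp from any to any port $allowed_udp
'''

# Fallback for hosts without /etc/services; only names the sample needs.
_SERVICE_FALLBACK = {"ident": 113, "ssh": 22, "http": 80, "https": 443}

RDR_RE = re.compile(
    r'^rdr\s+on\s+\S+\s+proto\s+(\{[^}]*\}|\S+)\s+to\s+port\s+(\{[^}]*\}|\S+)\s+->\s+(\S+)',
    re.M)
PASS_RE = re.compile(
    r'^pass\s+in\s+(?:quick\s+)?on\s+\S+\s+proto\s+(\{[^}]*\}|\S+)\s+.*?\bport\s+(\{[^}]*\}|\S+)',
    re.M)


def join_continuations(text):
    """pf.conf allows a trailing backslash to continue a line; glue them."""
    return re.sub(r'\\\n', ' ', text)


def parse_macros(text):
    """Collect name="value" macro definitions."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^(\w+)="([^"]*)"', text, re.M)}


def expand_macros(text, macros):
    """Replace $name with its value; unknown macros are left untouched."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)


def service_port(name, proto):
    """Resolve a service name like 'ident' to a port number."""
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        if name in _SERVICE_FALLBACK:
            return _SERVICE_FALLBACK[name]
        raise ValueError("unknown service name: %s" % name)


def parse_proto_spec(spec):
    """'tcp' or '{ tcp, udp }' -> set of protocol names."""
    return {p.strip() for p in spec.strip().strip('{}').split(',') if p.strip()}


def parse_port_spec(spec, proto):
    """'6881:6999', 'ident' or '{ 4665, 4672 }' -> set of port numbers."""
    spec = spec.strip()
    tokens = [t.strip() for t in spec.strip('{}').split(',')] if spec.startswith('{') else [spec]
    ports = set()
    for tok in tokens:
        if not tok:
            continue
        if ':' in tok:
            lo, hi = tok.split(':')
            ports.update(range(int(lo), int(hi) + 1))
        elif tok.isdigit():
            ports.add(int(tok))
        else:
            ports.add(service_port(tok, proto))
    return ports


def find_unpassed_redirects(conf_text):
    """Return sorted (proto, port, target) tuples for redirected ports that no
    'pass in ... on <if> proto <p> ... port <spec>' rule admits."""
    text = join_continuations(conf_text)
    text = expand_macros(text, parse_macros(text))
    passed = {}
    for m in PASS_RE.finditer(text):
        for proto in parse_proto_spec(m.group(1)):
            passed.setdefault(proto, set()).update(parse_port_spec(m.group(2), proto))
    gaps = []
    for m in RDR_RE.finditer(text):
        for proto in sorted(parse_proto_spec(m.group(1))):
            missing = parse_port_spec(m.group(2), proto) - passed.get(proto, set())
            gaps.extend((proto, port, m.group(3)) for port in sorted(missing))
    return gaps


if __name__ == "__main__":
    for proto, port, target in find_unpassed_redirects(SAMPLE_PF_CONF):
        print("rdr %s/%d -> %s has no matching pass rule" % (proto, port, target))
```

Run against the sample it reports the single udp/27015 redirect; run against the config above (with the macro block included, since the pass rules reference it) it reports nothing, which is the result you want before reloading with pfctl.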

Thursday, November 15, 2007

Upgrading from 4.0 to 4.1 (mergemaster)

Yeah, yeah, I never post on this thing. But that's because I rarely have any issues with OpenBSD. I decided to upgrade from 4.0 to 4.1 (yep, I'm still running behind the latest version). I didn't use my etc-update script at all this time; instead I used mergemaster. It's a very good program, but you have to know what parameters to call it with. I didn't at first, and I think I might have done some minor damage to my system. Oh well, it won't happen again.

What I did was just call mergemaster without any parameters. It seems that it generates the stock options and lets you choose what to upgrade. That's rather nice behaviour, but it wasn't clear to me at first. So I ended up using the /dev/MAKEDEV it generated. I realised that and copied the MAKEDEV from base41.tgz to /dev; I think I fixed it fine. Well, the system is working, so I guess I didn't do TERRIBLY badly.

Now, for doing it right. All you need is to unpack etc41.tgz to /tmp and then run mergemaster like this:

# mergemaster -rt /tmp

It worked smoothly and now I have an upgraded system :).

Later on I found out that if I had just replaced /usr/src with the OpenBSD 4.1 source it would have worked by simply typing ``mergemaster''. I guess we only learn by trying, and you guys may learn from my mistakes.

See you in a few months (or years, or decades).