Saturday, November 17, 2007

Changing pf.conf

Upgrading to 4.1 I had to change the pass rules, because ``keep state'' and ``flags S/SA'' work differently now. So I ended up making other changes too, which I think made it more readable. Also, since that IPv6 networking bug, I block all IPv6 traffic. It's usually not very wise to share this kind of thing, I think, but I don't see any problem; after all, this is just my home firewall. So, this is my current pf.conf:

#
# Macros
#
ext_if="vr0"
int_if="mtd0"

laptop="192.168.0.5"
desktop="192.168.0.2"
alexandre="192.168.0.3"

# 6111:6119 - starcraft
# 6881:6999 - bittorrent
# 4662 - emule
# 4665 - emule
# 2222 - ssh on this computer (my ISP won't let me use 22)
# 8080 - httpd on this computer (my ISP won't let me use 80)
# 8081 - httpd on my desktop
# 9418 - git
# 3690 - svn
allowed_tcp="{ 6111:6119, 6881:6999, 4662, 2222, 8080, 8081, 9418, ident,\
3690 }"
allowed_udp="{ 6111:6119, 4665, 4672, 3690 }"


#
# Tables
#


#
# Options
#
set loginterface $ext_if
set block-policy return

set skip on lo0


#
# Scrub
#
scrub in all max-mss 1440


#
# Queueing
#


#
# Translation
#
nat on egress from !(egress) -> (egress:0) static-port

#bittorrent
rdr on egress proto tcp to port 6881:6999 -> $laptop

#emule ports
rdr on egress proto tcp to port 4662 -> $desktop
rdr on egress proto udp to port { 4665, 4672 } -> $desktop

#git
rdr on egress proto tcp to port 9418 -> $laptop

#http
rdr on egress proto tcp to port 8081 -> $desktop

#starcraft ports
rdr on egress proto { tcp, udp } to port 6111:6119 -> $alexandre



#
# Filter rules
#
# I don't use IPv6
block in quick inet6

#allow everything from the internal network
pass in quick on $int_if all modulate state

#allow any packet to get out (this includes redirected stuff)
pass out quick all modulate state

#block everything by default
block in on egress all

#don't block this egressing traffic
pass in on egress proto tcp from any to any port $allowed_tcp modulate state
pass in on egress proto udp from any to any port $allowed_udp
pass in inet proto icmp all icmp-type echoreq
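
As an added example (not part of the original post), here is a small Python script that pulls the host macros and the rdr rules out of an excerpt of the pf.conf above and lists which internal host each forwarded port lands on; that is a quick way to review what a ruleset like this exposes to the internet. The excerpt embedded in it is copied from the rules above, and the parser only understands the subset of pf syntax those rules use (macros, brace lists, backslash continuation).

```python
import re

# Excerpt of the pf.conf from the post (constructed copy of its macros and rdr rules).
PF_CONF = r'''
laptop="192.168.0.5"
desktop="192.168.0.2"
alexandre="192.168.0.3"
allowed_tcp="{ 6111:6119, 6881:6999, 4662, 2222, 8080, 8081, 9418, ident,\
3690 }"
rdr on egress proto tcp to port 6881:6999 -> $laptop
rdr on egress proto tcp to port 4662 -> $desktop
rdr on egress proto udp to port { 4665, 4672 } -> $desktop
rdr on egress proto tcp to port 9418 -> $laptop
rdr on egress proto tcp to port 8081 -> $desktop
rdr on egress proto { tcp, udp } to port 6111:6119 -> $alexandre
'''

def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield line

def parse_macros(lines):
    """Collect name="value" macro definitions."""
    macros = {}
    for line in lines:
        m = re.match(r'^(\w+)="([^"]*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def split_list(token):
    """'{ a, b }' -> ['a', 'b']; a bare token -> [token]."""
    return [t.strip() for t in token.strip("{} ").split(",") if t.strip()]

RDR_RE = re.compile(r"^rdr on (\S+) proto (\{[^}]*\}|\S+) to port (\{[^}]*\}|\S+) -> (\S+)$")

def exposed_services(text):
    """Return (proto, port-or-range, internal host) for every rdr rule, macros expanded."""
    lines = list(logical_lines(text))
    macros = parse_macros(lines)
    out = []
    for line in lines:
        m = RDR_RE.match(line)
        if not m:
            continue
        _iface, protos, ports, target = m.groups()
        target = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], target)
        for proto in split_list(protos):
            for port in split_list(ports):
                out.append((proto, port, target))
    return out
```

Running `exposed_services(PF_CONF)` yields eight entries, e.g. `('udp', '6111:6119', '192.168.0.3')` for the starcraft rule that covers both protocols.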

3 comments:

Squall said...

What is the 'egress' interface?

i.e. rdr on egress ...

I've been working on all my PF rules lately myself. Also, what are your impressions on OpenBSD 4.1?

Rafael Almeida said...

It's good, I didn't do anything on 4.1 that I didn't do on 4.0. I liked how you don't have to set S/SA flags anymore, though. I have already moved on to 4.2 now. They said 4.2 had several improvements on pf code. It wasn't anything really noticeable for me, though.

Afaik, the egress is just the interface where the packages from the default route are coming. You have probably figured that out by now, though.

Squall said...

Thank you, I haven't had time to look further into the egress thing, however I appreciate your comment back.

I am still stuck on 3.7 right now, but I'll be upgrading at some point. As I run this on an embedded flash-based system, I need to refine what is written to the CF card to save it dying from too many writes...