Checking pf.conf configuration
andy
geek_show at dsl.pipex.com
Thu Nov 9 15:19:20 PST 2006
Hi all
I'd be appreciative of any input you could offer on the following
pf.conf file please.
1. I am wanting to connect a Win98SE box to the OBSD that is acting as a
firewall so that the Windows box can access the Internet and all that
good stuff. Do I need to change anything in this pf.conf file to enable
me to do this? I suspect not, but just want to make sure first.
2. I have the BitIP rule disabled. The IP address is for my workstation
behind the OBSD firewall. If I enabled this by deleting the #, would
this enable me to access Bit-Torrents, because up till now I haven't
been able to, and I am wondering if this is why?
3. If I wanted to install privoxy on my firewall:
(a) is this wise?
(b) what would I need to add/amend on this pf.conf to enable my outgoing
packets to be anonymized at source?
Thanks for your thoughts. Here's the pf.conf file:
====== pf.conf =======
########### simple pf.conf ##################
# allow all outgoing TCP, UDP
# allow outgoing ICMP ping
# specifically block 11 common inet services
# Modified for nntp and bittorrent
#############################################
# MACRO
ext_if = "rl0"
int_if = "vr0"
PING = "echoreq"
allow_tcp = "{ 119 }" #Port needed for nntp server
#IntNet = "192.168.1.0/24" #Sub-net range
#InBitTCP = "{ 6969, 6881:6889 }" #Ports needed for BitTorrent
#BitIP = "192.168.1.40" #BitTorrent client
tcp_services = "{ smtp, pop3, pop3s, www, msa, https, ftp, whois, ssh, telnet, rsync }"
udp_services = "{ domain }"
# OPTIONS:
set block-policy drop
set optimization normal
set loginterface $ext_if
# SCRUB:
scrub in on $ext_if all
# NAT/RDR
nat on $ext_if from $int_if:network to any -> $ext_if
#nat on $ext_if proto tcp from $IntNet port $InBitTCP to any -> $ext_if \
    static-port
#nat on $ext_if proto udp from $IntNet port $InBitTCP to any -> $ext_if \
    static-port
#rdr on $ext_if proto tcp from !$IntNet to any port 6969 -> $BitIP port 6969
#rdr on $ext_if proto udp from !$IntNet to any port 6881:6889 -> $BitIP \
    port 6881:6889
# filter:
block log on $ext_if all
#pass in quick on $ext_if inet proto tcp from any to any port $InBitTCP \
    flags S/SA synproxy state
#pass in quick on $ext_if inet proto udp from any to any port $InBitTCP
# Fixed: the two rules below originally referenced $port_bittorrent, which is
# never defined (pfctl would reject it); $InBitTCP above holds the BitTorrent ports
#pass out on $int_if inet proto tcp from any to $IntNet port $InBitTCP \
    flags S/SA synproxy state
#pass out on $int_if inet proto udp from any to $IntNet port $InBitTCP
pass quick on lo0 all
pass out on $ext_if proto tcp from any to any port $allow_tcp keep state
pass out quick on $ext_if inet proto tcp from \
    { $ext_if:network, $int_if:network } to any port $tcp_services keep state
pass out quick on $ext_if inet proto udp from \
    { $ext_if:network, $int_if:network } to any port $udp_services keep state
pass out quick on $ext_if inet proto icmp from \
    { $ext_if:network, $int_if:network } to any icmp-type $PING keep state
antispoof for $ext_if
antispoof for $int_if
#### /etc/pf.conf ends ######################
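Added example, not part of the original post and not pf's own tooling: a small Python check for question 2 that reports which pf.conf macros a given set of currently commented-out lines would reference once their leading # is deleted. It joins backslash-continued lines the way pfctl's lexer does (a trailing \ on a commented line swallows the next line too), the embedded excerpt is constructed from the macro and BitTorrent lines of the file as originally posted (keeping its undefined $port_bittorrent reference), and the enable argument is this script's own knob, not a pf feature.

```python
import re

# Constructed excerpt of the pf.conf posted above (macros plus the commented-out BitTorrent rules).
SAMPLE = '''\
ext_if = "rl0"
int_if = "vr0"
#IntNet = "192.168.1.0/24" #Sub-net range
#InBitTCP = "{ 6969, 6881:6889 }" #Ports needed for BitTorrent
#BitIP = "192.168.1.40" #BitTorrent client
nat on $ext_if from $int_if:network to any -> $ext_if
#rdr on $ext_if proto tcp from !$IntNet to any port 6969 -> $BitIP port 6969
#rdr on $ext_if proto udp from !$IntNet to any port 6881:6889 -> $BitIP \\
    port 6881:6889
#pass out on $int_if inet proto udp from any to $IntNet port $port_bittorrent
'''

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=')   # name = "value"
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')         # $name, stops at ':' etc.

def logical_lines(text):
    """Join backslash-continued lines as pfctl's lexer does, even inside a '#'
    comment, so commenting out a rule's first line hides its continuation too."""
    out, buf = [], ''
    for raw in text.splitlines():
        if raw.endswith('\\'):
            buf += raw[:-1]
        else:
            out.append(buf + raw)
            buf = ''
    return out + ([buf] if buf else [])

def check_macros(text, enable=()):
    """Return (defined macros, {macro: logical line of first use before any
    definition}). `enable` (this script's own knob, not a pf feature) lists
    prefixes of commented-out lines to treat as if their leading '#' were deleted.
    Simplification: '#' inside quotes is taken as a comment start."""
    defined, undefined = set(), {}
    for n, line in enumerate(logical_lines(text), 1):
        s = line.lstrip()
        if s.startswith('#') and any(s[1:].lstrip().startswith(e) for e in enable):
            s = s[1:]
        active = s.split('#', 1)[0]
        m = MACRO_DEF.match(active)
        if m:
            defined.add(m.group(1))
        for ref in MACRO_REF.findall(active):
            if ref not in defined:      # pfctl expands macros at lex time, in order
                undefined.setdefault(ref, n)
    return defined, undefined
```

Against the excerpt, deleting the # on the BitIP line alone defines a macro that no active rule uses, so nothing changes for BitTorrent; enabling the rdr and pass rules as well still leaves $port_bittorrent undefined, which pfctl -nf reports as an error.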