Checking pf.conf configuration
Woodchuck
djv at bedford.net
Sun Nov 12 23:55:37 PST 2006
On Thu, 9 Nov 2006, andy wrote:
> Hi all
>
> I'd be appreciative of any input you could offer on the following
> pf.conf file please.
>
> 1. I am wanting to connect a Win98SE box to the OBSD that is acting as a
> firewall so that the Windows box can access the Internet and all that
> good stuff. Do I need to change anything in this pf.conf file to enable
> me to do this? I suspect not, but just want to make sure first.
It looks like it might work. Why not try it?
> 2. I have the BitIP rule disabled. The IP address is for my workstation
> behind the OBSD firewall. If I enabled this by deleting the #, would
> this enable me to access Bit-Torrents, because up till now I haven't
> been able to, and I am wondering if this is why?
Beats me. Why not try it?
> 3. If I wanted to install privoxy on my firewall:
> (a) is this wise ?
> (b) what would I need to add/amend on this pf.conf to enable my outgoing
> packets to be anonymized at source?
Beats me.
tcpdump is your friend, BTW.
What sort of anonymizing do you expect this privoxy thing to do?
Dave
>
> Thanks for your thoughts. Here's the pf.conf file:
>
> ====== pf.conf =======
>
> ########### simple pf.conf ##################
> # allow all outgoing TCP, UDP
> # allow outgoing ICMP ping
> # specifically block 11 common inet services
> # Modified for nntp and bittorrent
> #############################################
>
>
> # MACRO
> ext_if = "rl0"
> int_if = "vr0"
> PING = "echoreq"
> allow_tcp = "{ 119 }" #Port needed for nntp server
>
> #IntNet = "192.168.1.0/24" #Sub-net range
> #InBitTCP = "{ 6969, 6881:6889 }" #Ports needed for BitTorrent
> #BitIP = "192.168.1.40" #BitTorrent client
>
> tcp_services = "{ smtp, pop3, pop3s, www, msa, https, ftp, whois, ssh, telnet, rsync }"
> udp_services = "{ domain }"
>
>
> # OPTIONS:
> set block-policy drop
> set optimization normal
> set loginterface $ext_if
>
> # SCRUB:
> scrub in on $ext_if all
>
> # NAT/RDR
> nat on $ext_if from $int_if:network to any -> $ext_if
>
> #nat on $ext_if proto tcp from $IntNet port $InBitTCP to any -> $ext_if \
> static-port
> #nat on $ext_if proto udp from $IntNet port $InBitTCP to any -> $ext_if \
> static-port
> #rdr on $ext_if proto tcp from !$IntNet to any port 6969 -> $BitIP port 6969
> #rdr on $ext_if proto udp from !$IntNet to any port 6881:6889 -> $BitIP \
> port 6881:6889
>
> # filter:
>
> block log on $ext_if all
>
> #pass in quick on $ext_if inet proto tcp from any to any port $InBitTCP \
> flags S/SA synproxy state
> #pass in quick on $ext_if inet proto udp from any to any port $InBitTCP
>
> #pass out on $int_if inet proto tcp from any to $IntNet port $port_bittorrent \
> flags S/SA synproxy state
> #pass out on $int_if inet proto udp from any to $IntNet port $port_bittorrent
>
> pass quick on lo0 all
>
> pass out on $ext_if proto tcp from any to any port $allow_tcp keep state
>
> pass out quick on $ext_if inet proto tcp from \
> { $ext_if:network, $int_if:network } to any port $tcp_services keep state
>
> pass out quick on $ext_if inet proto udp from \
> { $ext_if:network, $int_if:network } to any port $udp_services keep state
>
> pass out quick on $ext_if inet proto icmp from \
> { $ext_if:network, $int_if:network } to any icmp-type $PING keep state
>
> antispoof for $ext_if
> antispoof for $int_if
>
> #### /etc/pf.conf ends ######################
>
>
> _______________________________________________
> Openbsd-newbies mailing list
> Openbsd-newbies at sfobug.org
> http://mailman.theapt.org/listinfo/openbsd-newbies
>
--
"Confound these wretched rodents! For every one I fling away,
a dozen more vex me!" -- Doctor Doom
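An added example (not from the thread): a macro-reference check over an embedded excerpt of the posted pf.conf. pfctl -nf only parses the rules that are active, so this script can also treat the commented-out BitTorrent rules as live, which shows that the $port_bittorrent they reference is never defined and they would not load as written.

```python
import re

# Constructed excerpt of the posted pf.conf (macros plus the disabled BitTorrent rules).
SAMPLE_PF_CONF = """\
ext_if = "rl0"
int_if = "vr0"
#IntNet = "192.168.1.0/24" #Sub-net range
#InBitTCP = "{ 6969, 6881:6889 }" #Ports needed for BitTorrent
#BitIP = "192.168.1.40" #BitTorrent client
nat on $ext_if from $int_if:network to any -> $ext_if
#rdr on $ext_if proto tcp from !$IntNet to any port 6969 -> $BitIP port 6969
#pass out on $int_if inet proto tcp from any to $IntNet port $port_bittorrent \\
flags S/SA synproxy state
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"')   # name = "value"
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')             # $name (stops at ':' etc.)

def join_continuations(text):
    """Merge backslash-continued lines as pf.conf does, one logical rule per entry."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf)
    return joined

def check_macros(text, include_commented=False):
    """Return {macro: [logical line numbers]} for $macro references with no
    earlier definition (pf needs macros defined before use). With
    include_commented=True a leading '#' is ignored, i.e. disabled rules count."""
    defined, undefined = set(), {}
    for n, line in enumerate(join_continuations(text), 1):
        line = line.lstrip()
        if line.startswith("#"):
            if not include_commented:
                continue
            line = line[1:]
        line = line.split("#", 1)[0]  # drop trailing comment ('#' in quotes not handled)
        for ref in MACRO_REF.findall(line):
            if ref not in defined:
                undefined.setdefault(ref, []).append(n)
        if (m := MACRO_DEF.match(line)):
            defined.add(m.group(1))
    return undefined
```

Against the full file, check_macros(open("/etc/pf.conf").read(), include_commented=True) lists every macro that would be missing once the disabled rules are uncommented; the active rules still pass the same check, in line with "it looks like it might work".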