Openunix.eu

Packet Filter in OpenBSD

• MANAGEMENT
  - To enable pf permanently make sure /etc/rc.conf contains:
  # set the following to "YES" to turn them on
pf=YES # Packet filter / NAT
- To start pf:
  pfctl -e
  - To tell pf which file to use (can be reload while running):
  pfctl -f /etc/pf.conf
  - To stop pf:
  pfctl -d
  
  
• VIEWING RULES
  pfctl -s rules


• VIEWING QUEUES (how traffic gets sorted by defined rules)
  pfctl -vvqs


• VIEWING LOGS
  # tcpdump -n -e -ttt -r /var/log/pflog port 80
  This can be further refined by limiting the display of packets to a certain host and port combination:
  # tcpdump -n -e -ttt -r /var/log/pflog port 80 and host 192.168.1.3
  The same idea can be applied when reading from the pflog0 interface:
  # tcpdump -n -e -ttt -i pflog0 host 192.168.4.2
  


• COMPLEX CONFIGURATION EXAMPLE
  # Here follows /etc/pf.conf
# Macros: User-defined variables that can hold IP addresses interface names, etc.
ext_if = "bge0"
int_if = "em0"
tcp_allow = "{21 53 80 111 4045:4047 2049 123 143 139 445 993 110 995 smtp submission domain ntp www https 5995 6888 6889 8085 49152:6553}"
udp_allow = "{20 21 53 111 4045:4047 2049 123 110 137 138 995 143 993 8085}"

# By default block everything:
block in all
block out all

# Allow our chosen ports to be open
pass in on $ext_if proto tcp from any to any port $tcp_allow
pass in on $ext_if proto udp from any to any port $udp_allow
pass out on $ext_if from any to any
pass out on $ext_if from any to any
pass in on $ext_if proto icmp from any to any
pass out on $ext_if proto icmp from any to any

# God knows what this does, but it is there
antispoof quick for { lo0 }

# Allow access to the loopback interface on our machine
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

# Natting
pass out on $ext_if from $int_if:network to any nat-to $ext_if

# Redirecting ports to machines inside network
pass in on $ext_if proto tcp to port 6888 rdr-to 192.168.1.6 port 3389
pass in on $ext_if proto tcp to port 6888 rdr-to 192.168.1.42 port 6000
pass in on $ext_if proto tcp to port 6889 rdr-to 192.168.1.36 port 22

  
• SIMPLE CONFIG EXAMPLE WITH QUEUING - this one only creates a bottleneck so that users do not take more then 10% of the bandwith
  
  # $OpenBSD: pf.conf,v 1.53 2014/01/25 10:28:36 dtucker Exp $
  #
  # See pf.conf(5) for syntax and examples.
  # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
  # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
  
  ext_if="vr0"
  int_if="mos0"
  
  queue rootout on $ext_if bandwidth 100M, min 100M, max 100M
  queue one parent rootout bandwidth 1M, min 500K, max 2M default
  
  queue rootin on $int_if bandwidth 100M, min 100M, max 100M
  queue two parent rootin bandwidth 250K, min 128K, max 512K default
  
  pass out on $ext_if proto tcp from 10.2.0.0/24 set queue one
  pass out on $int_if proto tcp to 10.2.0.0/24 set queue two
  
  
  pass out on $ext_if from $int_if:network to any nat-to $ext_if
  
  

source: http://calomel.org, http://www.openbsd.org/faq/pf/

• HOME
~~~~~~~~~~~~~~~
• OpenBSD
• Networking
• Installing software
• Session managent
• Desktop env
• Multimedia
• Printing
• Sharing
• NetBSD
• Desktop
• Xen
• FreeBSD
• Linux
• Debian
• Centos
• OpenSuse
• Solaris
• Packages
• Zones
• ZFS
• Services
• Windows
~~~~~~~~~~~~~~~
• Git
• Ansible
• Atlassian
• Network tools
• Qemu
• Virtualbox
• Vim
• Tmux
• Mutt
• Mutt-settings
• Mutt-accounts
• Mutt-html,pdf,doc
• Mutt-address book
• Mutt-signature
• STar
~~~~~~~~~~~~~~~
• MySQL
• PostgreSQL
• Postfix
• OpenSSL
• tcpdump
• SSH
~~~~~~~~~~~~~~~
• Packet Filter
• IP Filter
• IPFilter
• IPNAT
• Commands
~~~~~~~~~~~~~~~
• Bash
• Hack
• If
• Loop
• Math
• Test
• Awk
• Array
• web-dev
• html
• php
• css
• Hacking
• LINUX DAYS

Powered by NetBSD. Running on a toaster.