OpenBSD PF
Written by Bart Dorlandt   
Sunday, 10 June 2007 16:18

Some info:

http://www.openbsd.org/faq/pf/
https://solarflux.org/pf/
http://www.bgnett.no/~peter/pf/en/long-firewall.html#PREFACE
http://geodsoft.com/howto/harden/OpenBSD/firewall.htm#ipfilter

Debug your rules:

  • To view the logfile (only rules carrying the log keyword write to it):
    • tcpdump -n -e -ttt -r /var/log/pflog
  • To follow the log in real time, the tail -f equivalent: read the pflog0 interface instead of the file:
    • tcpdump -n -e -ttt -i pflog0
Use pfctl -s nat to show the effective NAT rules.
Use pfctl -s rules to show your effective filter rules; pfctl -vvs rules also prints the rule numbers that appear in the pflog output, so you can see which rule blocked a packet.
Before loading a new pf.conf, check it with pfctl -nf /etc/pf.conf, which parses the file without loading it.
Note that since OpenBSD 4.7 nat and rdr are no longer separate rule types but options on match and pass rules, so on those releases pfctl -s nat does not exist and pfctl -s rules shows the translation rules as well.

Some hints

  1. FTP through the firewall in combination with NAT
  • Put ftpproxy_flags="" into /etc/rc.conf.local so that ftp-proxy(8) is started at boot (by default it listens on 127.0.0.1 port 8021).
  • Add the anchors and the redirect to pf.conf. $ata is the author's macro, presumably for the internal network; the redirect has to match the clients' control connections, i.e. destination port 21, not source port 21:

# Section NAT
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $IntIF proto tcp from $ata to any port 21 -> 127.0.0.1 port 8021

#--- at the end of the file --- below Section Rules/Filters
anchor "ftp-proxy/*"

  2. Redirection to an internal host in combination with NAT

# Section NAT
rdr on $ExtIF proto tcp from any to any port 8022 -> $internal_host port 22

# Section Rules/Filters
# $piq is the author's macro, presumably "pass in quick". The filter rules see
# the packet after translation, so the pass rule matches the internal host and
# port 22, not the public port 8022.
$piq log on $ExtIF inet proto tcp from any to $internal_host port 22 flags S/SA keep state

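The two hints above put together into one complete pf.conf, as an added example; this is not the author's configuration (the one linked under "My configuration" uses no NAT). It uses the pre-OpenBSD 4.7 nat/rdr syntax the page uses, and the interface names, the internal network (standing in for the page's $ata) and the internal host address are assumptions. Because the redirects are plain rdr rather than rdr pass, the pass rules that the page's fragments leave out are included here.

```pf
# Added example, not the author's pf.conf. Pre-OpenBSD 4.7 syntax (separate
# nat/rdr rules, as on this page). Interface names, the internal network and
# the internal host are assumptions; adjust them to your own setup.
ExtIF = "fxp0"
IntIF = "fxp1"
int_net = "192.168.1.0/24"          # assumed internal network (the page's $ata)
internal_host = "192.168.1.10"      # assumed SSH server behind the firewall

set skip on lo

# --- Section NAT ---
# ftp-proxy(8) installs its own nat/rdr rules inside these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# outbound NAT for the internal network, using the external interface's
# address at the time the rule is evaluated
nat on $ExtIF from $int_net to any -> ($ExtIF)

# send the internal clients' FTP control connections (destination port 21)
# to ftp-proxy listening on 127.0.0.1:8021
rdr on $IntIF proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# expose the internal host's SSH on external port 8022; matching only the
# external interface's own address is tighter than the page's "to any"
rdr on $ExtIF proto tcp from any to ($ExtIF) port 8022 -> $internal_host port 22

# --- Section Rules/Filters ---
block log all

# the redirected control connection arrives on $IntIF with its destination
# already rewritten to 127.0.0.1:8021, so that is what the pass rule matches
pass in on $IntIF inet proto tcp from $int_net to 127.0.0.1 port 8021 flags S/SA keep state
# ftp-proxy opens the real control connection from the firewall itself
pass out on $ExtIF inet proto tcp from ($ExtIF) to any port 21 flags S/SA keep state

# SSH redirect: filter on the translated destination (internal host, port 22)
pass in log on $ExtIF inet proto tcp from any to $internal_host port 22 flags S/SA keep state
pass out on $IntIF inet proto tcp from any to $internal_host port 22 flags S/SA keep state

# ordinary outbound traffic from the LAN through the NAT
pass in on $IntIF from $int_net to any keep state
pass out on $ExtIF from ($ExtIF) to any keep state

# last rule, as on this page: ftp-proxy adds its pass rules for the FTP
# data connections (they are quick rules) into this anchor
anchor "ftp-proxy/*"
```

Check it with pfctl -nf before loading it with pfctl -f. The firewall must also forward packets (net.inet.ip.forwarding=1 in /etc/sysctl.conf) for either redirect to do anything, and ftp-proxy must be running, otherwise the redirected FTP control connections end up at a closed port on the firewall.
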
My configuration

At the following link you'll find the configuration used on one of my servers. It is a host-based firewall configuration, with no NAT: it denies most incoming traffic and lets only some outgoing traffic through. Have a look at the link and use whatever is useful to you; there are comments between the rules that should help you find your way. pf.conf

Last Updated on Friday, 13 February 2009 15:37