blackmilk
February 3rd, 2004, 15:34
This is my pf.conf for NAT and rdr, with a default (silent) block inbound. (my first NAT & rdr ruleset)

I've run it through pfctl for syntax errors and the only error is:
Code:
pass in log-all on ($ext_if) proto tcp from any to ($ext_if) port $ssh_local keep state (max 4) (tcp.established 7200) group wheel

If anyone could offer tips on spicing up the ruleset, and also any suggestions for fixing the above rule, it would be welcomed. I intend using the scanner blocking rules shown in Absolute OpenBSD as well.
Code:

#-#Macros
ext_if="rl0" #External Interface
int_if="rl1" #Internal Interface <--- issues!
all_if="{ rl0, rl1, lo0 }" #Both interfaces and loopback

ext_ip="192.168.2.10"
ext_net="192.168.2.2/28" #Netmask 255.255.255.240
int_net="192.168.2.20/30" #Netmask 255.255.255.252

ssh_local="22"
ftp_local="{ 21, 20 }"
httpd_local="80"

table <used-private> const { 192.168.0.0/24 }
table <bad-private> const { 10.0.0.0/8, 172.16.0.0/12 } #Do I really need this!

#-#Options!
set loginterface $ext_if #logging on $ext_if
set loginterface $int_if #logging on $int_if
set limit states 1000 #Number of connections
set block-policy drop #block policy - silent!

#Normalise packets we transmit and receive
scrub in on $ext_if min-ttl 30 no-df
scrub in on $int_if min-ttl 5 no-df

#-#NAT!
no nat on $ext_if proto 51 from $int_net to any
nat on $ext_if from $int_net to any -> ($ext_if)

#-#Redirection!
#Check on this!!!
rdr on $ext_if proto tcp from any to ($ext_if) port ftp -> 127.0.0.1 port 8021
#FTPD Access-below!
rdr on $ext_if proto tcp from any to ($ext_if) port 20001 -> ($ext_if) port 21

#-#Packet filtering!
#default block stance
block in all

#Antispoof!
antispoof for $all_if

#state modulation for poor client ISN's
pass in on $int_if inet from $int_net to any modulate state

#rfc1918-private addresses, pass in 192.168.2.0/24
pass in log on $all_if from <used-private> to any keep state

pass in log-all on ($ext_if) proto tcp from any to ($ext_if) port $ssh_local keep state (max 4) (tcp.established 7200) group wheel

pass in log proto tcp from any to ($ext_if) port $ftp_local keep state (max 10) group wheel

#DNS queries
pass in proto udp from any port 53 to ($ext_if) port 53

Thanks for ya time

frisco
February 3rd, 2004, 15:55
pass in log-all on $ext_if proto tcp from any to $ext_if port $ssh_local keep state (max 4 tcp.established 7200) group wheel

bsdjunkie
February 3rd, 2004, 15:57
I've run it through pfctl for syntax errors and the only error is:
Code:
pass in log-all on ($ext_if) proto tcp from any to ($ext_if) port $ssh_local keep state (max 4) (tcp.established 7200) group wheel

Try:
Code:
pass in log on ($ext_if) proto

#-#Options!
set loginterface $ext_if #logging on $ext_if
set loginterface $int_if #logging on $int_if

You can only specify one log interface at a time.

blackmilk
February 3rd, 2004, 16:18
I tried both suggestions; neither worked. But frisco was closest:
Code:
pass in log-all on $ext_if proto tcp from any to ($ext_if) port $ssh_local keep state (max 4 tcp.established 7200) group wheel
The second ($ext_if) was correct as I was specifying an IP.

I'm specifying "log-all" because I would like all packets to be logged due to the nature of the service. "log" only captures the first packet.

According to Absolute OpenBSD...
PF's logging functions can be enabled on an interface-by-interface basis with the "loginterface" keyword
It doesn't state otherwise in pf.conf's man page; am I wrong?

Thanks for the input :) Very helpful

bsdjunkie
February 3rd, 2004, 16:22
http://openbsd.org/faq/pf/options.html

set loginterface int
Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked. Statistics can only be gathered for one interface at a time.

blackmilk
February 3rd, 2004, 16:33
Ahh, you were right! Should send that correction into him. Thanks :)
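The three problems the thread turns up (two `set loginterface` lines, state options split into separate parenthesised groups, and a mistyped RFC 1918 range in the private-address table) are all easy to miss by eye and the second one is the only one pfctl rejects outright. Below is a small pre-load lint, written as an added example for this thread and not part of anyone's post or of OpenBSD itself. It works on a constructed sample containing just the problem lines as originally posted (including `176.16.0.0/12` where `172.16.0.0/12` was meant); the check names and the "private" table-name convention are assumptions of the example, not pf features.

```python
"""Lint a pf.conf for three mistakes discussed in the thread (added example).

Checks:
  1. more than one 'set loginterface' (pf keeps stats for one interface only)
  2. state options written as several '( )' groups instead of one list
  3. entries in a table whose name contains 'private' that are not RFC 1918 space
"""
import ipaddress
import re

# RFC 1918 blocks; every entry of a "private" table is expected to sit inside one.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# 'keep state (...) (...)' -> two or more parenthesised groups after the state keyword.
STATE_OPTS_RE = re.compile(r"\b(?:keep|modulate|synproxy)\s+state\s*(?:\([^)]*\)\s*){2,}")
# 'table <name> [const] [persist] { a, b, ... }'
TABLE_RE = re.compile(r"^table\s+<([^>]+)>\s+(?:const\s+|persist\s+)*\{([^}]*)\}")
LOGIF_RE = re.compile(r"^set\s+loginterface\b")

# Constructed sample: only the problem lines from the thread, as first posted.
SAMPLE_CONF = """\
table <bad-private> const { 10.0.0.0/8, 176.16.0.0/12 }
set loginterface $ext_if
set loginterface $int_if
pass in log-all on ($ext_if) proto tcp from any to ($ext_if) port 22 keep state (max 4) (tcp.established 7200) group wheel
pass in log proto tcp from any to ($ext_if) port 21 keep state (max 10) group wheel
"""


def _strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def check_loginterface(lines):
    """Flag every 'set loginterface' after the first one."""
    hits = [n for n, l in lines if LOGIF_RE.match(l)]
    return [(n, "more than one 'set loginterface'; pf gathers statistics for one interface only")
            for n in hits[1:]]


def check_state_opts(lines):
    """Flag state options split into several parenthesised groups."""
    return [(n, "state options must be one list, e.g. 'keep state (max 4, tcp.established 7200)'")
            for n, l in lines if STATE_OPTS_RE.search(l)]


def check_private_tables(lines):
    """Flag entries of a 'private' table that are not inside an RFC 1918 block."""
    findings = []
    for n, l in lines:
        m = TABLE_RE.match(l)
        if not m or "private" not in m.group(1):
            continue
        for entry in (e.strip() for e in m.group(2).split(",") if e.strip()):
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((n, f"table <{m.group(1)}>: cannot parse '{entry}'"))
                continue
            if not any(net.subnet_of(r) for r in RFC1918):
                findings.append((n, f"table <{m.group(1)}>: {entry} is not RFC 1918 space"))
    return findings


def lint(conf):
    """Return sorted (line_number, message) findings for a pf.conf text."""
    numbered = [(i, _strip_comment(raw)) for i, raw in enumerate(conf.splitlines(), 1)]
    numbered = [(i, l) for i, l in numbered if l]
    findings = check_loginterface(numbered) + check_state_opts(numbered) + check_private_tables(numbered)
    return sorted(findings)


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```

Run it on a real ruleset with `lint(open("/etc/pf.conf").read())` before `pfctl -nf /etc/pf.conf`; pfctl still has the last word on syntax, this only catches the mistakes it accepts silently.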