Building home OpenBSD router - Part 4

August 10, 2008 12:46 pm

Start at Part 1

… Let there be Traffic


Reference: The Book of PF

First I want to enable my router to forward my traffic. This gives me a baseline configuration with no filtering and no NAT. To enable it I run:

sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1

Next I uncomment the following two lines in /etc/sysctl.conf to make this reboot-safe.

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets

The Book of PF recommends testing as you build up your environment; this is a good time to get a baseline proof of functionality for those tests.

Next, I’m going to set up some macros in pf.conf to ease configuration changes in the future. First, my router’s interfaces.

# Interface Globals
ext_if = "rl0"
int_if = "xl0"
wifi_if = "rum0"

Next, I want to make variables for the two boxes I set up MAC associations for in my dhcpd config, my file server and my xbox, because they have special TCP and UDP port needs.

# Static machines
file_server = "192.168.0.2"
xbox = "192.168.0.3"

Lastly, I’m defining the services section. I want to allow access to a few daemons running on the router itself, as well as allow the hosts on my local subnets to use certain protocols themselves (as clients).

# Protocol Globals
router_daemons = "{ ssh, domain, ntp, bootps, 8080, 5022 }"
client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222 }"
client_udp_services = "{ domain, bootps, 67 }"

Now it’s time to block everything, so I add the statement that blocks all traffic, and add an exception so that the loopback interface is not filtered at all.

block all
set skip on lo

The location of this line is important: in PF the last matching rule wins, so "block all" has to come before the pass rules that punch holes in it. All NAT/RDR lines will occur before this line, and all filtering rules will occur after it, so keep that in mind for future configurations.

Now I’m going to allow all traffic initiated by hosts on my local subnets to be sent out to the internet (state is kept for their sessions as well).

To do this I tell my router to NAT for my local subnets:

# Provide NATing for my local subnets
nat on $ext_if from $wifi_if:network to any -> ($ext_if) static-port
nat on $ext_if from $int_if:network to any -> ($ext_if)

And then set which protocols are allowed to be passed out to the internet:

# Allowed Client traffic: in on the LAN interfaces, then out on the external one
# (with "block all" in place, the LAN side needs its own pass in rules)
pass in on { $int_if, $wifi_if } proto tcp to any port $client_tcp_services
pass in on { $int_if, $wifi_if } proto udp to any port $client_udp_services
pass out on $ext_if proto tcp to any port $client_tcp_services
pass out on $ext_if proto udp to any port $client_udp_services

And I can’t forget about my router itself, so I’ll allow access to its daemons from both my local subnets as well as the outside world.

# Router services
# Note: "to any" matches these ports toward any destination in either direction,
# not only the router itself; "to self" would limit it to the router's addresses.
pass proto icmp
pass quick inet proto { tcp, udp } to any port $router_daemons

The last step is to enable pf:

pfctl -e

To make it reboot-safe, uncomment the following two lines in /etc/rc.conf:

pf=YES                  # Packet filter / NAT
pf_rules=/etc/pf.conf           # Packet filter rules file

At this point, the file server cannot be accessed from the outside world, and connecting to Xbox Live isn’t going to happen either. These will be covered in the next part of my OpenBSD router project.


Our final /etc/pf.conf for this part of the project:

# Interface Globals
ext_if = "rl0"
int_if = "xl0"
wifi_if = "rum0"

# Static machines
file_server = "192.168.0.2"
xbox = "192.168.0.3"

# Protocol Globals
router_daemons = "{ ssh, domain, ntp, bootps, 8080, 5022 }"
client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222 }"
client_udp_services = "{ domain, bootps, 67 }"

# Provide NATing for my local subnets
nat on $ext_if from $wifi_if:network to any -> ($ext_if) static-port
nat on $ext_if from $int_if:network to any -> ($ext_if)

block all
set skip on lo

# Allowed Client traffic: in on the LAN interfaces, then out on the external one
# (with "block all" in place, the LAN side needs its own pass in rules)
pass in on { $int_if, $wifi_if } proto tcp to any port $client_tcp_services
pass in on { $int_if, $wifi_if } proto udp to any port $client_udp_services
pass out on $ext_if proto tcp to any port $client_tcp_services
pass out on $ext_if proto udp to any port $client_udp_services

# Router services
# Note: "to any" matches these ports toward any destination in either direction,
# not only the router itself; "to self" would limit it to the router's addresses.
pass proto icmp
pass quick inet proto { tcp, udp } to any port $router_daemons
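As an added illustration that is not part of the original post, here is a small Python model of how PF walks the filter rules from this part as they act on the external interface rl0: the last matching rule decides, unless a matching rule is marked quick, and a packet that matches nothing is passed. The Rule and Packet classes and the evaluate function are my own constructions; the page's macros are expanded by hand and NAT, state and addresses are left out.

```python
# Added example (not the post's own code): macros expanded by hand, and
# NAT, state tracking and addresses deliberately left out of the model.
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    direction: Optional[str] = None          # "in", "out" or None (either)
    iface: Optional[str] = None              # interface name or None (any)
    proto: Optional[str] = None              # "tcp", "udp", "icmp" or None
    dports: Optional[FrozenSet[int]] = None  # destination ports, None = any
    quick: bool = False

@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int = 0

# ssh=22 smtp=25 domain=53 bootps=67 www=80 pop3=110 auth=113 ntp=123 imap=143
ROUTER_DAEMONS = frozenset({22, 53, 123, 67, 8080, 5022})
CLIENT_TCP = frozenset({22, 25, 53, 80, 110, 113, 443, 995, 143, 993,
                        8000, 8080, 5190, 5222})
CLIENT_UDP = frozenset({53, 67})
RULES = [
    Rule("block"),                                   # block all
    Rule("pass", "out", "rl0", "tcp", CLIENT_TCP),   # pass out on $ext_if ...
    Rule("pass", "out", "rl0", "udp", CLIENT_UDP),
    Rule("pass", proto="icmp"),                      # pass proto icmp
    Rule("pass", proto="tcp", dports=ROUTER_DAEMONS, quick=True),  # pass quick ...
    Rule("pass", proto="udp", dports=ROUTER_DAEMONS, quick=True),  # $router_daemons
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dports is None or pkt.dport in rule.dports))

def evaluate(pkt: Packet, rules=RULES) -> str:
    """Last matching rule wins, a matching quick rule ends the walk, and a packet
    matching no rule is passed, which is why "block all" has to come first."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict
```

Running evaluate(Packet("in", "rl0", "tcp", 445), RULES[1:]) shows the same SMB packet being passed once "block all" is dropped from the front of the list.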

Continue to Step 5.
