Hello,

Hopefully, the pf.conf file I have
attached will set up an internal
network, a dmz, and allow a mail server,
dns server and web server to all
operate securely over one static ip
address on ne3 (ext_if). If any one has
ideas on
a: how to make this work
b: how to make it simpler
c: how to make it more secure

then please tell me what to do, as I've
read the docs and man pages, but cannot
find many complete examples for a dmz,
and internal network with only one
static IP (external to internet).

thanks,
James

# $OpenBSD: pf.conf 28Oct03

# macros
ext_if = "ne3"
int_if = "ne4"
dmz_if = "ne5"
webserver = 192.168.10.40
mailserver = 192.168.10.41
dnsserver = 192.168.10.42
tcp_services = "{ 22, 113 } "

# did not allow ftp from subnet
tcp_services = "{ 20, 21, 113 }"
#tcp_services = "{ 20, 21, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8,
192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
int_net = "{ 192.168.0.0/24 }"
dmz_net = "{ 192.168.40.0/24 }"

set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
# this rule provides network address
translation from internal net to internet
nat on $ext_if from $int_if:network to
any -> ($ext_if)

# This rule directs external internet
web traffic to webserver on DMZ
rdr on $ext_if proto tcp from any to
$ext_if port 80 -> $webserver port 80
# This rule allow the intenal network
access to webserver
rdr on $int_if proto tcp from $int_if to
$ext_if port 80 -> $webserver port 80

# This rule directs external internet
mail traffic to mailserver on DMZ
rdr on $ext_if proto tcp from any to
$ext_if port 25 -> $mailserver port 25
# This rule allow the intenal network
access to mailserver
rdr on $int_if proto tcp from $int_if to
$ext_if port 25 -> $mailserver port 25

# This rule directs external internet
dns traffic to dnsserver on DMZ
rdr on $ext_if proto tcp from any to
$ext_if port 53 -> $dnsserver port 53
# This rule allow the intenal network
access to dns server
rdr on $int_if proto tcp from $int_if to
$ext_if port 53 -> $dnsserver port 53

# this rule keeps nat from messing up
traffic between int_net and dmz servers
no nat on $int_if proto tcp from $int_if
to $int_net

# this rule should only allow ssh from
1.2.3.4 to the webserver,
pass in on $ext_if proto tcp from
1.2.3.4 to $webserver port 22 keep state

# filter rules
block log all
pass quick on lo0 all
block drop in quick on $ext_if from
$priv_nets to any
block drop out quick on $ext_if from any
to $priv_nets
pass in on $ext_if inet proto tcp from
any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type
$icmp_types keep state
pass in on $int_if from $int_if:network
to any keep state
pass out on $int_if from any to
$int_if:network keep state
pass out on $ext_if proto tcp all
modulate state flags S/SA
pass out on $ext_if proto { udp, icmp }
all keep state