I am new to OpenBSD and network administration in general. I recently decided to set up a good home network and decided upon OpenBSD for my firewall. My firewall has 3 NICs. sis0 is connected to my cable modem, dc0 is connected to my local network, and sis1 is connected to a wireless access point with WEP disabled. My objective is to share internet with people in the parking lot as long as a) they don't encroach on my bandwidth too much and b) my LAN is secure. Here is my pf.conf. I will write my understanding of what is happening below. I'd appreciate any advice you have to give.

#------------------------------------------------------------------------------------------
#
# begin pf.conf

internet="sis0"
wlan="sis1"
lan="dc0"

# allowing 'auth' per www.openbsd.org example pf configuration
tcp_services = "{ ssh, auth }"
icmp_types = "echoreq"
# 'domain' is the /etc/services name for DNS (it was misspelled 'domian', which pfctl rejects)
wlan_tcp_services = "{ ssh, domain, auth, nameserver, bootps, bootpc }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
#set loginterface $internet

# scrub
scrub in all

# queueing
altq on $internet cbq bandwidth 100% queue { wireless, local }
queue local priority 5 cbq(default)
queue wireless priority 0

# nat/rdr
nat on $internet from $lan:network to any tag LOCAL -> ($internet)
nat on $internet from $wlan:network to any tag WIRELESS -> ($internet)

# filter rules
block all
pass quick on lo0 all

# drop quick impossible (spoofed) connections
block drop in quick on $internet from $priv_nets to any
#block drop out quick on $internet from any to $priv_nets

# allow ping from all interfaces
pass in inet proto icmp all icmp-type $icmp_types keep state

#-----------------------------------------------
# LAN
#
# allow anything. home network is safe, except for burglars
#-----------------------------------------------
pass in on $lan from $lan:network to any keep state
pass out on $lan from any to $lan:network keep state

#------------------------------------------------
# WIRELESS LAN
#
# drop quick from wireless to lan
# allow all wireless traffic headed for the internet
# don't allow wireless to connect to firewall, except
# for necessary things
#------------------------------------------------
# no 'tagged WIRELESS' on this block: the tag is only set by the nat rule when a
# packet leaves on $internet, so a packet arriving on $wlan for the LAN is untagged
# and the block would never match
block drop in quick on $wlan from any to $lan:network
pass in on $wlan from $wlan:network to !($wlan) keep state
# interface ('on') must come before the address family ('inet') in a pf rule
pass in on $wlan inet proto tcp from $wlan:network to ($wlan) \
    port $wlan_tcp_services keep state
pass out on $wlan from any to $wlan:network keep state

#------------------------------------------------
# INTERNET
#
# allow ssh and auth commands from inet
# pass out tcp connection packets only, queueing
# pass out all udp and icmp packets
#------------------------------------------------
pass in on $internet inet proto tcp from any to ($internet) \
    port $tcp_services flags S/SA keep state
# general rules first; the tagged wireless rules come after them so that, with
# pf's last-matching-rule-wins evaluation, wireless packets land in the wireless queue
pass out on $internet proto tcp all modulate state flags S/SA
pass out on $internet proto { udp, icmp } all keep state
pass out on $internet proto tcp all tagged WIRELESS modulate state flags S/SA \
    queue wireless
# 'flags' only applies to tcp, so it is left off the udp/icmp rule
pass out on $internet proto { udp, icmp } all tagged WIRELESS keep state \
    queue wireless

# end pf.conf
#---------------------------------------------------------------------------------------------------------

1) I set up a cbq queue. I use this instead of priq even though I don't do any bandwidth limiting, because I don't want traffic on local to completely shut out the traffic from wireless, just run faster.

2) I then NAT the two internal interfaces and tag these packets so that I can queue their traffic later.

3) Drop possible screwy packets, let people ping on any interface, blah, blah, blah.

4) I allow anything and everything on the local interface.

5) Here is where it gets interesting... and confusing. I want to allow wireless traffic to all parts of the net, but only to my firewall when absolutely necessary, and never to the LAN. Necessary includes DHCP (bootp), DNS, and SSH.

6) Now I pass everything to the internet that needs to be passed. I use the tag from NAT to put wireless traffic in its queue and everything else in the local queue. I only want to make sure wireless traffic doesn't preempt me. I'm using stateful inspection, so the traffic I add to the state table here will remember the queue it is associated with, thus queueing and prioritizing all incoming and outgoing traffic.

I'd really like to know if this ruleset is going to accomplish my goals, if it is the best way to accomplish them, and, on a side note, what I would have to change to allow VPN via IPsec.

Thanks,
Grady
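A small model of pf's rule evaluation (last matching rule wins, unless a matching rule is quick) applied to the inbound $wlan rules of the ruleset above, added here as an illustration and not part of Grady's post. The addresses are constructed, 192.168.2.1 is assumed to be the firewall's address on sis1, and the lo0 and icmp rules are left out; it shows that wireless clients reach the internet and the firewall's listed TCP services but not the LAN, and that the tcp-only rule leaves UDP DNS and DHCP to the firewall blocked.

```python
# Model of pf rule evaluation for packets arriving on $wlan (sis1): the last
# matching rule wins, unless a matching rule is "quick", which ends evaluation.
# Networks and the firewall's sis1 address are constructed for this example.
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # $lan:network (constructed)
WLAN_NET = ip_network("192.168.2.0/24")  # $wlan:network (constructed)
WLAN_IF = ip_address("192.168.2.1")      # ($wlan), firewall address on sis1 (assumed)
# $wlan_tcp_services resolved through /etc/services:
# ssh, domain, auth, nameserver, bootps, bootpc
WLAN_TCP_PORTS = {22, 53, 113, 42, 67, 68}

# (action, quick, predicate) in pf.conf order; predicate gets (proto, src, dst, dport)
WLAN_IN_RULES = [
    ("block", False, lambda p, s, d, dp: True),                           # block all
    ("block", True,  lambda p, s, d, dp: d in LAN_NET),                   # quick, to $lan:network
    ("pass",  False, lambda p, s, d, dp: s in WLAN_NET and d != WLAN_IF),  # to !($wlan)
    ("pass",  False, lambda p, s, d, dp: p == "tcp" and s in WLAN_NET
                                         and d == WLAN_IF and dp in WLAN_TCP_PORTS),
]

def evaluate(rules, proto, src, dst, dport=None):
    """Return 'pass' or 'block' for one packet under pf's matching semantics."""
    src, dst = ip_address(src), ip_address(dst)
    verdict = "pass"  # pf's implicit default; 'block all' overrides it at once
    for action, quick, matches in rules:
        if matches(proto, src, dst, dport):
            verdict = action
            if quick:
                break
    return verdict

def wlan_verdicts():
    """Sample packets covering each goal of the ruleset (all values constructed)."""
    cases = {
        "wireless -> LAN host":         ("tcp", "192.168.2.50", "192.168.1.10", 445),
        "wireless -> internet":         ("tcp", "192.168.2.50", "203.0.113.7", 80),
        "wireless -> firewall ssh":     ("tcp", "192.168.2.50", "192.168.2.1", 22),
        "wireless -> firewall dns/udp": ("udp", "192.168.2.50", "192.168.2.1", 53),
        "dhcp discover (src 0.0.0.0)":  ("udp", "0.0.0.0", "255.255.255.255", 67),
    }
    return {name: evaluate(WLAN_IN_RULES, *pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, verdict in wlan_verdicts().items():
        print(f"{name:32} {verdict}")
```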