pf.conf in OpenBSD

Thread: pf.conf in OpenBSD

  1. #1
    Moderator
    Good Guru
    Schotty's Avatar
    Join Date
    Jul 2001
    Location
    Milwaukee, WI
    Posts
    5,760

    pf.conf in OpenBSD

    I got a pf.conf file I put together for my gateway. It isn't letting any traffic thru if I have the rules set. I was hoping someone could see the error and clue me in on it.

    I have three NICs, ne4 (lan), ne3 (wan) and xl0 (wan) to deal with. IIRC only xl0 and ne4 are mentioned.

    Code:
    # Setup a variable for who IS allowed to go online
    FullInternetIPs="{206.190.6.3/32,206.190.6.8/32,206.190.6.11/32,206.190.6.211/32,206.190.6.243/32,206.190.6.56/32}"
    WAN="xl0"
    LAN="ne4"
    # Normalize all incoming traffic
    scrub in on $WAN all
    
    #Block and log everything by default
    block out log on $LAN all
    block in log on $LAN all
    
    # Silently drop broadcasts
    block in quick on $WAN from any to 255.255.255.255/32
    
    # Filter Internet connections
    
    # Allow Toolbar access
    pass out on $LAN from any to 209.184.193.164/32
    pass in on $LAN from 209.184.193.164/32 to any
    
    # Allow Mapquest
    pass out on $LAN from any to 64.12.37.89/32
    pass out on $LAN from any to 64.12.51.56/32
    pass out on $LAN from any to 64.12.37.57/32
    pass in on $LAN from 64.12.37.89/32 to any
    pass in on $LAN from 64.12.51.56/32 to any
    pass in on $LAN from 64.12.37.57/32 to any
    
    # Allow full access for the chosen ones
    pass out on $LAN from $FullInternetIPs to any
    pass in on $LAN from any to $FullInternetIPs
    The basic idea here is to allow access only to the Mapquest and Toolbar IPs. And for the chosen ones, full access. This is basically so customer service can't surf the web while working (like I am doing right now)

    Thanks much!!

  2. #2
    Moderator
    Good Guru
    Schotty's Avatar
    Join Date
    Jul 2001
    Location
    Milwaukee, WI
    Posts
    5,760

    Re:pf.conf in OpenBSD

    Bump...

    I take it that there are not many OpenBSD gurus here anymore..... :-[

    Update :: I now have this configuration. I also feel that this looks cleaner. At this point I have been trying to figure out some of my logs. Stuff isn't getting back to the user's machine.

    /etc/pf.conf
    Code:
    ####################################################
    # Setup a variable for who IS allowed to go online #
    ####################################################
    
    FullInternetIPs="{192.168.254.2/32,
                      192.168.1.2/32,
                      206.190.6.3/32,
                      206.190.6.8/32,
                      206.190.6.11/32,
                      206.190.6.32/32,
                      206.190.6.56/32,
                      206.190.6.222/32,
                      206.190.6.243/32,
                      206.190.6.247/32,
                      206.190.6.249/32}"
    DNS="{206.141.239.126/32,
          206.141.251.2/32,
          209.253.113.118/32,
          209.253.113.2/32}"
    WAN="xl0"
    LAN="ne4"
    
    pass out on $LAN all
    
    # Block and log everything by default
    block in log on $LAN all
    
    # Allow loopback adapter traffic full reign
    pass in quick on lo0 all
    pass out quick on lo0 all
    
    # Silently drop broadcasts
    block in quick on $WAN from any to 255.255.255.255/32
    
    ###############################
    # Filter Internet connections #
    ###############################
    
    # Allow DNS queries
    pass in quick on $LAN from 206.190.6.0/24 to $DNS keep state
    pass out quick on $LAN from $DNS to 206.190.6.0/24 keep state
    
    # Allow Toolbar access
    pass out quick on $LAN from 206.190.6.0/24 to 209.184.193.164/32 keep state
    pass in quick on $LAN from 209.184.193.164/32 to 206.190.6.0/24 keep state
    
    # Allow Mapquest
    pass out quick on $LAN from 206.190.6.0/24 to 64.12.37.89/32 keep state
    pass out quick on $LAN from 206.190.6.0/24 to 64.12.51.56/32 keep state
    pass out quick on $LAN from 206.190.6.0/24 to 64.12.37.57/32 keep state
    pass in quick on $LAN from 64.12.37.89/32 to 206.190.6.0/24 keep state
    pass in quick on $LAN from 64.12.51.56/32 to 206.190.6.0/24 keep state
    pass in quick on $LAN from 64.12.37.57/32 to 206.190.6.0/24 keep state
    
    # Allow full access for the chosen ones
    pass out quick log on $LAN from $FullInternetIPs to any keep state
    pass in quick log on $LAN from any to $FullInternetIPs keep state
    
    # Allow SSH sessions from LAN
    # "on" names an interface; the source address goes after "from",
    # and "port" needs a proto (tcp) to be accepted by pfctl
    pass in quick log on $LAN proto tcp from 206.190.6.0/24 to 206.190.6.222/32 port = 22 keep state
    pass out quick log on $LAN from 206.190.6.222/32 to 206.190.6.0/24 keep state

  3. #3

    Re:pf.conf in OpenBSD

    What do you mean trying to figure out some of your logs? What is it dropping?

  4. #4
    Senior Member
    Join Date
    May 2002
    Posts
    394

    Re:pf.conf in OpenBSD

    I sent the thread to GNU/Vince and here is what he said.

    Hey,

    from what I can see, he only has one rule for $WAN, and it's a
    silent
    block (block in quick). Tell him to try to have a rule that lets
    through other in/out traffic on $WAN. Of course, I have no knowledge
    of
    his network disposal, so I can't help much I'm afraid.

    Vince
    I hope it gives you a place to start



  5. #5
    Moderator
    Good Guru
    Schotty's Avatar
    Join Date
    Jul 2001
    Location
    Milwaukee, WI
    Posts
    5,760

    Re:pf.conf in OpenBSD

    [quote author=Ashcrow link=board=10;threadid=1834;start=0#36989 date=1023425316]
    What do you mean trying to figure out some of your logs? What is it dropping?
    [/quote]

    Everything coming in at the current (the second post) configuration. I can see that the stuff is going out, but the logs state that the stuff isn't allowed back in.

    Thanks much Ash!!

  6. #6
    Moderator
    Good Guru
    Schotty's Avatar
    Join Date
    Jul 2001
    Location
    Milwaukee, WI
    Posts
    5,760

    Re:pf.conf in OpenBSD

    [quote author=noblestknight link=board=10;threadid=1834;start=0#37047 date=1023454695]
    I sent the thread to GNU/Vince and here is what he said.

    Hey,

    from what I can see, he only has one rule for $WAN, and it's a
    silent
    block (block in quick). Tell him to try to have a rule that lets
    through other in/out traffic on $WAN. Of course, I have no knowledge
    of
    his network disposal, so I can't help much I'm afraid.

    Vince
    I hope it gives you a place to start



    [/quote]

    Thanks for whipping it his way for me

    I know he is good with OpenBSD, and it always helps to have an intelligent group of minds attacking a problem.

    As far as the LAN configuration :

    2 DSL lines coming in. The one I am using here is the generic internet browsing one (the other is for email). Those two and the LAN are connected to the gateway. The DSL lines are on the 192.168.254.0/24 and 192.168.1.0/24 (this is the one that is for the internet browsing). The LAN is on 206.190.6.0/24 with the gateway on 206.190.6.222. As I have got it, I know for a fact that this probably is the messiest, slopped up pile of puke you guys have seen -- but this is my first whack at it


    Thanks much!!

  7. #7

    Re:pf.conf in OpenBSD

    [quote author=Schotty link=board=10;threadid=1834;start=0#37059 date=1023458323]
    Everything coming in at the current (the second post) configuration. I can see that the stuff is going out, but the logs state that the stuff isn't allowed back in.
    [/quote]

    So your logs state that people can send out traffic but the traffic is not allowed back in, but in practice the traffic is coming back in?

    I am still a bit confused here

    GnuVince and I used to be the board's OpenBSD Duo Zealot Brigade!

  8. #8
    Senior Member
    Join Date
    May 2002
    Posts
    394

    Re:pf.conf in OpenBSD

    Where in the rules is the part about allowing stuff to come back in?
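    The two points raised above (Vince's "there is only a silent block on $WAN, add rules that let traffic through there" and Ashcrow's "where is the part that allows stuff to come back in?") come down to how pf sees direction. "in" and "out" are relative to the firewall's own interfaces, not to the LAN: a client's packet arrives in on $LAN and leaves out on $WAN; the reply arrives in on $WAN and leaves out on $LAN. A rule such as "pass in on $LAN from <internet host>" therefore never matches a reply, because replies never enter on $LAN. The ruleset below is an added example, not Schotty's config and not from anyone in the thread; it reuses the interface names, LAN subnet, gateway address and Toolbar/Mapquest hosts posted above, while the FullInternetIPs and DNS lists are placeholders to be filled in. It is written in the OpenBSD 3.x syntax of the time, where "keep state" had to be spelled out (it became the default in 4.1).

```pf
# Added example ruleset, not the thread's own /etc/pf.conf.
# Interface names, LAN subnet, gateway and Toolbar/Mapquest hosts come from the thread;
# FullInternetIPs and DNS are placeholder lists.
WAN="xl0"
LAN="ne4"
LAN_NET="206.190.6.0/24"
GATEWAY="206.190.6.222"
FullInternetIPs="{ 206.190.6.3, 206.190.6.8 }"                          # placeholder
DNS="{ 206.141.239.126, 206.141.251.2 }"                                 # placeholder resolvers
AllowedSites="{ 209.184.193.164, 64.12.37.89, 64.12.51.56, 64.12.37.57 }" # Toolbar + Mapquest

# Normalize everything arriving from the Internet
scrub in on $WAN all

# Default deny on BOTH interfaces, both directions, logged.
# pf is last-matching-rule, so this goes first and the pass rules below win;
# "quick" on a pass rule stops evaluation at that rule.
block log all

# Loopback is never filtered
pass quick on lo0 all

# Each allowed flow gets a pass rule where it ENTERS the firewall ($LAN)
# and where it LEAVES it ($WAN). "keep state" on those rules creates a state
# entry; the reply (in on $WAN, out on $LAN) is matched against the state
# table before the rules are consulted, so no "pass in on $LAN from <site>"
# rule is needed or even meaningful.

# DNS for the whole LAN
pass in  quick on $LAN proto udp from $LAN_NET to $DNS port 53 keep state
pass out quick on $WAN proto udp from $LAN_NET to $DNS port 53 keep state

# Web access for everyone, but only to the whitelisted hosts
pass in  quick on $LAN proto tcp from $LAN_NET to $AllowedSites port { 80, 443 } flags S/SA keep state
pass out quick on $WAN proto tcp from $LAN_NET to $AllowedSites port { 80, 443 } flags S/SA keep state

# Full access for the listed hosts
pass in  quick on $LAN from $FullInternetIPs to any keep state
pass out quick on $WAN from $FullInternetIPs to any keep state

# SSH to the gateway itself from the LAN (terminates here, so no $WAN rule)
pass in quick log on $LAN proto tcp from $LAN_NET to $GATEWAY port 22 flags S/SA keep state
```

    Check the file parses before loading it with "pfctl -nf /etc/pf.conf" (the -n flag only parses), then load it with "pfctl -f /etc/pf.conf". Because "block log all" is the only block rule, every drop shows up on pflog, which answers the "what is it dropping?" question directly: a logged packet in on $WAN with a LAN destination means there was no state for it, which is what happens when the outbound rule that should have created the state lacks "keep state" or never matched.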

  9. #9
    Moderator
    Good Guru
    Schotty's Avatar
    Join Date
    Jul 2001
    Location
    Milwaukee, WI
    Posts
    5,760

    Re:pf.conf in OpenBSD

    [quote author=Ashcrow link=board=10;threadid=1834;start=0#37120 date=1023473419]
    [quote author=Schotty link=board=10;threadid=1834;start=0#37059 date=1023458323]
    Everything coming in at the current (the second post) configuration. I can see that the stuff is going out, but the logs state that the stuff isn't allowed back in.
    [/quote]

    So your logs state that people can send out traffic but the traffic is not allowed back in, but in practice the traffic is coming back in?

    I am still a bit confused here

    GnuVince and I used to be the board's OpenBSD Duo Zealot Brigade!
    [/quote]

    To Ashcrowe : For the confusion -- how do you think I feel -- I have barely a clue what the hell I am doing ;D

    To all : And yes, it was you and GnuVince that got me hooked on OpenBSD. And I am glad too... Too bad GnuVince had to quit... I liked his sense of humor.

    To noblestknight: You aren't alone.

    To all : Yeah, well -- here I'll make a free website somewhere and post the logs. It's about time I do that anyhow. I'll update my post here with the URL.


    UPDATE!!:

    http://www.geocities.com/rammstein_schotty/index2.htm

  10. #10

    Re:pf.conf in OpenBSD

    2 things:
    1. It's nice to know someone liked me :-[
    2. How does it work now Schotty?
    3. Did I just make a GnuVince's 2?
