Hi everyone,

My apologies in advance if this question has been asked - the issue is I'm not entirely sure what I'm asking, so looking for information has been a little difficult.

My aim:

Configure my OpenBSD 3.5 box to act as a pf router/firewall protecting my network (10 computers) and ultimately run a honey ney at a later date.

My OpenBSD box contains two nics ( I realise it will need three for the honey net - but that comes later).

My Internet connection is an ADSL connection which is using a Netcomm NB1300 router. The Netcomm router contains all the connection details (IP address - static, DNS etc) and is DHCP enabled. It's local IP is 192.168.1.1

My main question is - within my pf.conf file do I need to specify my "red_ip" (external IP address) as the Netcomm's IP address or as my ISP assigned IP?

I'm new to using pf and would like any help provided. I am reading through any docs I can find and am gradually making sense of them.

Additional information:

My ISP is called TPG (Australia Company) everytime I try and do something like this I find trouble due to their set up. i.e. The authentication is based on the phone number the connection is being made from - no username or password required.

My external NIC is rl1 and the internal is rl0

Any additional information needed - please ask. As you can see my pf.conf is still under construction - any tips would be greatly appreciated. Thanks in advance.

gsee

My pf.conf:


## Macros

# Unknown thingy
SYN_ONLY="S/FSRA"
# External NIC
red_nic="rl1"
# Internal NIC
green_nic="rl0"

# External IP
red_ip="192.168.1.1"
# Internal IP
green_ip="192.168.1.5"

## Tables

table <lanComps> const {192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4}

## Global Options

set logininterface $red_nic
set block-policy return

## Traffic Normalisation

scrub in on $red_nic all fragment reassemble
scrub out on $red_nic all fragment reassemble random-id no-df

## Queueing Rules

# Not set...

## Translation Rules (NAT)

# I think my hardware router does this...

## Filter Rules

# Defaul block all
block all


# TCP rules

block return-rst in log on $red_nic proto TCP all
pass in log quick on $red_nic proto TPC from any to $red_ip port 22 flags $SYN_ONLY keep state
pass in log quick on $red_nic proto TPC from any to $red_ip port 113 flags $SYN_ONLY keep state

# UDP rules
# I don't need UDP

# ICMP rules
block in log on $red_nic proto icmp all
pass in log quick on $red_nic proto icmp from any to $red_ip echoreq keep state


# Log the unknown
block out log on $red_nic all
pass out log quick on $red_nic from $red_ip to any keep state

# Allow local computers
pass in quick on lo0 all
pass out quick on lo0 all

The easiest way to find out what IP you should use is to set the configuration for your external NIC to DHCP. In your filtering rules, you should use ($red_nic), which means "the IP of rl1, whatever it happens to be at the time". This will allow your rules to change if your DHCP lease changes.

How would I go about doing that? Would it then be best to have my Netcomm router provide DHCP to the external or red nic for my BSD router and then configure the BSD router to provide DHCP to the rest of the network?


Did you mean ($red_nic) or $red_ip)?

Also, can you see any other problems with the pf.conf file?

Thanks for your help, greatly appreicated.

Gsee

man hostname.if

I mean ($red_nic), that will resolve to the current IP of the NIC (just like I said in my original post).

Hi all,

I'm still having trouble setting up the router. I feel I'm close but simply
don't understand what the problem is at present. I currently have pf disabled
(I think - I disabled it from rc.conf).

At present my external card (rl1) is connected directly to the Netcomm Modem/router
and can ping it. My Internal card (rl0) is connected to the network however can't
ping.

Interesting points:

If I switch the cables leading into each card I get the opposite results -
i.e. with switched cables I can ping the network but not ping the Netcomm router. Also
with the cables like this, despite being able to ping the network I can't ping
the IP address of the network card attached to the network from any of the
networked computers.

If I run "arp -a" I generally receive a different response each time. The
difference being that not all nodes are always listed. When they are listed
they are as follows:

Netcomm (192.168.1.1) at XX:XX:XX:XX:XX:XX on rl0 - note I actually get a MAC
address but can't be bothered entering it.

fileserver (192.168.1.3) at XX:XX:XX:XX:XX:XX on rl0

TuxBox (192.168.1.2) at XX:XX:XX:XX:XX:XX on rl0.

rednic (192.168.1.13) at (incomplete) on rl0 - note no MAC address

greennic (192.168.1.42) at XX:XX:XX:XX:XX:XX on rl0 static - note MAC address
found

Now... the interesting and confusing thing about that is that rl0 is my
internal network card. Thus, rl0 should not be able to see the Netcomm router
as it isn't connected to it.

I have both cards receiving an IP address statically:

External IP = 192.168.1.13
Internal IP = 192.168.1.42

Additionally, the external card (rl1) can't be pinged from the BSD box itself - if I do ping
192.168.1.42 I get replies... however ping 192.168.1.13 reports that the host
is down. This is only when pinging locally, if pinging from a networked
computer I get no replies from anything.

If I ping 192.168.1.42 () I get no replies, however the BSD box prints:
" Oct 4 11:28:33 bsdrouter /bsd: arp: attempt to add entry for 192.168.1.2 on
rl0 by XX:XX:XX:XX:XX:XX on rl1"

From here I really have no idea. I don't know if it's something I've set up
wrong, a hardware issue (doubtful). If it's a setup problem I have no idea how
big or small.
If anyone can lend a light on the matter please do and your patience would be
greatly appreciated.

Thanking you in advance,
Gsee

BTW, The networked computers 'underneath' the BSD router are all obtaining
their IP addresses etc without any problems.

Why do you have both your NICs on the same subnet? That's not going to work. Each NIC must be on a separate subnet and ip forwarding must be enabled (as described in the PF User's Guide).