My apologies in advance if this question has been asked - the issue is I'm not entirely sure what I'm asking, so looking for information has been a little difficult.
My aim:
Configure my OpenBSD 3.5 box to act as a pf router/firewall protecting my network (10 computers) and ultimately run a honey net at a later date.
My OpenBSD box contains two nics ( I realise it will need three for the honey net - but that comes later).
My Internet connection is an ADSL connection which is using a Netcomm NB1300 router. The Netcomm router contains all the connection details (IP address - static, DNS etc.) and is DHCP enabled. Its local IP is 192.168.1.1
My main question is - within my pf.conf file do I need to specify my "red_ip" (external IP address) as the Netcomm's IP address or as my ISP assigned IP?
I'm new to using pf and would like any help provided. I am reading through any docs I can find and am gradually making sense of them.
Additional information:
My ISP is called TPG (an Australian company); every time I try and do something like this I find trouble due to their set-up, i.e. the authentication is based on the phone number the connection is being made from - no username or password required.
My external NIC is rl1 and the internal is rl0
Any additional information needed - please ask. As you can see my pf.conf is still under construction - any tips would be greatly appreciated. Thanks in advance.
gsee
My pf.conf:
## Macros
# TCP flags: of FIN/SYN/RST/ACK only SYN may be set, i.e. the first packet of a new connection
SYN_ONLY="S/FSRA"
# External NIC
red_nic="rl1"
# Internal NIC
green_nic="rl0"
# External IP
red_ip="192.168.1.1"
# Internal IP
green_ip="192.168.1.5"
set loginterface $red_nic
set block-policy return
## Traffic Normalisation
scrub in on $red_nic all fragment reassemble
scrub out on $red_nic all fragment reassemble random-id no-df
## Queueing Rules
# Not set...
## Translation Rules (NAT)
# I think my hardware router does this...
## Filter Rules
# Default block all
block all
# TCP rules
block return-rst in log on $red_nic proto tcp all
pass in log quick on $red_nic proto tcp from any to $red_ip port 22 flags $SYN_ONLY keep state
pass in log quick on $red_nic proto tcp from any to $red_ip port 113 flags $SYN_ONLY keep state
# UDP rules
# I don't need UDP
# ICMP rules
block in log on $red_nic proto icmp all
pass in log quick on $red_nic proto icmp from any to $red_ip icmp-type echoreq keep state
# Log the unknown
block out log on $red_nic all
pass out log quick on $red_nic from $red_ip to any keep state
# Allow local computers
pass in quick on lo0 all
pass out quick on lo0 all
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
The easiest way to find out what IP you should use is to set the configuration for your external NIC to DHCP. In your filtering rules, you should use ($red_nic), which means "the IP of rl1, whatever it happens to be at the time". This will allow your rules to change if your DHCP lease changes.
Originally posted by chort The easiest way to find out what IP you should use is to set the configuration for your external NIC to DHCP.
How would I go about doing that? Would it then be best to have my Netcomm router provide DHCP to the external or red nic for my BSD router and then configure the BSD router to provide DHCP to the rest of the network?
Originally posted by chort In your filtering rules, you should use ($red_nic), which means "the IP of rl1, whatever it happens to be at the time". This will allow your rules to change if your DHCP lease changes.
Did you mean ($red_nic) or ($red_ip)?
Also, can you see any other problems with the pf.conf file?
I'm still having trouble setting up the router. I feel I'm close but simply don't understand what the problem is at present. I currently have pf disabled (I think - I disabled it from rc.conf).

At present my external card (rl1) is connected directly to the Netcomm modem/router and can ping it. My internal card (rl0) is connected to the network, however it can't ping.

Interesting points:

If I switch the cables leading into each card I get the opposite results - i.e. with switched cables I can ping the network but not the Netcomm router. Also, with the cables like this, despite being able to ping the network, I can't ping the IP address of the network card attached to the network from any of the networked computers.

If I run "arp -a" I generally receive a different response each time, the difference being that not all nodes are always listed. When they are listed they are as follows:

Netcomm (192.168.1.1) at XX:XX:XX:XX:XX:XX on rl0 - note I actually get a MAC address but can't be bothered entering it.
fileserver (192.168.1.3) at XX:XX:XX:XX:XX:XX on rl0
TuxBox (192.168.1.2) at XX:XX:XX:XX:XX:XX on rl0
rednic (192.168.1.13) at (incomplete) on rl0 - note no MAC address
greennic (192.168.1.42) at XX:XX:XX:XX:XX:XX on rl0 static - note MAC address found

Now... the interesting and confusing thing about that is that rl0 is my internal network card. Thus, rl0 should not be able to see the Netcomm router as it isn't connected to it.

I have both cards receiving an IP address statically:
External IP = 192.168.1.13
Internal IP = 192.168.1.42

Additionally, the external card (rl1) can't be pinged from the BSD box itself - if I do ping 192.168.1.42 I get replies, however ping 192.168.1.13 reports that the host is down. This is only when pinging locally; if pinging from a networked computer I get no replies from anything.

If I ping 192.168.1.42 () I get no replies, however the BSD box prints:
"Oct 4 11:28:33 bsdrouter /bsd: arp: attempt to add entry for 192.168.1.2 on rl0 by XX:XX:XX:XX:XX:XX on rl1"

From here I really have no idea. I don't know if it's something I've set up wrong, or a hardware issue (doubtful). If it's a setup problem I have no idea how big or small.

If anyone can shed some light on the matter please do; your patience would be greatly appreciated.

Thanking you in advance,
Gsee

BTW, the networked computers 'underneath' the BSD router are all obtaining their IP addresses etc. without any problems.
Why do you have both your NICs on the same subnet? That's not going to work. Each NIC must be on a separate subnet and ip forwarding must be enabled (as described in the PF User's Guide).
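Putting chort's two replies together (the external NIC on DHCP with ($red_nic) in the rules, and the two NICs on separate subnets with IP forwarding turned on), here is an added example of the resulting OpenBSD configuration as a small generator script. It is not code from the thread or from either poster. The script writes hostname.rl1, hostname.rl0, sysctl.conf and pf.conf into a directory you name, and refuses to write anything if the chosen LAN overlaps the Netcomm's 192.168.1.0/24, which is exactly the state the arp output above shows. The function names, the 192.168.2.0/24 LAN behind rl0 and the 192.168.2.1 address for the box are assumptions for illustration; the interface names and the Netcomm subnet are from the thread.

```shell
#!/bin/sh
# Added example for the thread above, not code posted by gsee or chort.
# rl1 takes its address from the Netcomm by DHCP, rl0 gets a fresh,
# non-overlapping LAN, IP forwarding is switched on, and pf refers to
# ($ext_if) so the rules follow whatever lease rl1 currently holds.
# The LAN addresses below are assumptions, not from the thread.
# Usage: sh gen_router_conf.sh /tmp/newetc   (read the four files it writes
# before copying anything into /etc)

ext_if="rl1"                  # outside NIC, faces the Netcomm
int_if="rl0"                  # inside NIC, faces the LAN
ext_net="192.168.1.0/24"      # subnet the Netcomm's DHCP serves (from the thread)
int_addr="192.168.2.1"        # assumed: the box's own address on the new LAN
int_plen=24                   # assumed: a /24 LAN, so its network is int_addr with .0
int_mask="255.255.255.0"

# ip_to_int 192.168.2.1 -> 3232236033 (dotted quad to a 32-bit integer)
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network_of 192.168.1.42/24 -> integer network address (192.168.1.0)
network_of() {
    addr=${1%/*}; plen=${1#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    echo $(( $(ip_to_int "$addr") & mask ))
}

# same_subnet A/len B/len -> true (0) when both fall in one network.
# 192.168.1.13/24 and 192.168.1.42/24 (the second post) are one network,
# so the kernel has nothing to route between the two cards.
same_subnet() {
    [ "$(network_of "$1")" -eq "$(network_of "$2")" ]
}

# gen_router_conf DIR -> writes hostname.rl1, hostname.rl0, sysctl.conf and
# pf.conf into DIR; writes nothing if the LAN overlaps ext_net.
gen_router_conf() {
    dir=$1
    if same_subnet "$int_addr/$int_plen" "$ext_net"; then
        echo "refusing: $int_if ($int_addr) would share $ext_net with $ext_if" >&2
        return 1
    fi
    mkdir -p "$dir"
    echo "dhcp" > "$dir/hostname.$ext_if"                   # outside NIC on DHCP
    echo "inet $int_addr $int_mask" > "$dir/hostname.$int_if"
    echo "net.inet.ip.forwarding=1" > "$dir/sysctl.conf"    # routing between the NICs
    # The shell fills in the macro values; \$ keeps pf's own macro references literal.
    cat > "$dir/pf.conf" <<EOF
ext_if="$ext_if"
int_if="$int_if"
int_net="${int_addr%.*}.0/$int_plen"

set loginterface \$ext_if
set block-policy return
scrub in all

# second NAT hop: hide the LAN behind whatever lease rl1 holds right now;
# the parentheses make pf re-read the interface address instead of freezing it
nat on \$ext_if from \$int_net to any -> (\$ext_if)

block log all
pass quick on lo0 all

# services on the box itself, reachable from the Netcomm side
pass in on \$ext_if proto tcp from any to (\$ext_if) port 22 flags S/SA keep state
pass in on \$ext_if inet proto icmp from any to (\$ext_if) icmp-type echoreq keep state

# LAN out through the box; keep state means replies need no extra rule
pass in on \$int_if from \$int_net to any keep state
pass out on \$ext_if keep state
EOF
}

if [ $# -gt 0 ]; then
    gen_router_conf "$1"
fi
```

Check the generated ruleset with `pfctl -nf /tmp/newetc/pf.conf` before installing it, and note what changes for the rest of the network: the ten machines behind rl0 must move to 192.168.2.x (statically or from a dhcpd on rl0, which this script does not set up), the box NATs them a second time behind rl1's lease, so the Netcomm needs no extra route, and the port 22 rule only admits connections that arrive on rl1, i.e. from the Netcomm's side of the network unless the Netcomm forwards that port.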