Hello all. I would like to find out how to set up a simple firewall for my OpenBSD machine. Not NAT/Router or anything like that. Links and or advise is appreciated.

Jeempc

Thanks for the link but what I was looking for is some simple examples not a manual on how to do everything. I already looked there and couldn't figure it out. That is why I posted here.
I would have to believe that someone is doing the same thing that I want to do and can provide their experience.

http://www.openbsd.org/faq/pf/example1.html

Thanks for all your knowledge. As I said I already looked there smart alec.
jeempc

Maybe explain what you want to do with the firewall. I am not quite sure what you mean by "simple"?

jeempc, that second link has a very small example showed completely at the bottom of the page, with each part of it explained above. If that is not simple enough for you, then you must say exactly what you're looking for and why the example above is not what you want. It really is extremely simple.

Protect one machine and only allow ssh and http.
Sorry about being so vague. I am used to Linux where there are many canned scripts for a basic setup.
Jeempc

Well, that's a major difference between BSD and Linux. In the BSD OSs, the documentation is extremely good and they provide good examples in the man pages and on-line documentation, so it's easy to understand and you can write your own (with the bonus of you knowing why it works the way it does).

For the most part, Linux distributions have rather poor documentation, but a lot of people post their config files for other people to blindly download and use. The end result is that many Linux users don't end up knowing why their services work the way they do, and in particular don't understand how their firewall works. That's bad!

For something as important as security, you should understand how everything works so you know what to change and what effect it will have if you do change something. You should attempt to learn how packet filtering works in the BSD operating systems rather than just ask for someone to give you rules. I could give you a config file that would work, but you would have to trust me that I didn't purposely leave a vulnerability that I could exploit later, and if you ever wanted to change anything with it more than likely you would ask me instead of changing it yourself.

I suggest that you take the time to read the Home or Small Office example that was pointed out to you above. The example shows 3 local machines, but it still applies to what you want. If you actually read the example, you would see that SSH connections are allowed from the outside to the firewall, and HTTP requests are redirected to COMP3 in the example. If you want SSH and HTTP to go to a machine behind the firewall, then change the SSH rule to look like the HTTP rule. If your SSH and HTTP servers are both on the same machine as the firewall, then change the HTTP rule to look like the SSH rule.

All the BSD packet filter languages (IPF, IPFW, PF) are written in "natural language", so there should be no problem at all comprehending them if you take the time to read the documentation.

Thanks. I appreciate the concern for security. It is funny because I couldn't get anywhere on google except long explanations about packet filtering.
I will take the time to learn it the right way--I was going to anyways, I just wanted a framework to get started.
Thanks for explaining how the BSD community works.
It will save me from asking other questions that get the RTFM responses

Jeempc

Read the FAQ that was linked all the way near the top of this thread, and also read the pf.conf man page [pf.conf(5)]. Those will explain what you need to know to setup a firewall with OpenBSD. pf.conf(5) shows all the possible options to use, so it gives you ideas of other rules you could setup. You should also read pfctl(8) (to see how to manipulate PF from the command line), pflogd(8) (for instructions on setting up logging), and ftp-proxy(8) (for an explanation of how PF handles FTP traffic).

As a side note you also have the choice to use pf under freebsd.

Yes, but all the features of OpenBSD PF don't work on FreeBSD (yet) and it isn't as stable.

shutup and read the faq

Be nice to everyone but me huh!
I am reading it.