How many times have you needed to protect or separate two segments of your LAN, or two adjacent LANs, and could not put a router or NAT between them? This tutorial shows one answer: a transparent firewall built from an OpenBSD bridge and PF.
I used the latest release of OpenBSD (5.0) with PF. My basic installation included only the bsd, bsd.rd, base50.tgz, etc50.tgz and man50.tgz sets (the last one just in case 😀). It took me 10 minutes to install and configure it. (Here is a screenshot of my installation.)
First step: Configuration files
In /etc/sysctl.conf, uncomment the line that enables IP forwarding. (Strictly speaking a bridge switches frames at layer 2 and works without forwarding; the setting only matters if this machine also routes between subnets.)
If you need IPv6 as well, uncomment the line that enables IPv6 forwarding too.
Then check /etc/rc.conf (local overrides belong in /etc/rc.conf.local) and make sure PF is enabled, that is, the pf variable is set to YES.
Then reboot your system so the new settings and PF are active.
Second step: Configure your Firewall bridge
A bridge is a link between two or more separate networks. Unlike a router, packets cross the bridge "invisibly": logically, the two network segments appear to be one segment to nodes on either side of the bridge. The bridge only forwards packets that have to pass from one segment to the other, so among other things it provides an easy way to reduce traffic in a complex network while still letting any node reach any other node when needed. For a firewall this is attractive: the member interfaces carry no IP address, so the box has no address on the path it filters and cannot be reached directly by the hosts it sits between.
To build a bridge we first have to prepare our interfaces. In OpenBSD, interfaces are named after the driver, not the type of connection, so you will not find eth0 or anything like it; you will find names such as fxp0 or pcn0 instead.
First we remove any address configured on the interfaces and bring them up:
#ifconfig fxp0 delete
#ifconfig pcn0 delete
#ifconfig fxp0 up
#ifconfig pcn0 up
and create a bridge,
#ifconfig bridge0 create
then add our interfaces to it and bring it up:
#ifconfig bridge0 add fxp0 add pcn0 up
At this point we can test the bridge: connect a PC to each interface and ping one from the other. Remember that the PCs must be in the same subnet, because nothing is routed here, and check that both members are listed when you inspect bridge0 with ifconfig. If all is well, let's activate the invisible firewall!
First we make the changes permanent, so they survive a reboot:
#echo up > /etc/hostname.fxp0
#echo up > /etc/hostname.pcn0
#echo "add fxp0 add pcn0 up" > /etc/hostname.bridge0
then our first rules for PF in /etc/pf.conf:
To start with, put two rules at the top that pass everything on both members, so you can confirm traffic crosses the bridge before adding any policy (PF applies the last matching rule, so anything you add below these will override them):
pass on fxp0 all
pass on pcn0 all
Save and exit, then load the ruleset (checking the syntax first with the -n flag is a good habit):
#pfctl -f /etc/pf.conf
Now you can watch what happens on your bridge:
#tcpdump -nei fxp0
#tcpdump -nei pflog0
Keep in mind that pflog0 only carries packets matched by rules that have the log keyword, so with the two pass rules above it stays silent until you add log to them. Also, PF only sees IP traffic: ARP and other non-IP frames cross the bridge untouched unless you mark a member with the blocknonip bridge option. Now you can add the real rules to /etc/pf.conf: block some protocols, source or destination addresses and/or ports, block all RST packets, or maybe you need to sniff all traffic... but that is beyond the scope of this tutorial.
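The whole procedure above, first step included, as a single script. This is an added example for this tutorial, not the original author's code or an OpenBSD tool. It assumes the post's interface names fxp0 (outside) and pcn0 (inside), the bridge name bridge0, an inside subnet of 192.168.1.0/24, and TCP ports 22, 80 and 443 as the only services reachable from outside; all of these are assumptions to adjust. The ROOT variable lets you stage every file under a scratch directory and read it before touching the live system.

```shell
#!/bin/sh
# Added example, not from the original post: provision the transparent PF bridge
# this tutorial builds, end to end. Every file is written under $ROOT (empty =
# the live system), so you can stage it in a scratch directory first.
# Assumptions: member interfaces fxp0 (outside) and pcn0 (inside) as in the post,
# an inside subnet of 192.168.1.0/24 and ports 22/80/443 as the only services
# reachable from outside. Adjust the variables below to your machine.
set -eu

IF1=${IF1:-fxp0}              # outside member
IF2=${IF2:-pcn0}              # inside member
BR=${BR:-bridge0}
LAN=${LAN:-192.168.1.0/24}    # assumed subnet behind $IF2
ROOT=${ROOT:-}                # prefix for /etc; empty means the real system

# ifconfig sequence that builds the bridge now. The members carry no IP address,
# which is what keeps the firewall invisible on the wire.
bridge_up_cmds() {
    printf 'ifconfig %s delete\n' "$1"
    printf 'ifconfig %s delete\n' "$2"
    printf 'ifconfig %s up\n' "$1"
    printf 'ifconfig %s up\n' "$2"
    printf 'ifconfig %s create\n' "$3"
    printf 'ifconfig %s add %s add %s up\n' "$3" "$1" "$2"
}

# hostname.if(5) files so netstart(8) rebuilds the bridge at boot.
write_hostname_files() {
    root=$1; if1=$2; if2=$3; br=$4
    mkdir -p "$root/etc"
    echo up > "$root/etc/hostname.$if1"
    echo up > "$root/etc/hostname.$if2"
    echo "add $if1 add $if2 up" > "$root/etc/hostname.$br"
    chmod 640 "$root/etc/hostname.$if1" "$root/etc/hostname.$if2" "$root/etc/hostname.$br"
}

# The sysctl lines from the first step, appended only if not already present.
# A bridge switches frames at layer 2 and works without IP forwarding; these
# only matter if the box also routes between subnets.
write_sysctl() {
    root=$1
    mkdir -p "$root/etc"
    for line in net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1; do
        grep -qx "$line" "$root/etc/sysctl.conf" 2>/dev/null ||
            echo "$line" >> "$root/etc/sysctl.conf"
    done
}

# Sample ruleset. PF sees every bridged packet twice (in on one member, out on
# the other), so the inside member is passed wholesale and all policy sits on
# the outside member. Rules are never written against $BR itself. PF keeps the
# last matching rule, hence the logged default deny at the top; quick rules
# match immediately regardless of position.
gen_pf_conf() {
    ext_if=$1; int_if=$2; lan=$3
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
lan    = "$lan"
tcp_services = "{ 22 80 443 }"

set skip on lo
block log all

# Nothing arriving from outside may carry an inside source address.
block in quick on \$ext_if inet from \$lan

# Trust the inside member; policy is enforced on the outside member.
pass on \$int_if all

# Inside hosts may start any connection; the state also covers the replies.
pass out on \$ext_if inet from \$lan

# Only these services are reachable from outside.
pass in on \$ext_if inet proto tcp to \$lan port \$tcp_services
pass in on \$ext_if inet proto icmp icmp-type echoreq to \$lan
EOF
}

stage() {
    write_hostname_files "$ROOT" "$IF1" "$IF2" "$BR"
    write_sysctl "$ROOT"
    gen_pf_conf "$IF1" "$IF2" "$LAN" > "$ROOT/etc/pf.conf"
}

case "${1:-}" in
    stage) stage ;;
    apply) stage                                   # meant for ROOT="" on the firewall
           bridge_up_cmds "$IF1" "$IF2" "$BR" | sh -e
           pfctl -nf "$ROOT/etc/pf.conf"          # syntax check before loading
           pfctl -ef "$ROOT/etc/pf.conf"          # enable PF and load the rules
           ifconfig "$BR" ;;                      # both members should be listed
    *) echo "usage: ROOT=/tmp/stage $0 stage | $0 apply" >&2 ;;
esac
```

Run `ROOT=/tmp/stage sh bridge-setup.sh stage` first and read the files it produced, then `sh bridge-setup.sh apply` as root on the firewall: it builds the bridge, syntax-checks the ruleset with pfctl -n and only then enables PF and loads it. The default deny is logged, so `tcpdump -nei pflog0` shows exactly what the bridge drops, and the anti-spoofing rule uses quick because, with last-match semantics, it would otherwise be overridden by the pass rules below it.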