OpenBSD Journal

NAT with pf

Contributed by jose on from the jacek's-writings dept.

Jacek Artymiak is back at it again. In this installment of Securing Small Networks with OpenBSD, Jacek begins a tour of the pf feature set. This column is about NAT with pf, which many of us use to keep our personal networks fully on our cable modems. This article covers a lot of ground in PF and will be a useful reference for some of the newer features in pf for many users. Thanks again, Jacek!


  1. By Anonymous Coward () on

    s/nat on $ext_if proto $nat_p from $prv_ads to any -> $ext_ad/nat on $ext_if proto $nat_p from $prv_ads to !$prv_ads -> $ext_ad

    1. By Anonymous Coward () on

      Where can I find a really good, complete, and secure /etc/pf.conf . Most of the ones I've seen haven't been complete.

        1. By Anonymous Coward () on

          hehehe very clever. i should've made myself more clear. i'm looking for something that will nat my lan and like only allow out smtp, www, https, dns, and ftp. it wouldn't allow anything in and would drop all packets originating from the outside. i guess my main point is that there are so many options and i'm not sure which order it should all go in.

          1. By Anonymous Coward () on

            Write one yourself. It's not very hard:

            1) Make a list of what should be let through and in what directions.
            2) Read the man page.
            3) Write a pf.conf.
            4) Test.
            5) Repeat 2-4 until the tests are successful.

            It'll take a while, but it's worth it. pf is great to work with.

          2. By Xavier Santolaria () on

            Have a look at {3.2,current}. You should get enough information there to make it work in your env'.

          3. By Michael Anuzis () on

            Taught a course at my university that covered this topic. Check out day 3:

            If you scroll down to "Designing your firewall", section 3; there's an area where I've recommended a basic structure of what order to put your rules in. This is the structure I use and I find it works very well.

            just a disclaimer/forewarning: the class was taught fairly casually, don't expect too much strictness/formality. --Michael

      2. By gryp () on

        I am currently busy writing a manual for pf. I'm just in a starting phase, so it is not ready yet. I guess it won't be useful until OpenBSD 3.3.

      3. By Anonymous Coward () on

      4. By Anonymous Coward () on

        unplug your network cable from cable/dsl modem and you are safe from now on

    2. By Anonymous Coward () on

      After applying all available patches, recompiling kernel, and rebooting, I find it best to set up a sample pf.conf that passes and logs everything. Have a list of the things that you would like to do, connect to internet, newsgroups, mail, etc. Then shut down your internet connection and look at the logs. From there you can open up what you need and block everything else. Not too much trouble and you end up with exactly what you are looking for, protected by a GREAT firewall.
      Here's to daniel.
      Or RTFM (:0
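The thread above asks for three things at once: the nat rule with the `to !$prv_ads` change from comment 1, a rule order that lets the LAN out only for smtp, www, https, dns and ftp while dropping everything that originates outside, and the "log everything, then tighten" approach from the last reply. The pf.conf below is an added example written for this page, not a configuration from the article, from Jacek Artymiak or from anyone in the thread. It uses the pre-4.7 `nat on` syntax the thread is discussing, and the interface names (xl0, xl1), the LAN block, and the public address are assumptions you must replace with your own values.

```pf
# Added example pf.conf in the old "nat on" syntax used in this thread.
# Interface names and addresses below are assumptions; replace them.
ext_if  = "xl0"              # assumed: interface facing the cable/DSL modem
int_if  = "xl1"              # assumed: interface facing the LAN
prv_ads = "192.168.1.0/24"   # assumed: private LAN block
ext_ad  = "203.0.113.5"      # assumed: public address assigned by the ISP
out_tcp = "{ 25, 80, 443, 21 }"   # smtp, www, https, ftp control channel
out_udp = "{ 53 }"                # dns

# 1. Normalise fragments before any filter rule sees them.
scrub in all

# 2. Translation. "to !$prv_ads" (the change suggested in comment 1) means
#    only packets that really leave the private block are rewritten to
#    $ext_ad; LAN-to-LAN traffic passing through this box keeps its source.
nat on $ext_if from $prv_ads to !$prv_ads -> $ext_ad

# 3. Default deny in both directions, logged to pflog0, so the
#    "pass and log everything, then tighten" method has something to read.
block in  log all
block out log all

# 4. Loopback and the LAN side are trusted; "quick" stops evaluation here.
pass quick on lo0 all
pass in  quick on $int_if from $prv_ads to any keep state
pass out quick on $int_if from any to $prv_ads keep state

# 5. The only traffic allowed out to the Internet is the service list from
#    the thread. "keep state" lets the replies back in through $ext_if, and
#    because there is no "pass in on $ext_if" at all, nothing that originates
#    on the outside is ever accepted.
pass out on $ext_if proto tcp from $ext_ad to any port $out_tcp flags S/SA keep state
pass out on $ext_if proto udp from $ext_ad to any port $out_udp keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch `tcpdump -n -e -ttt -i pflog0` while you use the LAN; every blocked connection shows up there with the rule number that dropped it, which is exactly the feedback loop the last reply describes. Two caveats on the service list: the rule order matters because `block ... all` must come before the `pass` rules that punch holes in it (later matching rules win unless `quick` is used), and port 21 alone only covers the FTP control channel; the data connections that FTP opens on other ports need ftp-proxy(8) with an rdr rule, which this example deliberately leaves out.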

  2. By Anonymous Coward () on

    SO nobody is perfect here


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]