[geeks] YeeHa
Shawn Wallbridge
shawn at synack-hosting.com
Fri May 17 23:24:45 CDT 2002
I am using the snapshot from about a week ago, so pretty close. I will go to
3.1 sometime in the next couple of weeks. I have done so many OBSD installs
in the last couple of weeks (some friends and I did a presentation on
OpenBSD to the local Unix User Group) that I don't really feel like doing
another one tomorrow.
Mine is pretty much the stock one in the FAQ, but here it is.
bash-2.05a$ cat /etc/pf.conf
# Define useful variables
ExtIF="le0" # External Interface
IntNet="192.168.0.0/24" # Our internal network
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# Clean up fragmented and abnormal packets
scrub in all
# don't allow anyone to spoof non-routeable addresses
block in quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs
# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ExtIF all
# allow ssh
pass in on $ExtIF inet proto tcp from any to any port 22 flags S/SA keep state
# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state
bash-2.05a$ cat /etc/nat.conf
nat on le0 from 192.168.0.0/24 to any -> x.x.x.x
shawn
-----Original Message-----
From: geeks-admin at sunhelp.org [mailto:geeks-admin at sunhelp.org]On Behalf
Of alex j avriette
Sent: Friday, May 17, 2002 11:02 PM
To: geeks at sunhelp.org
Subject: Re: [geeks] YeeHa
On Friday, May 17, 2002, at 11:40 PM, Shawn Wallbridge wrote:
> I just replaced my firewall running Linux on a P166 with a SPARCclassic
> running OpenBSD.
are you using -current? 3.1 comes out, um, tomorrow. care to share your
pf.conf?
alex
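
The pf.conf posted above relies on pf's evaluation order: the last matching rule decides, unless a matching rule is marked quick. As an added example (not part of the original messages), this Python sketch models those rules to show which one decides a given packet. It assumes a simplified model with no state tracking or scrub; the packet field names and sample addresses are constructed for illustration.

```python
import ipaddress

# Simplified model of the ruleset posted above (assumption: only the fields
# these rules use are modelled; "keep state" and "scrub" are left out).
NO_ROUTE = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
RULES = [
    # (action, direction, quick, match criteria)
    ("block", "in",  True,  {"src": NO_ROUTE}),
    ("block", "out", True,  {"dst": NO_ROUTE}),
    ("block", "in",  False, {}),
    ("pass",  "in",  False, {"proto": "tcp", "dport": 22, "flags": "S"}),
    ("pass",  "out", False, {"proto": "tcp", "flags": "S"}),
    ("pass",  "out", False, {"proto": "udp"}),
    ("pass",  "out", False, {"proto": "icmp"}),
]

def _in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def _matches(pkt, direction, crit):
    if pkt["dir"] != direction:
        return False
    if "src" in crit and not _in_nets(pkt["src"], crit["src"]):
        return False
    if "dst" in crit and not _in_nets(pkt["dst"], crit["dst"]):
        return False
    if "proto" in crit and pkt["proto"] != crit["proto"]:
        return False
    if "dport" in crit and pkt.get("dport") != crit["dport"]:
        return False
    # "flags S/SA": of SYN and ACK, only SYN is set (a connection opener).
    # pkt["flags"] holds whichever of "S" and "A" are set, e.g. "S" or "SA".
    if "flags" in crit and pkt.get("flags") != crit["flags"]:
        return False
    return True

def evaluate(pkt):
    """Return (action, rule index): last match wins, a quick match stops."""
    verdict = ("pass", None)  # pf passes a packet that matches no rule
    for i, (action, direction, quick, crit) in enumerate(RULES):
        if _matches(pkt, direction, crit):
            verdict = (action, i)
            if quick:
                break
    return verdict
```

A SYN to port 22 from a routable source matches both the default block and the later ssh pass, so the pass wins; the same packet with a 10.x source never reaches the ssh rule because the quick anti-spoofing block ends evaluation first.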