Setting up PF

tested on OpenBSD 6.9

SNAT

Turn on IP forwarding now and make it persist across reboots (without it the firewall filters its own traffic only and never forwards the LAN's packets):

    sysctl net.inet.ip.forwarding=1
    echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf

mv -i /etc/pf.conf /etc/pf.conf.dist
vi /etc/pf.conf

set skip on lo
pass
match out on vio0 from 10.1.1.0/24 to any nat-to 192.168.122.X

192.168.122.X is the firewall's own address on vio0, the outside interface. Writing the interface name in parentheses, nat-to (vio0), makes PF track that address if it changes (DHCP). The bare pass rule lets everything through; tighten it once forwarding works.

FULL NAT (port forward plus reflection)

Since OpenBSD 4.7, rdr-to and nat-to are options on an ordinary filter rule rather than separate rdr/nat rules. A plain rdr-to on the outside interface forwards outside clients to INTERNAL-IP, but a client on the internal network that connects to the public address gets redirected back onto its own segment and the server answers it directly, bypassing the firewall's state table. Two rules on the internal interface fix that: the first redirects, the second rewrites the client's source address to the firewall's internal address so the reply comes back through the firewall.

pass in on INTERNAL-NIC proto tcp from CIDR to FACING-NIC port 80 rdr-to INTERNAL-IP
pass out on INTERNAL-NIC proto tcp to INTERNAL-IP port 80 received-on INTERNAL-NIC nat-to INTERNAL-NIC

received-on restricts the second rule to connections that entered on INTERNAL-NIC, so traffic from outside clients keeps its real source address and the server's logs stay useful.
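A complete /etc/pf.conf that ties the SNAT and the port-forward/reflection rules above together, with a logged default block so the Logging section below has something to show. This is an added example, not the page's own config: the interface names (vio0 outside, vio1 inside), the web server 10.1.1.80, the macro names and the management rule are assumptions, as is 192.168.122.X standing for the firewall's outside address.

```pf
# /etc/pf.conf  (added example; vio0, vio1, 10.1.1.80 and the macro names are assumptions)
ext_if  = "vio0"          # faces the outside (192.168.122.X)
int_if  = "vio1"          # faces the LAN
int_net = "10.1.1.0/24"
web_srv = "10.1.1.80"     # internal web server reached via the public address

set skip on lo

# Drop packets whose source claims to be on the LAN but arrive elsewhere
antispoof quick for $int_if

# Default deny, logged to pflog0 so tcpdump -i pflog0 shows what was dropped
block log

# SNAT: LAN traffic leaving vio0 gets vio0's address as source.
# (ext_if) in parentheses tracks the interface address if it changes.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# LAN may go anywhere; the firewall and forwarded traffic may leave on any interface
pass in on $int_if inet from $int_net to any
pass out

# Port forward: outside clients hitting the public address on 80 reach the server
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $web_srv

# Reflection: LAN clients using the public address are redirected too, and their
# source is rewritten to the firewall's LAN address so replies come back via PF.
# received-on keeps the rewrite from touching connections that came from outside.
pass in  on $int_if inet proto tcp from $int_net to ($ext_if) port 80 rdr-to $web_srv
pass out on $int_if inet proto tcp to $web_srv port 80 received-on $int_if nat-to $int_if

# Management: ssh to the firewall only from the LAN
pass in on $int_if inet proto tcp from $int_net to ($int_if) port 22
```

PF uses last-matching-rule semantics, so the specific rdr-to and nat-to rules must come after the broad pass rules they override. Check it with pfctl -nf before loading.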

Ready to go

Before loading the ruleset, keep an eye on system messages in a second terminal so kernel and pfctl complaints are not missed:

tail -f /var/log/messages

check syntax

pfctl -nf /etc/pf.conf

enable

pfctl -e

(re)load (existing states survive a reload; flush them with pfctl -F states if old rules must stop applying to open connections)

pfctl -f /etc/pf.conf

show the state table (-s rules lists the loaded ruleset, -s info the counters)

pfctl -s state

disable

pfctl -d

Logging

Only rules that carry the log keyword write to pflog0; pflogd copies those packets into /var/log/pflog. Enable and start the logger:

rcctl enable pflogd
rcctl start pflogd

watch the traffic live

    tcpdump -n -e -ttt -i pflog0

review logs from the past

    tcpdump -n -e -ttt -r /var/log/pflog
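Raw tcpdump output gets long quickly, so here is a small shell helper that summarises decoded pflog lines: blocked inbound connections per source address and per destination port. It is an added example, not part of the page or of OpenBSD; it only relies on the line shape tcpdump prints for pflog ("rule N/(match) ACTION DIR on IF: SRC.PORT > DST.PORT: ..."). The sample lines are constructed (RFC 5737 documentation addresses, an assumed vio0 interface), not a real capture; on the firewall, pipe the tcpdump -r command above into the functions instead.

```sh
#!/bin/sh
# Summarise decoded pflog output (added example, not from the page or OpenBSD).
# Real use on the firewall:
#   tcpdump -n -e -ttt -r /var/log/pflog | pflog_top_blocked

# Constructed sample lines in the tcpdump pflog format; vio0 and the
# addresses are assumptions, not a real capture. Line 7 is ICMP (no ports).
sample_pflog() {
    cat <<'EOF'
Jun 01 10:00:01.123456 rule 1/(match) block in on vio0: 203.0.113.5.40001 > 192.168.122.10.22: S 1:1(0) win 65535
Jun 01 10:00:02.223456 rule 1/(match) block in on vio0: 203.0.113.5.40002 > 192.168.122.10.23: S 1:1(0) win 65535
Jun 01 10:00:03.323456 rule 1/(match) block in on vio0: 203.0.113.5.40003 > 192.168.122.10.3389: S 1:1(0) win 65535
Jun 01 10:00:04.423456 rule 1/(match) block in on vio0: 198.51.100.7.51000 > 192.168.122.10.22: S 1:1(0) win 65535
Jun 01 10:00:05.523456 rule 4/(match) pass in on vio0: 198.51.100.9.52000 > 192.168.122.10.80: S 1:1(0) win 65535
Jun 01 10:00:06.623456 rule 2/(match) block out on vio0: 10.1.1.20.33000 > 203.0.113.9.25: S 1:1(0) win 65535
Jun 01 10:00:07.723456 rule 1/(match) block in on vio0: 203.0.113.5 > 192.168.122.10: icmp: echo request
EOF
}

# Parse each logged packet into: action dir iface src sport dst dport
# The fields are located relative to the literal "on" so the parser does not
# depend on how many columns the timestamp takes. An address without a port
# (ICMP) has four dotted parts instead of five and gets port "-".
pflog_fields() {
    awk '
    function split_ap(str, ap,   n, p) {
        sub(/:$/, "", str)
        n = split(str, p, ".")
        ap["port"] = (n == 5) ? p[5] : "-"
        ap["addr"] = (n == 5) ? substr(str, 1, length(str) - length(p[5]) - 1) : str
    }
    index($0, "/(match)") == 0 { next }
    {
        for (i = 1; i <= NF; i++) if ($i == "on") break
        if (i < 3 || i + 4 > NF) next          # malformed line, skip it
        action = $(i - 2); dir = $(i - 1)
        iface = $(i + 1);  sub(/:$/, "", iface)
        split_ap($(i + 2), sa)
        split_ap($(i + 4), da)
        print action, dir, iface, sa["addr"], sa["port"], da["addr"], da["port"]
    }'
}

# Blocked inbound packets per source address, most frequent first
pflog_top_blocked() {
    pflog_fields | awk '$1 == "block" && $2 == "in" { c[$4]++ }
        END { for (k in c) print c[k], k }' | LC_ALL=C sort -k1,1rn -k2,2
}

# Blocked inbound packets per destination port ("-" for ICMP)
pflog_blocked_ports() {
    pflog_fields | awk '$1 == "block" && $2 == "in" { c[$7]++ }
        END { for (k in c) print c[k], k }' | LC_ALL=C sort -k1,1rn -k2,2
}

# Demo on the constructed sample
sample_pflog | pflog_top_blocked
sample_pflog | pflog_blocked_ports
```

Anything tcpdump prints that does not contain "/(match)" (continuation lines, warnings) is ignored, and the "pass" and "block out" lines are parsed but left out of the blocked-inbound counts, so the summaries stay honest when the ruleset logs more than just blocks.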

Resources

OpenBSD PF - Getting Started https://www.openbsd.org/faq/pf/config.html

General PFCTL Commands https://www.openbsdhandbook.com/pf/cheat_sheet/

syntax

https://man.openbsd.org/pf.conf

https://forums.freebsd.org/threads/pf-and-multiple-external-interfaces.21270/

https://www.rubysecurity.org/pf-syntax-check

icmp

https://www.cymru.com/Documents/icmp-messages.html

nat

OpenBSD PF - Network Address Translation https://www.openbsd.org/faq/pf/nat.html

OpenBSD PF - Traffic Redirection (Port Forwarding) https://www.openbsd.org/faq/pf/rdr.html

31.3. PF https://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html

logging

OpenBSD PF - Logging https://www.openbsd.org/faq/pf/logging.html

Filtering PF firewall logs https://www.techrepublic.com/blog/it-security/filtering-pf-firewall-logs/

advanced

COMPLEX ROUTING WITH OPENBSD https://research.kudelskisecurity.com/2013/05/21/complex-routing-with-openbsd/
