tested on obsd69
sysctl net.inet.ip.forwarding=1
ls -lF /etc/sysctl.conf # does not exist
echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
mv -i /etc/pf.conf /etc/pf.conf.dist
vi /etc/pf.conf
dedicated IP
set skip on lo
pass out on vio0 from INTERNAL-CIDR to any nat-to EXTERNAL-IP
–or–
match out on xn0 inet from INTERNAL-CIDR nat-to EXTERNAL-IP
masquerade
set skip on lo
pass out on vio0 from INTERNAL-CIDR to any nat-to vio0
and in case your facing IP sometimes changes while serving NAT
pass out on vio0 from INTERNAL-CIDR to any nat-to (vio0)
dedicated facing IP
pass on vio0 from INTERNAL-IP to any binat-to FACING-IP
masquerade
pass on vio0 from INTERNAL-IP to any binat-to vio0
masquerade a changing IP
pass on vio0 from INTERNAL-IP to any binat-to (vio0)
tail -f /var/log/messages
check syntax
pfctl -nf /etc/pf.conf
enable
pfctl -e
(re)load
pfctl -f /etc/pf.conf
show loaded queue definitions
pfctl -sq
status
pfctl -s state
disable
pfctl -d
enable and start the logger
rcctl enable pflogd
rcctl start pflogd
watch the traffic live
tcpdump -n -e -ttt -i pflog0
review logs from the past
tcpdump -n -e -ttt -r /var/log/pflog
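added example (not part of the original notes): a minimal gateway ruleset that ties the masquerade rule to the logging commands above. pflog0 only carries packets matched by a rule with the log keyword, and none of the rules above set it. vio1 and 10.0.0.0/24 are assumed values.

```conf
# /etc/pf.conf -- constructed example, not from the original notes
ext_if  = "vio0"          # facing interface, as in the rules above
int_if  = "vio1"          # assumed internal interface
int_net = "10.0.0.0/24"   # assumed value for INTERNAL-CIDR

set skip on lo

# Default deny. "log" copies every blocked packet to pflog0, so
# unexpected traffic shows up in tcpdump -i pflog0.
block log all

# Accept traffic from internal clients on the internal interface
# (to the gateway itself and to be forwarded).
pass in on $int_if inet from $int_net

# Masquerade. (vio0) in parentheses makes pf follow address changes
# on the interface. Rules keep state by default, so "log" records
# only the packet that creates each state, not the whole flow.
pass out log on $ext_if inet from $int_net to any nat-to ($ext_if)

# The gateway's own outbound traffic, not logged.
pass out on $ext_if inet from ($ext_if)

# No inbound rule on $ext_if is defined here: add the rule for your
# own management access before loading this on a remote machine.
```

With -e, tcpdump prints the matching rule number and the action (block or pass) for each logged packet.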