tested on obsd69
sysctl net.inet.ip.forwarding=1
echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
mv -i /etc/pf.conf /etc/pf.conf.dist
vi /etc/pf.conf
set skip on lo
pass
match out on vio0 from 10.1.1.0/24 to any nat-to 192.168.122.X
within a firewall rule
pass in on INTERNAL-NIC proto tcp from CIDR to FACING-NIC port 80 rdr-to INTERNAL-IP pass out on INTERNAL-NIC proto tcp to INTERNAL-IP port 80 received-on INTERNAL-NIC nat-to INTERNAL-NIC
tail -f /var/log/messages
check syntax
pfctl -nf /etc/pf.conf
enable
pfctl -e
(re)load
pfctl -f /etc/pf.conf
status
pfctl -s state
disable
pfctl -e
enable and start the logger
rcctl enable pflogd rcctl start pflogd
watch the traffic live
tcpdump -n -e -ttt -i pflog0
review logs from the past
tcpdump -n -e -ttt -r /var/log/pflog
OpenBSD PF - Getting Started https://www.openbsd.org/faq/pf/config.html
General PFCTL Commands https://www.openbsdhandbook.com/pf/cheat_sheet/
https://man.openbsd.org/pf.conf
https://forums.freebsd.org/threads/pf-and-multiple-external-interfaces.21270/
https://www.rubysecurity.org/pf-syntax-check
https://www.cymru.com/Documents/icmp-messages.html
OpenBSD PF - Network Address Translation https://www.openbsd.org/faq/pf/nat.html
OpenBSD PF - Traffic Redirection (Port Forwarding) https://www.openbsd.org/faq/pf/rdr.html
31.3. PF https://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html
OpenBSD PF - Logging https://www.openbsd.org/faq/pf/logging.html
Filtering PF firewall logs https://www.techrepublic.com/blog/it-security/filtering-pf-firewall-logs/
COMPLEX ROUTING WITH OPENBSD https://research.kudelskisecurity.com/2013/05/21/complex-routing-with-openbsd/