Charles wrote:
> Greeting all..
> I have brought my 2 year old OpenBSD 3.3 box out of
> the attic after 2 years..
> Plugged it in.. turned on pf and it worked.. but my rules need to be
> updated..
>
> I am now running my own Mailserver and have a VOIP phone..
> Tried to update based on other posts
> ---------
> Problems:
> I am not receiving mail
> and
> Not sure what to use to ensure QOS for my VOIP phone..
>
> --------
> I will move to OpenBSD 3.7 when i have the rules working correctly.
>
> thx for any help..
>
> -----------
> My setup
>
> OpenBSD 3.3 Intel NetPC ( 1 onboard intel and 1 PCI nic - only one pci
> slot so can't have a DMZ)
>
> Mail Server 192.168.1.2
> Voip Phone 192.168.1.7
>
> My rules (borrowed and modifed )(tried to comment better)
>
> ************************************************** ***********
> # ---------------------
> # Generic configuration
> # ---------------------
>
> set limit { states 20000, frags 20000 }
> set optimization aggressive
> # Enabling the block-policy return show "closed ports"
> http://scan.sygatetech.com/quickscan.html
> # set block-policy return
> set fingerprints "/etc/pf.os"
>
> # --------------------
> # Variable definitions
> # --------------------
>
> ext_if = "fxp0"
> int_if = "xl0"
> dhcp_servers = "{ 172.19.57.13 }"
>
> # new macros not working (need to check syntax)
> # 192.168.1.2 = "mail"
> # 192.168.1.7 = "voipbox"
>
> # a portnumber.
> friends = "xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx"
> # read the pf-howto for details.
> TCP_OPTIONS = "flags S/SAFR keep state"
>
> # http://www.iana.org/assignments/ipv4-address-space
> # http://rfc.net/rfc1918.html
> reserved = " {
> 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8,
> 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16,
> 224.0.0.0/3 } "
> # Persistant IPs
> bad = " { 61.143.182.138, 211.162.110.197, 82.67.29.10,
> 203.197.199.180 } "
>
> #Tables
> table persist { 216.73.80.0/20, 204.253.104.0/24,
> 205.138.3.0/24, 208.184.29.0/24 }
> table persist { 2.23.190.0/24, 65.247.105.0/24,
> 65.215.137.0/24 }
> table persist file "/etc/tables/blacklists"
> # spamd-setup puts addresses to be redirected into table .
> table persist
> # These hosts are trusted
> trusted = "{ xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx,
> xxx.xxx.xxx.xxx }"
>
>
> # For Future
> # server = "{ smtp, http }"
> # guest = "xxx.xxx.xxx.xxx"
>
>
> # -----------
> # scrub rules
> # -----------
>
> # scrub in all # borks with linux nfs
> scrub in on $ext_if all
>
> # but this fixes it again
> scrub in on $int_if all no-df
>
>
> # ----------
> # altq rules
> # ----------
>
> # These are very simple altq rules.
> # All they do is give priority to outgoing ssh traffic.
> altq on $ext_if cbq bandwidth 128Kb \
> queue { std_out, ssh_out, ack_out}
>
> queue std_out cbq(red default)
> queue ssh_out priority 4 cbq(red)
> queue ack_out priority 6 cbq(red)
>
> # ---------
> # Nat and Rdr rules
> # ---------
>
> nat on $ext_if inet from $int_if/24 to any -> ($ext_if)
>
> # Redirect to Mailserver
> rdr on $ext_if proto tcp from any to $ext_if port 2525 -> 192.168.1.2
> port 2525
> # --------
> # pf rules
> # --------
>
> # Default policy.
> # remove the log-keyword if you ever get ddossed.
> block out log on $ext_if all queue std_out
> block in log on $ext_if all
>
>
> # ---------------
> # SPOOFERS
> # ---------------
>
> # Block spoofing.
> block in quick on $ext_if from $reserved to any
> block out quick on $ext_if from $reserved to any
>
> # bad ips.
> block in quick on $ext_if from $bad to any
>
> # antispoof _has_ to be preceeded with pass in quick on lo0 all.
> pass in quick on { lo0, lo1 } all
> antispoof for { lo0, $int_if, $ext_if }
>
> # -deny popup ads
> block in quick on $ext_if from any to { , ,
> }
> block out quick on $ext_if from { , ,
> } to any
>
> # block x10 ads
> block in quick on $ext_if from 63.211.210.20/32 to any
> block out quick on $ext_if from any to 63.211.210.20/32
>
>
> # Block AIM
> # block in on $int_if from any to login.oscar.aol.com
>
> # ----
> # ICMP
> # ----# The inet keyword means ipv4 so ipv6 pings will be blocked.
> pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
> queue std_out
> pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
>
>
> # ---
> # UDP
> # ---
>
> # outgoing UDP
> pass out quick on $ext_if proto udp all keep state queue std_out
>
>
> # I only allow dhcp-traffic from the dhcp-servers I use.
>
> pass in quick on $ext_if inet proto {udp,tcp} \
> from $dhcp_servers port 67 \
> to 255.255.255.255 port 68
>
> # ---
> # TCP
> # ---
>
> # Incoming TCP
>
> # First the nat'ed traffic
>
> # The rest of all this trafic should be aimed at $ext_if so We can cut
> # of the rest. Broadcasts and other garbage. Saves a lot of fubar in
> # the logs
>
> block in quick on $ext_if inet from any to ! ($ext_if)
>
>
> # trusted
> pass in quick on $ext_if inet proto tcp from $trusted to ($ext_if)
> port ssh \
> $TCP_OPTIONS
>
> # Pass rule for Mailserver
>
> pass in quick on $ext_if inet proto tcp from any to any port 2525 \
> keep state
>
> # Outgoing TCP
>
> # Outgoing SSH always gets the highest priority.
> pass out quick on $ext_if proto tcp from any to any port ssh \
> keep state queue ( ssh_out, ack_out )
>
> pass out quick on $ext_if proto tcp all keep state \
> queue std_out
>
> # Make voip super interactive for smooth conversation
> pass in on $ext_if proto { udp, icmp } from any to 192.168.1.7 \
> keep state queue voip_in
> pass out on $ext_if proto { udp, icmp } from 192.168.1.7 to any \
> keep state queue voip_out
>
------------------------------
After more reading on altq and several other sites.. my email server is
receiving mail (on a non-standard port) .. still working on
the proper numbers for alt queue

My broadband connection is 4Mb down and 384 up.. my main concern is for
voip..

Looks like I will have to read more..

I wish there were some "default examples" for pf instead of having to
scour the internet for them.. (oh I know about the ones on Openbsd.org)

anyway.. I will post back my pf.conf (which is really quite simple) for
others to use..