On 8 Feb 2007 10:09:22 -0800, Boardstretcher wrote:
> OpenBSD 4.0 pf scenario and questions
>
> Network:
> Openbsd Gateway with 2 NiC's
> xl0 connected to cable modem (dhclient)
> fxp0 connected to hub (dhcpd and bind)
>
> Computers connected to hub
> computer1 - 192.168.100.2
> computer2 - 192.168.100.3
>
> Objectives I am having trouble with:
>
> 1) Allow some traffic from computer1 to internet (port 80)
> 2) Disallow some traffic from computer1 to internet (the rest)
> 3) Allow all traffic from computer2 to internet
> 4) Allow some traffic into bsd box (port 80)
> 5) Forward packets from internet to computer2 ports (6000, 50000,
> 50001)


Need to change the order of appearance somewhat. Of course, you do
have the NAT rule(s) in place, I assume.

# 5:
rdr on $ext_if proto tcp from any to any port 6000 -> $computer2
rdr on $ext_if proto tcp from any to any port 50000 -> $computer2
rdr on $ext_if proto tcp from any to any port 50001 -> $computer2

# 2:
block out on $ext_if all
pass quick on $int_if # only filter on $ext_if

# 1:
pass out quick on $ext_if proto tcp from $computer1 to any port 80 \
keep state
pass out quick on $ext_if proto udp from $computer1 to any port 53 \
keep state

# 3:
pass out quick on $ext_if proto tcp from $computer2 to any keep state
pass out quick on $ext_if proto udp from $computer2 to any keep state
pass out quick on $ext_if proto icmp from $computer2 to any keep state

# 4: keep state so the web server's replies get past "block out"
pass in quick on $ext_if proto tcp from any to $ext_if port 80 keep state

--
New and exciting signature!
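As an added example (not part of the thread, not the reply author's ruleset), here is a complete /etc/pf.conf in OpenBSD 4.0 syntax that implements the five objectives from the original post. It takes xl0, fxp0 and the two host addresses from the post; the macro names, the port list macro, the default-deny on both interfaces, and the DHCP rule are assumptions. The one design difference from the reply above matters for correctness on 4.0: nat and rdr translation is applied before the filter rules are evaluated, so an outbound rule on the external interface sees the gateway's address as the source, not the LAN host's. Per-host policy therefore has to be enforced inbound on the internal interface, where the original LAN addresses are still visible, while the external interface only needs a generic "pass out" for the already-translated traffic.

```pf
# Added example for the thread's topology (OpenBSD 4.0 pf syntax, not the poster's config).
# Interface names and LAN addresses are the ones given in the original post;
# macro names, the port list and the default-deny policy are assumptions.
ext_if    = "xl0"
int_if    = "fxp0"
lan_net   = "192.168.100.0/24"
computer1 = "192.168.100.2"
computer2 = "192.168.100.3"
fwd_ports = "{ 6000, 50000, 50001 }"

set skip on lo
scrub in all

# Source NAT for the LAN behind the cable modem's DHCP address. The parentheses
# make pf re-read the address whenever dhclient changes it.
nat on $ext_if from $lan_net to any -> ($ext_if)

# 5) Translation only: the redirected packets still have to pass the filter below.
rdr on $ext_if proto tcp from any to ($ext_if) port $fwd_ports -> $computer2

# Default deny on the external interface in both directions, and inbound on the
# LAN side; outbound onto the LAN is not restricted.
block in  on $ext_if all
block out on $ext_if all
block in  on $int_if all
pass out quick on $int_if all

# Every LAN host may reach the gateway itself (dhcpd and bind live there).
pass in quick on $int_if proto udp from any port 68 to any port 67
pass in quick on $int_if from $lan_net to $int_if keep state

# 1) and 2) computer1: HTTP to anywhere, nothing else (falls through to the block above).
pass in quick on $int_if proto tcp from $computer1 to any port 80 flags S/SA keep state

# 3) computer2: everything.
pass in quick on $int_if from $computer2 to any keep state

# The gateway's own traffic and the LAN traffic that nat has already rewritten to
# ($ext_if): by the time a packet is filtered here its source is the external address.
pass out quick on $ext_if from ($ext_if) to any keep state

# 4) The gateway's own web server; keep state lets the replies out past "block out".
pass in quick on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA keep state

# 5) Packets that rdr has already rewritten to computer2 (the filter sees the new destination).
pass in quick on $ext_if proto tcp from any to $computer2 port $fwd_ports flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s rules` shows how pf expanded the macros and port lists, and `pfctl -s states` shows one state on fxp0 and one on xl0 for each LAN connection that is passing, which is the quickest way to see whether a host is being stopped on the internal interface (no state at all) or on the external one.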