[wellylug] OpenBSD firewalls (was 'Broadband')

David Antliff dave.antliff at paradise.net.nz
Thu Aug 12 12:30:48 NZST 2004


On Thu, 12 Aug 2004, Mark Signal wrote:

> Are there many differences between setting up a firewall on BSD versus
> Linux?

Hi Mark,

The configuration differences are significant but the functionality is
similar - as you know, Linux makes use of IPTables. This has the potential
to be quite complex (and flexible); however, it's fairly easy to use
'standard' rules for most configurations.  OpenBSD on the other hand uses
PF - Packet Filter (which now includes NAT, balancing, etc). This performs
a similar job but is different in execution.

http://www.openbsd.org/faq/pf/

For example, your rules might look like this (incomplete rule set):

ext_if="ne0"
int_if="ne3"
# the two macros below are referenced further down and must be defined
# before pfctl will load the file; the values are just examples
internal_net="192.168.0.0/24"     # LAN behind $int_if
external_addr="203.0.113.10"      # public address on $ext_if

# NAT section
nat on $ext_if from $internal_net to any -> ($ext_if)
# redirect ssh
rdr on $ext_if proto tcp from any to $external_addr/32 port 22 -> 192.168.0.34 port 22


# Packet Filter section

# start safe
block in all
block out all

pass quick on lo0 all

# allow all incoming connections from trusted addresses
pass in quick on $int_if from $internal_net to any flags S/SA keep state

# allow the following connections from untrusted hosts
pass in quick proto tcp from any to any port 22 flags S/SA keep state

+ a few outgoing rules as exceptions to 'block out all'.


It does all your standard logging, statistics, etc.

Personally I find PF easier to use. I wouldn't say it was better or worse
than iptables, just different. I'm not an advanced PF user by any means.
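To illustrate the "similar job, different execution" point, here is the same policy as the PF rule set in the post expressed as iptables commands. This is an added example, not part of the original message; the interface names and the values assumed for $internal_net and $external_addr are placeholders, and by default the script only prints the commands (set IPT=iptables to apply them).

```shell
#!/bin/sh
# Hypothetical iptables equivalent of the PF rules above (added example).
# Default is a dry run that prints each command; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"
EXT_IF="ne0"
INT_IF="ne3"
INTERNAL_NET="192.168.0.0/24"   # assumed value for $internal_net
EXTERNAL_ADDR="203.0.113.10"    # assumed value for $external_addr

apply_rules() {
    # start safe: same intent as "block in all" / "block out all"
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP

    # pass quick on lo0 all
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # PF's "keep state" is per rule; iptables needs an explicit state
    # rule in every chain that should carry return traffic.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # nat on $ext_if from $internal_net to any -> ($ext_if)
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL_NET -j MASQUERADE

    # rdr on $ext_if proto tcp from any to $external_addr port 22 -> 192.168.0.34
    # (PF filters the packet after rdr, so one pass rule covers it;
    #  iptables needs a DNAT rule plus a separate FORWARD accept)
    $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXTERNAL_ADDR --dport 22 \
        -j DNAT --to-destination 192.168.0.34:22
    $IPT -A FORWARD -i $EXT_IF -p tcp -d 192.168.0.34 --dport 22 --syn -j ACCEPT

    # pass in quick on $int_if from $internal_net to any flags S/SA keep state
    $IPT -A INPUT   -i $INT_IF -s $INTERNAL_NET -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INT_IF -s $INTERNAL_NET -m state --state NEW -j ACCEPT

    # pass in quick proto tcp from any to any port 22 flags S/SA keep state
    $IPT -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
}

apply_rules
```

Note that the post's PF set has no explicit outbound rules yet, so the OUTPUT chain here also stays at DROP apart from loopback and established traffic, matching "block out all".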
