PF firewall rule for passing Echolink

Discussion in 'Firewalls' started by johnblue, Apr 29, 2009.

  1. johnblue

    johnblue Member

    I did some google searching trying to find if anyone else constructed a PF exception for Echolink before I tackled it and the results are fairly sparse.

    I, by no means, have a handle on PF, but this pf.conf is working for me. Here is my contribution for anyone else that might be looking too:
    Code:
    # macros
    #
    ext_if          = "xl0"
    int_if          = "xl1"
    localnet        = $int_if:network
    
    # options
    #
    set loginterface $ext_if
    
    # tables - none
    #
    
    # normalization
    #
    scrub in  on $ext_if all           fragment reassemble
    scrub out on $ext_if all random-id fragment reassemble
    
    # Redirect for Echolink
    #
    rdr on $ext_if proto {tcp,udp} from any to any port 5198:5200 -> 192.168.1.54
    
    # NAT
    #
    nat on $ext_if from $localnet to any -> $ext_if
    
    pass from { lo0, $localnet } to any
    Comments are welcome.

    :)
     
  2. vivek

    vivek New Member

    Usually a firewall should be set to block everything and allow only the required ports. I do not see that you are blocking anything at all...
     
  3. SirDice

    SirDice Moderator Staff Member Moderator

    PF, by default, blocks everything.
     
  4. vivek

    vivek New Member

    I do not see any info regarding a default block in the pf / pf.conf man pages or the openbsd.org PF FAQ page. If this is true, then why do all the books and docs ask you to put in the following:
    Code:
    # setup a default deny policy
    block all
    
     
  5. SirDice

    SirDice Moderator Staff Member Moderator

    Hmm.. It seems I was confused with IPFilter. That has an implicit pass-all rule but can be started with an implicit block-all rule.

    PF seems to have a "pass all" implicit rule:
    http://www.openbsd.org/faq/pf/filter.html

    Implicit rules should never be counted on though. For one, there's no accounting done on them, and second, it's pretty easy to get them the wrong way around (as I've just demonstrated ;) ).
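The same setup with the explicit default deny discussed above, written as an added example and not any poster's configuration: it keeps the posted interfaces, redirect and NAT, adds a logged block all so nothing depends on PF's implicit rule, and admits from the Internet only the ports the rdr already forwards. The $echolink macro, the logging and the state-keeping pass rules are assumptions added here.

```pf
# macros (same interfaces and Echolink host as the posted pf.conf)
ext_if   = "xl0"
int_if   = "xl1"
localnet = $int_if:network
echolink = "192.168.1.54"    # assumed macro for the forwarded host

# options
set loginterface $ext_if
set skip on lo0              # loopback needs no filtering

# normalization
scrub in  on $ext_if all           fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

# translation: unchanged from the posted config
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port 5198:5200 -> $echolink
nat on $ext_if from $localnet to any -> ($ext_if)

# filtering: explicit, logged default deny instead of the implicit pass
block log all

# LAN hosts and the firewall itself may initiate anywhere; state handles replies
pass in  quick on $int_if from $localnet to any keep state
pass out quick on $int_if from any to $localnet keep state
pass out quick on $ext_if from ($ext_if) to any keep state

# only the redirected Echolink ports are accepted from outside.
# rdr runs before filtering, so the rule matches the translated (inside) address.
pass in quick on $ext_if proto { tcp, udp } from any to $echolink port 5198:5200 keep state
```

With `block log all` in place, anything hitting $ext_if that is not Echolink shows up on pflog0, which is the accounting the implicit rule never gives you.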