After much tribulation, I was able to get my FreeBSD machine operating as a gateway router between my LAN and ISP router. I used pf because I found a decent howto online - Building an OpenBSD/pf Firewall. The pain came when I tried typing the rules in - what a friggin' nightmare (insert lots of whining and complaining). Anyhow, I wound up with this set of rules and would like some feedback:
Goals:
Block all inbound traffic on the external interface
Allow all traffic on localhost and on the internal interface
NAT everything going out and coming back on the external interface
Allow ICMP echoreq and unreach so ping and traceroute work
All of this is IPv4. I'm not doing IPv6 yet.
Questions:
Does the ruleset look reasonable?
Does it meet the goals efficiently?
Any tweaks advised?
Is pf a solid choice for this or is ipfw preferred?
Code:
cat /etc/pf.conf
# interface macros: em0 faces the ISP router, ue0 faces the LAN
ext_if="em0"
int_if="ue0"
localnet=$int_if:network
icmp_types="{ echoreq, unreach }"
# never filter loopback; normalize incoming packets
set skip on lo
scrub in
# NAT everything leaving em0 that did not originate from em0's own address
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
# default deny, then let the box itself and the LAN out, keeping state
block all
pass from {self, $localnet} to any keep state
# allow inbound echo requests and unreachables so ping and traceroute work
pass in quick inet proto icmp all icmp-type $icmp_types keep state
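One way to sanity-check a ruleset like this against the stated goals before loading it is a small static lint. The script below is an added example, not part of the original post or of pf itself: it expands the macros, then checks for a default-deny first filter rule, a nat rule on the external interface, inbound ICMP restricted to the listed types, and no other inbound pass rule bound to the external interface. It also lists pass rules that carry neither a direction nor an `on <interface>` clause, because those match on every interface in both directions. The function names, the tiny tokenizer and the assumption that the config uses only this subset of pf syntax (no anchors, tables or nested braces) are mine; `pfctl -nf /etc/pf.conf` remains the authoritative syntax check.

```python
"""Static check of a pf.conf against the goals stated in the post.

Added example, not part of the original post. It expands pf macros, then
classifies each rule to confirm: default deny, NAT on the external interface,
inbound ICMP limited to the listed types, and no other inbound pass rule on
the external interface. pfctl -nf remains the authoritative syntax check.
"""
import re

# The poster's ruleset, embedded here so the script runs offline.
PF_CONF = """\
ext_if="em0"
int_if="ue0"
localnet=$int_if:network
icmp_types="{ echoreq, unreach }"
set skip on lo
scrub in
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
block all
pass from {self, $localnet} to any keep state
pass in quick inet proto icmp all icmp-type $icmp_types keep state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*(.+)$')


def _expand(s, macros):
    # Longest names first so $int_if is not clobbered by a shorter $int.
    for name in sorted(macros, key=len, reverse=True):
        s = s.replace('$' + name, macros[name])
    return s


def parse_pf(text):
    """Return (macros, rules); rules have all $macro references expanded."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = _expand(m.group(2).strip().strip('"'), macros)
            continue
        rules.append(_expand(line, macros))
    return macros, rules


def _tokens(rule):
    # Simplified tokenizer: braces and commas become separate tokens.
    return rule.replace('{', ' { ').replace('}', ' } ').replace(',', ' ').split()


def icmp_types_of(rule):
    """Set of icmp-type names in a rule, from '{ a, b }' or a single name."""
    toks = _tokens(rule)
    if 'icmp-type' not in toks:
        return set()
    i = toks.index('icmp-type') + 1
    if toks[i] == '{':
        return set(toks[i + 1:toks.index('}', i)])
    return {toks[i]}


def check_goals(text, ext_if='em0', allowed_icmp=('echoreq', 'unreach')):
    """Map each goal to a verdict for the given pf.conf text."""
    _, rules = parse_pf(text)
    filt = [r for r in rules if r.split()[0] in ('block', 'pass')]
    report = {}
    # Goal: block everything by default. The first filter rule must be a
    # catch-all block; later pass rules win because pf takes the last match
    # unless a rule says 'quick'.
    report['default_deny'] = bool(filt) and filt[0] in ('block all', 'block in all')
    # Goal: NAT on the external interface.
    report['nat_on_ext'] = any(r.startswith('nat on %s ' % ext_if) for r in rules)
    # Goal: inbound ICMP allowed, but only the listed types.
    icmp_in = [r for r in filt if r.startswith('pass in') and 'proto icmp' in r]
    report['icmp_in_rule'] = bool(icmp_in)
    report['icmp_types_limited'] = bool(icmp_in) and all(
        icmp_types_of(r) <= set(allowed_icmp) for r in icmp_in)
    # Goal: no other inbound pass rule bound to the external interface.
    ext_in = [r for r in filt if r.startswith('pass in')
              and ('on %s' % ext_if) in r and 'proto icmp' not in r]
    report['no_other_ext_inbound'] = not ext_in
    # Pass rules with neither a direction nor 'on <if>' apply to every
    # interface in both directions; list them so the reviewer can decide
    # whether to pin them with 'in on $int_if' and add 'antispoof'.
    report['unbound_pass_rules'] = [
        r for r in filt if r.startswith('pass')
        and _tokens(r)[1] not in ('in', 'out') and 'on' not in _tokens(r)]
    return report


if __name__ == '__main__':
    for goal, verdict in check_goals(PF_CONF).items():
        print('%-22s %s' % (goal, verdict))
```

Run it as-is to see the verdicts for the posted ruleset; point `check_goals` at the text of your own pf.conf (and pass the right `ext_if`) to re-check after editing. The `unbound_pass_rules` entry is informational rather than a failure: it is there to make explicit which rules are not tied to the interface the traffic is expected on.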