PF firewall rule for passing Echolink

I did some google searching trying to find if anyone else constructed a PF exception for Echolink before I tackled it and the results are fairly sparse.

I, by no means, have a handle on PF, but this pf.conf is working for me. Here is my contribution for anyone else that might be looking too:
Code:
# macros
#
ext_if          = "xl0"
int_if          = "xl1"
localnet        = $int_if:network

# options
#
set loginterface $ext_if

# tables - none
#

# normalization
#
scrub in  on $ext_if all           fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

# Redirect for Echolink
#
rdr on $ext_if proto {tcp,udp} from any to any port 5198:5200 -> 192.168.1.54

# NAT
#
nat on $ext_if from $localnet to any -> $ext_if

pass from { lo0, $localnet } to any
Comments are welcomed.

:)
 
Usually a firewall should be set to block everything and allow only the required ports. I do not see you blocking anything at all...
 
vivek said:
Usually a firewall should be set to block everything and allow only the required ports. I do not see you blocking anything at all...

PF, by default, blocks everything.
 
SirDice said:
PF, by default, blocks everything.

I do not see any info regarding a default block in the pf / pf.conf man page or the openbsd.org pf FAQ page. If this is true, then why do all books and docs ask to put the following:
Code:
# setup a default deny policy
block all
 
Hmm... It seems I was confused with IPFilter. That has a pass all implicit rule but can be started with a block all implicit rule.

PF seems to have a "pass all" implicit rule:
There is an implicit pass all at the beginning of a filtering ruleset meaning that if a packet does not match any filter rule the resulting action will be pass.
http://www.openbsd.org/faq/pf/filter.html

Implicit rules should never be counted on though. For one, there's no accounting done on them, and second, it's pretty easy to get them the wrong way around (as I've just demonstrated ;) ).
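For reference, here is the same Echolink setup rewritten with an explicit default-deny policy, as an added example that is not any poster's own config. It keeps the xl0/xl1 interfaces, the 192.168.1.54 host and the 5198:5200 port range from the original post; the `$echolink` and `$echo_ports` macros are my own naming. It uses the same pre-4.7 `nat`/`rdr` syntax as the posted pf.conf, where translation rules come before filter rules and the filter rules see the already-translated destination address:

```pf
# macros
#
ext_if     = "xl0"
int_if     = "xl1"
localnet   = $int_if:network
echolink   = "192.168.1.54"     # internal Echolink host (from the post)
echo_ports = "5198:5200"        # Echolink port range (from the post)

# options
#
set loginterface $ext_if
set skip on lo0                 # loopback is never filtered

# normalization
#
scrub in  on $ext_if all           fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

# translation (must precede filter rules in this syntax)
#
nat on $ext_if from $localnet to any -> ($ext_if)
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port $echo_ports -> $echolink

# filtering: explicit default deny so nothing relies on the implicit pass,
# and so unmatched packets are logged and counted
#
block log all

# drop packets with spoofed source addresses on either interface
antispoof quick for { $ext_if, $int_if }

# LAN hosts may go anywhere; the firewall itself may go out
pass quick on $int_if from $localnet to any keep state
pass out quick on $ext_if keep state

# the only inbound traffic allowed from the Internet: the Echolink ports,
# already rewritten by the rdr above to the internal host
pass in on $ext_if proto { tcp, udp } from any to $echolink port $echo_ports keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. The `pass in` rule matches on `$echolink`, not on the external address, because the `rdr` has already replaced the destination by the time the filter rules run; a rule written against `$ext_if`'s address would never match and the redirected packets would hit `block log all`, which `pfctl -s rules -v` will then show as counted drops. Leaving out `block log all` returns you to the implicit pass-all behaviour discussed above, with no logging or counters for the traffic it lets through.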