PF firewall rule for passing Echolink

Postby johnblue » 29 Apr 2009, 04:38

I did some google searching trying to find if anyone else constructed a PF exception for Echolink before I tackled it and the results are fairly sparse.

I, by no means, have a handle on PF, but this pf.conf is working for me. Here is my contribution for anyone else that might be looking too:
Code:
# macros
#
ext_if          = "xl0"
int_if          = "xl1"
localnet        = $int_if:network

# options
#
set loginterface $ext_if

# tables - none
#

# normalization
#
scrub in  on $ext_if all           fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

# Redirect for Echolink
#
rdr on $ext_if proto {tcp,udp} from any to any port 5198:5200 -> 192.168.1.54

# NAT
#
nat on $ext_if from $localnet to any -> $ext_if

pass from { lo0, $localnet } to any
Comments are welcomed.

:)
johnblue
Member
Posts: 224
Joined: 28 Jan 2009, 08:27
Location: O-o-o-o-o-o-o-klahoma

Postby vivek » 29 Apr 2009, 09:03

Usually firewall should be set to block everything and allow only required ports. I do not see you are blocking anything at all...
Neither in this world nor elsewhere is there any happiness in store for him who always doubts. If you enjoyed my answer please consider donating some money to FreeBSD foundation @ http://www.freebsdfoundation.org/
vivek
Member
Posts: 809
Joined: 17 Nov 2008, 08:19
Location: Hyper Space

Postby SirDice » 29 Apr 2009, 09:37

vivek wrote: Usually firewall should be set to block everything and allow only required ports. I do not see you are blocking anything at all...

PF, by default, blocks everything.
SirDice
Old Fart
Posts: 16196
Joined: 17 Nov 2008, 16:50
Location: Rotterdam, Netherlands

Postby vivek » 29 Apr 2009, 10:36

SirDice wrote: PF, by default, blocks everything.

I do not see any info regarding default block @ pf / pf.conf man page or openbsd.org pf faq page. If this is true, then why do all books and docs ask to put the following:
Code:
# setup a default deny policy
block all
vivek
Member
Posts: 809
Joined: 17 Nov 2008, 08:19
Location: Hyper Space

Postby SirDice » 29 Apr 2009, 15:00

Hmm.. It seems I was confused with IPFilter. That has a pass all implicit rule but can be started with a block all implicit rule.

PF seems to have a "pass all" implicit rule:
There is an implicit pass all at the beginning of a filtering ruleset meaning that if a packet does not match any filter rule the resulting action will be pass.

http://www.openbsd.org/faq/pf/filter.html

Implicit rules should never be counted on though. For one there's no accounting done on them and second it's pretty easy to get them the wrong way around (as I've just demonstrated ;) ).
SirDice
Old Fart
Posts: 16196
Joined: 17 Nov 2008, 16:50
Location: Rotterdam, Netherlands
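The last two posts hinge on how PF decides the fate of a packet that no rule mentions. As an added illustration (constructed for this page; it is not PF's code and not johnblue's pf.conf), the following Python model walks a ruleset the way PF does: every filter rule is checked in order, the last matching rule wins unless a rule is marked quick, and a packet that matches nothing gets the implicit pass. It evaluates the single filter rule from the posted config (the rdr and nat lines are translation rules, so they are not filter rules and do not appear) next to a variant that starts with an explicit block all and passes only LAN-originated traffic plus the 5198:5200 range that the rdr redirects to the Echolink host. Packet fields, the "internet"/"localnet" source labels and the sample packets are constructed; the model ignores interfaces, addresses and state tracking.

```python
"""Toy model of PF filter evaluation (constructed example, not PF code).

PF semantics reproduced here: rules are evaluated top to bottom, the LAST
matching rule decides, a 'quick' rule stops evaluation on match, and a
packet matching no rule is passed by the implicit 'pass all'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the firewall
    proto: str      # "tcp" or "udp"
    src: str        # constructed label: "internet" or "localnet"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                              # "block" or "pass"
    direction: Optional[str] = None          # None = either direction
    proto: Optional[str] = None              # None = any protocol
    src: Optional[str] = None                # None = "from any"
    ports: Optional[Tuple[int, int]] = None  # inclusive dport range, None = any
    quick: bool = False                      # stop evaluating when matched

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.proto in (None, p.proto)
                and self.src in (None, p.src)
                and (self.ports is None
                     or self.ports[0] <= p.dport <= self.ports[1]))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); index None means the
    implicit pass all decided, i.e. no rule in the set matched."""
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for i, rule in enumerate(rules):
        if rule.matches(p):
            decision = (rule.action, i)
            if rule.quick:
                break
    return decision


# The only filter rule in the posted pf.conf:
#   pass from { lo0, $localnet } to any
POSTED: List[Rule] = [Rule("pass", src="localnet")]

# Same intent with an explicit default deny and only the needed holes:
#   block all
#   pass out from $localnet to any
#   pass in proto udp to <echolink host> port 5198:5200
#   pass in proto tcp to <echolink host> port 5198:5200
# (5198:5200 is the range the posted rdr rule redirects to 192.168.1.54)
HARDENED: List[Rule] = [
    Rule("block"),
    Rule("pass", direction="out", src="localnet"),
    Rule("pass", direction="in", proto="udp", ports=(5198, 5200)),
    Rule("pass", direction="in", proto="tcp", ports=(5198, 5200)),
]

# Constructed sample traffic: an unsolicited probe from outside, Echolink
# traffic into the redirected range, and a LAN host going out.
SAMPLE: List[Packet] = [
    Packet("in", "tcp", "internet", 22),
    Packet("in", "udp", "internet", 5199),
    Packet("out", "tcp", "localnet", 443),
]


def audit(rules: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str, Optional[int]]]:
    """Evaluate each packet and report which rule (if any) decided it."""
    return [(p, *evaluate(rules, p)) for p in packets]


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("hardened", HARDENED)):
        print(f"--- {name} ruleset ---")
        for p, action, idx in audit(rules, SAMPLE):
            who = "implicit pass all" if idx is None else f"rule {idx}"
            print(f"{p.direction:>3} {p.proto} from {p.src:<8} "
                  f"port {p.dport:<5} -> {action:<5} ({who})")
```

Run as a script, the posted ruleset reports the inbound port-22 probe as passed by the implicit pass all, which is exactly the gap vivek was asking about; the hardened ruleset blocks it on rule 0 and still lets the Echolink range and LAN-originated traffic through. Because the deciding rule index is returned rather than just the verdict, the same function also shows why SirDice prefers explicit rules: an explicit block all gives you a rule that pfctl can count and log, whereas the implicit pass leaves no such trace.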
