Today I had the big opportunity to setup an OpenBSD based gateway. I’ve never used OpenBSD before and I was really excited about. All in one: Really clean (almost spartanic), secure 4.4BSD. Although I had some problems during the partitioning process - I didn’t thought they have such a l33t partitioning tool - the installation went smooth. Afterwards I’ve fetched the ports and installed some common utilities: No compilation errors etc.

Here some pics:

Then my first ipf configuration:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24


# Set network interfaces
ext_if=sk0 #internet
int_if=sk1  #LAN
# Allowed  icmp type
icmp_types=echoreq

# Skip all loopback traffic
set skip on lo

# Scrub all traffic
scrub in

# Perform NAT on external interface
nat on $ext_if from $int_if:network -> ($ext_if:0)

# Define default behavior: block IN, pass OUT
block in
pass out keep state

# Allow inbound traffic on internal interface
pass quick on $int_if

# No spoofing
antispoof quick for { lo $int_if }

Quite easy, isn’t it?

[Update: 2011-02-17]

As stated here there have been some changes made to the pf syntax in 4.8.

1
2


# Perform NAT on external interface
nat on $ext_if from $int_if:network -> ($ext_if:0)

should be changed to

1
2
3


..
match out on $ext_if from $int_if nat-to ($ext_if)
...