May 2009

We again met at OmniTI this month. Jason gave a very good introduction to packet filters in general and OpenBSD PF (slides). After everyone was up to speed on the basics of OpenBSD PF, we used OmniTI's lab computers loaded with an OpenBSD 4.5 LiveCD that Jason created to get hands-on experience with PF. The lab computers were already booted to the CD, so all we had to do was log in. The computers were connected to a switch in the lab that was configured with two VLANs. Jason gave us tasks geared towards learning PF:

  1. Configure the vlan100 interface to use DHCP
  2. Configure the vlan200 interface with a static IP
  3. NAT on vlan100 for vlan200's network
  4. Allow SSH from outside to a host on the vlan200 network
  5. Block all other inbound traffic
  6. Bonus: Give SSH priority over HTTP

Here is the ruleset Jason came up with for tasks 3 through 5 (tasks 1 and 2 are interface configuration and live in hostname.if files, not in pf.conf):

# Macros
ext_if = "vlan100"
int_if = "vlan200"

# Options
set skip on lo

# Scrub
scrub in

# Translation (in PF up to 4.6 translation runs before filtering, so the
# pass rule below has to match the translated address 20.20.75.2, not
# the external address and port 2275)
nat on $ext_if inet from ($int_if:network) to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2275 -> \
                 20.20.75.2 port ssh

# Filters (last matching rule wins; "block in" is the default policy)
block in
pass out keep state
pass in on $ext_if inet proto tcp from any to 20.20.75.2 port ssh \
                   flags S/SA keep state
pass in on $int_if from ($int_if:network) to any keep state

And this one, with ALTQ priority queueing for the bonus task:

# Macros
ext_if = "vlan100"
int_if = "vlan200"

# Options
set skip on lo

# Scrub
scrub in

# Queueing: priq always serves the higher priority queue first
# (priorities run 0-15), so SSH beats HTTP, which beats everything else
altq on $ext_if priq bandwidth 1Gb queue \
               { std_out, http_out, ssh_out }
queue std_out   priq(default)
queue http_out  priority 6
queue ssh_out   priority 7

# Translation
nat on $ext_if inet from ($int_if:network) to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2275 -> \
                20.20.75.2 port ssh

# Filters. The queue named on a rule is remembered in the state it
# creates, so traffic passed in on $int_if is queued when it leaves on
# $ext_if. Last matching rule wins, so the HTTP and SSH rules override
# the catch-all std_out assignment. With queue(std_out, ssh_out) the
# second queue takes the low-delay packets (TOS lowdelay, empty ACKs)
# and the rest of the session goes to the first.
block in
pass out keep state
pass in on $ext_if inet proto tcp from any to 20.20.75.2 port ssh \
                flags S/SA keep state
pass in on $int_if from ($int_if:network) to any keep state queue std_out
pass in on $int_if inet proto tcp from ($int_if:network) to any \
                port http keep state queue http_out
pass in on $int_if inet proto tcp from ($int_if:network) to any \
                port ssh keep state queue(std_out, ssh_out)
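What the rulesets don't show is tasks 1 and 2, or the steps needed to get either ruleset running on the LiveCD box. The script below is an added example, not something from Jason's slides or the lab. It assumes the trunk NIC is em0, that the firewall's own vlan200 address is 20.20.75.1/24 (20.20.75.2 being the SSH target from the rdr rule), and that one of the rulesets above has been saved as /etc/pf.conf. Besides writing the hostname.if(5) files, it reimplements in awk the section-order rule pfctl enforces through 4.6 (options, normalization, queueing, translation, filtering) so a misordered file is caught before the firewall is touched, and it turns on IP forwarding, without which the NAT rule translates nothing.

```shell
#!/bin/sh
# Added example, not from the meeting or Jason's slides: bring up the two
# VLAN interfaces from tasks 1 and 2, sanity-check the ruleset, then load
# and verify it on an OpenBSD 4.5 box.
#
# Assumptions (the page does not state them): the trunk NIC is em0, the
# firewall's own vlan200 address is 20.20.75.1/24 (20.20.75.2 is the SSH
# target in the rdr rule), and the ruleset is saved as /etc/pf.conf.
PHYS_IF=${PHYS_IF:-em0}
INT_ADDR=${INT_ADDR:-20.20.75.1}
INT_MASK=${INT_MASK:-255.255.255.0}
PF_CONF=${PF_CONF:-/etc/pf.conf}

# Task 1: contents of /etc/hostname.vlan100 -- tag 100 on the trunk,
# address from DHCP.  netstart hands each line to ifconfig(8) in turn,
# except "dhcp", which starts dhclient.
hostname_vlan100() {
    printf 'vlan 100 vlandev %s\n' "$PHYS_IF"
    printf 'dhcp\n'
}

# Task 2: contents of /etc/hostname.vlan200 -- tag 200, static address.
# hostname.if(5) inet line: inet <addr> <netmask> <broadcast|NONE>
hostname_vlan200() {
    printf 'vlan 200 vlandev %s\n' "$PHYS_IF"
    printf 'inet %s %s NONE\n' "$INT_ADDR" "$INT_MASK"
}

# pfctl (through 4.6) rejects a pf.conf whose rules are not in section
# order: options, normalization, queueing, translation, filtering.
# Reproduce that check in awk so a misordered file is caught before the
# firewall is touched.  Reads pf.conf on stdin; exit 0 when in order.
pf_section_order() {
    awk '
        BEGIN { bad = 0; last = 0 }
        # lines following a trailing backslash belong to the previous rule
        cont { cont = ($0 ~ /\\[ \t]*$/); next }
        { sub(/#.*/, ""); cont = ($0 ~ /\\[ \t]*$/) }
        # skip blanks, macro definitions and tables (allowed anywhere)
        /^[ \t]*$/ || /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ || $1 == "table" { next }
        {
            s = 0
            if ($1 == "set")                                  s = 1
            else if ($1 == "scrub")                           s = 2
            else if ($1 == "altq" || $1 == "queue")           s = 3
            else if ($1 == "nat" || $1 == "rdr" || $1 == "binat") s = 4
            else if ($1 == "block" || $1 == "pass" ||
                     $1 == "antispoof" || $1 == "anchor")     s = 5
            else { printf "line %d: unexpected keyword %s\n", NR, $1; bad = 1; next }
            if (s < last) { printf "line %d: %s rule out of order\n", NR, $1; bad = 1 }
            else last = s
        }
        END { exit bad }
    '
}

# Load the ruleset for real (run as root on the firewall).  NAT does
# nothing unless the kernel forwards packets, so turn forwarding on first.
pf_load() {
    pf_section_order < "$PF_CONF" || return 1
    pfctl -nf "$PF_CONF" || return 1     # parse only, change nothing
    sysctl net.inet.ip.forwarding=1
    pfctl -ef "$PF_CONF"                 # enable pf and load the rules
    pfctl -sr                            # filter rules as loaded
    pfctl -sn                            # nat/rdr rules
    pfctl -vs queue                      # ALTQ queues (second ruleset only)
}

# Write the hostname.if files and bring the VLANs up without a reboot.
install_vlans() {
    hostname_vlan100 > /etc/hostname.vlan100
    hostname_vlan200 > /etc/hostname.vlan200
    sh /etc/netstart vlan100 vlan200
}

# Usage (as root on the firewall):  sh pflab.sh check | install
# Then from a host on vlan100:      ssh -p 2275 user@<vlan100 address>
# and on the firewall:              pfctl -ss | grep 20.20.75.2:22
case "${1:-}" in
    check)   pf_section_order < "$PF_CONF" && pfctl -nf "$PF_CONF" ;;
    install) install_vlans && pf_load ;;
esac
```

The awk check is deliberately stricter than a syntax check: `pfctl -nf` would also report the ordering error, but only on the firewall, while this runs anywhere and on both of the rulesets above passes cleanly. The `pfctl -ss` grep at the end is the quickest way to confirm task 4 end to end, since a state keyed on 20.20.75.2:22 only exists if the rdr rewrote the destination and the pass rule then matched it.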