I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

classic Classic list List threaded Threaded
28 messages Options
12
Reply | Threaded
Open this post in threaded view
|

I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

mostafa faridi-2
Hi
In work place , we have over 24 computer and all of them are windows and
, I have NAT server . this NAT server use FreeBSD 8.2 AMD 64 , and I use
PF for NAT with FreeBSD 8.2 . after many search in google , I find this
pf.conf

====================================================
ns# cat  /usr/local/pf/pf.conf
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18
mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
# Edited by: mfaridi

################################ MACROS
############################################################

ext_if          = "sk0"
int_if          = "re0"
External_net    = "10.10.10.192/27"
Local_net       = "192.168.0.0/24"
Local_Web       = "192.168.0.10"
Local_Srv       = "192.168.0.1"
Prtcol          = "{ tcp, udp }"
Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"

#Define ports for common internet services
#TCP_SRV         = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
#UDP_SRV         = "{ 53 }"
TCP_SRV         = "{ 80, 443 }"
UDP_SRV         = "{ }"
Samba_TCP       = "{ 139, 445 }"
Samba_UDP       = "{ 137, 138 }"


SERVER          = "10.10.10.200"
NAT1            = "10.10.10.194"
NAT2            = "10.10.10.195"
NAT3            = "10.10.10.196"
NAT4            = "10.10.10.197"
NAT5            = "10.10.10.198"
NAT6            = "10.10.10.199"
NAT7            = "10.10.10.201"
NAT8            = "10.10.10.202"
NAT9            = "10.10.10.203"
NAT10           = "10.10.10.204"
NAT11           = "10.10.10.205"
NAT12           = "10.10.10.206"
NAT13           = "10.10.10.207"
NAT14           = "10.10.10.208"
NAT15           = "10.10.10.209"
NAT16           = "10.10.10.210"
NAT17           = "10.10.10.211"
NAT18           = "10.10.10.212"
NAT19           = "10.10.10.213"
NAT20           = "10.10.10.214"
NAT21           = "10.10.10.215"
NAT22           = "10.10.10.216"
NAT23           = "10.10.10.217"
NAT24           = "10.10.10.218"
NAT25           = "10.10.10.219"

#### All IP of Groups which can be connect to Internet
paltalk1        = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2        = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3        = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28,
192.168.0.29 }"
webdsgn1        = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2        = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3        = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4        = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5        = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6        = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7        = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8        = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53,
192.168.0.54 }"
rased1          = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2          = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3          = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4          = "{ 192.168.0.69, 192.168.0.70 }"
rased5          = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202,
192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6          = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208,
192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7          = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214,
192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8          = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220,
192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224,
192.168.0.225  }"
admin1          = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2          = "{ 192.168.0.58, 192.168.0.59 }"

############################### TABLES
############################################################

#Define privileged network address sets
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12,
10.0.0.0/8, 0.0.0.0/8, \
                           14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23,
224.0.0.0/3 }
table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
table <hackers> persist file "/usr/local/pf/Network/hackers.lst"

#Define Favoured client hosts
table <Admin>   persist file "/usr/local/pf/Network/Admin.lst"
table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
table <Rased>   persist file "/usr/local/pf/Network/Rased.lst"
table <LocalHost> const { self }

############################### OPTIONS
############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound


############################### TRAFFIC NORMALIZATION
##############################################
#Filter traffic for unusual packets
scrub in all


############################### TRANSLATION
######################################################

#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER

nat pass on $ext_if from $paltalk1 to any -> $NAT1
nat pass on $ext_if from $paltalk2 to any -> $NAT2
nat pass on $ext_if from $paltalk3 to any -> $NAT3
nat pass on $ext_if from $webdsgn1 to any -> $NAT4
nat pass on $ext_if from $webdsgn2 to any -> $NAT5
nat pass on $ext_if from $webdsgn3 to any -> $NAT6
nat pass on $ext_if from $webdsgn4 to any -> $NAT7
nat pass on $ext_if from $webdsgn5 to any -> $NAT8
nat pass on $ext_if from $webdsgn6 to any -> $NAT9
nat pass on $ext_if from $webdsgn7 to any -> $NAT10
nat pass on $ext_if from $webdsgn8 to any -> $NAT11
nat pass on $ext_if from $rased1   to any -> $NAT12
nat pass on $ext_if from $rased2   to any -> $NAT13
nat pass on $ext_if from $rased3   to any -> $NAT14
nat pass on $ext_if from $rased4   to any -> $NAT15
nat pass on $ext_if from $rased5   to any -> $NAT16
nat pass on $ext_if from $rased6   to any -> $NAT17
nat pass on $ext_if from $rased7   to any -> $NAT18
nat pass on $ext_if from $rased8   to any -> $NAT19
nat pass on $ext_if from $admin1   to any -> $NAT20
nat pass on $ext_if from $admin2   to any -> $NAT21


#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 ->
192.168.0.100 port 5900
#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 ->
192.168.0.50 port 22

############################### PACKET FILTERING
#################################################

# Default Rule
pass quick on { $ext_if, $int_if } all keep state




# End of File: pf.conf
===========================================================================================================================
I have 27 valid or static IPs,
all users  in my work place use paltalk , paltalk is messenger like
yahoo messenger and use for voice chat , and paltalk like yahoo has many
rooms for voice chat , but paltalk servers do not let users login with
three different room from one valid IP or static IP . or paltalk server
only let user login to three room from only one IP , and from one IP
only three computer can login to paltalk server and use it . so we get
27 valid or static IPs from ISP ,and I put all of them in my pf.conf
.and set many NAT line in my pf.conf.
but I think my pf.conf has problem and I do not know why sometimes some
users in work place can not use internet , when they open firefox and
start browse web pages ,they see error , but when they can not browse
web pages , their paltalk messenger is ON and they have voice chat , but
they can not browse webpages , this problem can solve when I reboot
server or disable and enable PF. but after one days or more this problem
happen again , and some user can not browse web pages with firefox and
other browser but they can voice chat
sometimes another problem happen , users can browse web pages , but they
can not chat with paltalk messnger and I have to reboot server or
disable and enable PF.

my knowledege about PF is not a lot
and I find this pf.conf from internet and  make it with many test .

I want only do NAT with PF and I do not want block ports or other policy
. I want only PF for NAT.
please help me to solve this problem.


after search  google I understand PF version in FreeBSD 8.2 is very old
, and after that I want use OpenBSD 5 for NAT server. and I want use it
, but after search in google I understand NAT config in old PF is much
different with new PF , and I know we can find new PF in OpenBSD 5

please help me to use my pf.conf in OpenBSD 5 ?
can I use this pf.conf in OpenBSD 5 or no ?
do I make mistake in my pf.conf ?



please help me to make best pf for NAT with OpenBSD 5

thanks

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

Theo de Raadt
> In work place , we have over 24 computer and all of them are windows and
> , I have NAT server . this NAT server use FreeBSD 8.2 AMD 64 , and I use
> PF for NAT with FreeBSD 8.2 . after many search in google , I find this
> pf.conf
>
> ====================================================
> ns# cat  /usr/local/pf/pf.conf
> # $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18
> mlaier Exp $
> # $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $

You want to start with a monster pf example written in 2003, and
attempt to use today -- after another 8 years of development has
happened to pf.

Good luck.  You'll need it.

Your approach towards using stuff is totally wrong.

And this is not the FreeBSD mailing lists.  Their version of pf is years
old and quite different.

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

Peter Nicolai Mathias Hansteen
In reply to this post by mostafa faridi-2
Gholam Mostafa Faridi <[hidden email]> writes:

> In work place , we have over 24 computer and all of them are windows
> and , I have NAT server . this NAT server use FreeBSD 8.2 AMD 64 , and
> I use PF for NAT with FreeBSD 8.2 . after many search in google , I
> find this pf.conf

FreeBSD 8's PF uses the old NAT and scrub syntax, so you will have to
change those.  


This block is superfluous (assuming you do not actually tweak, only
stating defaults)

> ############################### OPTIONS
> ############################################################
> #Default behaviour
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
> set loginterface $ext_if
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/etc/pf.os"
> set skip on lo0
> #set state-policy if-bound

> #Filter traffic for unusual packets
> scrub in all

match in all (no-df max-mss 1440) # or whatever fits your setup

> #NAT for the external traffic
> #Mask internal ip addresses with actual external ip address
> #nat pass on $ext_if from $Local_net to any -> $SERVER
>
> nat pass on $ext_if from $paltalk1 to any -> $NAT1

all of these would be in the new syntax something like

pass on $ext_if from $theonething nat-to $NATtheother

or you could rewrite to use match rules.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

mostafa faridi-2
On 11/07/2011 02:47 AM, Peter N. M. Hansteen wrote:

> Gholam Mostafa Faridi<[hidden email]>  writes:
>
>> In work place , we have over 24 computer and all of them are windows
>> and , I have NAT server . this NAT server use FreeBSD 8.2 AMD 64 , and
>> I use PF for NAT with FreeBSD 8.2 . after many search in google , I
>> find this pf.conf
> FreeBSD 8's PF uses the old NAT and scrub syntax, so you will have to
> change those.
>
>
> This block is superfluous (assuming you do not actually tweak, only
> stating defaults)
>
>> ############################### OPTIONS
>> ############################################################
>> #Default behaviour
>> set timeout { interval 10, frag 30 }
>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 0, adaptive.end 0 }
>> set limit { states 10000, frags 5000 }
>> set loginterface $ext_if
>> set optimization normal
>> set block-policy drop
>> set require-order yes
>> set fingerprints "/etc/pf.os"
>> set skip on lo0
>> #set state-policy if-bound
>> #Filter traffic for unusual packets
>> scrub in all
> match in all (no-df max-mss 1440) # or whatever fits your setup
>
>> #NAT for the external traffic
>> #Mask internal ip addresses with actual external ip address
>> #nat pass on $ext_if from $Local_net to any ->  $SERVER
>>
>> nat pass on $ext_if from $paltalk1 to any ->  $NAT1
> all of these would be in the new syntax something like
>
> pass on $ext_if from $theonething nat-to $NATtheother
>
> or you could rewrite to use match rules.
>
> - Peter
>
thanks
all guys.
So I must change my pf.conf like this

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

cat  /usr/local/pf/pf.conf
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18
mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
# Edited by: mfaridi

################################ MACROS
############################################################

ext_if          = "sk0"
int_if          = "re0"
External_net    = "10.10.10.192/27"
Local_net       = "192.168.0.0/24"
Local_Web       = "192.168.0.10"
Local_Srv       = "192.168.0.1"
Prtcol          = "{ tcp, udp }"
Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"

#Define ports for common internet services
#TCP_SRV         = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995,
8443 }"
#UDP_SRV         = "{ 53 }"
TCP_SRV         = "{ 80, 443 }"
UDP_SRV         = "{ }"
Samba_TCP       = "{ 139, 445 }"
Samba_UDP       = "{ 137, 138 }"


SERVER          = "10.10.10.200"
NAT1            = "10.10.10.194"
NAT2            = "10.10.10.195"
NAT3            = "10.10.10.196"
NAT4            = "10.10.10.197"
NAT5            = "10.10.10.198"
NAT6            = "10.10.10.199"
NAT7            = "10.10.10.201"
NAT8            = "10.10.10.202"
NAT9            = "10.10.10.203"
NAT10           = "10.10.10.204"
NAT11           = "10.10.10.205"
NAT12           = "10.10.10.206"
NAT13           = "10.10.10.207"
NAT14           = "10.10.10.208"
NAT15           = "10.10.10.209"
NAT16           = "10.10.10.210"
NAT17           = "10.10.10.211"
NAT18           = "10.10.10.212"
NAT19           = "10.10.10.213"
NAT20           = "10.10.10.214"
NAT21           = "10.10.10.215"
NAT22           = "10.10.10.216"
NAT23           = "10.10.10.217"
NAT24           = "10.10.10.218"
NAT25           = "10.10.10.219"

#### All IP of Groups which can be connect to Internet
paltalk1        = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2        = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3        = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28,
192.168.0.29 }"
webdsgn1        = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2        = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3        = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4        = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5        = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6        = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7        = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8        = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53,
192.168.0.54 }"
rased1          = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2          = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3          = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4          = "{ 192.168.0.69, 192.168.0.70 }"
rased5          = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202,
192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6          = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208,
192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7          = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214,
192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8          = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220,
192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224,
192.168.0.225  }"
admin1          = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2          = "{ 192.168.0.58, 192.168.0.59 }"

############################### TABLES
############################################################

#Define privileged network address sets
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12,
10.0.0.0/8, 0.0.0.0/8, \
                           14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23,
224.0.0.0/3 }
table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
table <hackers> persist file "/usr/local/pf/Network/hackers.lst"

#Define Favoured client hosts
table <Admin>   persist file "/usr/local/pf/Network/Admin.lst"
table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
table <Rased>   persist file "/usr/local/pf/Network/Rased.lst"
table <LocalHost> const { self }



############################### OPTIONS
############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound

############################### TRAFFIC NORMALIZATION
##############################################
#Filter traffic for unusual packets
scrub in all


############################### TRANSLATION
######################################################

#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER

pass on $ext_if from $theonething nat-to $NATtheother



  pass on $ext_if from $paltalk1 nat-to  $NAT1
  pass on $ext_if from $paltalk2 nat-to  $NAT2
  pass on $ext_if from $paltalk3 nat-to  $NAT3
  pass on $ext_if from $webdsgn1 nat-to  $NAT4
  pass on $ext_if from $webdsgn2 nat-to  $NAT5
  pass on $ext_if from $webdsgn3 nat-to  $NAT6
  pass on $ext_if from $webdsgn4 nat-to  $NAT7
  pass on $ext_if from $webdsgn5 nat-to  $NAT8
  pass on $ext_if from $webdsgn6 nat-to  $NAT9
  pass on $ext_if from $webdsgn7 nat-to   $NAT10
  pass on $ext_if from $webdsgn8  nat-to  $NAT11
  pass on $ext_if from $rased1   nat-to  $NAT12
  pass on $ext_if from $rased2   nat-to $NAT13
  pass on $ext_if from $rased3   nat-to $NAT14
  pass on $ext_if from $rased4   nat-to $NAT15
  pass on $ext_if from $rased5   nat-to  $NAT16
  pass on $ext_if from $rased6   nat-to  $NAT17
  pass on $ext_if from $rased7   nat-to  $NAT18
  pass on $ext_if from $rased8   nat-to  $NAT19
  pass on $ext_if from $admin1   nat-to  $NAT20
  pass on $ext_if from $admin2   nat-to $NAT21


#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 ->
192.168.0.100 port 5900
#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 ->
192.168.0.50 port 22

############################### PACKET FILTERING
#################################################

# Default Rule
pass quick on { $ext_if, $int_if } all keep state




# End of File: pf.conf

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%5555




is my pf.conf correct right now and work in openbsd 5 without problem ?

thanks

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

Stuart Henderson
In reply to this post by Peter Nicolai Mathias Hansteen
On 2011-11-06, Peter N. M. Hansteen <[hidden email]> wrote:
> This block is superfluous (assuming you do not actually tweak, only
> stating defaults)

most of it, yes, but this could be important

>> set skip on lo0

this may be wanted too

>> set loginterface $ext_if

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

Rod Whitworth-3
In reply to this post by mostafa faridi-2
On Thu, 03 Nov 2011 03:16:52 +0330, Gholam Mostafa Faridi wrote:

>> Gholam Mostafa Faridi<[hidden email]>  writes:

Fix your clock. You are several days slow and it fux up mailers that
sort by date/time as they all should.
OpenBSD has ntpd to do it for you.


R/

Rod/

"Write a wise saying and your name will live on forever."  - Anonymous

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

Kevin Chadwick-2
On Mon, 07 Nov 2011 21:53:20 +1100
"Rod Whitworth" wrote:

> as they all should.
          ^^^

His clock of course should be right but what's wrong with sorting by
Maildir number (occassional mis-order but guaranteed aproximate
order/receipt order vs spammers or forged messages floating to the top)

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

John Tate-8
In reply to this post by mostafa faridi-2
There is only one way to do a job like this: Write down what it does in
clear English (or your own language), and do the whole thing from scratch.
It will only be tediously slow for the first half of the job.

On Wed, Nov 2, 2011 at 10:29 AM, Gholam Mostafa Faridi <
[hidden email]> wrote:

> Hi
> In work place , we have over 24 computer and all of them are windows and ,
> I have NAT server . this NAT server use FreeBSD 8.2 AMD 64 , and I use PF
> for NAT with FreeBSD 8.2 . after many search in google , I find this pf.conf
>
> ====================================================
> ns# cat  /usr/local/pf/pf.conf
> # $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18
> mlaier Exp $
> # $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
> # Edited by: mfaridi
>
> ################################ MACROS
> ############################################################
>
> ext_if          = "sk0"
> int_if          = "re0"
> External_net    = "10.10.10.192/27"
> Local_net       = "192.168.0.0/24"
> Local_Web       = "192.168.0.10"
> Local_Srv       = "192.168.0.1"
> Prtcol          = "{ tcp, udp }"
> Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
> ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"
>
> #Define ports for common internet services
> #TCP_SRV         = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443
> }"
> #UDP_SRV         = "{ 53 }"
> TCP_SRV         = "{ 80, 443 }"
> UDP_SRV         = "{ }"
> Samba_TCP       = "{ 139, 445 }"
> Samba_UDP       = "{ 137, 138 }"
>
>
> SERVER          = "10.10.10.200"
> NAT1            = "10.10.10.194"
> NAT2            = "10.10.10.195"
> NAT3            = "10.10.10.196"
> NAT4            = "10.10.10.197"
> NAT5            = "10.10.10.198"
> NAT6            = "10.10.10.199"
> NAT7            = "10.10.10.201"
> NAT8            = "10.10.10.202"
> NAT9            = "10.10.10.203"
> NAT10           = "10.10.10.204"
> NAT11           = "10.10.10.205"
> NAT12           = "10.10.10.206"
> NAT13           = "10.10.10.207"
> NAT14           = "10.10.10.208"
> NAT15           = "10.10.10.209"
> NAT16           = "10.10.10.210"
> NAT17           = "10.10.10.211"
> NAT18           = "10.10.10.212"
> NAT19           = "10.10.10.213"
> NAT20           = "10.10.10.214"
> NAT21           = "10.10.10.215"
> NAT22           = "10.10.10.216"
> NAT23           = "10.10.10.217"
> NAT24           = "10.10.10.218"
> NAT25           = "10.10.10.219"
>
> #### All IP of Groups which can be connect to Internet
> paltalk1        = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
> paltalk2        = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
> paltalk3        = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28,
> 192.168.0.29 }"
> webdsgn1        = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
> webdsgn2        = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
> webdsgn3        = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
> webdsgn4        = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
> webdsgn5        = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
> webdsgn6        = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
> webdsgn7        = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
> webdsgn8        = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53,
> 192.168.0.54 }"
> rased1          = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
> rased2          = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
> rased3          = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
> rased4          = "{ 192.168.0.69, 192.168.0.70 }"
> rased5          = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202,
> 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
> rased6          = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208,
> 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
> rased7          = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214,
> 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
> rased8          = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220,
> 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225
>  }"
> admin1          = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
> admin2          = "{ 192.168.0.58, 192.168.0.59 }"
>
> ############################### TABLES
> ############################################################
>
> #Define privileged network address sets
> table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12,
> 10.0.0.0/8, 0.0.0.0/8, \
>                          14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23,
> 224.0.0.0/3 }
> table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
> table <hackers> persist file "/usr/local/pf/Network/hackers.lst"
>
> #Define Favoured client hosts
> table <Admin>   persist file "/usr/local/pf/Network/Admin.lst"
> table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
> table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
> table <Rased>   persist file "/usr/local/pf/Network/Rased.lst"
> table <LocalHost> const { self }
>
> ############################### OPTIONS
> ############################################################
> #Default behaviour
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
> set loginterface $ext_if
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/etc/pf.os"
> set skip on lo0
> #set state-policy if-bound
>
>
> ############################### TRAFFIC NORMALIZATION
> ##############################################
> #Filter traffic for unusual packets
> scrub in all
>
>
> ############################### TRANSLATION
> ######################################################
>
> #NAT for the external traffic
> #Mask internal ip addresses with actual external ip address
> #nat pass on $ext_if from $Local_net to any -> $SERVER
>
> nat pass on $ext_if from $paltalk1 to any -> $NAT1
> nat pass on $ext_if from $paltalk2 to any -> $NAT2
> nat pass on $ext_if from $paltalk3 to any -> $NAT3
> nat pass on $ext_if from $webdsgn1 to any -> $NAT4
> nat pass on $ext_if from $webdsgn2 to any -> $NAT5
> nat pass on $ext_if from $webdsgn3 to any -> $NAT6
> nat pass on $ext_if from $webdsgn4 to any -> $NAT7
> nat pass on $ext_if from $webdsgn5 to any -> $NAT8
> nat pass on $ext_if from $webdsgn6 to any -> $NAT9
> nat pass on $ext_if from $webdsgn7 to any -> $NAT10
> nat pass on $ext_if from $webdsgn8 to any -> $NAT11
> nat pass on $ext_if from $rased1   to any -> $NAT12
> nat pass on $ext_if from $rased2   to any -> $NAT13
> nat pass on $ext_if from $rased3   to any -> $NAT14
> nat pass on $ext_if from $rased4   to any -> $NAT15
> nat pass on $ext_if from $rased5   to any -> $NAT16
> nat pass on $ext_if from $rased6   to any -> $NAT17
> nat pass on $ext_if from $rased7   to any -> $NAT18
> nat pass on $ext_if from $rased8   to any -> $NAT19
> nat pass on $ext_if from $admin1   to any -> $NAT20
> nat pass on $ext_if from $admin2   to any -> $NAT21
>
>
> #rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 ->
> 192.168.0.100 port 5900
> #rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 ->
> 192.168.0.50 port 22
>
> ############################### PACKET FILTERING
> #################################################
>
> # Default Rule
> pass quick on { $ext_if, $int_if } all keep state
>
>
>
>
> # End of File: pf.conf
>
> ===========================================================================================================================
> I have 27 valid or static IPs,
> all users  in my work place use paltalk , paltalk is messenger like yahoo
> messenger and use for voice chat , and paltalk like yahoo has many rooms
> for voice chat , but paltalk servers do not let users login with three
> different room from one valid IP or static IP . or paltalk server only let
> user login to three room from only one IP , and from one IP only three
> computer can login to paltalk server and use it . so we get 27 valid or
> static IPs from ISP ,and I put all of them in my pf.conf .and set many NAT
> line in my pf.conf.
> but I think my pf.conf has problem and I do not know why sometimes some
> users in work place can not use internet , when they open firefox and start
> browse web pages ,they see error , but when they can not browse web pages ,
> their paltalk messenger is ON and they have voice chat , but they can not
> browse webpages , this problem can solve when I reboot server or disable
> and enable PF. but after one days or more this problem happen again , and
> some user can not browse web pages with firefox and other browser but they
> can voice chat
> sometimes another problem happen , users can browse web pages , but they
> can not chat with paltalk messnger and I have to reboot server or disable
> and enable PF.
>
> my knowledege about PF is not a lot
> and I find this pf.conf from internet and  make it with many test .
>
> I want only do NAT with PF and I do not want block ports or other policy .
> I want only PF for NAT.
> please help me to solve this problem.
>
>
> after search  google I understand PF version in FreeBSD 8.2 is very old ,
> and after that I want use OpenBSD 5 for NAT server. and I want use it , but
> after search in google I understand NAT config in old PF is much different
> with new PF , and I know we can find new PF in OpenBSD 5
>
> please help me to use my pf.conf in OpenBSD 5 ?
> can I use this pf.conf in OpenBSD 5 or no ?
> do I make mistake in my pf.conf ?
>
>
>
> please help me to make best pf for NAT with OpenBSD 5
>
> thanks

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

mostafa faridi-2
Thanks all guys
Sorry for my bad English I , only understand is this pf.conf work in
openbsd 5 or no .? Which part I must edit and change it
Is this pf.conf is correct ?
Thanks in advance
On Nov 8, 2011 7:35 AM, "John Tate" <[hidden email]> wrote:

> There is only one way to do a job like this: Write down what it does in
> clear English (or your own language), and do the whole thing from scratch.
> It will only be tediously slow for the first half of the job.
>
> On Wed, Nov 2, 2011 at 10:29 AM, Gholam Mostafa Faridi <
> [hidden email]> wrote:
>
>> Hi
>> In work place , we have over 24 computer and all of them are windows and
>> , I have NAT server . this NAT server use FreeBSD 8.2 AMD 64 , and I use PF
>> for NAT with FreeBSD 8.2 . after many search in google , I find this pf.conf
>>
>> ====================================================
>> ns# cat  /usr/local/pf/pf.conf
>> # $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18
>> mlaier Exp $
>> # $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
>> # Edited by: mfaridi
>>
>> ################################ MACROS
>> ############################################################
>>
>> ext_if          = "sk0"
>> int_if          = "re0"
>> External_net    = "10.10.10.192/27"
>> Local_net       = "192.168.0.0/24"
>> Local_Web       = "192.168.0.10"
>> Local_Srv       = "192.168.0.1"
>> Prtcol          = "{ tcp, udp }"
>> Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
>> ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"
>>
>> #Define ports for common internet services
>> #TCP_SRV         = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443
>> }"
>> #UDP_SRV         = "{ 53 }"
>> TCP_SRV         = "{ 80, 443 }"
>> UDP_SRV         = "{ }"
>> Samba_TCP       = "{ 139, 445 }"
>> Samba_UDP       = "{ 137, 138 }"
>>
>>
>> SERVER          = "10.10.10.200"
>> NAT1            = "10.10.10.194"
>> NAT2            = "10.10.10.195"
>> NAT3            = "10.10.10.196"
>> NAT4            = "10.10.10.197"
>> NAT5            = "10.10.10.198"
>> NAT6            = "10.10.10.199"
>> NAT7            = "10.10.10.201"
>> NAT8            = "10.10.10.202"
>> NAT9            = "10.10.10.203"
>> NAT10           = "10.10.10.204"
>> NAT11           = "10.10.10.205"
>> NAT12           = "10.10.10.206"
>> NAT13           = "10.10.10.207"
>> NAT14           = "10.10.10.208"
>> NAT15           = "10.10.10.209"
>> NAT16           = "10.10.10.210"
>> NAT17           = "10.10.10.211"
>> NAT18           = "10.10.10.212"
>> NAT19           = "10.10.10.213"
>> NAT20           = "10.10.10.214"
>> NAT21           = "10.10.10.215"
>> NAT22           = "10.10.10.216"
>> NAT23           = "10.10.10.217"
>> NAT24           = "10.10.10.218"
>> NAT25           = "10.10.10.219"
>>
>> #### All IP of Groups which can be connect to Internet
>> paltalk1        = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
>> paltalk2        = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
>> paltalk3        = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28,
>> 192.168.0.29 }"
>> webdsgn1        = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
>> webdsgn2        = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
>> webdsgn3        = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
>> webdsgn4        = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
>> webdsgn5        = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
>> webdsgn6        = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
>> webdsgn7        = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
>> webdsgn8        = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53,
>> 192.168.0.54 }"
>> rased1          = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
>> rased2          = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
>> rased3          = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
>> rased4          = "{ 192.168.0.69, 192.168.0.70 }"
>> rased5          = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202,
>> 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
>> rased6          = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208,
>> 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
>> rased7          = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214,
>> 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
>> rased8          = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220,
>> 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225
>>  }"
>> admin1          = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
>> admin2          = "{ 192.168.0.58, 192.168.0.59 }"
>>
>> ############################### TABLES
>> ############################################################
>>
>> #Define privileged network address sets
>> table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12,
>> 10.0.0.0/8, 0.0.0.0/8, \
>>                          14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23,
>> 224.0.0.0/3 }
>> table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
>> table <hackers> persist file "/usr/local/pf/Network/hackers.lst"
>>
>> #Define Favoured client hosts
>> table <Admin>   persist file "/usr/local/pf/Network/Admin.lst"
>> table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
>> table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
>> table <Rased>   persist file "/usr/local/pf/Network/Rased.lst"
>> table <LocalHost> const { self }
>>
>> ############################### OPTIONS
>> ############################################################
>> #Default behaviour
>> set timeout { interval 10, frag 30 }
>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 0, adaptive.end 0 }
>> set limit { states 10000, frags 5000 }
>> set loginterface $ext_if
>> set optimization normal
>> set block-policy drop
>> set require-order yes
>> set fingerprints "/etc/pf.os"
>> set skip on lo0
>> #set state-policy if-bound
>>
>>
>> ############################### TRAFFIC NORMALIZATION
>> ##############################################
>> #Filter traffic for unusual packets
>> scrub in all
>>
>>
>> ############################### TRANSLATION
>> ######################################################
>>
>> #NAT for the external traffic
>> #Mask internal ip addresses with actual external ip address
>> #nat pass on $ext_if from $Local_net to any -> $SERVER
>>
>> nat pass on $ext_if from $paltalk1 to any -> $NAT1
>> nat pass on $ext_if from $paltalk2 to any -> $NAT2
>> nat pass on $ext_if from $paltalk3 to any -> $NAT3
>> nat pass on $ext_if from $webdsgn1 to any -> $NAT4
>> nat pass on $ext_if from $webdsgn2 to any -> $NAT5
>> nat pass on $ext_if from $webdsgn3 to any -> $NAT6
>> nat pass on $ext_if from $webdsgn4 to any -> $NAT7
>> nat pass on $ext_if from $webdsgn5 to any -> $NAT8
>> nat pass on $ext_if from $webdsgn6 to any -> $NAT9
>> nat pass on $ext_if from $webdsgn7 to any -> $NAT10
>> nat pass on $ext_if from $webdsgn8 to any -> $NAT11
>> nat pass on $ext_if from $rased1   to any -> $NAT12
>> nat pass on $ext_if from $rased2   to any -> $NAT13
>> nat pass on $ext_if from $rased3   to any -> $NAT14
>> nat pass on $ext_if from $rased4   to any -> $NAT15
>> nat pass on $ext_if from $rased5   to any -> $NAT16
>> nat pass on $ext_if from $rased6   to any -> $NAT17
>> nat pass on $ext_if from $rased7   to any -> $NAT18
>> nat pass on $ext_if from $rased8   to any -> $NAT19
>> nat pass on $ext_if from $admin1   to any -> $NAT20
>> nat pass on $ext_if from $admin2   to any -> $NAT21
>>
>>
>> #rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 ->
>> 192.168.0.100 port 5900
>> #rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 ->
>> 192.168.0.50 port 22
>>
>> ############################### PACKET FILTERING
>> #################################################
>>
>> # Default Rule
>> pass quick on { $ext_if, $int_if } all keep state
>>
>>
>>
>>
>> # End of File: pf.conf
>>
>> ===========================================================================================================================
>> I have 27 valid or static IPs,
>> all users  in my work place use paltalk , paltalk is messenger like yahoo
>> messenger and use for voice chat , and paltalk like yahoo has many rooms
>> for voice chat , but paltalk servers do not let users login with three
>> different room from one valid IP or static IP . or paltalk server only let
>> user login to three room from only one IP , and from one IP only three
>> computer can login to paltalk server and use it . so we get 27 valid or
>> static IPs from ISP ,and I put all of them in my pf.conf .and set many NAT
>> line in my pf.conf.
>> but I think my pf.conf has problem and I do not know why sometimes some
>> users in work place can not use internet , when they open firefox and start
>> browse web pages ,they see error , but when they can not browse web pages ,
>> their paltalk messenger is ON and they have voice chat , but they can not
>> browse webpages , this problem can solve when I reboot server or disable
>> and enable PF. but after one days or more this problem happen again , and
>> some user can not browse web pages with firefox and other browser but they
>> can voice chat
>> sometimes another problem happen , users can browse web pages , but they
>> can not chat with paltalk messnger and I have to reboot server or disable
>> and enable PF.
>>
>> my knowledege about PF is not a lot
>> and I find this pf.conf from internet and  make it with many test .
>>
>> I want only do NAT with PF and I do not want block ports or other policy
>> . I want only PF for NAT.
>> please help me to solve this problem.
>>
>>
>> after search  google I understand PF version in FreeBSD 8.2 is very old ,
>> and after that I want use OpenBSD 5 for NAT server. and I want use it , but
>> after search in google I understand NAT config in old PF is much different
>> with new PF , and I know we can find new PF in OpenBSD 5
>>
>> please help me to use my pf.conf in OpenBSD 5 ?
>> can I use this pf.conf in OpenBSD 5 or no ?
>> do I make mistake in my pf.conf ?
>>
>>
>>
>> please help me to make best pf for NAT with OpenBSD 5
>>
>> thanks

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

Janne Johansson-3
2011/11/8 Mostaf Faridi <[hidden email]>

> Sorry for my bad English I , only understand is this pf.conf work in
> openbsd 5 or no .? Which part I must edit and change it
>

The part where you hope someone else will do the work so you don't have to
know what your own firewall is doing, and why.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

David Walker-16
In reply to this post by mostafa faridi-2
Mostaf Faridi <mostafafaridi () gmail ! com> wrote:
> Thanks all guys
> Sorry for my bad English I , only understand is this pf.conf work in
> openbsd 5 or no .? Which part I must edit and change it
> Is this pf.conf is correct ?
> Thanks in advance

You're doing it wrong.

Three ways you could write a pf.conf for OpenBSD ...

1.
... start from scratch (start from nothing).
Read the documentation that comes with that release, in this case the
pf.conf man page for OpenBSD 5.0 ...
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+5.0
Read a vendor supplied FAQ ... for additional help ... if it relates
to that release.
In this case:
http://www.openbsd.org/faq/pf/index.html
If you are careful and do your homework you might have the odd
question and then you can search the archives, do a Google, post to
misc@ and so on. See here:
http://www.openbsd.org/mail.html
Dumping an entire pf.conf isn't part of this process.

2.
... you go from one OpenBSD release to another OpenBSD release.
For example OpenBSD 4.9 to OpenBSD 5.0 ... and use this:
http://www.openbsd.org/plus50.html
Everything to do with pf.conf (e.g. the first item on that page)
should prompt you to examine your existing rules and see if they need
modifying ... referring to the pf.conf man page, which is probably
good practice anyway.
Note, that requires a working pf.conf from the same vendor (e.g. an
existing ruleset from OpenBSD) and a willingness to follow the dots
(i.e. the plus pages) ...
Dumping an entire pf.conf isn't part of this process either.

3.
Use a pf.conf from a different release ... and a different operating system ...
You either have to track between FreeBSD then and OpenBSD now ... two
different trees over however many years ...
... or track between FreeBSD then, whatever pf they imported from
OpenBSD then and do method 2 over any number of OpenBSD releases ...

Sometimes starting from scratch is the way to go.

If you can get a new pf.conf from a FreeBSD one without too much
confusion you should still understand it anyway to apply it to your
real ruleset as opposed to your copy paste example ... see method 1.

Regardless, dumping a large conf and asking people to "fix" it for you
without any evidence you've tried yourself won't fly around here.
Copy and paste administration will only lead to misery or reading man
pages anyway or both ...

Apart from the lack of paragraphs in your first mail your english is fine.

Best wishes.

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

mostafa faridi-2
Thanks
Your 3 way is good . I choose number 3 . I have pf.conf from FreeBSD and it
work good for me over 3 months. But sometimes it dose not work good , I
said my problem in first email .
I want only understand : is this pf.conf work great in opnbsd or no ?
And I want find my  mistake if I have in pf.conf
I want know is this pf.conf has problems or no ?
Thanks all guys help me to solve this problem
On Nov 8, 2011 1:18 PM, "David Walker" <[hidden email]> wrote:

> Mostaf Faridi <mostafafaridi () gmail ! com> wrote:
> > Thanks all guys
> > Sorry for my bad English I , only understand is this pf.conf work in
> > openbsd 5 or no .? Which part I must edit and change it
> > Is this pf.conf is correct ?
> > Thanks in advance
>
> You're doing it wrong.
>
> Three ways you could write a pf.conf for OpenBSD ...
>
> 1.
> ... start from scratch (start from nothing).
> Read the documentation that comes with that release, in this case the
> pf.conf man page for OpenBSD 5.0 ...
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+5.0
> Read a vendor supplied FAQ ... for additional help ... if it relates
> to that release.
> In this case:
> http://www.openbsd.org/faq/pf/index.html
> If you are careful and do your homework you might have the odd
> question and then you can search the archives, do a Google, post to
> misc@ and so on. See here:
> http://www.openbsd.org/mail.html
> Dumping an entire pf.conf isn't part of this process.
>
> 2.
> ... you go from one OpenBSD release to another OpenBSD release.
> For example OpenBSD 4.9 to OpenBSD 5.0 ... and use this:
> http://www.openbsd.org/plus50.html
> Everything to do with pf.conf (e.g. the first item on that page)
> should prompt you to examine your existing rules and see if they need
> modifying ... referring to the pf.conf man page, which is probably
> good practice anyway.
> Note, that requires a working pf.conf from the same vendor (e.g. an
> existing ruleset from OpenBSD) and a willingness to follow the dots
> (i.e. the plus pages) ...
> Dumping an entire pf.conf isn't part of this process either.
>
> 3.
> Use a pf.conf from a different release ... and a different operating
> system ...
> You either have to track between FreeBSD then and OpenBSD now ... two
> different trees over however many years ...
> ... or track between FreeBSD then, whatever pf they imported from
> OpenBSD then and do method 2 over any number of OpenBSD releases ...
>
> Sometimes starting from scratch is the way to go.
>
> If you can get a new pf.conf from a FreeBSD one without too much
> confusion you should still understand it anyway to apply it to your
> real ruleset as opposed to your copy paste example ... see method 1.
>
> Regardless, dumping a large conf and asking people to "fix" it for you
> without any evidence you've tried yourself won't fly around here.
> Copy and paste administration will only lead to misery or reading man
> pages anyway or both ...
>
> Apart from the lack of paragraphs in your first mail your english is fine.
>
> Best wishes.

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

David Walker-16
In reply to this post by mostafa faridi-2
Mostaf Faridi <mostafafaridi () gmail ! com> wrote:
> Thanks
> Your 3 way is good . I choose number 3 .

Please note carefully how number 3 works ...

*You* either have to track between FreeBSD then and OpenBSD now ... two
different trees over however many years ...
... or track between FreeBSD then, whatever pf they imported from
OpenBSD then and do method 2 over any number of OpenBSD releases ...

Note the asterisks - *You*
Please let me know how it goes.
... method 1 is far simpler and better suited to your circumstances.
If you *try* method 1 (asterisks) you'll probably get pretty far on
your own and get enough help after that to get it working.
One rule at a time ...

Trying to do method 3 by yourself or asking others to help you or
asking others to do it all for you ... is not as good as method 1 ...

> I have pf.conf from FreeBSD and it
> work good for me over 3 months. But sometimes it dose not work good , I
> said my problem in first email .

I avoided that bit. It was the lack of paragraphs.
Yet you want to use it as a foundation for an OpenBSD pf.conf ...
This is problematic ... maybe you could start again from scratch?
See method 1 ...

> I want only understand : is this pf.conf work great in opnbsd or no ?

If it's designed for FreeBSD ... and doesn't work in FreeBSD ... it's
not realistic to think it might somehow work in OpenBSD.

I'm not sure if your english is a problem for you but you're way off course.

Best wishes.

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

mostafa faridi-2
Thanks
My problem is this I do not enough time to start from scratch and make new
rule .in my work place , my boss find another person can do internet
sharing with Windows 2008 and ISA and this person say he can make best
internet sharing server ,
I said before my my pf.conf in FreeBSD work good , but sometimes some user
lost internet and they can not browse web pages , but they can chat with
paltalk , after reboot or disbable or enable PF this problem solve . I
think I have mistakes or problems in my PF.conf . So after search in Google
, I see PF version in FreeBSD is so old , so I decided move from FreeBSD to
openBSD .
I wish my PF work good in OpenBSD
Thanks in advance.
On Nov 8, 2011 3:38 PM, "David Walker" <[hidden email]> wrote:

> Mostaf Faridi <mostafafaridi () gmail ! com> wrote:
> > Thanks
> > Your 3 way is good . I choose number 3 .
>
> Please note carefully how number 3 works ...
>
> *You* either have to track between FreeBSD then and OpenBSD now ... two
> different trees over however many years ...
> ... or track between FreeBSD then, whatever pf they imported from
> OpenBSD then and do method 2 over any number of OpenBSD releases ...
>
> Note the asterisks - *You*
> Please let me know how it goes.
> ... method 1 is far simpler and better suited to your circumstances.
> If you *try* method 1 (asterisks) you'll probably get pretty far on
> your own and get enough help after that to get it working.
> One rule at a time ...
>
> Trying to do method 3 by yourself or asking others to help you or
> asking others to do it all for you ... is not as good as method 1 ...
>
> > I have pf.conf from FreeBSD and it
> > work good for me over 3 months. But sometimes it dose not work good , I
> > said my problem in first email .
>
> I avoided that bit. It was the lack of paragraphs.
> Yet you want to use it as a foundation for an OpenBSD pf.conf ...
> This is problematic ... maybe you could start again from scratch?
> See method 1 ...
>
> > I want only understand : is this pf.conf work great in opnbsd or no ?
>
> If it's designed for FreeBSD ... and doesn't work in FreeBSD ... it's
> not realistic to think it might somehow work in OpenBSD.
>
> I'm not sure if your english is a problem for you but you're way off
> course.
>
> Best wishes.

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

David Walker-16
In reply to this post by mostafa faridi-2
Mostaf Faridi <mostafafaridi () gmail ! com> wrote:
> My problem is this I do not enough time to start from scratch and make new
> rule .

If you were moderately familiar with OpenBSD you could have, in the
time between the start of this thread and now, read pf.conf for
OpenBSD 5.0 and written on paper or wherever a complex ruleset.
If your boss won't allocate time for this and expects you to outsource
it to the web and whatever then he's doing it wrong.
You don't have a good enough familiarity with OpenBSD (or FreeBSD) to
know where to start. Right?

If you do plan to migrate then you should build a machine, install
OpenBSD 5.0, write a ruleset and test it.
In your workplace, testing may mean swapping the machines until
everyone complains and you swap them back and try again but doing it
the way you're doing it now (no experience, asking for copy and paste
administration, no testing) is wrong.

> in my work place , my boss find another person can do internet
> sharing with Windows 2008 and ISA and this person say he can make best
> internet sharing server

So you want pf on OpenBSD and don't want to see a Windows machine ...
... but you're not interested in reading about pf on OpenBSD ...

Who's running the current FreeBSD machine?
How come they can't understand it?
Why not troubleshoot that?
Etcetera ...
How will swapping to a new operating system be better than using the
current one which almost works?

If you want to stay with FreeBSD you should at a minimum understand
your current ruleset (removing any non-essential lines might be a good
start) if you want to get help on it. Again though you're in the wrong
place.
Can you explain what every line in the pf.conf you sent is for?
If not, find out, if it does nothing, delete it, whatever.

Describe your network, do you have issues with DNS, do you have a http
proxy, what tests have you done from clients, etcetera ...
Have you looked here:
http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&manpath=FreeBSD+8.2-RELEASE
So on and so forth.

Under those circumstances, maybe Windows is the better choice.
Certainly without any relevant OpenBSD experience you're better off
with FreeBSD right?

> I said before my my pf.conf in FreeBSD work good , but sometimes some user
> lost internet and they can not browse web pages , but they can chat with
> paltalk , after reboot or disbable or enable PF this problem solve .

Fine.
You have choices.

Fix your current setup which should involve reading the FreeBSD
pf.conf documentation and talking to people on the FreeBSD lists.
Goodbye.

Build an OpenBSD machine, in which case, talk to you when you've got a
machine running and you have some more appropriate questions. People
will help you.

Either way you're should be willing to invest time and if you won't do
that on your own and your boss doesn't want you to do it in work time
then let the Windows people worry about it. Good times.

Best wishes.

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

mehma sarja
In reply to this post by mostafa faridi-2
On 11/8/11 4:25 AM, Mostaf Faridi wrote:

> Thanks
> My problem is this I do not enough time to start from scratch and make new
> rule .in my work place , my boss find another person can do internet
> sharing with Windows 2008 and ISA and this person say he can make best
> internet sharing server ,
> I said before my my pf.conf in FreeBSD work good , but sometimes some user
> lost internet and they can not browse web pages , but they can chat with
> paltalk , after reboot or disbable or enable PF this problem solve . I
> think I have mistakes or problems in my PF.conf . So after search in Google
> , I see PF version in FreeBSD is so old , so I decided move from FreeBSD to
> openBSD .
> I wish my PF work good in OpenBSD
> Thanks in advance.
>
Yo Most...

You have selected the wrong product for your little project. If you
don't have the time, don't have a lot of expertise - don't select a
high-end system to implement. Let me suggest a smoother path for you...
pfSense. It is pf, based on FreeBSD and is web-based. It should ease you
into this pf world and get you going fairly fast. Throw away the pf.conf
you keep wagging and start from scratch ... even in pfSense. It gets you
going very fast. And the pfSense community (mailing list) is much more
aligned to help a newbie such as yourself.

Mehma

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

mostafa faridi-2
In reply to this post by David Walker-16
Thanks
Your guide learn me many thing .my experience with FreeBSD and OpenBSD is
good .but my experience with FreeBSD is much better . In work place I run
FreeBSD server for Samba and NAT and this server work good and work like
charm , but I do not know why PF does not work good , if you see my conf ,
you see my conf does not has problem , but I do not know why this conf does
not work good , and sometimes some users do not have internet and can not
browse webpage but they can chat with messenger .
I want migrate from FreeBSD to OpenBSD , yesterday I install OpenBSD 5
amd64 and run samba server with OpenBSD and it work good . In first step I
run samba server with OpenBSD , and after this I want run NAT server with
OpenBSD . And for start I want understand , is my PF.conf work in OpenBSD
or no ?
I hate Windows OS , and want only run all of my servers with BSD, specially
OpenBSD.
Thanks in advance
On Nov 8, 2011 5:32 PM, "David Walker" <[hidden email]> wrote:

> Mostaf Faridi <mostafafaridi () gmail ! com> wrote:
> > My problem is this I do not enough time to start from scratch and make
> new
> > rule .
>
> If you were moderately familiar with OpenBSD you could have, in the
> time between the start of this thread and now, read pf.conf for
> OpenBSD 5.0 and written on paper or wherever a complex ruleset.
> If your boss won't allocate time for this and expects you to outsource
> it to the web and whatever then he's doing it wrong.
> You don't have a good enough familiarity with OpenBSD (or FreeBSD) to
> know where to start. Right?
>
> If you do plan to migrate then you should build a machine, install
> OpenBSD 5.0, write a ruleset and test it.
> In your workplace, testing may mean swapping the machines until
> everyone complains and you swap them back and try again but doing it
> the way you're doing it now (no experience, asking for copy and paste
> administration, no testing) is wrong.
>
> > in my work place , my boss find another person can do internet
> > sharing with Windows 2008 and ISA and this person say he can make best
> > internet sharing server
>
> So you want pf on OpenBSD and don't want to see a Windows machine ...
> ... but you're not interested in reading about pf on OpenBSD ...
>
> Who's running the current FreeBSD machine?
> How come they can't understand it?
> Why not troubleshoot that?
> Etcetera ...
> How will swapping to a new operating system be better than using the
> current one which almost works?
>
> If you want to stay with FreeBSD you should at a minimum understand
> your current ruleset (removing any non-essential lines might be a good
> start) if you want to get help on it. Again though you're in the wrong
> place.
> Can you explain what every line in the pf.conf you sent is for?
> If not, find out, if it does nothing, delete it, whatever.
>
> Describe your network, do you have issues with DNS, do you have a http
> proxy, what tests have you done from clients, etcetera ...
> Have you looked here:
>
> http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&manpath=FreeBSD+8.2-RELEASE
> So on and so forth.
>
> Under those circumstances, maybe Windows is the better choice.
> Certainly without any relevant OpenBSD experience you're better off
> with FreeBSD right?
>
> > I said before my my pf.conf in FreeBSD work good , but sometimes some
> user
> > lost internet and they can not browse web pages , but they can chat with
> > paltalk , after reboot or disbable or enable PF this problem solve .
>
> Fine.
> You have choices.
>
> Fix your current setup which should involve reading the FreeBSD
> pf.conf documentation and talking to people on the FreeBSD lists.
> Goodbye.
>
> Build an OpenBSD machine, in which case, talk to you when you've got a
> machine running and you have some more appropriate questions. People
> will help you.
>
> Either way you're should be willing to invest time and if you won't do
> that on your own and your boss doesn't want you to do it in work time
> then let the Windows people worry about it. Good times.
>
> Best wishes.

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

Bentley, Dain
In reply to this post by mostafa faridi-2
No it will not. The version in FreeBSD is older and thus the syntax has
changed. Read the pf faq on the OpenBSD website. Also why are you running
samba on your firewall?

Sent from my Android phone using TouchDown (www.nitrodesk.com)

-----Original Message-----
From: Mostaf Faridi [[hidden email]]
Received: Tuesday, 08 Nov 2011, 1:46pm
To: David Walker [[hidden email]]
CC: [hidden email] [[hidden email]]
Subject: Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

Thanks
Your guide learn me many thing .my experience with FreeBSD and OpenBSD is
good .but my experience with FreeBSD is much better . In work place I run
FreeBSD server for Samba and NAT and this server work good and work like
charm , but I do not know why PF does not work good , if you see my conf ,
you see my conf does not has problem , but I do not know why this conf does
not work good , and sometimes some users do not have internet and can not
browse webpage but they can chat with messenger .
I want migrate from FreeBSD to OpenBSD , yesterday I install OpenBSD 5
amd64 and run samba server with OpenBSD and it work good . In first step I
run samba server with OpenBSD , and after this I want run NAT server with
OpenBSD . And for start I want understand , is my PF.conf work in OpenBSD
or no ?
I hate Windows OS , and want only run all of my servers with BSD, specially
OpenBSD.
Thanks in advance
On Nov 8, 2011 5:32 PM, "David Walker" <[hidden email]> wrote:

> Mostaf Faridi <mostafafaridi () gmail ! com> wrote:
> > My problem is this I do not enough time to start from scratch and make
> new
> > rule .
>
> If you were moderately familiar with OpenBSD you could have, in the
> time between the start of this thread and now, read pf.conf for
> OpenBSD 5.0 and written on paper or wherever a complex ruleset.
> If your boss won't allocate time for this and expects you to outsource
> it to the web and whatever then he's doing it wrong.
> You don't have a good enough familiarity with OpenBSD (or FreeBSD) to
> know where to start. Right?
>
> If you do plan to migrate then you should build a machine, install
> OpenBSD 5.0, write a ruleset and test it.
> In your workplace, testing may mean swapping the machines until
> everyone complains and you swap them back and try again but doing it
> the way you're doing it now (no experience, asking for copy and paste
> administration, no testing) is wrong.
>
> > in my work place , my boss find another person can do internet
> > sharing with Windows 2008 and ISA and this person say he can make best
> > internet sharing server
>
> So you want pf on OpenBSD and don't want to see a Windows machine ...
> ... but you're not interested in reading about pf on OpenBSD ...
>
> Who's running the current FreeBSD machine?
> How come they can't understand it?
> Why not troubleshoot that?
> Etcetera ...
> How will swapping to a new operating system be better than using the
> current one which almost works?
>
> If you want to stay with FreeBSD you should at a minimum understand
> your current ruleset (removing any non-essential lines might be a good
> start) if you want to get help on it. Again though you're in the wrong
> place.
> Can you explain what every line in the pf.conf you sent is for?
> If not, find out, if it does nothing, delete it, whatever.
>
> Describe your network, do you have issues with DNS, do you have a http
> proxy, what tests have you done from clients, etcetera ...
> Have you looked here:
>
>
http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&manpath=FreeBSD+8.2-
RELEASE

> So on and so forth.
>
> Under those circumstances, maybe Windows is the better choice.
> Certainly without any relevant OpenBSD experience you're better off
> with FreeBSD right?
>
> > I said before my my pf.conf in FreeBSD work good , but sometimes some
> user
> > lost internet and they can not browse web pages , but they can chat with
> > paltalk , after reboot or disbable or enable PF this problem solve .
>
> Fine.
> You have choices.
>
> Fix your current setup which should involve reading the FreeBSD
> pf.conf documentation and talking to people on the FreeBSD lists.
> Goodbye.
>
> Build an OpenBSD machine, in which case, talk to you when you've got a
> machine running and you have some more appropriate questions. People
> will help you.
>
> Either way you're should be willing to invest time and if you won't do
> that on your own and your boss doesn't want you to do it in work time
> then let the Windows people worry about it. Good times.
>
> Best wishes.

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

David Walker-16
In reply to this post by mostafa faridi-2
Mostaf Faridi <mostafafaridi () gmail ! com> wrote:
> I want migrate from FreeBSD to OpenBSD , yesterday I install OpenBSD 5
> amd64 and run samba server with OpenBSD and it work good . In first step I
> run samba server with OpenBSD , and after this I want run NAT server with
> OpenBSD .

Great.

> And for start I want understand , is my PF.conf work in OpenBSD
> or no ?

No.

Next question ...
What's the best way to get from there to OpenBSD 5.0 pf.conf?

Start from scratch.
If you can do all the other things (install, samba, etcetera) you can
start writing a pf.conf from scratch.
You should be writing one for the Samba server ... so you should look
upon this as an essential skill.
Besides, if somebody moves the network in the future (add a few
machines maybe) what will you do?

Follow the dots.
Get the pf.conf man page ...

Work out your macros ...
Hint, that's all the stuff from the old pf.conf with an "=".

Another hint, this is the entire macro text as it applies to you:

     Macros can be defined that will later be expanded in context.  Macro
     names must start with a letter, and may contain letters, digits and
     underscores.  Macro names may not be reserved words (for example pass,
     in, out).  Macros are not expanded inside quotes.

     For example:

           ext_if = "kue0"
           all_ifs = "{" $ext_if lo0 "}"
           pass out on $ext_if from any to any
           pass in  on $ext_if proto tcp from any to any port 25

Next hint, the only difficult bit about that is "Macros are not
expanded inside quotes." and the use of quotes inside the braces ...
The $ should help you work that out.

Happy hint, that's half your work done in five minutes by copying and
pasting from your old pf.conf ...
In this case it's okay if you follow the dots - read the man page, if
it's the same syntax then it's the same syntax.

Work out your OPTIONS ...
Keep it really simple, for example in your old pf.conf you load
fingerprints but don't appear to use them.
Hint, you probably don't need any options at all to start (i.e.
default will be fine).
Do you understand your timeouts and limit? If not, don't use them.

Work out your TABLES ...
Or better yet don't use them until you have a working NAT system.
Hint, as near as I can tell ... you're not using any of the tables in
your pf.conf ...
Check that and then ... get rid of them.

Read the small section in the man page on "Translation" under PACKET
FILTERING - its a few pages down.
Look at the EXAMPLES for some ideas.
Write one NAT rule and one RDR rule, using your macros.
If you get stuck go here:
http://www.openbsd.org/faq/pf/nat.html#config
http://www.openbsd.org/faq/pf/rdr.html#filter

If you're still stuck go here:
http://www.openbsd.org/faq/pf/example1.html

Bear in mind that parts of the PF FAQ might be still in 4.9 and you want 5.0 ...
Someone else should be able to answer that but ... the man page will
give you an answer.

Once you've got that worked out ...
Do NAT and RDR for all your other macros ...

Test.

Then worry about all the other stuff.

If you can install and use OpenBSD you can learn pf or at least if you
won't learn pf you shouldn't be installing and using OpenBSD at least
not in a packet filtering role. :]

> I hate Windows OS , and want only run all of my servers with BSD, specially
> OpenBSD.

I only want my servers to run OpenBSD but I'm happy to use Windows on
the desktop.

Best wishes.

Reply | Threaded
Open this post in threaded view
|

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

mostafa faridi-2
On 11/09/2011 02:30 AM, David Walker wrote:

> Mostaf Faridi<mostafafaridi () gmail ! com>  wrote:
>> I want migrate from FreeBSD to OpenBSD , yesterday I install OpenBSD 5
>> amd64 and run samba server with OpenBSD and it work good . In first step I
>> run samba server with OpenBSD , and after this I want run NAT server with
>> OpenBSD .
> Great.
>
>> And for start I want understand , is my PF.conf work in OpenBSD
>> or no ?
> No.
>
> Next question ...
> What's the best way to get from there to OpenBSD 5.0 pf.conf?
>
> Start from scratch.
> If you can do all the other things (install, samba, etcetera) you can
> start writing a pf.conf from scratch.
> You should be writing one for the Samba server ... so you should look
> upon this as an essential skill.
> Besides, if somebody moves the network in the future (add a few
> machines maybe) what will you do?
>
> Follow the dots.
> Get the pf.conf man page ...
>
> Work out your macros ...
> Hint, that's all the stuff from the old pf.conf with an "=".
>
> Another hint, this is the entire macro text as it applies to you:
>
>       Macros can be defined that will later be expanded in context.  Macro
>       names must start with a letter, and may contain letters, digits and
>       underscores.  Macro names may not be reserved words (for example pass,
>       in, out).  Macros are not expanded inside quotes.
>
>       For example:
>
>             ext_if = "kue0"
>             all_ifs = "{" $ext_if lo0 "}"
>             pass out on $ext_if from any to any
>             pass in  on $ext_if proto tcp from any to any port 25
>
> Next hint, the only difficult bit about that is "Macros are not
> expanded inside quotes." and the use of quotes inside the braces ...
> The $ should help you work that out.
>
> Happy hint, that's half your work done in five minutes by copying and
> pasting from your old pf.conf ...
> In this case it's okay if you follow the dots - read the man page, if
> it's the same syntax then it's the same syntax.
>
> Work out your OPTIONS ...
> Keep it really simple, for example in your old pf.conf you load
> fingerprints but don't appear to use them.
> Hint, you probably don't need any options at all to start (i.e.
> default will be fine).
> Do you understand your timeouts and limit? If not, don't use them.
>
> Work out your TABLES ...
> Or better yet don't use them until you have a working NAT system.
> Hint, as near as I can tell ... you're not using any of the tables in
> your pf.conf ...
> Check that and then ... get rid of them.
>
> Read the small section in the man page on "Translation" under PACKET
> FILTERING - its a few pages down.
> Look at the EXAMPLES for some ideas.
> Write one NAT rule and one RDR rule, using your macros.
> If you get stuck go here:
> http://www.openbsd.org/faq/pf/nat.html#config
> http://www.openbsd.org/faq/pf/rdr.html#filter
>
> If you're still stuck go here:
> http://www.openbsd.org/faq/pf/example1.html
>
> Bear in mind that parts of the PF FAQ might be still in 4.9 and you want 5.0 ...
> Someone else should be able to answer that but ... the man page will
> give you an answer.
>
> Once you've got that worked out ...
> Do NAT and RDR for all your other macros ...
>
> Test.
>
> Then worry about all the other stuff.
>
> If you can install and use OpenBSD you can learn pf or at least if you
> won't learn pf you shouldn't be installing and using OpenBSD at least
> not in a packet filtering role. :]
>
>> I hate Windows OS , and want only run all of my servers with BSD, specially
>> OpenBSD.
> I only want my servers to run OpenBSD but I'm happy to use Windows on
> the desktop.
>
> Best wishes.
>
>
Thanks
all guys ,
I read documents about pf  in  OpenBSD  and I think . when I want my
pf.conf work in OpenBSD 5 , I have to change it . and I change my pf
like this :



@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


############################### MACROS
############################################################

ext_if          = "sk0"
int_if          = "re0"
External_net    = "10.10.10.192/27"
Local_net       = "192.168.0.0/24"
Local_Web       = "192.168.0.10"
Local_Srv       = "192.168.0.1"
Prtcol          = "{ tcp, udp }"
Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"

#Define ports for common internet services
#TCP_SRV         = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
#UDP_SRV         = "{ 53 }"
TCP_SRV         = "{ 80, 443 }"
UDP_SRV         = "{ }"
Samba_TCP       = "{ 139, 445 }"
Samba_UDP       = "{ 137, 138 }"


SERVER          = "10.10.10.200"
NAT1            = "10.10.10.194"
NAT2            = "10.10.10.195"
NAT3            = "10.10.10.196"
NAT4            = "10.10.10.197"
NAT5            = "10.10.10.198"
NAT6            = "10.10.10.199"
NAT7            = "10.10.10.201"
NAT8            = "10.10.10.202"
NAT9            = "10.10.10.203"
NAT10           = "10.10.10.204"
NAT11           = "10.10.10.205"
NAT12           = "10.10.10.206"
NAT13           = "10.10.10.207"
NAT14           = "10.10.10.208"
NAT15           = "10.10.10.209"
NAT16           = "10.10.10.210"
NAT17           = "10.10.10.211"
NAT18           = "10.10.10.212"
NAT19           = "10.10.10.213"
NAT20           = "10.10.10.214"
NAT21           = "10.10.10.215"
NAT22           = "10.10.10.216"
NAT23           = "10.10.10.217"
NAT24           = "10.10.10.218"
NAT25           = "10.10.10.219"

#### All IP of Groups which can be connect to Internet
paltalk1        = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2        = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3        = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28,
192.168.0.29 }"
webdsgn1        = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2        = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3        = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4        = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5        = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6        = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7        = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8        = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53,
192.168.0.54 }"
rased1          = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2          = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3          = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4          = "{ 192.168.0.69, 192.168.0.70 }"
rased5          = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202,
192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6          = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208,
192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7          = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214,
192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8          = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220,
192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224,
192.168.0.225  }"
admin1          = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2          = "{ 192.168.0.58, 192.168.0.59 }"

############################### TABLES
############################################################

#Define privileged network address sets
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12,
10.0.0.0/8, 0.0.0.0/8, \
                           14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23,
224.0.0.0/3 }
table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
table <hackers> persist file "/usr/local/pf/Network/hackers.lst"

#Define Favoured client hosts
table <Admin>   persist file "/usr/local/pf/Network/Admin.lst"
table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
table <Rased>   persist file "/usr/local/pf/Network/Rased.lst"
table <LocalHost> const { self }

############################### OPTIONS
############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound


############################### TRAFFIC NORMALIZATION
##############################################
#Filter traffic for unusual packets
scrub in all


############################### TRANSLATION
######################################################

#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER


match out on egress inet from !(paltalk1) to any nat-to (NAT1)

match out on egress inet from !(paltalk2) to any nat-to (NAT2)

match out on egress inet from !(paltalk3) to any nat-to (NAT3)

match out on egress inet from !(webdsgn1) to any nat-to (NAT4)

match out on egress inet from !(webdsgn2) to any nat-to (NAT5)

match out on egress inet from !(webdsgn3) to any nat-to (NAT6)

match out on egress inet from !(webdsgn4) to any nat-to (NAT7)

match out on egress inet from !(webdsgn5) to any nat-to (NAT8)

match out on egress inet from !(webdsgn6) to any nat-to (NAT9)

match out on egress inet from !(webdsgn7) to any nat-to (NAT10)

match out on egress inet from !(webdsgn8) to any nat-to (NAT11)

match out on egress inet from !(rased1) to any nat-to (NAT12:0)

match out on egress inet from !(rased2) to any nat-to (NAT13)

match out on egress inet from !(rased3) to any nat-to (NAT14)

match out on egress inet from !(rased4) to any nat-to (NAT15)

match out on egress inet from !(rased5) to any nat-to (NAT16)

match out on egress inet from !(rased6) to any nat-to (NAT17)

match out on egress inet from !(rased7) to any nat-to (NAT18)

match out on egress inet from !(rased8) to any nat-to (NAT19)

match out on egress inet from !(admin1) to any nat-to (NAT20)

match out on egress inet from !(admin2) to any nat-to (NAT21)



############################### PACKET FILTERING
#################################################

# Default Rule
pass quick on { $ext_if, $int_if } all keep state




@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@








much different is in NAT rule , and other things is simillar old pf.

I have 27 valid IPs or static IPs , and I have to put many lines in my
pf.conf


I want three invalid IPs  assigned to one Valid or static IP.  for example
if my valid IP is 10.10.10.1 , I need these IPs 192.168.0.1 ,
192.168.0.2 , 192.168.0.3 assigned to 10.10.10.1


this is my net work digram
|
             |
             |
------------|------------
      10.10.10.192/27
          external

    OpenBSD pf firewall

         internal
      192.168.168.0.1/24
------------|------------
             |
             |
             |


please help me to find my mistakes in this new pf.conf
I will use it OpenBSD 5 server .

if I have mistake or error in this pf.conf , please help me .


best wishes,
mfaridi

12