Prerequisites
To follow this tutorial, you will need:
An OpenBSD system with at least two network interfaces, one connected to the internet (egress) and one connected to the local network (lan).
A basic understanding of PF syntax and rules. You can refer to the [PF User's Guide] for more information.
A text editor of your choice, such as vi or nano.
Step 1: Enable IP Forwarding
The first step is to enable IP forwarding on the OpenBSD system, which allows it to forward packets between different networks. To do this, edit the /etc/sysctl.conf file and add the following line:
net.inet.ip.forwarding=1
Save and close the file, and then run the following command to apply the change:
sysctl net.inet.ip.forwarding=1
Step 2: Configure Network Interfaces
The next step is to configure the network interfaces on the OpenBSD system. In this example, we will use em0 as the egress interface and em1 as the lan interface. You can use any interface names that match your system. Edit the /etc/hostname.em0 file and add the following line:
inet autoconf
This will enable DHCP on the egress interface and obtain an IP address from the internet service provider. Alternatively, you can use a static IP address if you prefer. Edit the /etc/hostname.em1 file and add the following line:
inet 192.168.1.1 255.255.255.0 192.168.1.255
This will assign the static address 192.168.1.1/24 to the lan interface (the third field, 192.168.1.255, is the broadcast address); clients on the local network will use this address as their default gateway. You can use any private IP address range that suits your needs. Save and close the files, and then run the following command to apply the changes:
sh /etc/netstart
Step 3: Configure PF Rules
The final step is to configure PF rules that will perform NAT, firewall, and routing functions. Edit the /etc/pf.conf file and add the following lines:
ext_if="em0"
int_if="em1"

# Define a table of private IP addresses that should not be routed
table <privnets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Skip filtering entirely on the loopback interface (options conventionally come before the rules)
set skip on lo

# Enable NAT for outgoing traffic from the lan interface
match out on $ext_if from $int_if:network nat-to ($ext_if)

# Block incoming traffic claiming a private source address (anti-spoofing)
block in quick on $ext_if from <privnets> to any

# Block outgoing traffic to private IP addresses
block out quick on $ext_if from any to <privnets>

# Allow all outgoing traffic on the egress interface
pass out quick on $ext_if

# Allow all incoming traffic on the lan interface
# (with quick this rule matches first, so the more specific rules below only take effect once it is removed)
pass in quick on $int_if

# Allow ping and traceroute from the lan interface
pass in on $int_if inet proto icmp icmp-type { echoreq, timex }

# Allow DNS queries from the lan interface
pass in on $int_if inet proto udp from $int_if:network to port domain

# Allow HTTP and HTTPS requests from the lan interface
pass in on $int_if inet proto tcp from $int_if:network to port { http https }
These basic rules allow the clients on the local network to reach the internet while dropping unwanted traffic arriving from it. You can modify or add more rules according to your needs. For more information on PF syntax and options, please refer to the [pf.conf] man page. Save and close the file, and then run the following command to load the rules:
pfctl -f /etc/pf.conf
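The three steps above can be applied from a single script. The following is an added example, not code from the original tutorial: it writes the same files under a configurable root directory so it can be dry-run in a scratch directory, keeps the sysctl.conf edit idempotent, and parses the ruleset with pfctl -n before loading it. The function names, the script name router.sh and the root/interface arguments are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: applies the three steps
# from one script. Everything is written below $root so the script can be
# dry-run in a scratch directory; the interface and address arguments are
# assumed names, not read from a real system.
set -eu

# Step 1: persist net.inet.ip.forwarding=1 without duplicating the line and
# while replacing any conflicting value already present in sysctl.conf.
enable_forwarding() {
    root=$1
    conf="$root/etc/sysctl.conf"
    mkdir -p "$root/etc"
    touch "$conf"
    if grep -q '^net.inet.ip.forwarding=1$' "$conf"; then
        return 0            # already configured, nothing to do
    fi
    # grep -v exits 1 when it selects nothing, so tolerate an empty result
    grep -v '^net.inet.ip.forwarding=' "$conf" > "$conf.tmp" || true
    echo 'net.inet.ip.forwarding=1' >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Step 2: hostname.if files for the egress (DHCP) and lan (static) interfaces.
write_hostname_files() {
    root=$1 ext=$2 int=$3 addr=$4 mask=$5
    mkdir -p "$root/etc"
    printf 'inet autoconf\n' > "$root/etc/hostname.$ext"
    printf 'inet %s %s\n' "$addr" "$mask" > "$root/etc/hostname.$int"
    # hostname.if files are root-only (0640) on OpenBSD; keep that in the copy too
    chmod 0640 "$root/etc/hostname.$ext" "$root/etc/hostname.$int"
}

# Step 3: render the tutorial's ruleset with the given interface names.
# Inside the heredoc, \$ keeps the PF macro references literal.
write_pf_conf() {
    root=$1 ext=$2 int=$3
    mkdir -p "$root/etc"
    cat > "$root/etc/pf.conf" <<EOF
ext_if="$ext"
int_if="$int"
table <privnets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
set skip on lo
match out on \$ext_if from \$int_if:network nat-to (\$ext_if)
block in quick on \$ext_if from <privnets> to any
block out quick on \$ext_if from any to <privnets>
pass out quick on \$ext_if
pass in quick on \$int_if
pass in on \$int_if inet proto icmp icmp-type { echoreq, timex }
pass in on \$int_if inet proto udp from \$int_if:network to port domain
pass in on \$int_if inet proto tcp from \$int_if:network to port { http https }
EOF
}

# Parse the ruleset with pfctl -n first; only a file that parses cleanly is
# loaded, so a typo is reported instead of silently leaving the old ruleset
# active. Returns 2 when pfctl is not installed (e.g. during a dry run).
load_pf_rules() {
    conf=$1
    command -v pfctl >/dev/null 2>&1 || return 2
    pfctl -nf "$conf" || return 1
    pfctl -f "$conf"
}

# Usage on the router itself (as root): sh router.sh apply em0 em1
if [ "${1:-}" = "apply" ]; then
    enable_forwarding ""
    write_hostname_files "" "$2" "$3" 192.168.1.1 255.255.255.0
    write_pf_conf "" "$2" "$3"
    sysctl net.inet.ip.forwarding=1
    sh /etc/netstart
    load_pf_rules /etc/pf.conf
fi
```

Running the functions with a scratch directory as the root argument lets you inspect the generated /etc files before touching the real ones. One caveat worth checking before you load the ruleset: if the egress interface itself is assigned an address from one of the <privnets> ranges (for example when the OpenBSD box sits behind a consumer router), the block rules on $ext_if will also drop traffic to and from that upstream router, so trim the table to match your topology.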
Congratulations! You have successfully configured OpenBSD routing with PF. You can now test your setup by pinging or browsing the internet from a client machine on the local network. You can also use the [pfctl] command to monitor and control PF, such as viewing the status, statistics, tables, and rules.
We hope you have found this article helpful and informative. Thank you for reading and happy routing!