OpenBSD pf Egress Filtering

0

I am attempting to build a simple pf.conf which includes NAT, allowing traffic out of the network from all systems on a select series of ports. In my basic configuration I have an internal server that hosts HTTP/HTTPS, which will be accessible from the outside via the NATed IP. From the inside I would only like clients to leave the network on DNS/HTTP/HTTPS.

int_if="eth0"
ext_if="eth1"
localnet=$int_if:network

# NAT: hide the internal network behind the external address
nat on $ext_if from $localnet to any -> ($ext_if)
comp1="172.16.0.1"
# Redirect inbound web traffic for the external address to the internal server
rdr on $ext_if proto tcp from any to ($ext_if) port http -> $comp1
rdr on $ext_if proto tcp from any to ($ext_if) port https -> $comp1

client_out_tcp = "{ http, https }"
client_out_udp = "{ 53 }"
pass inet proto tcp from $localnet to any port $client_out_tcp
pass inet proto udp from $localnet to any port $client_out_udp

With this configuration, my server is contacted on the proper ports as I designed; however, my clients can always leave the network, no matter what.

Blackninja543

Posted 2014-01-02T22:55:53.240

Reputation: 101

Answers

0

The default action is to pass the packet if no rules are matched.

If you don't want that, the first packet filtering rule should be

block all

If you want to regulate outgoing traffic, you should specify it as such:

# Block by default. (pass rules should follow later).
# The "log" keyword records the dropped packets on pflog0; "label" tags them for pfctl -s labels.
block out log on $ext_if all label "outblock"
# What to pass
client_out_tcp = "{ http, https }"
client_out_udp = "{ 53 }"
pass out inet proto tcp from $localnet to any port $client_out_tcp
pass out inet proto udp from $localnet to any port $client_out_udp

Roland Smith

Posted 2014-01-02T22:55:53.240

Reputation: 1 712
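A complete pf.conf for the setup in the question, added here as an illustration; it is not code from either post. It keeps the pre-OpenBSD 4.7 nat/rdr syntax the question uses, and the interface names, the 172.16.0.1 server address and the macro names are taken from the question; the `set skip on lo` line, the `server_ports` macro and the choice of where to enforce the policy are this example's own. One caveat a practitioner should know about the old syntax: translation rules are evaluated before filter rules, so a `pass out` rule on $ext_if sees the packet after NAT, with the external address as source rather than $localnet. The per-port egress decision is therefore made on the inbound side of $int_if, where the client's real address is still visible, and the (floating, default) state created there carries the packet through $ext_if.

```pf
# Added example: a complete /etc/pf.conf for the question's setup, written in
# the pre-OpenBSD 4.7 nat/rdr syntax the question uses. Interface names and
# the server address come from the question; the rest is this example's choice.
int_if   = "eth0"
ext_if   = "eth1"
localnet = $int_if:network
comp1    = "172.16.0.1"

client_out_tcp = "{ http, https }"
client_out_udp = "{ domain }"          # 53/udp
server_ports   = "{ http, https }"

set skip on lo

# --- Translation (the old syntax requires this section before filter rules) ---
# Hide the internal network behind the external address.
nat on $ext_if inet from $localnet to any -> ($ext_if)
# Forward inbound web traffic for the external address to the internal server.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $server_ports -> $comp1

# --- Filtering ---
# Default deny, both directions, every interface; everything below is an
# exception. "log" makes the drops visible on pflog0.
block log all

# Egress policy, enforced on $int_if. The nat rule only applies on $ext_if,
# so here the filter still sees the client's real source address. The state
# created by these rules is floating (the default state-policy), so the same
# packet is also matched when it leaves on $ext_if.
pass in on $int_if inet proto tcp from $localnet to any port $client_out_tcp
pass in on $int_if inet proto udp from $localnet to any port $client_out_udp

# Let translated packets (source is now the external address) leave.
# Client traffic that did not match the two rules above was already dropped
# on $int_if, so this does not widen the egress policy.
pass out on $ext_if inet from ($ext_if) to any

# Inbound to the published web server. On $ext_if the filter sees the packet
# after rdr, so the destination to match is $comp1, not ($ext_if).
pass in on $ext_if inet proto tcp from any to $comp1 port $server_ports
```

Check it before loading with `pfctl -nf /etc/pf.conf` (parse only), then load with `pfctl -f /etc/pf.conf`. To confirm the policy, try an outbound connection from a client on a port not in the list (for example `nc -vz <some external host> 22`) and watch it being dropped with `tcpdump -n -e -ttt -i pflog0`, while a connection to port 80 or 443 succeeds. On OpenBSD 4.7 and later the two translation lines are written as `match out on $ext_if inet from $localnet to any nat-to ($ext_if)` and `pass in on $ext_if inet proto tcp from any to ($ext_if) port $server_ports rdr-to $comp1`; the rest of the ruleset is unchanged.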