Home Firewall


In this example, we are using OpenBSD to provide very basic NAT, routing, and firewall protection services to a home user with a DSL connection. This home network is not providing any services to the outside world; it's literally as simple as you can get with NAT.


Here, we have an OpenBSD machine attached to the public Internet via a DHCP connection. Our internal network uses the private address range 192.168.0.0/24, routing through the default gateway of 192.168.1.1. Normally we don't want anyone coming in from the outside world, but we will leave port 22 open so we can SSH home from other locations.

#set our macros
ext_if="fxp1"           #the external interface
int_if="fxp0"           #the internal interface
internal_net="192.168.1.0/24"

#first, normalize packets we transmit and receive
scrub in all

#then, give NAT to our internal addresses
#(note: this is the pre-OpenBSD 4.7 syntax; 4.7 and later express NAT and
#redirection as "match ... nat-to" / "rdr-to" options on filter rules)
nat on $ext_if from $internal_net to any -> ($ext_if)

#We want outbound FTP to work properly, so let's enable the
#FTP proxy.  Be sure you have ftp-proxy running out of inetd(8)!
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

#We're not doing any packet shaping, so let's go directly to the
#packet filtering.  We'll block everything first, and then only
#explicitly allow desirable traffic.
block in log all

#As our client operating systems may be running some godforsaken
#operating system with poor ISN selection, we'll use state modulation.
pass in on $int_if inet from $internal_net to any modulate state

#I'd like to be able to SSH to my network from anywhere
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh keep state

#and, don't forget to allow our ftp-proxy program to connect back to
#the firewall!  ("user proxy" matches sockets owned by the proxy user,
#which is how the data connections ftp-proxy opens get through)
pass in on $ext_if inet proto tcp from any to ($ext_if) user proxy keep state
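As an added illustration (not from the book), the following script audits a ruleset like the one above from the defender's side: it expands the macros, confirms the default-deny rule is present, and lists exactly what the "pass in" rules admit on the external interface. The embedded ruleset is a constructed copy of this page's configuration with the comments trimmed.

```python
import re

# Constructed copy of the page's ruleset (pre-OpenBSD 4.7 syntax), embedded so
# the audit runs anywhere, without pf or pfctl being present.
PF_CONF = """\
ext_if="fxp1"           #the external interface
int_if="fxp0"           #the internal interface
internal_net="192.168.1.0/24"
scrub in all
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
block in log all
pass in on $int_if inet from $internal_net to any modulate state
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) user proxy keep state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def expand(conf):
    """Strip comments, collect macro definitions, return (macros, rules with $macros expanded)."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # pf comments run from '#' to end of line
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        rules.append(re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line))
    return macros, rules

def external_exposure(conf):
    """Return (default_deny, exposed). 'exposed' holds one (proto, port, restriction)
    tuple per 'pass in' rule on the external interface; 'any' means unrestricted."""
    macros, rules = expand(conf)
    ext = macros["ext_if"]
    default_deny = any(r.startswith("block in") and r.endswith(" all") for r in rules)
    exposed = []
    for r in rules:
        if not r.startswith("pass in on " + ext + " "):
            continue
        proto = re.search(r"\bproto (\w+)", r)
        port = re.search(r"\bport (\w+)", r)
        user = re.search(r"\buser (\w+)", r)
        exposed.append((proto.group(1) if proto else "any",
                        port.group(1) if port else "any",
                        "user=" + user.group(1) if user else ""))
    return default_deny, exposed

def stateless_pass_rules(conf):
    """List 'pass' rules that neither keep nor modulate state (each should be reviewed)."""
    return [r for r in expand(conf)[1]
            if r.startswith("pass ") and not re.search(r"\b(keep|modulate) state\b", r)]
```

For this ruleset the audit reports default deny present, SSH plus the proxy-owned sockets reachable on fxp1, and no stateless pass rules.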




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298
