Thursday, July 14, 2005

OoOoh

i just made my first packet filter with OpenBSD. it's cool cause it's a bridge so it's transparent. it has no ip so you can't ping it, it doesn't make traffic, etc. i got bad instructions from some guy on the internet. most of what he did worked, but his rulesets were bunk. luckily we figured it out and it ended up being a lot shorter than the guy's. and the top of my pf.conf has a cute little face. he looks like this:
                                 \\\//
                                 (o o)
----------------------------oo0o--(_)--o0oo----------------------

hooray for ascii creativity. So if anyone is a nerd/geek/computerperson/interested-in-transparent-filters, read on. if not, stop now for the next bit will be boring and nonunderstandable.

### Enable IP forwarding
# edit /etc/sysctl.conf
# uncomment the line: net.inet.ip.forwarding=1
###

### Bridge interfaces em0 and em1
# ifconfig em0 delete
# echo 'up' > /etc/hostname.em0

# ifconfig em1 delete
# echo 'up' > /etc/hostname.em1

# echo 'add em0 add em1 up' > /etc/bridgename.bridge0

# Verify bridge by running ifconfig -a. Output should include:
# bridge0: flags=41 mtu 1500
###

### Enable packet filtering
# edit /etc/rc.conf
# pf is disabled by default. change to:
# pf=YES
###

### Ruleset for transparent firewall on bridged interfaces
# /etc/pf.conf
#-------------------------------------------------------------------------
# Interface aliases

ext_if="em0"
int_if="em1"

# Block and log all incoming traffic on the external interface.
# The pass rules below override this for the traffic they match, because
# pf applies the last matching rule (none of these rules use "quick").
block in log on $ext_if all

# Pass in SSH (22), SMB over TCP (445), and Microsoft RDP (3389)
# Pass in DHCP traffic addressed to the bootpc (client) port
# keep state creates a state-table entry, so the rest of the connection
# is matched against the state table instead of being re-evaluated
# against the ruleset
pass in on $ext_if proto tcp to any port { ssh, 445, 3389 } keep state
pass in on $ext_if proto udp from any to any port { bootpc }

# Pass out new connections and keep state so their replies are let back in.
# flags S/SA matches TCP packets with SYN set and ACK clear (the first packet
# of a new connection); packets of other protocols match regardless of flags.
pass out on $ext_if all flags S/SA keep state

### End ruleset
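The evaluation order that makes this ruleset work (the block in rule first, pass in rules that override it because the last matching rule wins, and keep state letting replies back through the block) is easier to see in code. The following Python model is an added example, not code from the post or from OpenBSD's pf; the Packet and Rule shapes, the state key and the flag check are its own simplifications, and it evaluates packets on $ext_if only.

```python
from collections import namedtuple

EXT_IF = "em0"  # $ext_if in the post's pf.conf; the model only filters this interface
# direction is "in"/"out" on iface; flags are the TCP flags set, e.g. "S", "SA", "A"
Packet = namedtuple("Packet", "iface direction proto src sport dst dport flags",
                    defaults=("",))
# proto None = any protocol, dports empty = any port,
# flags "S/SA" = of SYN and ACK only SYN may be set (checked for TCP only)
Rule = namedtuple("Rule", "action direction proto dports flags keep_state log",
                  defaults=(None, False, False))
# The post's ruleset, rule for rule, in file order; no rule uses "quick"
RULESET = [
    Rule("block", "in", None, set(), log=True),
    Rule("pass", "in", "tcp", {22, 445, 3389}, keep_state=True),
    Rule("pass", "in", "udp", {68}),                         # bootpc
    Rule("pass", "out", None, set(), "S/SA", keep_state=True),
]

def matches(r, p):
    if p.iface != EXT_IF or p.direction != r.direction:
        return False
    if r.proto and p.proto != r.proto:
        return False
    if r.dports and p.dport not in r.dports:
        return False
    if r.flags and p.proto == "tcp":
        want, mask = r.flags.split("/")
        return {f for f in p.flags if f in mask} == set(want)
    return True

class Firewall:
    def __init__(self, rules):
        self.rules, self.states, self.logged = rules, set(), []

    def filter(self, p):
        # simplified state key: protocol plus the unordered pair of endpoints
        key = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
        if key in self.states:          # reply matched by an existing state
            return "pass"
        last = None
        for r in self.rules:
            if matches(r, p):
                last = r                # last matching rule decides
        if last is None:
            return "pass"               # pf's implicit default action
        if last.log:
            self.logged.append(p)
        if last.action == "pass" and last.keep_state:
            self.states.add(key)
        return last.action
```

Running an inbound reply through a fresh Firewall versus one that already holds the outbound state shows why the pass out rule needs keep state: without the state entry the reply falls to the block in log rule.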



1 comment:

  1. Anonymous, 13:43

    aight, so finally got this shit figured out.
    not all that computery stuff you were talking about.
    but the whole blog shit.
    i am the master of blogspot!
