With the host locked down, the firewall rules must be configured and tested. In our example, there is an external interface, a DMZ interface, and an interface that faces the wireless network. The following firewall rules are very aggressive at limiting communication. The gateway must protect the DMZ from attacks coming from both the Internet and the wireless network. It must also protect the wireless network from attacks originating on the Internet. These requirements lead to a restrictive ruleset that errs on the side of caution.
The firewall rules on an OpenBSD host are normally stored in /etc/pf.conf. We will examine our firewall script in sections to help explain the thought process that led to
These four variables correspond to your outside interface, network, number of bits in the netmask, and IP address, respectively. Change these to the correct values.
# set these to your outside interface network and netmask and ip
o_if = "dc0"
o_net = "192.0.2.0"
o_mask = "24"
o_ip = "   # outside IP address; the value is missing from this excerpt
These variables do the same thing for the wireless network (variables starting with “w”) and for the internal wired network (variables starting with “i”). Change these if you are going to use different IP ranges on these networks.
# set these to your inside interface networks, netmasks, and IPs
w_if = "dc1"
w_net = "192.168.0.0"
w_mask = "24"
w_ip = "192.168.0.1"
i_if = "dc2"
i_net = "192.168.1.0"
i_mask = "24"
i_ip = "   # inside (wired) IP address; the value is missing from this excerpt
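As an added example that is not the book's ruleset (that follows in later sections), here is a minimal pf.conf built on these macros that implements the three stated requirements in current OpenBSD pf syntax (match/nat-to), which is newer than the book's. It assumes the DMZ is the wired "i" network and supplies placeholder values for o_ip and i_ip, which the excerpt does not show.

```pf
# Added example, not the book's ruleset. Macros follow the text; o_ip and
# i_ip are assumed values because the excerpt omits them. The DMZ is taken
# to be the wired "i" network.
o_if = "dc0"
o_net = "192.0.2.0"
o_mask = "24"
o_ip = "192.0.2.1"                 # assumed
w_if = "dc1"
w_net = "192.168.0.0"
w_mask = "24"
w_ip = "192.168.0.1"
i_if = "dc2"
i_net = "192.168.1.0"
i_mask = "24"
i_ip = "192.168.1.1"               # assumed
dmz_services = "{ http, https }"   # the only DMZ ports anyone may reach

set skip on lo0
set block-policy drop

# Default deny on every interface, both directions; log what is dropped.
block log all

# Drop packets that arrive on the wrong interface for their source network.
antispoof quick for { $w_if $i_if }

# Protect the wireless network from the Internet: clients may go out,
# hidden behind $o_ip, but nothing arriving on $o_if is passed to $w_net.
match out on $o_if inet from $w_net/$w_mask to any nat-to $o_ip
pass in on $w_if inet from $w_net/$w_mask to ! $i_net/$i_mask
pass out on $o_if inet from $o_ip to any

# Protect the DMZ from both the Internet and the wireless network: each may
# reach only the published services, and the DMZ itself initiates nothing
# (replies ride on the state these rules create).
pass in on $o_if inet proto tcp from any to $i_net/$i_mask port $dmz_services
pass in on $w_if inet proto tcp from $w_net/$w_mask to $i_net/$i_mask port $dmz_services
pass out on $i_if inet proto tcp from any to $i_net/$i_mask port $dmz_services

# Only if this gateway is also the wireless DHCP server: clients have no
# address yet when they ask, so the bootp exchange needs explicit rules.
pass in on $w_if inet proto udp from any port bootpc to any port bootps
pass out on $w_if inet proto udp from $w_ip port bootps to any port bootpc
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; antispoof and the macros require the three interfaces to exist with their addresses configured.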
The parsing of OpenBSD’s ...