Friday, October 20, 2006

pf based nat gateway for office network

Tonight I replaced the old FreeBSD-based NAT gateway with an OpenBSD-based NAT gateway and firewall. This is a short article about the pf configuration.

I use an Intel Celeron 500MHz based server with two network cards (vr0 and vr1). Here are the configuration steps:

  1. buy more beer and pizza!
  2. install OpenBSD
  3. set the net.inet.ip.forwarding sysctl value to 1 and add the line net.inet.ip.forwarding=1 to /etc/sysctl.conf so that forwarding persists across reboots
  4. activate pf: add the line pf=YES to /etc/rc.conf.local
  5. edit /etc/pf.conf:
    # macros
    ext_if="vr0"
    int_if="vr1"

    # options
    set block-policy return        # answer blocked packets with RST/ICMP unreachable instead of silently dropping
    set loginterface $ext_if       # keep per-interface counters (pfctl -s info) for the external side
    set skip on lo                 # never filter loopback traffic

    # scrub: normalize incoming packets and reassemble fragments
    scrub in

    # network address translation (NAT): everything not sourced from the
    # gateway itself leaves with the external interface's (possibly dynamic) address
    nat on $ext_if from !($ext_if) to any -> ($ext_if)

    # filter: default deny inbound, stateful outbound, office LAN trusted
    block in
    pass out keep state
    antispoof quick for { lo $int_if }
    pass quick on $int_if
  6. load the config file: pfctl -f /etc/pf.conf
…and read “The OpenBSD Packet Filter”.
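The steps above scripted end to end, as an added example that is not part of the original post. It assumes an OpenBSD release of the same era (the pre-4.7 nat rule syntax shown in the post), interface names vr0/vr1, and the standard file paths; all of these are overridable through environment variables so the file-editing helpers can be exercised on a scratch directory without root. The privileged part (sysctl, pfctl) only runs when the script is invoked with the argument "apply".

```shell
#!/bin/sh
# Added example: scripts the gateway setup from the post. Not from the original page.
# Assumptions: OpenBSD with pre-4.7 pf syntax, interfaces vr0/vr1, default /etc paths.
set -eu

EXT_IF="${EXT_IF:-vr0}"
INT_IF="${INT_IF:-vr1}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"
RC_CONF_LOCAL="${RC_CONF_LOCAL:-/etc/rc.conf.local}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# ensure_line FILE LINE: append LINE to FILE unless it is already there, so
# re-running the script never stacks duplicate net.inet.ip.forwarding=1 lines.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# write_pf_conf EXT INT FILE: write the ruleset from the post for the given interfaces.
# The heredoc is unquoted so $ext/$int expand; pf macros are escaped to stay literal.
write_pf_conf() {
    ext=$1; int=$2; out=$3
    cat > "$out" <<EOF
# macros
ext_if="$ext"
int_if="$int"

# options
set block-policy return
set loginterface \$ext_if
set skip on lo

# scrub
scrub in

# NAT: everything not sourced from the gateway itself leaves with the external address
nat on \$ext_if from !(\$ext_if) to any -> (\$ext_if)

# filter: default deny inbound, stateful outbound, office LAN trusted
block in
pass out keep state
antispoof quick for { lo \$int_if }
pass quick on \$int_if
EOF
}

# count_rules FILE: number of non-blank, non-comment lines; a cheap sanity check
# that the generated file is not empty before handing it to pfctl.
count_rules() { grep -Ecv '^[[:space:]]*(#|$)' "$1"; }

# apply: the privileged steps (run as root on the gateway).
apply() {
    sysctl net.inet.ip.forwarding=1
    ensure_line "$SYSCTL_CONF" "net.inet.ip.forwarding=1"
    ensure_line "$RC_CONF_LOCAL" "pf=YES"
    write_pf_conf "$EXT_IF" "$INT_IF" "$PF_CONF"
    pfctl -nf "$PF_CONF"          # parse only: a typo aborts here, before the live ruleset is touched
    pfctl -e 2>/dev/null || true  # enable pf if it is not already running
    pfctl -f "$PF_CONF"
    pfctl -s nat                  # show the loaded NAT rule as confirmation
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it as `sh gateway.sh apply` on the gateway; without the argument it only defines the helpers. Note that on OpenBSD 4.7 and later the `nat on ... -> ...` form no longer parses; the equivalent there is `match out on $ext_if from !($ext_if) to any nat-to ($ext_if)`, which is exactly the kind of break the `pfctl -nf` check catches before anything is loaded.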
