Filtering packets
Previous  Top  Next

After issuing the pfctl -e command or rebooting the system, your OpenBSD box will begin forwarding Ethernet frames from one NIC (rl0) to the other (rl2) and will also filter packets according to the rules found in /etc/pf.conf. The rules in this file are, as is to be expected, very open, allowing all traffic to pass through.

Unfortunately it is outside the scope of this guide to give you a detailed explanation on how packet filtering, TCP/IP and such work. Hence we assume that you have a basic understanding of the OSI model, TCP/IP and internet applications.

We will create a simple ruleset later that will disallow the following:

·incoming SSH traffic from the outside (with one exception)
·incoming NetBIOS traffic, to protect our Windows boxes
·outgoing traffic to file sharing services

and allow everything else. Please note that PF rules are read sequentially and that a rule appearing later in the file takes priority over previously matched rules: the last rule that matches a packet decides its fate.

Usually firewall rulesets will block everything by default and only allow certain services, however we will take a different approach and only block services known to cause trouble. Feel free to change our default rules to block everything by default instead.
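As an added illustration (this is not the guide's own ruleset, which comes later), the following /etc/pf.conf implements the three restrictions listed above on top of a default-allow policy. It assumes rl0 is the interface facing the outside and rl2 faces the LAN, uses a constructed management host address (192.0.2.10) as the single SSH exception, and uses an example list of file-sharing ports that you should replace with whatever you actually want to block. The ordering shows the last-match-wins behaviour described above: the broad pass rules come first and the specific block rules after them, and the SSH exception is placed after the SSH block so that it wins for the one permitted host.

```pf
# Added example pf.conf for a default-allow filtering bridge.
# Assumptions: rl0 = outside, rl2 = LAN; 192.0.2.10 is a constructed
# admin address; the p2p_ports list is an example, not an exhaustive one.

ext_if    = "rl0"
int_if    = "rl2"
ssh_admin = "192.0.2.10"            # constructed example admin host
netbios_udp = "{ 137, 138 }"        # NetBIOS name/datagram service
netbios_tcp = "{ 139, 445 }"        # NetBIOS session / SMB over TCP
p2p_ports = "{ 1214, 4662, 6346 }"  # example file-sharing ports (assumed list)

# Default policy: pass everything in both directions. Because PF evaluates
# the whole ruleset and the last matching rule wins, the more specific
# block rules below override these for the traffic they describe.
pass in all
pass out all

# 1. Block SSH arriving from the outside ...
block in on $ext_if proto tcp from any to any port 22
# ... except from the single admin host. This rule is placed after the
# block rule, so it is the last match for that host and takes priority.
pass in on $ext_if proto tcp from $ssh_admin to any port 22 keep state

# 2. Block incoming NetBIOS/SMB from the outside to protect the Windows boxes.
block in on $ext_if proto udp from any to any port $netbios_udp
block in on $ext_if proto tcp from any to any port $netbios_tcp

# 3. Block outgoing traffic from the LAN to file-sharing services.
block out on $ext_if proto { tcp, udp } from any to any port $p2p_ports
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only, no changes made), load it with `pfctl -f /etc/pf.conf`, and confirm the rule order PF actually holds with `pfctl -sr`. If you later decide to follow the more usual block-everything-by-default approach, replace the two `pass ... all` lines with `block in all` / `block out all` and add explicit pass rules for the services you want; the last-match rule still applies, so the pass rules must come after the blocks.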