NAT/Firewall

NAT

Network address translation is handled by the OpenBSD packet filter, pf. Enable pf at boot by setting pf=YES in /etc/rc.conf (on releases that support it, put the override in /etc/rc.conf.local so it survives upgrades; newer releases enable pf by default). To turn it on without rebooting, run pfctl -e as root.

The packet filter is configured by editing /etc/pf.conf. To translate our internal network addresses to the address negotiated for our PPP connection, we first set some macros in /etc/pf.conf. The stock file already contains commented-out macros that name the internal and external interfaces and networks.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="ppp0"   # replace with actual external interface name, e.g. dc0
int_if="le0"    # replace with actual internal interface name, e.g. dc1
internal_net="192.168.33.0/24"
#external_addr="192.168.1.1"

Here the ppp interface is set as the external interface and the ethernet interface as the internal one. We know the internal network's addresses, so we set those too. We don't know what address the ISP will assign to the external interface, so external_addr is left commented out; the nat rule below takes the address from the interface itself.

Further down the config file we find the section that does the NAT. All we need to do is uncomment the line that specifies what to NAT.

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if from $internal_net to any -> ($ext_if)

That's it. The parentheses around ($ext_if) tell pf to look up the interface's address every time the rule is evaluated, rather than once when the ruleset is loaded. So when the ppp connection comes up, pf NATs the internal network addresses to whatever address the ISP has allocated on the external interface, and keeps doing so if that address changes on the next dial-up.

Firewall

For simple firewalling, we block incoming connections on the external interface while allowing outgoing connections (and the replies to them). The stock pf.conf already contains an example that does nearly what we want; edit the section so it looks like this:

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in on $ext_if all
#pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
pass  out on $ext_if proto { tcp, udp } all keep state

The ssh rule is left commented out, so nothing from the outside can reach the gateway; uncomment it only if you need to ssh in. Note that the pass out rule covers only TCP and UDP: outbound ping will fail, because the echo replies coming back in have no state and hit the block rule. Add a rule for ICMP echo requests with keep state if you want ping from the inside to work. Nothing is said about $int_if, so traffic on the internal interface passes by default.
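Putting the two edits together, here is a complete /etc/pf.conf for the gateway described above. This is an added example, not the stock file shipped with OpenBSD: the interface names ppp0 and le0 and the network 192.168.33.0/24 are the page's placeholders, and the ICMP rule at the end is an addition so that ping from the LAN works.

```conf
# /etc/pf.conf for a PPP dial-up NAT gateway (added example; old "nat on"
# syntax, as used by the rest of this page). Interface names are placeholders.

# Macros
ext_if="ppp0"                    # external (PPP) interface
int_if="le0"                     # internal (ethernet) interface
internal_net="192.168.33.0/24"   # the LAN behind the gateway

# Translation: rewrite the source address of LAN traffic leaving $ext_if to
# the interface's current address. The parentheses make pf re-read the
# address on every evaluation, so a new ISP-assigned address after a redial
# works without reloading the ruleset.
nat on $ext_if from $internal_net to any -> ($ext_if)

# Filtering. No rules mention $int_if, so traffic there passes by default;
# the external side is locked down.
block in on $ext_if all

# Uncomment to allow ssh to the gateway from outside. ($ext_if) again
# tracks the dynamic address instead of the one seen at load time.
#pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# Outbound TCP/UDP, with state so that the replies get back in past the
# block rule above.
pass out on $ext_if proto { tcp, udp } all keep state

# Added: outbound ping. Without this, echo replies are dropped by "block in"
# because no state exists for them.
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
```

Syntax-check it with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, then watch the translations appear with pfctl -s state while a host on the LAN browses. On OpenBSD 4.7 and later the nat line is written as a match rule instead (match out on $ext_if from $internal_net to any nat-to ($ext_if)) and keep state is the default, so it can be dropped from the pass rules.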

IP forwarding

For the machine to act as a gateway it must be allowed to route IP packets between its interfaces. pf itself filters without this, but NAT for other hosts needs it. Forwarding is controlled by sysctl and is set at boot from /etc/sysctl.conf. Uncomment the line in /etc/sysctl.conf that controls IP forwarding:

net.inet.ip.forwarding=1

/etc/sysctl.conf is only read at boot; to turn forwarding on immediately, run sysctl net.inet.ip.forwarding=1 as root (older releases want sysctl -w).

The man pages for pf.conf(5), pfctl(8), sysctl(8) and pppd(8) have more detail. Before loading a changed ruleset, check it with pfctl -nf /etc/pf.conf; load it with pfctl -f /etc/pf.conf and inspect the result with pfctl -s nat, pfctl -s rules and pfctl -s state.