I need to protect a somewhat fragile document scanner with an embedded OS. (A good blast from Nessus or nmap and the system needs a reset to factory defaults, followed by in-depth configuring, before the device is working again.)
I wanted to look into OpenBSD and PF (Packet Filter) for this to get a little experience with BSD, but I'm having trouble with my pf.conf.
I've already got OpenBSD running with 2 nic cards with static IPs.
The only other device that needs access to the protected document scanner is a document server based on Windows 2000.
I don't want to split the protected side (the doc scanner) into a new subnet (I may need to quickly revert to the previous unprotected system).
So, what should my pf.conf look like given the following?
192.168.0.195 is the document scanner
192.168.0.196 is the document server. The only other device that should access the above scanner.
192.168.0.193 is xl0 : OpenBSD NIC card 1 - external
192.168.0.194 is xl1 : OpenBSD NIC card 2 - internal (goes to mini-hub then to 192.168.0.195)
What I've got so far, but no dice:
# Start by allowing the normal remote management access to BSD server.
# Port 22 for SSH. (source needs a /24 mask; a bare 192.168.0.0 matches only that one address)
pass in quick on xl0 proto tcp from 192.168.0.0/24 to 192.168.0.193 port 22 keep state
# Allow loopback packets
pass in quick on lo0 all
pass out quick on lo0 all
# allow traffic between document scanner and document server only
# ("pass in any" is not valid pf syntax: the interface goes after "on".
# Without "quick", the "block all" rules at the end are the last match and win,
# so every pass rule must be "quick". Bridged packets are filtered on both
# NICs, so each direction of the flow needs an in rule and an out rule.)
pass in quick on xl0 from 192.168.0.196 to 192.168.0.195 keep state
pass out quick on xl1 from 192.168.0.196 to 192.168.0.195 keep state
pass in quick on xl1 from 192.168.0.195 to 192.168.0.196 keep state
pass out quick on xl0 from 192.168.0.195 to 192.168.0.196 keep state
# Block everything else.
block in all
block out all
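Keeping both NICs in the same /24 means the OpenBSD box has to bridge xl0 and xl1 rather than route between them, and pf then filters the bridged frames. As an added example (not from the original post), this script writes the hostname.if files for such a filtering bridge using the addresses above and parses pf.conf before loading it; it assumes an OpenBSD release that configures bridges through /etc/hostname.bridge0 (older releases used /etc/bridgename.bridge0 with brconfig syntax instead), and the destination directory argument exists only so the file writer can be tested outside /etc.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: xl0 = 192.168.0.193 (management side), xl1 = 192.168.0.194
# (mini-hub / scanner side), both bridged so the scanner keeps its
# 192.168.0.0/24 address and nothing has to be renumbered to revert.
set -eu

# Write the interface configuration files into $1 (normally /etc).
write_bridge_config() {
    dest="$1"
    # xl0 keeps the address the SSH management rule in pf.conf targets
    printf 'inet 192.168.0.193 255.255.255.0 NONE\n' > "$dest/hostname.xl0"
    # xl1 faces the mini-hub and the document scanner
    printf 'inet 192.168.0.194 255.255.255.0 NONE\n' > "$dest/hostname.xl1"
    # bridge0 joins both NICs; pf sees every bridged packet on each member
    printf 'add xl0\nadd xl1\nup\n' > "$dest/hostname.bridge0"
}

# Parse a pf.conf without loading it (pfctl -n = check syntax only),
# so a typo such as "pass in any" is caught before the old ruleset is replaced.
check_pf_conf() {
    pfctl -nf "$1"
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    write_bridge_config /etc
    sh /etc/netstart bridge0            # bring the bridge up now, not just at boot
    check_pf_conf /etc/pf.conf && pfctl -f /etc/pf.conf
    pfctl -vsr                          # rule list with per-rule hit counters
fi
```

After loading, `pfctl -vsr` hit counters show whether scanner traffic is matching the intended pass rules or falling through to the final block rules.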