
Re: Need a bit of help on my PF



Take a look here; it may help:
http://www.xscanners.org/cgi-bin/index.cgi?action=viewnews&id=9
David Jobes - CISSP
djobes@xscanners.org
> Jason Williams wrote:
> 
> Evening everyone. Well, I won't beat around the bush. I'll get right to
> the point.
> I'm pretty new to OpenBSD and PF but I'm having a blast learning it
> all. It's a lot of fun, but I have much to learn. I've read as much
> documentation as I can find on both PF and IPF. I've gone through the
> How-To as well as the archives and Man Pages.
> I feel like it's slowly sinking in, but I still have some questions. I
> wanted to post my rules here and have some people take a look at it,
> tell me what I'm missing, what I need/don't need and some good all
> around advice. I just want to make sure I'm understanding the concept.
> So if someone could give me some tips, I'd be very grateful.
> 
> So here goes:
> My network:
> 
> Cable Modem that issues Dynamic IP
> OpenBSD 3.1 Firewall/Gateway, running PF and NAT.
> Internal LAN has 4 boxes, running private IP address of 192.168.1.0/16
> No internal webservers, email servers or DNS servers.
> I want no internet/outside world access to my firewall or my internal
> LAN.
> Want the internal LAN to have access to the internet, FTP and ISP's
> mail server.
> 
> The rules:
> 
> #Declare interfaces and the works
> ExtIf = "dc0"        #Untrusted (from cable modem) side
> IntIf = "dc1"        #Trusted (to switch) side
> Loop  = "lo0"
> 
> #Scrub/Normalize packets
> scrub out all
> scrub in  all
> 
> 
> #BLOCK SPOOFED/PRIVATE IP ADDRESSES:
> block in     all
> block in     quick on $ExtIf from 192.168.0.0/16 to any
> block in     quick on $ExtIf from 172.16.0.0/12 to any
> block in     quick on $ExtIf from 10.0.0.0/8 to any
> block in     quick on $ExtIf from 0.0.0.0/8 to any
> block in     quick on $ExtIf from 169.254.0.0/16 to any
> block in     quick on $ExtIf from 192.0.2.0/24 to any
> block in     quick on $ExtIf from 224.0.0.0/3 to any
> block in log quick on $ExtIf from 20.20.20.0/24 to any
> block in log quick on $ExtIf from any to 20.20.20.0/32
> block in log quick on $ExtIf from any to 20.20.20.255/32
> pass  out    quick on $ExtIf proto { tcp, udp } from 192.168.1.0/16 to any keep state
> pass  out    quick on $ExtIf proto icmp         from 192.168.1.0/16 to any keep state
> 
> #silently drop broadcasts (cable modem noise)
> block in quick on $ExtIf from any to 255.255.255.255
> 
> #TO BLOCK SPOOFED TRAFFIC FROM LAN!!
> 
> block out log quick on $ExtIf from any to 192.0.2.0/24
> block out log quick on $ExtIf from any to 172.16.0.0/12
> block out log quick on $ExtIf from any to 169.254.0.0/16
> block out log quick on $ExtIf from any to 0.0.0.0/8
> block out log quick on $ExtIf from any to 204.152.64.0/23
> block out log quick on $ExtIf from any to 224.0.0.0/3
> pass  out quick on $ExtIf proto icmp from 192.168.1.0/16 to any icmp-type 8 keep state
> block out log quick on $ExtIf from any to any
> 
> 
> I'm pretty sure I left out a lot. But that's why I'm asking. Seeking
> help to fine tune my rules and get a better grasp.
> Also would like my internal LAN to be able to PING, DIG, NSLOOKUP etc.
> etc on the outside world.
> 
> I appreciate everyone's help. Looking forward to seeing how my work is so
> far.
> 
> Thanks everyone.
> 
> Jason
> 
> 
>
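A complete pf.conf for the setup described in the quoted post (single dynamic-IP gateway, NAT for one LAN, nothing reachable from outside, LAN allowed out to web, FTP, the ISP mail server, DNS and ping). This is an added example by the editor, not the ruleset of the reply's author or of the original poster. It assumes OpenBSD 3.x-era pf syntax with nat/rdr and filter rules in one file, the interface names dc0/dc1 from the post, a /24 LAN prefix, and ftp-proxy(8) started from inetd on 127.0.0.1 port 8021; check it with `pfctl -nf /etc/pf.conf` before loading.

```pf
# /etc/pf.conf -- single-homed NAT gateway (added example, OpenBSD 3.x-era syntax).
# Interface names, LAN prefix and the ftp-proxy port are assumptions; adjust them.
ext_if    = "dc0"                 # untrusted side, cable modem, DHCP address
int_if    = "dc1"                 # trusted side, LAN switch
int_net   = "192.168.1.0/24"      # one /24, which is what a 192.168.1.x LAN really is
priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
bogons    = "{ 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 224.0.0.0/3 }"

# Section order in the file: options, scrub, nat/rdr, filter rules.
scrub in all

# Translate the LAN behind whatever address $ext_if currently holds. The address
# is resolved when the ruleset is loaded, so reload with "pfctl -f /etc/pf.conf"
# (e.g. from a dhclient-exit-hooks script) when the DHCP lease changes. Later
# releases accept "-> ($ext_if)" to track a dynamic address automatically.
nat on $ext_if from $int_net to any -> $ext_if

# Optional: active-mode FTP from the LAN needs ftp-proxy(8) (assumed to be
# listening on 127.0.0.1:8021 via inetd.conf). Passive FTP already works through
# the stateful pass-out rule below and needs no proxy.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Default deny inbound on every interface and log it. "quick" rules that follow
# short-circuit evaluation, everything else is "last matching rule wins".
block in log all

# Loopback is trusted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Outside interface: silently drop cable-segment broadcast noise first (it is also
# inside 224.0.0.0/3, so it must come before the bogon rule to stay unlogged),
# then private and bogon sources. Do not let private/bogon destinations leak out.
block in  quick on $ext_if from any to 255.255.255.255
block in  quick on $ext_if from $priv_nets to any
block in  quick on $ext_if from $bogons to any
block out log quick on $ext_if from any to $priv_nets
block out log quick on $ext_if from any to $bogons

# LAN -> world, stateful. Outbound filtering happens after NAT, so the source seen
# here is the external address, not $int_net; a "from 192.168.1.0/24" rule would
# never match. This covers web, passive FTP, mail to the ISP, and DNS over udp and
# tcp 53 (dig/nslookup). Replies ride the state entry, so no "pass in" on $ext_if
# is needed and the firewall itself stays unreachable from outside.
pass out on $ext_if proto { tcp, udp } from any to any keep state
pass out on $ext_if inet proto icmp from any to any icmp-type 8 code 0 keep state

# Inside interface: accept only the LAN prefix as source (stops spoofed sources
# from the inside) and hand replies back to it.
pass in  on $int_if from $int_net to any keep state
pass out on $int_if from any to $int_net keep state
```

Because `block in log all` is the only unqualified block, anything unexpected shows up in pflog (tcpdump -n -e -ttt -i pflog0), which is the quickest way to see what a new ruleset is actually rejecting while you tune it.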