
pf newbee stuff..



Sorry for this, but as I am very new to OpenBSD/pf (most of our servers are Sun/Solaris boxes) I was wondering if you could please take a look at my rule set and make suggestions, etc...

My firewall is built on a Sun SPARC 5 with OpenBSD... I have the following connections to the box:

1. le0  base address for the box, 192.168.0.n; this is not part of the bridge
2. qe0  WAN for the bridge; this goes to the DSL or T1 router / modem
3. qe1  DMZ: most of the servers (WWW, SMTP, POP3, NTP, FTP)
4. qe2  LAN: internal house LAN, goes to a NAT router (ICQ must pass)
5. qe3  LAN: backend LAN, goes to a NAT router (so I can load boxes....)

On the web server there are two NICs: one to the switch for the DMZ, and the other
to a switched backend (192.168.0.x); this is the only way the web server can talk to the mysql server....


######################
# INTERFACE SETTINGS #
######################
WAN  = "qe0"
DMZ  = "qe1"
NAT  = "qe2"
LAN  = "qe3"        # was "qe3a": a typo, the interface list above says qe3

######################
# IP ADDRESSES       #
######################
supportweb = "64.90.45.82"
mail       = "64.90.45.70"
pop        = "64.90.45.70"
ns2        = "64.90.45.69"
tick1      = "64.90.45.69"
tick2      = "64.90.45.82"
# a list macro needs its braces quoted; an unquoted "{" is a syntax error
tick       = "{" $tick1 $tick2 "}"

###########################
# SPOOFED ADDRESS BLOCKS  #
###########################
spoofed = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 255.255.255.255/32, \
            64.90.45.65/26 }"

############################
# Unwanted list.           #
# Keep these people away!  #
############################

##################################
# normalize all incoming traffic #
##################################
scrub in on $WAN all fragment reassemble

##################################
# Block everything IN by default #
##################################
block in all
antispoof for $WAN

###########################
# DISCARD SPOOFED ATTACKS #
###########################
block in log quick on $WAN from $spoofed to any

##############
# ROUTE RULE #
##############
# NOTE: these three rules pass all tcp, udp and echo-request traffic in on every
# interface, $WAN included. pf takes the last matching rule, so any inbound packet
# that no later rule matches is still passed; the "block in all" default above
# therefore no longer applies to anything these rules cover.
pass in on { $WAN, $DMZ, $NAT, $LAN } proto udp to any keep state
pass in on { $WAN, $DMZ, $NAT, $LAN } proto tcp to any keep state
pass in on { $WAN, $DMZ, $NAT, $LAN } proto icmp all icmp-type 8 code 0 keep state

########################
# DNS SERVERS          #
########################
# port 53 is called "domain" in /etc/services; "dns" is not a service name pfctl can resolve
pass in on $WAN proto tcp from any to $ns2 port domain flags S/SA keep state
pass in on $WAN proto udp from any to $ns2 port domain keep state

########################
# MAIL SERVER SETTINGS #
########################
pass in on $WAN proto tcp from any to $mail port smtp keep state
pass in on $WAN proto tcp from any to $pop port pop3 keep state
pass in on $WAN proto udp from any to $pop port pop3 keep state

#######################
# WEB SERVER SETTINGS #
#######################
pass in on $WAN proto tcp from any to $supportweb port www keep state
pass in on $WAN proto udp from any to $supportweb port www keep state

#######################
# FTP SERVER SETTINGS #
#######################
# flags written as set/mask (S/SA), the same form the DNS rule uses
pass in on $WAN proto tcp from any to $supportweb port ftp flags S/SA keep state
pass in on $WAN proto udp from any to $supportweb port ftp keep state

##############################
# MISCELLANEOUS CONNECTIONS  #
##############################
pass in on $WAN proto tcp from any to $tick port ntp keep state
pass in on $WAN proto udp from any to $tick port ntp keep state

##################################
# MISCELLANEOUS SSH CONNECTIONS #
##################################
pass in log on $WAN proto tcp from any to $supportweb port ssh keep state
pass in log on $WAN proto tcp from any to $ns2 port ssh keep state

################################
# Pass everything out by default #
################################
pass out on $WAN all

Thank you
Cris Harrison
"Sex, Drugs and UNIX"
www.phoenixcomm.net
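An added example, not part of the post above: a toy model of pf's evaluation order (the last matching rule decides unless a matching rule says quick), run over a constructed excerpt of the posted ruleset to see what happens to a packet that none of the per-service rules name. It ignores state, flags, scrub and the bridge, and assumes a MySQL SYN (port 3306) from an arbitrary Internet address 198.51.100.7 to supportweb.

```python
import ipaddress, re

SERVICES = {"www": 80, "smtp": 25, "domain": 53}   # port names used; CONF is a constructed excerpt
CONF = """
WAN = "qe0"
supportweb = "64.90.45.82"
spoofed = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }"
block in all
block in log quick on $WAN from $spoofed to any
pass in on { $WAN, qe1 } proto tcp to any keep state
pass in on $WAN proto tcp from any to $supportweb port www keep state
"""
FIELD = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}
def parse(conf):
    macros, rules = {}, []
    for line in conf.strip().splitlines():
        if m := re.match(r'(\w+)\s*=\s*"(.*)"$', line.strip()):   # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda x: macros[x.group(1)], line)             # expand $macro
        tok = re.sub(r"\{([^}]*)\}", lambda x: x.group(1).replace(" ", ""), line).split()  # {a, b}
        r = {"action": tok[0], "dir": tok[1], "quick": "quick" in tok, "iface": ["any"],
             "proto": None, "src": ["any"], "dst": ["any"], "dport": None}
        for key, val in zip(tok, tok[1:]):       # the posted rules only use destination ports
            if key == "port":
                r["dport"] = SERVICES.get(val) or int(val)
            elif key in FIELD:
                r[FIELD[key]] = val if key == "proto" else val.split(",")
        rules.append(r)
    return rules
def addr_ok(specs, ip):
    return any(s == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(s, strict=False)
               for s in specs)
def matches(r, pkt):
    return (r["dir"] == pkt["dir"] and ("any" in r["iface"] or pkt["iface"] in r["iface"])
            and r["proto"] in (None, pkt["proto"]) and addr_ok(r["src"], pkt["src"])
            and addr_ok(r["dst"], pkt["dst"]) and r["dport"] in (None, pkt["dport"]))
def evaluate(rules, pkt):
    verdict = "pass"                  # pf's default when no rule matches
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]     # a later match overrides an earlier one...
            if r["quick"]:
                break                 # ...unless the matching rule is quick
    return verdict
MYSQL_SYN = {"dir": "in", "iface": "qe0", "proto": "tcp", "src": "198.51.100.7",
             "dst": "64.90.45.82", "dport": 3306}   # constructed: SYN to a port no rule names
def mysql_verdict(with_route_rule=True):
    keep = [l for l in CONF.splitlines() if with_route_rule or "to any keep state" not in l]
    return evaluate(parse("\n".join(keep)), MYSQL_SYN)
```

With the "ROUTE RULE" line present the MySQL SYN passes on qe0; with that one line removed the same packet falls through to "block in all".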