[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf newbee stuff..



Hey, that looks remarkably like the ruleset I posted on the pf wiki a
couple weeks back!  :-)  
*looks harder*  It is!
I couldn't see anything wrong with it.  Just by scanning it with my eyes
it seems fine.  If you enable it on a test machine does it give you and
errors?
--Bryan
On Mon, 2003-03-17 at 17:47, Cris Harrison wrote:
> sorry for this but as I am Very New to OpenBSD/pf (most of our servers are 
> Sun/Solaris boxes) I was wondering I you could please take a look at my 
> rule set and make suggestions, etc...
> 
> My firewall is built on a Sun SPARC 5 with OpenBSD... I have the following 
> connections to the box:
> 
> 1. le0 base address for the box 192..168.0.n this is not part of the bridge
> 2. qe0		WAN for the bridge this goes to DSL or T1 router / modem
> 3. qe1		DMZ  most of the servers,  WWW, SMTP, POP3, NTP, FTP
> 4. qe2		LAN internal house lan goes to a NAT router ( ICQ must pass)
> 5. qe3		LAN backend  lan goes to a NAT router (so I can load boxes....)
> 
> on the web server there are two nic one to the switch for the DMZ, and the 
> other
> to a switched backend (192.168.0.x) this is the only way the web server can 
> talk to the mysql   server....
> 
>     ######################
>    # INTERFACE SETTINGS #
>   ######################
> WAN  ="qe0"
> DMZ  ="qe1"
> NAT  ="qe2"
> LAN  ="qe3a"
> 
>     ######################
>    # IP ADDRESSs        #
>   ######################
> supportweb = "64.90.45.82"
> mail       = "64.90.45.70"
> pop        = "64.90.45.70"
> ns2        = "64.90.45.69"
> tick1      = "64.90.45.69"
> tick2      = "64.90.45.82"
> 
>    ###############################
>   #   SPOOFED ADDRESS BLOCLKS   #
> ##############################
> spoofed = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 
> 255.255.255.255/32, \
>               64.90.45.65/26 }"
> 
> 
>     ############################
>    # Unwanted list.           #
>   #  Keep these people away! #
> ############################
> 
> 
>    ##################################
>   # normalize all incoming traffic #
> ##################################
> scrub in on $WAN all fragment reassemble
> 
> 
>    ##################################
>   # Block everything IN by default #
> ##################################
> block in all
> antispoof for $WAN
> 
> 
>    ###########################
>   # DISCARD SPOOFED ATACKS  #
> ###########################
> block in log quick on $WAN from $spoofed to any
> 
> 
>    ##############
>   # ROUTE RULE #
> ##############
> pass in on { $WAN, $DMZ, $NAT, $LAN } proto udp to any keep state
> pass in on { $WAN, $DMZ, $NAT, $LAN } proto tcp to any keep state
> pass in on { $WAN, $DMZ, $NAT, $LAN } proto icmp all icmp-type 8 code 
> 0  keep state
> 
> 
>    ########################
>   #   DNS SERVERS        #
> ########################
> pass in on $WAN proto tcp from any to $ns2 port dns flags S/SA keep state
> pass in on $WAN proto udp from any to $ns2 port dns  keep state
> 
> 
>    ########################
>   # MAIL SERVER SETTINGS #
> ########################
> pass in on $WAN proto tcp from any to $mail port smtp keep state
> pass in on $WAN proto tcp from any to $pop port pop3  keep state
> pass in on $WAN proto udp from any to $pop port pop3  keep state
> 
> 
>    #######################
>   # WEB SERVER SETTINGS #
> #######################
> pass in on $WAN proto tcp from any to $supportweb port www keep state
> pass in on $WAN proto udp from any to $supportweb port www keep state
> 
>    #######################
>   # FTP SERVER SETTINGS #
> #######################
> pass in on $WAN proto tcp from any to $supportweb port ftp flags S keep state
> pass in on $WAN proto udp from any to $supportweb port ftp keep state
> 
> 
>    ##############################
>   #  MISCELLANEOUS CONNECTIONS #
> #############################
> tick = { $tick1, $tick2 }
> pass in on $WAN proto tcp from any to $tick port ntp keep state
> pass in on $WAN proto udp from any to $tick port ntp keep state
> 
> 
>     ##################################
>    #  MISCELLANEOUS SSH CONNECTIONS #
>   ##################################
> pass in log on $WAN proto tcp from any to $supportweb port ssh keep state
> pass in log on $WAN proto tcp from any to $ns2 port ssh keep state
> 
> 
> 
>     ################################
>    # Pass everying out by default #
>   ################################
>   pass out on $WAN all
> 
> Thank you
> Cris Harrison
> "Sex, Drugs and UNIX"
> www.phoenixcomm.net
>