
Re: RDR for internal machine



Here is how I have my box at home set up; I have also used this for many
other services, ranging from Winblows Remote Desktop to SSH to
internal machines and FTP. Just about any tcp/udp service should work.
int_srv = "192.168.1.5"   # internal server IP (pf macros are defined without a leading $)
# ext_if, http_port and https_port are assumed to be defined as macros earlier in
# pf.conf (e.g. ext_if = "dc0", http_port = "80", https_port = "443")
# rdr rewrites the destination before filtering, so the pass rules below must
# match the internal server address, not the external one
rdr on $ext_if proto tcp from any to $ext_if port $http_port -> $int_srv port $http_port
rdr on $ext_if proto tcp from any to $ext_if port $https_port -> $int_srv port $https_port
pass in quick log-all on $ext_if inet proto tcp from any to $int_srv port $http_port keep state
pass in quick log-all on $ext_if inet proto tcp from any to $int_srv port $https_port keep state
This should allow icmp to be blocked on your external interface but allow
your internal interface to ping anything.
block in log-all on $ext_if inet proto icmp all icmp-type 8 code 0   # drop (and log) echo requests arriving from outside
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state   # firewall may ping out; replies match the state entry
pass in log quick on $int_if inet proto icmp all icmp-type 8 code 0 keep state   # internal pings create state, so echo replies get back in
Obviously you can turn the added logging off if you aren't worried about
security tracking. ;-)
-----------------------------------------------
Mike Mentges
blowfishsecurity.net ## Still in development ##
www.mentges.org
-----------------------------------------------
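As an added illustration (not code from either poster), a small Python model of why the pass rule has to name the internal server: rdr rewrites the destination before the filter ruleset runs, so a pass rule written against the external address never matches the translated packet and the default "block in log all" wins. The addresses are constructed placeholders, and the rulesets are reduced to the rules that decide the verdict.

```python
from collections import namedtuple
import ipaddress
# Toy model of pf's order of operations on an inbound packet (OpenBSD 3.x): rdr
# rewrites the destination first, then the filter ruleset sees the translated
# packet. Filtering is last-match-wins unless a matching rule says "quick".
Packet = namedtuple("Packet", "iface proto dst dport")
# Rule fields: action ("pass"/"block"), iface, proto, dst (CIDR), dport, quick;
# None in iface/proto/dst/dport means "any", as in pf.
Rule = namedtuple("Rule", "action iface proto dst dport quick", defaults=[False])
# Rdr fields: match on (iface, proto, ext_dst, ext_port), rewrite to (int_dst, int_port)
Rdr = namedtuple("Rdr", "iface proto ext_dst ext_port int_dst int_port")

def matches(rule, pkt):
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst is None
                 or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))
            and (rule.dport is None or rule.dport == pkt.dport))

def apply_rdr(pkt, rdr_rules):
    # Translation runs before filtering; the first matching rdr rewrites the destination.
    for r in rdr_rules:
        if (pkt.iface, pkt.proto, pkt.dst, pkt.dport) == (r.iface, r.proto, r.ext_dst, r.ext_port):
            return pkt._replace(dst=r.int_dst, dport=r.int_port)
    return pkt

def filter_verdict(pkt, rules):
    verdict = "pass"              # pf passes a packet that matches no rule at all
    for r in rules:
        if matches(r, pkt):
            verdict = r.action    # last matching rule wins...
            if r.quick:
                break             # ...unless it is marked quick
    return verdict

def evaluate(pkt, rdr_rules, filter_rules):
    return filter_verdict(apply_rdr(pkt, rdr_rules), filter_rules)

# Constructed sample addresses (the thread masks the real ones as XX/YY).
EXT_IP, EXT_NET, INT_SRV = "203.0.113.10", "203.0.113.0/24", "192.168.1.5"
RDR = [Rdr("dc0", "tcp", EXT_IP, 8000, INT_SRV, 8000)]
BLOCK_ALL = Rule("block", None, None, None, None)
# Original poster's shape: pass keyed on the external /24, which the rdr'd packet no longer matches
ORIGINAL = [BLOCK_ALL, Rule("pass", "dc0", "tcp", EXT_NET, 8000, quick=True)]
# Reply's shape: the pass rule names the internal server, the post-rdr destination.
FIXED = [BLOCK_ALL, Rule("pass", "dc0", "tcp", INT_SRV + "/32", 8000, quick=True)]

def verdicts():
    inbound = Packet("dc0", "tcp", EXT_IP, 8000)   # outside client hitting port 8000
    return evaluate(inbound, RDR, ORIGINAL), evaluate(inbound, RDR, FIXED)
```

The same check can be done on a live box with pfctl -s nat and pfctl -s rules, reading the filter rules against the translated address.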
On Mon, 31 Mar 2003, Darley Ware wrote:
> Hello,
>
> I have been lurking on the list for many months now.  I was hoping that I
> would learn enough that when the time came I would not need to ask any
> stupid questions. However, my cunning plan has failed and here is my first
> (hopefully last?) stupid question.
>
> I set up a new OpenBSD 3.2 box this weekend.  It has three interfaces.
> Internal, External and wireless.  The external interface is connected to a
> cable modem as a dhcp client.
>
> I have (it seems) gotten everything to work except for two items.  The first
> being important, the second just a nicety.
>
> 1.  I have a webserver on the internal LAN which listens on port 8000.  I can
> view the webserver internally by IP and by name (using LMHOST records).  I
> have not, however, been able to access the internal webserver from the
> outside.  I saw a post over the weekend about name-based virtual hosting on web
> servers.  This does not seem to apply to me as I have the server set up to
> respond to IP and have no virtual domains configured.  So I guess my question
> is: do I have my redirect set up correctly, and if so, where lies the problem?
>
> 2.  (and this one really is not that important)  I cannot seem to get a
> response to ICMP to outside addresses.  I can ping both directions from the
> firewall and I believe my pings are getting out, but the responses do not
> return to the internal clients.
>
>
> Thanks,
>
> Darley
>
>
> # OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
> #
> #
> ###----------------------------------------------------------------------
> ### MACROS  - define interfaces: internet, intranet, wireless net
> ###
>
> if_ext = "dc0"
> if_int = "fxp0"
> if_wir = "an0"
>
> INT_Net="192.168.XX.XX/27"
> WIFI_Net="192.168.YY.YY/27"
>
> bad_ports = "69,135,137,138,139,445,524,548,1433,6000,31337,666,12345"
>
> no_route = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
>               255.255.255.255/32 }"
>
> ###----------------------------------------------------------------------
> ### Optimization
> ###
>
> #set optimization aggressive
> #set timeout tcp.established 3600
> #set timeout { tcp.opening 30, tcp.closing 120 }
> #set limit { states 20000, frags 5000 }
>
> ###----------------------------------------------------------------------
> ### statistics logging on external interface
> ###
>
> set loginterface $if_ext
> set loginterface $if_wir
>
> ###----------------------------------------------------------------------
> ### NAT Gateways
> ###
>
> nat on $if_ext from $INT_Net to any -> $if_ext
> nat on $if_ext from $WIFI_Net to any -> $if_ext
>
> # Redirect outside ports to internal servers
> rdr on dc0 proto tcp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
> rdr on dc0 proto udp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
>
> ###----------------------------------------------------------------------
> ### DEFAULT RULES
> ###
>
> # INCOMING DEFAULT: block and normalize all
> #scrub in on all
> block in log all
>
> # OUTGOING DEFAULT: block all
> block out log all
>
> # SPECIAL IMMEDIATE BLOCKS:
>
> # block bad ports and external broadcasts
> block in quick proto { udp,tcp } from any to any port { = $bad_ports }
> block in quick on $if_ext from any to 255.255.255.255
> block in quick on $if_wir from any to 255.255.255.255
>
> # block weird tcp packets on WAN:
> block in quick on $if_ext inet proto tcp from any to any flags FUP/FUP
> block in quick on $if_ext inet proto tcp from any to any flags SF/SFRA
> block in quick on $if_ext inet proto tcp from any to any flags /SFRA
>
> # block weird tcp packets on WiFi:
> block in quick on $if_wir inet proto tcp from any to any flags FUP/FUP
> block in quick on $if_wir inet proto tcp from any to any flags SF/SFRA
> block in quick on $if_wir inet proto tcp from any to any flags /SFRA
>
> # don't allow anyone to spoof non-routeable addresses
> block in  quick on $if_ext from $no_route to any
> block out quick on $if_ext from any to $no_route
>
> ###----------------------------------------------------------------------
> ### LOOPBACK
> ###
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> ###----------------------------------------------------------------------
> ### EXTERNAL INTERFACE
> ###
>
>
> # INCOMING: accept ssh
> pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 22 flags S/SA keep state
> pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 8000
>
> # INCOMING DEFAULT: block all incoming
>
> # OUTGOING: block non nated packets, pass the others
> block out quick on $if_ext from !$if_ext/24 to any
> pass out quick on $if_ext proto tcp from $if_ext/24 to any flags S/SA keep state
> pass out quick on $if_ext proto { udp } from $if_ext/24 to any keep state
>
> # ICMP: ping
> # remove next to block ping from Internet
> pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
> pass out on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
>
> # OUTGOING DEFAULT: block all outgoing
>
> ###----------------------------------------------------------------------
> ### INTERNAL INTERFACE
> ###
>
> # INCOMING: traffic to fw, accept ssh & dhcp only, block the rest
> pass in quick on $if_int proto tcp from $if_int/27 to $if_int/27 port = 22 flags S/SA keep state
> pass in quick on $if_int proto { tcp,udp } from $if_int/27 to $if_int/27 port = 67 keep state
> block in quick on $if_int from any to $if_int/27
>
> # INCOMING: frwd traffic to all destinations (except bad ports & broadcasts)
> pass in quick on $if_int from $if_int/27 to any
>
> # INCOMING DEFAULT: block the rest (spoofed packets...)
>
> # OUTGOING: pass all.
> pass out quick on $if_int proto { tcp,udp } from any to $if_int/27 keep state
>
> # ICMP: ping
> pass out on $if_int inet proto icmp all icmp-type 8 code 0 keep state
>
> ###----------------------------------------------------------------------
> ### WIRELESS INTERFACE
> ###
>
> # INCOMING: traffic to fw, accept ssh & dhcp only, block the rest
> pass in quick on $if_wir proto tcp from $if_wir/27 to $if_wir/27 port = 22 flags S/SA keep state
> pass in quick on $if_wir proto { tcp,udp } from $if_wir/27 to $if_wir/27 port = 67 keep state
> block in quick on $if_wir from any to $if_wir/27
>
> # INCOMING: frwd traffic to all destinations (except bad ports & broadcasts)
> pass in quick on $if_wir from $if_wir/27 to any
>
> # INCOMING DEFAULT: block the rest (spoofed packets...)
>
> # OUTGOING: pass all.
> pass out quick on $if_wir proto { tcp,udp } from any to $if_wir/27 keep state
>
> # ICMP: ping
>