
FW: pf rules advice



I'm setting up an OpenBSD 3.4 machine to replace an older OpenBSD machine as my
firewall for the home LAN. I'm connected via a cablemodem which seems to be
quite a hostile environment these days. So I'd like some advice on my pf
ruleset.
Here is what I have on the old machine:
ipf.rules
# Accept anything on the loopback interface
pass in on lo0
pass out on lo0
#
#  Block any inherently bad packets coming in from the outside world.
#  These include ICMP redirect packets, IP fragments so short the
#  filtering rules won't be able to examine the whole UDP/TCP header,
#  and anything with IP options.
#
block in quick on ep1 proto igmp from any to any 
block in log quick on ep1 proto icmp from any to any icmp-type redir
block in log quick on ep1 proto tcp/udp all with short
block in log quick on ep1 from any to any with ipopts
#
#  Block any IP spoofing attempts.  (Packets "from" our network
#  shouldn't be coming in from outside).
#
block in log quick on ep1 from 192.168.4.0/24 to any
block in log quick on ep1 from localhost to any
block in log quick on ep1 from 0.0.0.0/32 to any
block in log quick on ep1 from 255.255.255.255/32 to any
#
#  Block all incoming UDP traffic except talk and DNS traffic.  NFS
#  and portmap are special-cased and logged.
#
block in log on ep1 proto udp from any to any
block in log on ep1 proto udp from any to any port = sunrpc
block in log on ep1 proto udp from any to any port = 2049
pass in on ep1 proto udp from any to any port = domain
# For dcc client
pass in on ep1 proto udp from any to any port = 6277
pass in on ep1 proto udp from any to any port = talk
pass in on ep1 proto udp from any to any port = ntalk
pass in on ep1 proto udp from 192.5.41.41 to any port = ntp
pass in on ep1 proto udp from 192.5.41.40 to any port = ntp
pass in on ep1 proto udp from 128.115.14.97 to any port = ntp
#
#  Block all incoming TCP traffic connections to known services,
#  returning a connection reset so things like ident don't take
#  forever timing out.  Don't log ident (auth port) as it's so common.
#
block return-rst in log on ep1 proto tcp from any to any flags S/SA
block return-rst in on ep1 proto tcp from any to any port = auth flags S/SA
#
#  Allow incoming TCP connections to ports between 1024 and 5000, as
#  these don't have daemons listening but are used by outgoing
#  services like ftp and talk.  For slightly more obscurity (though
#  not much more security), the second commented out rule can be chosen
#  instead.
#
pass in on ep1 proto tcp from any to any port 1024 >< 5000
#pass in on ep1 proto tcp from any port = ftp-data to any port 1024 >< 5000
#
#  Now allow various incoming TCP connections to particular hosts, TCP
#  to the main nameserver so secondaries can do zone transfers, SMTP
#  to the mail host, www to the web server (which really should be
#  outside the firewall if you care about security), and ssh to a
#  hypothetical machine called 'gatekeeper' that can be used to gain
#  access to the protected network from the outside world.
#
pass in on ep1 proto tcp from any to 68.58.176.69 port = www
pass in on ep1 proto tcp from any to 205.159.77.224 port = www
pass in on ep1 proto tcp from any to 68.58.176.69 port = sftp
pass in on ep1 proto tcp from any to 205.159.77.224 port = sftp
pass in on ep1 proto tcp from any to 68.58.176.69 port = ssh
pass in on ep1 proto tcp from any to 205.159.77.224 port = ssh
pass in on ep1 proto tcp from any to 68.58.176.69 port = 8022
# pass in on ep1 proto tcp from 166.84.0.227 to 205.159.77.240 port = 6000
# pass in on ep1 proto tcp from 166.84.0.228 to 205.159.77.240 port = 6000
# pass in on ep1 proto tcp from 166.84.0.231 to 205.159.77.240 port = 6000
and the nat config file
# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
#
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
#map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
rdr ep1 68.58.176.69/32 port http -> 205.159.77.224 port http
rdr ep1 68.58.176.69/32 port 8022 -> 205.159.77.224 port 22
rdr ep1 68.58.176.69/32 port sftp -> 205.159.77.224 port sftp
rdr ep1 68.58.176.69/32 port 6000 -> 205.159.77.240 port 6000
map ep1 205.159.77.0/24 -> ep1/32 proxy port ftp ftp/tcp
map ep1 205.159.77.0/24 -> ep1/32 portmap tcp/udp 10000:20000
map ep1 205.159.77.0/24 -> ep1/32 
# map ep1 192.168.1.0/24 -> ep1/32 proxy port ftp ftp/tcp
# map ep1 192.168.1.0/24 -> ep1/32 portmap tcp/udp 10000:20000
# map ep1 192.168.1.0/24 -> ep1/32 
Now, I have a pf.conf that mostly works. The one issue I am aware of on it
is that it seems to prevent the new machine from ftp'ing to any machine on
the local network.
#	$OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# Macros: define common values, so they can be referenced and changed easily.
ext_if="fxp0"	# replace with actual external interface name i.e., dc0
int_if="fxp1"	# replace with actual internal interface name i.e., dc1
internal_net="205.159.77.0/24"
#external_addr="192.168.1.1"
black="205.159.77.224"
teddy="205.159.77.231"
koala="205.159.77.234"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
rdr on $ext_if proto tcp from any to $ext_if port {22 25 80} -> $black
# Filtering: the implicit first two rules are
#pass in all
#pass out all
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass  in  on $ext_if proto tcp from any to $ext_if port {22 25 80} keep state
pass  out on $ext_if proto { tcp, udp } all keep state
# pass incoming ports for ftp-proxy
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
# For DNS server
pass in on $ext_if proto udp from any to any port domain keep state
# For DCC client
pass in on $ext_if proto udp from any to any port 6277 keep state
However, I think this one is probably too open to deploy "in the wild". Can
anyone offer some advice here?
-- 
"They that would give up essential liberty for temporary safety deserve
neither liberty nor safety."
						-- Benjamin Franklin
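The posted pf.conf leaves `block in log all` commented out, so anything not matched by a rule is passed; the ruleset below is an added example (mine, not the poster's file or OpenBSD's template) showing how the old ipf/ipnat policy maps onto a default-deny pf.conf for OpenBSD 3.4. It reuses the poster's macro values and assumes ftp-proxy is started from inetd on 127.0.0.1:8021, which the post does not show.

```pf
# Added example, not the poster's file: a default-deny pf.conf for OpenBSD 3.4
# that carries the old ipf/ipnat policy over. Macro values are the poster's;
# ftp-proxy listening via inetd on 127.0.0.1:8021 is assumed.
ext_if="fxp0"
int_if="fxp1"
internal_net="205.159.77.0/24"
black="205.159.77.224"
table <martians> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 }

# Normalization: reassembling fragments replaces ipf's "with short" checks.
scrub in all

# Translation (first match wins). Outbound FTP from the LAN is diverted to
# ftp-proxy; FTP to other LAN hosts is excluded so it is not proxied.
nat on $ext_if from $internal_net to any -> $ext_if
rdr on $int_if proto tcp from $internal_net to ! $internal_net port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to $ext_if port { 22, 25, 80 } -> $black

# Filtering (last match wins): drop and log everything, then open holes.
block log all
pass quick on lo0 all
antispoof log quick for $ext_if inet
block in log quick on $ext_if from <martians> to any
# Reset ident instead of dropping it so remote mail/IRC servers do not stall.
block return-rst in quick on $ext_if proto tcp from any to $ext_if port auth

# Published services: filter on the post-rdr destination, SYN only.
pass in on $ext_if proto tcp from any to $black port { 22, 25, 80 } flags S/SA keep state
pass in on $ext_if proto udp from any to $ext_if port domain keep state
pass in on $ext_if proto udp from any to $ext_if port 6277 keep state
# ftp-proxy active-mode data connections, as in the poster's rule.
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# LAN and the firewall itself may initiate; state entries admit the replies
# (NTP answers from the servers the old rules listed come back this way).
pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and compare `pfctl -sr` against the old ipf rules to confirm nothing listed there is still open.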