
pf.conf feedback, critique...



Monday, December 20
Hello, I am replacing my old [basement closet] firewall/router box which
still runs ipchains < 2.2 kernel :-).
After a couple of months gathering enough info on all currently available
options I decided [to some of my friends' horror ;-)] to go for an OpenBSD
pf config on the new router/pc.
I tried to read as much as possible about the subject and came up
with a pf.conf.
Before I `go live' with the box I would like some feedback from more
experienced users. At this moment I have tested the firewall within a
test setting in my internal network and it seems to work fine.
At least that is what I think until your replies..?
Appreciate the effort. Thanks.. J.

# $OpenBSD: pf.conf,v 1.28 OpenBSD 3.5-current (GENERIC)
#
# taken care of:
# /etc/sysctl.conf [net.inet.ip.forwarding=1]
# ftp server is listening on the right [passive] ports,
# and is masquerading its address as the gateway's address.
# ftp-proxy is running etc.. all secondary, works..
###########
# variable, macros, tables
# internet [top card]
ext_if = "xl1"
# intranet [bottom card]
int_if = "xl0"
# sister's pc
fam = "{ 192.168.1.40 }"
# internal ftp server
ftp_server = "{ 192.168.1.30 }"
###########
# OPTIONS, the default response for block filter rules
set block-policy return
# turn on statistics logging
set loginterface $ext_if
###########
# SCRUB, traffic normalization, rebuild fragments etc..
scrub in log all
scrub out on $ext_if all random-id
###########
# NAT/RDR
# perform NAT for the entire internal network
nat on $ext_if from $int_if:network to any -> $ext_if
# ftp clients [internal] `from local to the internet'
# redirection rule is needed for ftp-proxy(8) so that FTP clients on the 
# local network can connect to FTP servers on the Internet.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# 1. ftp clients [external, incoming]: control port and the passive data range
rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server port 21
rdr on $ext_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535
###########
# Filter Rules
# Start with the default deny:
block log-all all
# At this point nothing will go through the firewall! Not even from the 
# internal network. The following rules will open up the firewall as per 
# objectives [above].
# pass all traffic on the loopback device
pass quick on lo0 all
# antispoof: block packets whose source address belongs to one interface's
# network but which arrive on another interface (spoofed source addresses)
antispoof log for { $ext_if, $int_if }
# block 192.168.1.40 to 224.0.0.22 , winXP IGMP-2 SPAM
# block in log quick on $int_if from $fam to 224.0.0.22
# 2. ftp clients [external, incoming] requests [in]
pass in quick on $ext_if proto tcp from any to $ftp_server port 21 keep state
# passive data ports; the range is the same one the rdr above translates
# (49152:65535 is inclusive, whereas "> 49152" would leave port 49152 blocked)
pass in quick on $ext_if proto tcp from any to $ftp_server port 49152:65535 keep state
# 3. ftp clients [external, incoming] requests [out]
pass out quick on $int_if proto tcp from any to $ftp_server port 21 keep state
pass out quick on $int_if proto tcp from any to $ftp_server port 49152:65535 keep state
# ftp clients [internal] have to use ftp proxy for active FTP.
# Allow remote FTP servers (on data port 20) to respond to the proxy's active FTP 
# requests by contacting it on the port range specified in inetd.conf
pass in on $ext_if inet proto tcp from any port 20 \
  to $ext_if port 55000 >< 57000 user proxy flags S/SA keep state
# allow them out of the external interface again..
pass out on $ext_if inet proto tcp from $ext_if to any port 20 \
  flags S/AUPRFS modulate state
# Traffic must also be passed to and from the internal network
pass in on $int_if from $int_if:network to any keep state
# Enable the firewall itself to initiate connections to the internal network
pass out on $int_if from any to $int_if:network keep state
############
# Last, pass all traffic out on the external interface: 
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
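A small model of pf's last-match/quick evaluation over the inbound rules of the posted filter section, added here as an illustration and not part of J.'s config or of pf itself. It ignores source addresses, state and scrub, takes destination addresses as they are after rdr, and `uncovered_ports` checks a pass rule's port operator against the range an rdr rule translates (pf's `>` excludes the boundary port, `lo:hi` includes it).

```python
from dataclasses import dataclass

@dataclass
class Rule:  # None means 'any'; source address, state and scrub are not modelled
    action: str            # 'pass' or 'block'
    direction: str = None  # 'in', 'out' or None for both
    iface: str = None
    proto: str = None
    dst: str = None
    port: tuple = None     # ('=', 21), ('>', 49152) or (':', lo, hi), as pf writes them
    quick: bool = False

def port_matches(spec, port):
    # pf port operators: '=' exact, '>' strictly greater, ':' inclusive range
    if spec is None:
        return True
    op, lo = spec[0], spec[1]
    return {'=': port == lo, '>': port > lo, ':': lo <= port <= spec[-1]}[op]

def matches(rule, pkt):
    return (rule.direction in (None, pkt['dir']) and rule.iface in (None, pkt['iface'])
            and rule.proto in (None, pkt['proto']) and rule.dst in (None, pkt['dst'])
            and port_matches(rule.port, pkt['dport']))

def evaluate(rules, pkt):
    # Last match wins unless it is 'quick'; with no match pf passes, hence the leading 'block all'
    verdict = 'pass'
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Inbound part of the posted filter section, macros expanded (xl1 = $ext_if, xl0 = $int_if, 192.168.1.30 = $ftp_server)
RULESET = [
    Rule('block'),
    Rule('pass', iface='lo0', quick=True),
    Rule('pass', 'in', 'xl1', 'tcp', '192.168.1.30', ('=', 21), quick=True),
    Rule('pass', 'in', 'xl1', 'tcp', '192.168.1.30', (':', 49152, 65535), quick=True),
    Rule('pass', 'in', 'xl0'),
]

def verdict(iface, direction, proto, dst, dport):
    # dst is the address after rdr, since pf translates before it filters
    return evaluate(RULESET, dict(iface=iface, dir=direction, proto=proto, dst=dst, dport=dport))

def uncovered_ports(rdr_lo, rdr_hi, pass_port_spec):
    # Ports an rdr rule translates that the given pass rule would not admit
    return [p for p in range(rdr_lo, rdr_hi + 1) if not port_matches(pass_port_spec, p)]
```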