OBSD Bridge Help

Hello:
Can someone look and see what I have done wrong with my pf.conf rules? I gathered a lot of info from multiple sites but I can't connect out from my nat/dhcp router. I have not set up the fw/vpn server yet. My setup is like:
Internet--Cable Modem---Bridge---Switch---nat/dhcp router---FW/VPN---Internal
1. The cable modem has a public ip (xxx.xxx.xxx.121)
2. I have three interfaces on the bridge with one ip (192.168.1.100) as a management interface.
3. The servers on the switch have public ips (xxx.xxx.xxx.123, xxx.xxx.xxx.124). They run www, mail, and dns.
4. The nat/dhcp router is a linksys router with external ip (xxx.xxx.xxx.122) and internal ip (192.168.1.1).
5. The management interface on the bridge is connected to the internal port of the router.
6. The firewall/vpn server has external ip (192.168.1.2) and internal ip (192.168.2.1).
My pf.conf rules are: (Disregard the Table. It is formatted right on my system)
#########INITIALIZE VARIABLES
#### Define the Network Interfaces
ext_if="xl0" # Untrusted (from WAN ISP) side
int_if="xl1" # Internal to application servers
mgt_if="fxp0" # Management Interface
loop_if="lo0" # LoopBack Device
all_if="{ xl0, xl1, fxp0, lo0 }"
#### Tables
table <RFC1918> const
{!192.168.0.0/24,0.0.0.0/8,1.0.0.0/8,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,10.0.0.0/8,23.0.0.0/8,
27.0.0.0/8,31.0.0.0/8,36.0.0.0/8,37.0.0.0/8,39.0.0.0/8,41.0.0.0/8,42.0.0.0/8,49.0.0.0/8,
50.0.0.0/8,58.0.0.0/8,59.0.0.0/8,73.0.0.0/8,74.0.0.0/8,75.0.0.0/8,76.0.0.0/8,77.0.0.0/8,
78.0.0.0/8,79.0.0.0/8,89.0.0.0/8,90.0.0.0/8,91.0.0.0/8,92.0.0.0/8,93.0.0.0/8,94.0.0.0/8,
95.0.0.0/8,96.0.0.0/8,97.0.0.0/8,98.0.0.0/8,99.0.0.0/8,100.0.0.0/8,101.0.0.0/8,
102.0.0.0/8,103.0.0.0/8,104.0.0.0/8,105.0.0.0/8,106.0.0.0/8,107.0.0.0/8,108.0.0.0/8,
109.0.0.0/8,110.0.0.0/8,111.0.0.0/8,112.0.0.0/8,113.0.0.0/8,114.0.0.0/8,115.0.0.0/8,
116.0.0.0/8,117.0.0.0/8,118.0.0.0/8,119.0.0.0/8,120.0.0.0/8,121.0.0.0/8,122.0.0.0/8,
123.0.0.0/8,124.0.0.0/8,125.0.0.0/8,126.0.0.0/8,127.0.0.0/8,169.254.0.0/16,
172.16.0.0/12,173.0.0.0/8,174.0.0.0/8,175.0.0.0/8,176.0.0.0/8,177.0.0.0/8,178.0.0.0/8,
179.0.0.0/8,180.0.0.0/8,181.0.0.0/8,182.0.0.0/8,183.0.0.0/8,184.0.0.0/8,185.0.0.0/8,
186.0.0.0/8,187.0.0.0/8,189.0.0.0/8,190.0.0.0/8,192.0.2.0/24,192.168.0.0/16,
197.0.0.0/8,198.18.0.0/15,223.0.0.0/8,224.0.0.0/3,255.255.255.255/32}
#### OPTIONS
set require-order yes
set block-policy return
set optimization normal
set loginterface $ext_if
#### Public Services
# -------------------------
# WWW : Web Server
# -------------------------
web_servers="{ xxx.xxx.xxx.123, xxx.xxx.xxx.124}"
web_ports="{ 80, 443, 20, 21, 8080, 8443, 55000, > 49151 }"
web_proto="{ tcp, udp }"
# -------------------------
# DNS : Public access resolvers
# -------------------------
dns_servers="{ xxx.xxx.xxx.123, xxx.xxx.xxx.124 }"
dns_ports="{ 53 }"
dns_proto="{ tcp, udp }"
# -------------------------
# MAIL : Public mail server
# -------------------------
mx_servers="{ xxx.xxx.xxx.123, xxx.xxx.xxx.124 }"
mx_ports="{ 80, 143, 443, 25, 110, 943, 995 }"
mx_proto="{ tcp }"
# -------------------------
# SSH : Allow remote login
# -------------------------
ssh_servers="{ xxx.xxx.xxx.123, xxx.xxx.xxx.124, xxx.xxx.xxx.125, xxx.xxx.xxx.126, 192.168.1/24, 192.168.2/24 }"
ssh_ports="{ 22 }"
ssh_proto="{ tcp }"
# ------------------------------
# Rsync : Allow rsync to inside
# ------------------------------
rsync_ports="{ 873 }"
rsync_proto="{ tcp, udp }"
# -------------------------
# SQL : MySQL
# -------------------------
sql_servers=""
sql_ports="{ 3306 }"
sql_proto=""
# -------------------------
# LDAP : Future Use
# -------------------------
ldp_servers=""
ldp_ports=""
ldp_proto=""
#### Illegal Ports
illegal_ports="{ 67, 68, 135, 137, 138, 139, 161, 427, 1433, 1434, 3389 }"
####START FILTER RULES
#### Clean up fragmented and abnormal packets
scrub on $ext_if all random-id min-ttl 255 max-mss 1492 fragment reassemble
#
#
pass quick on $loop_if all
antispoof log for $all_if
# silently drop broadcasts cable modem noise
block in quick on $ext_if from any to 255.255.255.255
# Block bad tcp flags from malicious people and nmap scans
block in log quick on $ext_if proto tcp from any to any flags /S
block in log quick on $ext_if proto tcp from any to any flags /SFRA
block in log quick on $ext_if proto tcp from any to any flags /SFRAU
block in log quick on $ext_if proto tcp from any to any flags A/A
block in log quick on $ext_if proto tcp from any to any flags F/SFRA
block in log quick on $ext_if proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SF/SF
block in log quick on $ext_if proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if proto tcp from any to any flags SR/SR
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on $ext_if proto tcp from any to any flags SFRAU/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SFRAUP/SFRAUP
# Drop spoofed packets IP blocks
block in log quick on $ext_if from { <RFC1918> } to any
block out log quick on $ext_if from any to { <RFC1918> }
# block and log everything by default
block return log on $ext_if all
# block anything coming from source we have no back routes for
block in from no-route to any
# block and log outgoing packets that don't have our address as source,
# they are either spoofed or something is misconfigured NAT disabled,
# (for instance), we want to be nice and don't send out garbage.
block out log quick on $ext_if from ! $ext_if to any
#### Allow internal interface in (block on the external)
pass in quick on $int_if inet proto { tcp, udp } from any to any keep state
pass in quick on $int_if inet proto { icmp } from any to any keep state
#### Allow internal interface out (block on the external)
pass out quick on $int_if inet proto { tcp, udp } from any to any keep state
pass out quick on $int_if inet proto { icmp } from any to any keep state
#### Allow management interface out (block on the external)
pass out quick on $mgt_if inet proto { tcp, udp } from any to any keep state
pass out quick on $mgt_if inet proto { icmp } from any to any keep state
#### Don't allow anyone to spoof non-routeable addresses or broadcasts
#### also block traffic on restricted ports
block in log quick on $ext_if inet proto { tcp, udp } from any to any port $illegal_ports
block out log quick on $ext_if inet proto { tcp, udp } from any to any port $illegal_ports
#### IN RULES
#### WWW Server Traffic
pass in on $ext_if inet proto $web_proto from any to $web_servers port $web_ports keep state
#### DNS Traffic
pass in on $ext_if inet proto $dns_proto from any to $dns_servers port $dns_ports keep state
#### MAIL Traffic
pass in on $ext_if inet proto $mx_proto from any to $mx_servers port $mx_ports keep state
#### SSH Traffic
pass in on $ext_if inet proto $ssh_proto from any to $ssh_servers port $ssh_ports keep state
#### Allow ICMP (ping) IN
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
#### Allow RSYNC IN
pass in on $ext_if inet proto $rsync_proto from any to any port $rsync_ports keep state
#### OUT RULES
#### Pass (Allow) all UDP/TCP OUT and keep state
pass out on $ext_if proto udp all keep state
pass out on $ext_if proto tcp all modulate state
#### Allow rsync
pass out on $ext_if proto $rsync_proto from port $rsync_ports to any
#### Allow ICMP (ping) OUT
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
----------------------
Thank you,
Tony
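Editor's added example (not part of Tony's post and not OpenBSD project code): the hand-maintained <RFC1918> table above mixes genuine special-use ranges with a long list of /8s that were merely unallocated at the time, and it also carries a negated entry (!192.168.0.0/24) inside 192.168.0.0/16. Both patterns are worth checking before a table like this goes into an anti-spoof rule: unallocated blocks get allocated and the table starts dropping legitimate traffic, and a negation carves an exception out of the block rule. The script below parses a pf table in this syntax, classifies each entry against a snapshot list of special-use prefixes, reports negations that punch holes in positive entries, and emulates pf's most-specific-match lookup so individual addresses can be probed. The SPECIAL_USE list is my snapshot and should be refreshed from the IANA special-purpose registry before use; PF_TABLE_TEXT is a constructed subset of the table in the post, and the full table can be pasted in its place.

```python
"""Audit a hand-maintained pf bogon table against known special-use IPv4
ranges and emulate pf's table lookup semantics.

Assumptions (not from the original post): SPECIAL_USE is a snapshot of
RFC 1918 / RFC 5737 / RFC 2544 / IANA special-purpose prefixes; PF_TABLE_TEXT
is a constructed subset of the <RFC1918> table from the post.
"""
import ipaddress
import re

# Constructed sample: a representative subset of the table in the post,
# keeping pf's syntax (a leading '!' negates an entry).
PF_TABLE_TEXT = """
table <RFC1918> const
{!192.168.0.0/24,0.0.0.0/8,1.0.0.0/8,2.0.0.0/8,10.0.0.0/8,23.0.0.0/8,
127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,
198.18.0.0/15,224.0.0.0/3,255.255.255.255/32}
"""

# Prefixes that legitimately never appear as public-Internet sources.
# Snapshot list (assumption): re-check it against the IANA registry.
SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def parse_table(text):
    """Return (name, entries); entries is a list of (negated, network)."""
    m = re.search(r"table\s+<(\w+)>[^{]*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no pf table definition found")
    entries = []
    for tok in m.group(2).replace("\n", " ").split(","):
        tok = tok.strip()
        if tok:
            entries.append((tok.startswith("!"),
                            ipaddress.ip_network(tok.lstrip("!"))))
    return m.group(1), entries


def table_matches(addr, entries):
    """Emulate a pf table lookup: the most specific entry wins, and if that
    entry is negated ('!') the address is NOT in the table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for negated, net in entries:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (negated, net)
    return best is not None and not best[0]


def audit(text):
    """Classify entries as 'special' (covered by SPECIAL_USE), 'stale' (not
    special-use, so likely an allocated block the table would now drop), or
    'holes' (negations that carve an exception out of a positive entry)."""
    _, entries = parse_table(text)
    # collapse_addresses merges adjacent prefixes, e.g. 224/4 + 240/4 -> 224/3
    covered = list(ipaddress.collapse_addresses(SPECIAL_USE))
    positives = [net for neg, net in entries if not neg]
    report = {"special": [], "stale": [], "holes": []}
    for negated, net in entries:
        if negated:
            if any(net.subnet_of(p) for p in positives):
                report["holes"].append(str(net))
        elif any(net.subnet_of(c) for c in covered):
            report["special"].append(str(net))
        else:
            report["stale"].append(str(net))
    return report


if __name__ == "__main__":
    for kind, nets in audit(PF_TABLE_TEXT).items():
        print(f"{kind}: {', '.join(nets) or '-'}")
    _, ents = parse_table(PF_TABLE_TEXT)
    for probe in ("192.168.0.5", "192.168.5.5", "23.1.2.3", "8.8.8.8"):
        print(probe, "in table:", table_matches(probe, ents))
```

On the constructed subset, 1.0.0.0/8, 2.0.0.0/8 and 23.0.0.0/8 are reported as stale (they are ordinary allocated blocks today, so a bogon filter carrying them silently drops real peers), and 192.168.0.0/24 is reported as a hole: pf's most-specific-match rule means a packet from 192.168.0.5 is not matched by the table, so the `block in ... from { <RFC1918> }` rule lets it through even though 192.168.0.0/16 is listed. The same probe logic can be pointed at the table actually loaded on the box by replacing PF_TABLE_TEXT with the output of `pfctl -t RFC1918 -T show`, re-wrapped in the `table <name> { ... }` form the parser expects.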