[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Sample ruleset for dividing LANs



 I have a ruleset that is partially working, but I've hit a wall
trying to figure out why a few parts do not work. The wifi is intended
to be a hot-spot here in the apt complex, but I'm having trouble
restricting them to their assigned services and I am not 100% certain
that they do not have access to the wired LAN.
Would someone please look over this ruleset and help me understand
where I went wrong? Any additional comments or ideas would be
appreciated.
## Macros##############
## Interfaces##########
ext_if   = "fxp0"
wire_if  = "fxp1"
wlan_if  = "fxp2"
external_addr   = "x.x.x.x"
wire_network    = "192.168.1.0/24"
wire_gw         = "192.168.1.1/32"
wlan_network    = "192.168.2.0/24"
wlan_gw         = "192.168.2.1/32"
icmp_types    = "echoreq"
nbt           = "{ 135, 137 >< 139, 445 }"
voip_tcp      = "5060"
voip_udp      = "{ 5060, 4569, 5036, 9999 >< 20001, 2727 }"
wlan_svcs     = "{ pop3, ssh, www, https }"
## Tables##############
# IANA reserved IP blocks as of 4/5/2005
# http://www.completewhois.com/iana-ipv4-addresses.txt
table <reserved> persist file "/etc/reserved.txt"
# restrict IP traffic to the wired LAN #
table <smballow> const { $wire_if:network, 255.255.255.255 }
## Options#############
set loginterface $ext_if
set block-policy return
set optimization normal
set state-policy if-bound
set timeout tcp.closed 1
## Scrub###############
scrub out all no-df random-id max-mss 1440
scrub in  all no-df fragment reassemble min-ttl 2
## Queueing rules######
## to be developed after filtering is functional
## NAT/RDR Translation#
nat on $ext_if from $wire_if:network  to any -> ($ext_if)
nat on $ext_if from $wlan_if:network  to any -> ($ext_if)
rdr on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
## Filter rules########
block in log all
## Pass loopback traffic ##
pass in  quick on lo0 all
pass out quick on lo0 all
## drop DSL noise/broadcast packets ##
block in quick on $ext_if inet from any to { 255.255.255.255 }
block in quick on $ext_if inet from { 255.255.255.255 } to any
## drop TCP non-Syn packets (not-working) ##
#block return-rst quick inet proto tcp all flags /S
#block return-rst quick inet proto tcp all flags A/A
## block SLP multicast (RFC 2608, 2365) ##
block in quick proto igmp from any to 239.255.255.253
block in quick proto udp from any to 239.255.255.253 port 427
## block IGMP multicast (RFC 1112, 2236) ##
block in quick proto icmp from any to 224.0.0.0/4
## Block all reserved private IP addresses ##
block in log quick on $ext_if inet from <reserved> to any
block in log       on $wire_if from { !$wire_if:network, <reserved> } to any
block in log       on $wlan_if from { !$wlan_if:network, <reserved> } to any
## prevent spoofing from this host ##
block out log quick on $ext_if from !$ext_if to any
## prevent spoofing on all interfaces ##
antispoof log quick for $ext_if  inet
antispoof log quick for $wire_if inet
antispoof log quick for $wlan_if inet
# block extra DNS replies ##
block return in on $ext_if inet proto udp from port=domain to port=domain
# Block NetBIOS traffic to the local LAN ##
block in  quick on $ext_if inet proto tcp from any to any port $nbt 
block out quick on $ext_if inet proto tcp from any to any port $nbt
# Restrick SMB traffic to the internal network (needs more testing) ##
block return in log quick on $wire_if proto udp to !<smballow> port
{137 139 445 }
block return in log quick on $wire_if proto tcp to !<smballow> port
{137 139 445 }
# block nmap attempts ##
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
# block wlan access to wire lan (not working) ##
#block in all on $wire_if from $wlan_if:network to any
# pass SSH traffic ##
pass in on $ext_if inet proto tcp from any to any port 222 flags S/SA keep state
# pass VoIP traffic ##
pass in  on $ext_if inet proto tcp from any to any port $voip_tcp
flags S/SA keep state
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass in  on $ext_if inet proto udp from any to any port $voip_udp keep state
pass out on $ext_if proto udp all keep state
# allow internally generated traffic to pass ##
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in  on $wire_if  from $wire_if:network to any 
pass out on $wire_if  from any to $wire_if:network
pass in  on $wlan_if  from $wlan_if:network to any 
pass out on $wlan_if  proto { tcp, udp } from any to $wlan_if:network
port $wlan_svcs
pass in  on $ext_if proto tcp from any to $ext_if flags S/SA keep state
pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state