
Re: Sample ruleset for dividing LANs



--- Steven Bowers <[email protected]> wrote:
>  I have a ruleset that is partially working, but I've hit a wall trying to
> figure out why a few parts do not work. The wifi is intended to be a
> hot-spot here in the apt complex, but I'm having trouble restricting them
> to their assigned services and I am not 100% certain that they do not have
> access to the wired LAN.
> 
> Would someone please look over this ruleset and help me understand where
> I went wrong? Any additional comments or ideas would be appreciated.
>
I can point you to where exactly the problem is.
 
> 
> ## Macros##############
> ## Interfaces##########
> ext_if   = "fxp0"
> wire_if  = "fxp1"
> wlan_if  = "fxp2"
> 
> external_addr   = "x.x.x.x"
> wire_network    = "192.168.1.0/24"
> wire_gw         = "192.168.1.1/32"
> wlan_network    = "192.168.2.0/24"
> wlan_gw         = "192.168.2.1/32"
> 
> icmp_types    = "echoreq"
> nbt           = "{ 135, 137 >< 139, 445 }"
> voip_tcp      = "5060"
> voip_udp      = "{ 5060, 4569, 5036, 9999 >< 20001, 2727 }"
> wlan_svcs     = "{ pop3, ssh, www, https }"
> 
> ## Tables##############
> # IANA reserved IP blocks as of 4/5/2005
> # http://www.completewhois.com/iana-ipv4-addresses.txt
> table <reserved> persist file "/etc/reserved.txt"
> 
> # restrict IP traffic to the wired LAN #
> table <smballow> const { $wire_if:network, 255.255.255.255 }
> 
> ## Options#############
> set loginterface $ext_if
> set block-policy return
> set optimization normal
> set state-policy if-bound
> set timeout tcp.closed 1
> 
> ## Scrub###############
> scrub out all no-df random-id max-mss 1440
> scrub in  all no-df fragment reassemble min-ttl 2
> 
> ## Queueing rules######
> ## to be developed after filtering is functional
> 
> ## NAT/RDR Translation#
> nat on $ext_if from $wire_if:network  to any -> ($ext_if)
> nat on $ext_if from $wlan_if:network  to any -> ($ext_if)
> rdr on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> 
> ## Filter rules########
> block in log all
> 
> ## Pass loopback traffic ##
> pass in  quick on lo0 all
> pass out quick on lo0 all
> 
> ## drop DSL noise/broadcast packets ##
> block in quick on $ext_if inet from any to { 255.255.255.255 }
> block in quick on $ext_if inet from { 255.255.255.255 } to any
> 
> ## drop TCP non-Syn packets (not-working) ##
> #block return-rst quick inet proto tcp all flags /S
> #block return-rst quick inet proto tcp all flags A/A
> 
> ## block SLP multicast (RFC 2608, 2365) ##
> block in quick proto igmp from any to 239.255.255.253
> block in quick proto udp from any to 239.255.255.253 port 427
> 
> ## block IGMP multicast (RFC 1112, 2236) ##
> # the comment says IGMP, so the protocol is igmp, not icmp
> block in quick proto igmp from any to 224.0.0.0/4
> 
> ## Block all reserved private IP addresses ##
> block in log quick on $ext_if inet from <reserved> to any
> block in log       on $wire_if from { !$wire_if:network, <reserved> } to any
> block in log       on $wlan_if from { !$wlan_if:network, <reserved> } to any
> 
> ## prevent spoofing from this host ##
> block out log quick on $ext_if from !$ext_if to any
> 
> ## prevent spoofing on all interfaces ##
> antispoof log quick for $ext_if  inet
> antispoof log quick for $wire_if inet
> antispoof log quick for $wlan_if inet
> 
> # block extra DNS replies ##
> block return in on $ext_if inet proto udp from port=domain to port=domain
> 
> # Block NetBIOS traffic to the local LAN ##
> block in  quick on $ext_if inet proto tcp from any to any port $nbt
> block out quick on $ext_if inet proto tcp from any to any port $nbt
> 
> # Restrict SMB traffic to the internal network (needs more testing) ##
> block return in log quick on $wire_if proto udp to !<smballow> port { 137, 139, 445 }
> block return in log quick on $wire_if proto tcp to !<smballow> port { 137, 139, 445 }
> 
> # block nmap attempts ##
> block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
> block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
> block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
> 
> # block wlan access to wire lan (not working) ##
> #block in all on $wire_if from $wlan_if:network to any
> 
> # pass SSH traffic ##
> pass in on $ext_if inet proto tcp from any to any port 222 flags S/SA keep state
> 
> # pass VoIP traffic ##
> pass in  on $ext_if inet proto tcp from any to any port $voip_tcp flags S/SA keep state
> pass out on $ext_if inet proto tcp all flags S/SA keep state
> pass in  on $ext_if inet proto udp from any to any port $voip_udp keep state
> pass out on $ext_if proto udp all keep state
> 
Note that the above 2 pass out rules are the same as the last 2 rules. You can remove them.

> # allow internally generated traffic to pass ##
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in  on $wire_if  from $wire_if:network to any
> pass out on $wire_if  from any to $wire_if:network
> pass in  on $wlan_if  from $wlan_if:network to any
> pass out on $wlan_if  proto { tcp, udp } from any to $wlan_if:network port $wlan_svcs
> pass in  on $ext_if proto tcp from any to $ext_if flags S/SA keep state
> pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state
> pass out on $ext_if proto { udp, icmp } all keep state
> 
I can't see where you are trying to assign services. My advice is to write a
new pf.conf.

If you want to allow only
wlan_svcs     = "{ pop3, ssh, www, https, domain }"
(adding "dns"), just block all traffic on wlan_if and then allow specific
services:

block all on $wlan_if
pass in on $wlan_if from $wlan_if:network to any port $wlan_svcs keep state

Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655
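Two things in the quoted ruleset explain why the wired LAN is still reachable from the hot-spot. The commented-out "block in all on $wire_if from $wlan_if:network" can never match: packets from the wireless clients arrive *in* on $wlan_if and only ever leave *out* on $wire_if. Meanwhile "pass in on $wlan_if from $wlan_if:network to any" is the last rule to match anything from the wireless network (pf takes the last match unless a rule says quick), and "pass out on $wire_if from any to $wire_if:network" then hands that traffic to the wired side. The fragment below is an added example, not the poster's or the reply author's configuration: it takes the interface names, networks and the wlan_svcs list from the quoted post and assumes the gateway also serves DHCP and DNS to the hot-spot. The segmentation block sits on $wlan_if, comes before any pass rule, and carries quick, so no later pass can override it.

```pf
# Added example, not the poster's ruleset: a minimal pf.conf that keeps a
# wireless hot-spot (fxp2) away from the wired LAN (fxp1). Interface names,
# networks and the wlan_svcs list follow the quoted post; the DHCP and DNS
# rules are an assumption about what a hot-spot gateway provides.
ext_if    = "fxp0"
wire_if   = "fxp1"
wlan_if   = "fxp2"
wlan_svcs = "{ pop3, ssh, www, https }"

set block-policy return
set loginterface $ext_if
scrub in all

nat on $ext_if from { $wire_if:network, $wlan_if:network } to any -> ($ext_if)

# Default deny in both directions; everything below is an explicit exception.
block in  log all
block out log all

pass quick on lo0 all
antispoof log quick for { $ext_if, $wire_if, $wlan_if } inet

## Wireless hot-spot. pf evaluates rules top to bottom and the last match
## wins unless a rule says "quick", so the segmentation block must come
## before any pass rule and carry "quick". It is placed on $wlan_if, where
## the packets arrive, not on $wire_if, where they would only ever leave.
# Assumed: the gateway hands out addresses and resolves names for the hot-spot.
pass in quick on $wlan_if inet proto udp from any port bootpc to any port bootps keep state
pass in quick on $wlan_if inet proto udp from $wlan_if:network to $wlan_if port domain keep state
# Nothing from the hot-spot may reach the wired LAN or the gateway's own addresses.
block in log quick on $wlan_if inet from any to { $wire_if:network, $wire_if, $wlan_if, $ext_if }
# Only the listed TCP services, and only towards the Internet. A port match
# needs an explicit proto tcp or udp; pfctl rejects a port without one.
pass in on $wlan_if inet proto tcp from $wlan_if:network to any port $wlan_svcs flags S/SA keep state

## Wired LAN: unrestricted outbound; replies return through the state entry.
pass in on $wire_if inet from $wire_if:network to any keep state

## The gateway's own outbound connections.
pass out on $ext_if inet from ($ext_if) to any keep state
```

Check the file with "pfctl -nf /etc/pf.conf" (parse only), load it with "pfctl -f /etc/pf.conf", and compare "pfctl -sr" against what you meant to write: it prints the loaded rules with macros and interface networks expanded, which makes a rule on the wrong interface or a missing quick easy to spot. Blocked packets appear on "tcpdump -n -e -ttt -i pflog0", and "pfctl -ss" lists the states the pass rules created. The example keeps pf's default floating states; the quoted ruleset sets state-policy if-bound, under which a state created as a packet enters on $wlan_if does not cover the same flow leaving on $ext_if, so with that setting every pass out rule becomes mandatory rather than redundant.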