[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

optimizing pf firewall



Hello,
I'm a new member and am trying to make the most effective and efficient firewall for my current configuration. I'm going to use it on three different networks so i'm trying for portability, rules are below. I'm following the howto at:
http://www.papamike.ca/tutorials/pub/obsd_pf.html
I'm using freebsd 5.4 routers at each site.
My first question is given my below ruleset is it the most optimized, does it make any unnecessary rule processing?
My box is acting as firewall/router for a natted lan, almost everything is working fine. My first problem is active ftp. I've got three clients that can not go passive, even though passive is working great! For the first time i don't have to open up the firewall just to get anything. But trying to go active doesn't work.
My second problem, i'm trying to do mpd vpn, which relies on gre. I've got a natted vpn server at 192.168.1.3 but when an external connection happens, that is one outside my firewall from a windows box i get an error 619, which after googling and asking, have determined that gre isn't natting to the box. Does anyone have this working?
Any help appreciated.
Thanks.
Dave.


pf.conf
# pf.conf
# for use on gateway box

# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.


# define the two network interfaces
ext_if = "rl0"
int_if = "rl1"

# define some address macros
lan_server = "192.168.1.3"
# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1194, 1723, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 4000, 4662, 4711,
5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8021, 8080, 8505, 8880, 9102 }"
lan_to_fw_services = "{ ssh }"
fw_to_lan_services = "{ ssh, 9101, 9102, 9103 }"
nameservers = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
isp_dhcp_server = "10.40.224.1"


# options
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# normalize packets to prevent fragmentation attacks
scrub on $ext_if all random-id reassemble tcp
scrub on $int_if inet no-df

# queue band width limiting
#altq on $ext_if cbq bandwidth 768Kb queue { std, ssh, ftp, pop3 }
#queue std bandwidth 50% cbq(default)
#queue ssh bandwidth 25% { ssh_login, ssh_bulk }
 #queue ssh_login bandwidth 25% priority 4 cbq(ecn)
 #queue ssh_bulk bandwidth 75% cbq(ecn)
#queue ftp bandwidth 50Kb priority 3 cbq(borrow red)
#queue pop3 bandwidth 100Kb priority 3 cbq(borrow red)

# translate lan client addresses to that of the external interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to any port $int_to_lan_services -> $lan_server
rdr on $ext_if inet proto udp from any to any port 1194 -> $lan_server port 1194
# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if inet proto tcp from $int_if:network to any port www -> 127.0.0.1 port 8080
# redirect gre traffic
rdr on $ext_if inet proto gre from any to any -> $lan_server


# pass all loopback traffic
pass quick on lo0 all

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# Thwart nmap scans
block in log quick on $ext_if proto tcp all flags FUP/FUP

# prevent lan originated spoofing from occurring
antispoof for $ext_if inet

# block everything from entering EXT
block in log on $ext_if all

# allow WAN requests from the internet to enter EXT
# in order to contact our web server (keep state on this connection)
pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state
# UDP 1194 for openvpn
pass in on $ext_if inet proto udp from any to $lan_server port 1194 keep state
# Gre traffic for mpd
pass in on $ext_if inet proto gre from any to $lan_server keep state


# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc keep state


# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy flags S/SA keep state


# block everything from exiting EXT
block out log on $ext_if all

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state


# allow UDP requests to port 123 from firewall to exit ext_if_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state


# Allow UDP requests to port 67 from firewall to exit ext_if
# in order to contact internet dhcp servers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps keep state


# allow lan requests from lan clients to exit EXT
# (after natting is performed) in order to contact internet servers
# (keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services flags S/SA modulate state


# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan clients
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type 8 keep state


# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 flags S/SA modulate state


# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy flags S/SA keep state


# block everything from entering LAN
block in log on $int_if all

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass in quick on $int_if inet proto udp from $int_if:network to $int_if port 53 keep state


# allow UDP requests to ports 67, 68, and 123 from int_if clients to enter int_if
# in order to perform dhcp and ntp queries on the firewall
# ( Keep state on this connection)
pass in quick on $int_if inet proto udp from $int_if:network to $int_if port { 67, 68, 123, 6112 } keep state


# allow LAN requests from lan clients to enter LAN
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $int_if:network to any port $lan_to_int_services flags S/SA modulate state


# lan network connects to firewall via ssh for administrative purposes
pass in on $int_if inet proto tcp from $int_if:network to $int_if port $lan_to_fw_services modulate state


# allow requests from lan network to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in quick on $int_if inet proto icmp from $int_if:network to any icmp-type 8 keep state


# allow lan broadcasts
pass in quick on $int_if proto { tcp, udp } from $int_if:network to $int_if:broadcast keep state


# allow squid connections from lan to proxy
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state


# allow ftp connections from lan to proxy
pass quick on $int_if inet proto tcp from $int_if:network to lo0 port 8021 flags S/SA keep state
pass in quick on $int_if inet proto tcp from $int_if:network to $ext_if port 55000:57000 flags S/SA keep state


# block everything from exiting LAN
block out log on $int_if all

# allow WAN requests from the internet to exit LAN
# in order to contact our lan server (keep state on this connection)
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state
# UDP 1194
pass out quick on $int_if inet proto udp from any to $lan_server port 1194 keep state
# GRE traffic out
pass out quick on $int_if inet proto gre from any to $lan_server keep state


# firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port $fw_to_lan_services flags S/SA modulate state