[TriLUG] Re: OpenBSD firewall

Jon Carnes jonc at trilug.org
Tue Jan 6 23:41:41 EST 2004


Wow!  Now that is what I call a *real* firewall!
Fantastic use of almost every OpenBSD firewalling function. 

Just out of curiosity, what kind of processor and RAM do you have on the
server?  What added latency do you get when passing through?

Jon Carnes

On Tue, 2004-01-06 at 22:42, ljacobs wrote:
> Folks --
> 
> I have attached a longish file that is the rule set of an OpenBSD based packet filter firewall. Those of you who are experienced with these systems might find it interesting. And I would particularly appreciate any comments and suggestions, criticisms and recommendations to improve on this firewall.
> 
> I am basically supporting a number of Win2K servers, a FreeBSD postfix server and several linux servers. All the servers are really in a DMZ and the OpenBSD system is only dual-homed, i.e., 2 NICs.
> 
> Thanks for any comments you might provide, especially as it relates to the requirement for the FTP servers to be available.
> 
> IPs have been changed to protect the innocent.
> 
> Thanks. 
> 
> 
> ________________________________________________________________
> Sent via the WebMessaging system at mandala-designs.com
> 
> ______________________________________________________________________
> 
> # /etc/pf.conf
> # essential reading: http://www.inebriated.demon.nl/pf-howto
> #                    man pf.conf
> #                    man pf
> #
> #
> # To view the logfiles:
> #       tcpdump -n -e -ttt -r /var/log/pflog
> #
> # To tail -f the logfile: (well not really but...)
> #       tcpdump -n -e -ttt -i pflog0
> #
> # To watch the blocked packets
> # 	tcpdump -n -e -tt -i pflog0 action block
> #
> # Use pfctl -t spamd -T replace -f /etc/spamd to update spammer table
> # Use pfctl -t tablename -T show -v to show stats on each address in table
> # Use pfctl -s nat   to show the effective nat-rules.
> # Use pfctl -s rules to show your effective pf-rules.
> # Use pfctl -vvs rules to show even more
> #
> # PF rule base, to get read into the PF script
> #
> # Version 0.60: August, 2003
> #
> # Interface:
> #    fxp1 - internal to private network
> #    fxp0 - external to T1
> #
> # rule keywords
> #    * set
> #    * scrub
> #    * rdr
> #    * nat
> #    * binat
> #    * block
> #    * pass
> #
> # Order of Rules
> # 1. Options
> # 2. Scrub
> # 3. NAT & RDR
> # 4. Filter
> #
> # HOW TO FIREWALL A NEW IPADDRESS
> # 1. add a new entry to "FIREWALLED SERVERS" for the 
> #    external address and the internal address 
> # 2. add internal server name to appropriate service providers
> # 3. add a new binat entry
> # 4. restart the firewall: pfctl -F all;pfctl -f /etc/pf.conf
> 
> #####################################################
> # DEFINE INTERFACES
> #####################################################
> ext_if="fxp0"
> int_if="fxp1"
> Lo_if="lo0"
> 
> #####################################################
> # DEFINE SERVERS
> #####################################################
> # DEFINE ADDRESS RANGES
> int_ad = "192.168.1.0/24"
> ext_ad = "143.23.199.128/27"
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # KNOWN REMOTE SERVERS
> dorje = "234.139.229.177"
> bodhi = "234.139.229.179"
> dharma = "66.30.190.48"
> kalapa = "168.103.60.107"
> vajra = "66.30.190.106"
> ursa_major = "245.140.80.3"
> shambhala_firewall = "168.103.60.105"
> redwing_home = "56.211.161.136"
> redwing_office = "261.148.40.155"
> 
> #
> # REMOTE SERVER GROUPS
> trusted_ssh = $bodhi $dorje $vajra $dharma $kalapa
> trusted_dns = $bodhi $ursa_major $dharma
> trusted_db = $dorje $kalapa 
> trusted_nagios = $dharma
> trusted_tb2 = $bodhi $dorje $vajra $dharma $kalapa $shambhala_firewall
> trusted_apc = $bodhi $dorje $vajra $dharma $kalapa
> trusted_coyote = $bodhi $dorje $vajra $dharma $kalapa
> trusted_switch = $bodhi $dorje $vajra $dharma $kalapa
> trusted_rcp = $bodhi $dorje $vajra $dharma $kalapa $redwing_home $redwing_office
> # ------------------------------------------------- #
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # FIREWALLED SERVERS
> switch_136_ext = 	"226.327.93.136"
> switch_136_int = 	"192.168.1.136"
> 
> rinpoche_131_ext =	"226.327.93.131"
> rinpoche_131_int =	"192.168.1.131"
> rinpoche_140_ext =	"226.327.93.140"
> rinpoche_140_int =	"192.168.1.140"
> rinpoche_141_ext =	"226.327.93.141"
> rinpoche_141_int =	"192.168.1.141"
> rinpoche_143_ext =	"226.327.93.143"
> rinpoche_143_int =	"192.168.1.143"
> rinpoche_149_ext =	"226.327.93.149"
> rinpoche_149_int =	"192.168.1.131"
> rinpoche_150_ext =	"226.327.93.150"
> rinpoche_150_int =	"192.168.1.150"
> rinpoche_153_ext =	"226.327.93.153"
> rinpoche_153_int =	"192.168.1.153"
> rinpoche_154_ext =	"226.327.93.154"
> rinpoche_154_int =	"192.168.1.154"
> rinpoche_155_ext =	"226.327.93.155"
> rinpoche_155_int =	"192.168.1.155"
> rinpoche_158_ext =	"226.327.93.158"
> rinpoche_158_int =	"192.168.1.158"
> 
> rinpoche_all_int =	$rinpoche_131_int \
> 			$rinpoche_140_int \
> 			$rinpoche_141_int \
> 			$rinpoche_143_int \
> 			$rinpoche_149_int \
> 			$rinpoche_154_int \
> 			$rinpoche_150_int \
> 			$rinpoche_153_int \
> 			$rinpoche_155_int \
> 			$rinpoche_158_int 
> 
> 
> tao_130_ext = "226.327.93.130"
> tao_130_int = "192.168.1.130"
> 
> tao_135_ext = "226.327.93.135"
> tao_135_int = "192.168.1.135"
> tao_all = $tao_130_int \
> 	  $tao_135_int
> 
> pema_ext = "226.327.93.132"
> pema_int = "192.168.1.132"
> 
> karma_ext = "226.327.93.133"
> karma_int = "192.168.1.133"
> 
> shiva_ext = "226.327.93.138"
> shiva_int = "192.168.1.1"
> 
> guru_ext = "226.327.93.157"
> guru_int = "192.168.1.157"
> 
> prajna_137_ext = "226.327.93.137"
> prajna_137_int = "192.168.1.137"
> prajna_139_ext = "226.327.93.139"
> prajna_139_int = "192.168.1.137"
> prajna_all_int = $prajna_137_int \
> 		 $prajna_139_int
> 
> tulku_134_ext = "226.327.93.134"
> tulku_134_int = "192.168.1.134"
> tulku_156_ext = "226.327.93.156"
> tulku_156_int = "192.168.1.156"
> tulku_all_int = $tulku_134_int \
> 		$tulku_156_int
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # DEFINE SERVICE PROVIDERS
> apc_providers = 	$guru_int
> 
> switch_providers = 	$switch_136_int
> 
> coyote_providers = 	$tao_all
> 
> ssh_providers = 	$shiva_int \
> 			$prajna_all_int \
> 			$tulku_all_int
> 
> dns_providers = 	$prajna_all_int \
> 			$tulku_all_int \
> 			$rinpoche_all_int
> 
> webct_providers = 	$tulku_all_int 
> 
> email_providers = 	$rinpoche_all_int \
> 			$pema_int
> 
> smtp_providers = 	$rinpoche_all_int \
> 			$pema_int \
> 			$tulku_all_int \
> 			$prajna_all_int 
> 
> ftp_providers = 	$rinpoche_all_int \
> 			$karma_int \
> 			$tulku_all_int \
> 			$prajna_all_int \
> 			$pema_int
> 
> www_providers = 	$rinpoche_all_int \
> 			$karma_int \
> 			$tulku_all_int \
> 			$prajna_all_int \
> 			$pema_int \
> 			$karma_int \
> 			$switch_136_int
> 
> telnet_providers = 	$switch_136_int
> 
> real_providers = 	$rinpoche_all_int
> 
> tb2_providers = 	$rinpoche_all_int \
> 			$pema_int \
> 			$karma_int
> 
> rcp_providers =     $rinpoche_all_int
> 
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # DEFINE ALLOWED SERVICES 
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # REMOTE CONTROL
> # SSH
> ssh_tcp = "22"
> #
> # TB2 SERVICES
> tb2_udp = "407"
> tb2_tcp = "445 1417 1418 1419 1420"
> #
> # VNC
> # DON'T ALLOW! 
> # It's unencrypted, so only allow via SSH port forwarding
> # ------------------------------------------------- #
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # NAME SERVICES
> dns_tcp = "53"
> dns_udp = "53"
> # ------------------------------------------------- #
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # APC SWITCH SERVICES
> apc_tcp = "8300"
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # NETWORK MONITORING SERVICES
> nagios_tcp = "5666"
> # ------------------------------------------------- #
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # GENERIC WEB SERVICES
> http_tcp = "80"
> https_tcp = "443"
> log_analyzer_tcp = "888"
> #
> # ALL WWW
> all_www_tcp = $http_tcp $https_tcp $log_analyzer_tcp
> # ------------------------------------------------- #
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # 3COM SWITCH SERVICES
> all_switch_tcp = "23" $http_tcp $https_tcp
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # REAL NETWORKS SERVICES
> real_tcp = "554 7070"
> real_low_udp = "6969"
> real_hi_udp = "7169"
> # ------------------------------------------------- #
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # EMAIL SERVICES
> web_msg_tcp = "8383"
> pop_tcp = "110"
> imap_tcp = "143"
> smtp_tcp = "25"
> #
> # ALL EMAIL
> all_send_email_tcp = $smtp_tcp
> all_receive_email_tcp = $web_msg_tcp $http_tcp $https_tcp $pop_tcp $imap_tcp
> # ------------------------------------------------- #
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # WEBCT SERVICES
> chat_4_tcp = "44454"
> chat_4_udp = "44454"
> whiteboard_4_tcp = "45674"
> whiteboard_4_udp = "45674"
> webct_http_tcp = "8900"
> 
> chat_tcp = "4445"
> chat_udp = "4445"
> whiteboard_tcp = "4567"
> whiteboard_udp = "4567"
> license_tcp = "5555"
> #
> # ALL WEBCT TCP
> all_webct_tcp = $http_tcp $https_tcp $chat_tcp $whiteboard_tcp $license_tcp \
> 		$chat_4_tcp $whiteboard_4_tcp $webct_http_tcp
> #
> # ALL WEBCT UDP
> all_webct_udp = $chat_udp $whiteboard_udp $chat_4_udp $whiteboard_4_udp 
> #
> # ------------------------------------------------- #
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # FTP SERVICES
> ftp_tcp = "21"
> ftp_data_tcp = "20"
> ftp_rand_tcp = ">1024"
> 
> all_ftp_tcp = $ftp_tcp $ftp_data_tcp 
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # RCP SERVICES
> rcp_tcp = "514"
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # DEFINE BEHAVIORS
> #####################################################
> set limit { frags 40000, states 35000 }
> set loginterface $ext_if
> set optimization normal
> set block-policy return
> 
> #####################################################
> # DEFINE TABLES (for speed)
> #####################################################
> table <mandala> { 192.168.1.0/24, 143.23.199.128/27 }
> 
> table <noroute> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, \
>           	  169.254.0.0/16, 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24, \
>           	  204.152.64.0/23, 224.0.0.0/3, 127.0.0.0/8 }
> 
> table <spamd> persist file "/etc/spamd"
> 
> #####################################################
> # DEFINE FIREWALL RULES
> #####################################################
> scrub in all
> scrub out all
> 
> #####################################################
> # REDIRECTION CONFIGURATION: BINAT & RDR
> #
> # tarpit for spammers
> # rdr inet proto tcp from <spamd> to any port 25 -> 127.0.0.1 port 8025
> # rdr for email redirection of rinpoche to pema
> rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 25 -> $pema_int port 25
> rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 110 -> $pema_int port 110
> rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 8383 -> $pema_int port 8383
> 
> # All internal traffic will look like it's coming from the external address
> # BINAT SERVERS
> binat on $ext_if from $rinpoche_131_int to any -> $rinpoche_131_ext
> binat on $ext_if from $rinpoche_140_int to any -> $rinpoche_140_ext
> binat on $ext_if from $rinpoche_141_int to any -> $rinpoche_141_ext
> binat on $ext_if from $rinpoche_143_int to any -> $rinpoche_143_ext
> binat on $ext_if from $rinpoche_149_int to any -> $rinpoche_149_ext
> binat on $ext_if from $rinpoche_150_int to any -> $rinpoche_150_ext
> binat on $ext_if from $rinpoche_153_int to any -> $rinpoche_153_ext
> binat on $ext_if from $rinpoche_154_int to any -> $rinpoche_154_ext
> binat on $ext_if from $rinpoche_155_int to any -> $rinpoche_155_ext
> binat on $ext_if from $rinpoche_158_int to any -> $rinpoche_158_ext
> binat on $ext_if from $pema_int to any -> $pema_ext
> binat on $ext_if from $karma_int to any -> $karma_ext
> binat on $ext_if from $prajna_137_int to any -> $prajna_137_ext
> binat on $ext_if from $prajna_139_int to any -> $prajna_139_ext
> binat on $ext_if from $tulku_134_int to any -> $tulku_134_ext
> binat on $ext_if from $tulku_156_int to any -> $tulku_156_ext
> binat on $ext_if from $tao_130_int to any -> $tao_130_ext
> binat on $ext_if from $tao_135_int to any -> $tao_135_ext
> binat on $ext_if from $switch_136_int to any -> $switch_136_ext
> 
> # Translate outgoing ftp control connections to send them to localhost
> # for proxying with ftp-proxy(8) running on port 8081
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081
> rdr on $int_if proto tcp from any to any port 20 -> 127.0.0.1 port 8081
> 
> #####################################################
> # FILTERING
> #
> #####################################################
> # ------------------------------------------------- #
> # DEFAULT "IN" AND "OUT"
> # Note: "block in all" is required to make this config operate as a true firewall
> block in log all
> pass out all
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # UNFILTERED INTERFACES
> pass out quick on { $Lo_if $int_if } all
> pass in  quick on { $Lo_if $int_if } all
> pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # BLOCK SPOOFERS AND SPAMMERS
> # block drop in log quick on $ext_if from { <noroute>, <spammers> } to any
> # block drop out log quick on $ext_if from any to { <noroute>, <spammers> }
> block drop in log quick on $ext_if from <noroute> to any
> block drop out log quick on $ext_if from any to <noroute>
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # RCP SERVICES
> pass in log on $ext_if proto tcp from {$trusted_rcp} to {$rcp_providers} port {$rcp_tcp} keep state
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # ALLOW SSH 
> pass in log on $ext_if proto tcp from any to any port {$ssh_tcp} keep state
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # ALLOW SWITCH CONNECTIONS 
> pass in log on $ext_if proto tcp from {$trusted_switch} to {$switch_providers} port {$all_switch_tcp} keep state
> # ------------------------------------------------- #
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # ALLOW APC CONNECTIONS 
> pass in log on $ext_if proto tcp from {$trusted_apc} to {$apc_providers} port {$apc_tcp} keep state
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # ALLOW REAL NETWORKS SERVICES
> pass in log on $ext_if inet proto tcp from any to {$real_providers} port {$real_tcp} keep state
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # NAGIOS NRPE SERVICES
> pass in log on $ext_if inet proto tcp from {$trusted_nagios} to any port {$nagios_tcp} keep state
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # DNS RULES
> pass in log on $ext_if inet proto udp from any to {$dns_providers} port {$dns_udp} keep state
> pass in log on $ext_if inet proto tcp from any to {$dns_providers} port {$dns_tcp} keep state
> pass out log on $ext_if inet proto udp from any to any port = 53 keep state
> pass out log on $ext_if inet proto tcp from any to any port = 53 modulate state
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # FTP RULES
> pass in log on $ext_if proto tcp from any to {$ftp_providers} port {$all_ftp_tcp >1024} keep state
> pass out log on $ext_if from {$ftp_providers} to any keep state
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # REMOTE CONTROL RULESET
> # Allow tb2 for Rinpoche
> pass in log on $ext_if inet proto tcp from {$trusted_tb2} to {$tb2_providers} port {$tb2_tcp} keep state
> pass in log on $ext_if inet proto udp from {$trusted_tb2} to {$tb2_providers} port {$tb2_udp} keep state
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # ALLOW EMAIL
> pass in log on $ext_if proto tcp from any to {$email_providers} port {$all_receive_email_tcp} keep state label "smtp-IN:$dstaddr"
> pass in log on $ext_if proto tcp from any to {$smtp_providers} port {$all_send_email_tcp} keep state label "smtp-OUT:$dstaddr"
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # ALLOW COYOTE
> pass in log on $ext_if proto tcp from {$trusted_coyote} to {$coyote_providers} port {$all_www_tcp} keep state
> # ------------------------------------------------- #
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # ALLOW WEB TRAFFIC
> pass in log on $ext_if proto tcp from any to {$www_providers} port {$all_www_tcp} keep state label "www:$dstaddr"
> # ------------------------------------------------- #
> #####################################################
> 
> #####################################################
> # ------------------------------------------------- #
> # ALLOW WEBCT TRAFFIC
> pass in log on $ext_if proto tcp from any to {$webct_providers} port {$all_webct_tcp} keep state label "webct:$dstaddr"
> pass in log on $ext_if proto udp from any to {$webct_providers} port {$all_webct_udp} keep state label "webct:$dstaddr"
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # OUTBOUND TRAFFIC
> # Allow return traffic and connection from firewall
> # pass tcp, udp, and icmp out on the external (Internet) interface. 
> # keep state on udp and icmp and modulate state on tcp.
> pass out log on $ext_if proto tcp all modulate state flags S/SA
> pass out log on $ext_if proto { udp, icmp } all keep state
> # ------------------------------------------------- #
> #####################################################
> 
> 
> #####################################################
> # ------------------------------------------------- #
> # ICMP
> pass out on $ext_if inet proto icmp from any to any icmp-type 8 code 0 keep state
> pass in  on $ext_if inet proto icmp from any to any icmp-type 8 code 0 keep state
> # ------------------------------------------------- #
> #####################################################
> 
> 
> ############################
> #--------------------------#
> # Antispoof protection
> # antispoof log for fxp0
> # antispoof log for fxp1
> #--------------------------#
> ############################
> 