[TriLUG] OpenBSD firewall
ljacobs
lj at mandala-designs.com
Tue Jan 6 22:42:46 EST 2004
Folks --
I have attached a longish file that is the rule set of an OpenBSD based packet filter firewall. Those of you who are experienced with these systems might find it interesting. And I would particularly appreciate any comments and suggestions, criticisms and recommendations to improve on this firewall.
I am basically supporting a number of Win2K servers, a FreeBSD postfix server and several Linux servers. All the servers are really in a DMZ and the OpenBSD system is only dual-homed, i.e., 2 NICs.
Thanks for any comments you might provide, especially as it relates to the requirement for the FTP servers to be available.
IPs have been changed to protect the innocent.
Thanks.
# /etc/pf.conf
# essential reading: http://www.inebriated.demon.nl/pf-howto
# man pf.conf
# man pf
#
#
# To view the logfiles:
# tcpdump -n -e -ttt -r /var/log/pflog
#
# To tail -f the logfile: (well not really but...)
# tcpdump -n -e -ttt -i pflog0
#
# To watch the blocked packets
# tcpdump -n -e -tt -i pflog0 action block
#
# Use pfctl -t spamd -T replace -f /etc/spamd to update spammer table
# Use pfctl -t tablename -T show -v to show stats on each address in table
# Use pfctl -s nat to show the effective nat-rules.
# Use pfctl -s rules to show your effective pf-rules.
# Use pfctl -vvs rules to show even more
#
# PF rule base, to get read into the PF script
#
# Version 0.60: August, 2003
#
# Interface:
# fxp1 - internal to private network
# fxp0 - external to T1
#
# rule keywords
# * set
# * scrub
# * rdr
# * nat
# * binat
# * block
# * pass
#
# Order of Rules
# 1. Options
# 2. Scrub
# 3. NAT & RDR
# 4. Filter
#
# HOW TO FIREWALL A NEW IPADDRESS
# 1. add a new entry to "FIREWALLED SERVERS" for the
# external address and the internal address
# 2. add internal server name to appropriate service providers
# 3. add a new binat entry
# 4. restart the firewall: pfctl -F all;pfctl -f /etc/pf.conf
#####################################################
# DEFINE INTERFACES
#####################################################
ext_if="fxp0"
int_if="fxp1"
Lo_if="lo0"
#####################################################
# DEFINE SERVERS
#####################################################
# DEFINE ADDRESS RANGES
int_ad = "192.168.1.0/24"
ext_ad = "143.23.199.128/27"
#####################################################
# ------------------------------------------------- #
# KNOWN REMOTE SERVERS
dorje = "234.139.229.177"
bodhi = "234.139.229.179"
dharma = "66.30.190.48"
kalapa = "168.103.60.107"
vajra = "66.30.190.106"
ursa_major = "245.140.80.3"
shambhala_firewall = "168.103.60.105"
redwing_home = "56.211.161.136"
redwing_office = "261.148.40.155"
#
# REMOTE SERVER GROUPS
trusted_ssh = $bodhi $dorje $vajra $dharma $kalapa
trusted_dns = $bodhi $ursa_major $dharma
trusted_db = $dorje $kalapa
trusted_nagios = $dharma
trusted_tb2 = $bodhi $dorje $vajra $dharma $kalapa $shambhala_firewall
trusted_apc = $bodhi $dorje $vajra $dharma $kalapa
trusted_coyote = $bodhi $dorje $vajra $dharma $kalapa
trusted_switch = $bodhi $dorje $vajra $dharma $kalapa
trusted_rcp = $bodhi $dorje $vajra $dharma $kalapa $redwing_home $redwing_office
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# FIREWALLED SERVERS
switch_136_ext = "226.327.93.136"
switch_136_int = "192.168.1.136"
rinpoche_131_ext = "226.327.93.131"
rinpoche_131_int = "192.168.1.131"
rinpoche_140_ext = "226.327.93.140"
rinpoche_140_int = "192.168.1.140"
rinpoche_141_ext = "226.327.93.141"
rinpoche_141_int = "192.168.1.141"
rinpoche_143_ext = "226.327.93.143"
rinpoche_143_int = "192.168.1.143"
rinpoche_149_ext = "226.327.93.149"
rinpoche_149_int = "192.168.1.131"   # note: identical to rinpoche_131_int, so the binat entries for .131 and .149 overlap
rinpoche_150_ext = "226.327.93.150"
rinpoche_150_int = "192.168.1.150"
rinpoche_153_ext = "226.327.93.153"
rinpoche_153_int = "192.168.1.153"
rinpoche_154_ext = "226.327.93.154"
rinpoche_154_int = "192.168.1.154"
rinpoche_155_ext = "226.327.93.155"
rinpoche_155_int = "192.168.1.155"
rinpoche_158_ext = "226.327.93.158"
rinpoche_158_int = "192.168.1.158"
rinpoche_all_int = $rinpoche_131_int \
$rinpoche_140_int \
$rinpoche_141_int \
$rinpoche_143_int \
$rinpoche_149_int \
$rinpoche_154_int \
$rinpoche_150_int \
$rinpoche_153_int \
$rinpoche_155_int \
$rinpoche_158_int
tao_130_ext = "226.327.93.130"
tao_130_int = "192.168.1.130"
tao_135_ext = "226.327.93.135"
tao_135_int = "192.168.1.135"
tao_all = $tao_130_int \
$tao_135_int
pema_ext = "226.327.93.132"
pema_int = "192.168.1.132"
karma_ext = "226.327.93.133"
karma_int = "192.168.1.133"
shiva_ext = "226.327.93.138"
shiva_int = "192.168.1.1"
guru_ext = "226.327.93.157"
guru_int = "192.168.1.157"
prajna_137_ext = "226.327.93.137"
prajna_137_int = "192.168.1.137"
prajna_139_ext = "226.327.93.139"
prajna_139_int = "192.168.1.137"   # note: identical to prajna_137_int, so the binat entries for .137 and .139 overlap
prajna_all_int = $prajna_137_int \
$prajna_139_int
tulku_134_ext = "226.327.93.134"
tulku_134_int = "192.168.1.134"
tulku_156_ext = "226.327.93.156"
tulku_156_int = "192.168.1.156"
tulku_all_int = $tulku_134_int \
$tulku_156_int
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# DEFINE SERVICE PROVIDERS
apc_providers = $guru_int
switch_providers = $switch_136_int
coyote_providers = $tao_all
ssh_providers = $shiva_int \
$prajna_all_int \
$tulku_all_int
dns_providers = $prajna_all_int \
$tulku_all_int \
$rinpoche_all_int
webct_providers = $tulku_all_int
email_providers = $rinpoche_all_int \
$pema_int
smtp_providers = $rinpoche_all_int \
$pema_int \
$tulku_all_int \
$prajna_all_int
ftp_providers = $rinpoche_all_int \
$karma_int \
$tulku_all_int \
$prajna_all_int \
$pema_int
www_providers = $rinpoche_all_int \
$karma_int \
$tulku_all_int \
$prajna_all_int \
$pema_int \
$switch_136_int
telnet_providers = $switch_136_int
real_providers = $rinpoche_all_int
tb2_providers = $rinpoche_all_int \
$pema_int \
$karma_int
rcp_providers = $rinpoche_all_int
# ------------------------------------------------- #
#####################################################
#####################################################
# DEFINE ALLOWED SERVICES
#####################################################
#####################################################
# ------------------------------------------------- #
# REMOTE CONTROL
# SSH
ssh_tcp = "22"
#
# TB2 SERVICES
tb2_udp = "407"
tb2_tcp = "445 1417 1418 1419 1420"
#
# VNC
# DON'T ALLOW!
# It's unencrypted, so only allow via SSH port forwarding
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# NAME SERVICES
dns_tcp = "53"
dns_udp = "53"
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# APC SWITCH SERVICES
apc_tcp = "8300"
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# NETWORK MONITORING SERVICES
nagios_tcp = "5666"
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# GENERIC WEB SERVICES
http_tcp = "80"
https_tcp = "443"
log_analyzer_tcp = "888"
#
# ALL WWW
all_www_tcp = $http_tcp $https_tcp $log_analyzer_tcp
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# 3COM SWITCH SERVICES
all_switch_tcp = "23" $http_tcp $https_tcp
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# REAL NETWORKS SERVICES
real_tcp = "554 7070"
real_low_udp = "6969"
real_hi_udp = "7169"
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# EMAIL SERVICES
web_msg_tcp = "8383"
pop_tcp = "110"
imap_tcp = "143"
smtp_tcp = "25"
#
# ALL EMAIL
all_send_email_tcp = $smtp_tcp
all_receive_email_tcp = $web_msg_tcp $http_tcp $https_tcp $pop_tcp $imap_tcp
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# WEBCT SERVICES
chat_4_tcp = "44454"
chat_4_udp = "44454"
whiteboard_4_tcp = "45674"
whiteboard_4_udp = "45674"
webct_http_tcp = "8900"
chat_tcp = "4445"
chat_udp = "4445"
whiteboard_tcp = "4567"
whiteboard_udp = "4567"
license_tcp = "5555"
#
# ALL WEBCT TCP
all_webct_tcp = $http_tcp $https_tcp $chat_tcp $whiteboard_tcp $license_tcp \
$chat_4_tcp $whiteboard_4_tcp $webct_http_tcp
#
# ALL WEBCT UDP
all_webct_udp = $chat_udp $whiteboard_udp $chat_4_udp $whiteboard_4_udp
#
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# FTP SERVICES
ftp_tcp = "21"
ftp_data_tcp = "20"
ftp_rand_tcp = ">1024"
all_ftp_tcp = $ftp_tcp $ftp_data_tcp
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# RCP SERVICES
rcp_tcp = "514"
# ------------------------------------------------- #
#####################################################
#####################################################
# DEFINE BEHAVIORS
#####################################################
set limit { frags 40000, states 35000 }
set loginterface $ext_if
set optimization normal
set block-policy return
#####################################################
# DEFINE TABLES (for speed)
#####################################################
table <mandala> { 192.168.1.0/24, 143.23.199.128/27 }   # /24 matches $int_ad; pfctl rejects a /255 prefix
table <noroute> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, \
169.254.0.0/16, 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24, \
204.152.64.0/23, 224.0.0.0/3 }
table <spamd> persist file "/etc/spamd"
#####################################################
# DEFINE FIREWALL RULES
#####################################################
scrub in all
scrub out all
#####################################################
# REDIRECTION CONFIGURATION: BINAT & RDR
#
# tarpit for spammers
# rdr inet proto tcp from <spamd> to any port 25 -> 127.0.0.1 port 8025
# rdr for email redirection of rinpoche to pema
rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 25 -> $pema_int port 25
rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 110 -> $pema_int port 110
rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 8383 -> $pema_int port 8383
# All internal traffic will look like it's coming from the external address
# BINAT SERVERS
binat on $ext_if from $rinpoche_131_int to any -> $rinpoche_131_ext
binat on $ext_if from $rinpoche_140_int to any -> $rinpoche_140_ext
binat on $ext_if from $rinpoche_141_int to any -> $rinpoche_141_ext
binat on $ext_if from $rinpoche_143_int to any -> $rinpoche_143_ext
binat on $ext_if from $rinpoche_149_int to any -> $rinpoche_149_ext
binat on $ext_if from $rinpoche_150_int to any -> $rinpoche_150_ext
binat on $ext_if from $rinpoche_153_int to any -> $rinpoche_153_ext
binat on $ext_if from $rinpoche_154_int to any -> $rinpoche_154_ext
binat on $ext_if from $rinpoche_155_int to any -> $rinpoche_155_ext
binat on $ext_if from $rinpoche_158_int to any -> $rinpoche_158_ext
binat on $ext_if from $pema_int to any -> $pema_ext
binat on $ext_if from $karma_int to any -> $karma_ext
binat on $ext_if from $prajna_137_int to any -> $prajna_137_ext
binat on $ext_if from $prajna_139_int to any -> $prajna_139_ext
binat on $ext_if from $tulku_134_int to any -> $tulku_134_ext
binat on $ext_if from $tulku_156_int to any -> $tulku_156_ext
binat on $ext_if from $tao_130_int to any -> $tao_130_ext
binat on $ext_if from $tao_135_int to any -> $tao_135_ext
binat on $ext_if from $switch_136_int to any -> $switch_136_ext
# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8081
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081
# Clients do not initiate connections to port 20 (the server-side active-mode data port),
# so ftp-proxy(8) only needs port 21 redirected; this line is effectively unused.
rdr on $int_if proto tcp from any to any port 20 -> 127.0.0.1 port 8081
#####################################################
# FILTERING
#
#####################################################
# ------------------------------------------------- #
# DEFAULT "IN" AND "OUT"
# Note: "block in all" is required to make this config operate as a true firewall
block in log all
pass out all
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# UNFILTERED INTERFACES
pass out quick on { $Lo_if $int_if } all
pass in quick on { $Lo_if $int_if } all
# High ports on the firewall's own address: ftp-proxy(8) listens there for
# passive-mode data connections (its default range is 49152-65535)
pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# BLOCK SPOOFERS AND SPAMMERS
# block drop in log quick on $ext_if from { <noroute>, <spammers> } to any
# block drop out log quick on $ext_if from any to { <noroute>, <spammers> }
block drop in log quick on $ext_if from <noroute> to any
block drop out log quick on $ext_if from any to <noroute>
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# RCP SERVICES
pass in log on $ext_if proto tcp from {$trusted_rcp} to {$rcp_providers} port {$rcp_tcp} keep state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# ALLOW SSH
# Note: trusted_ssh and ssh_providers are defined above but not used here; this rule
# accepts SSH from any source to any destination, not just the listed providers
pass in log on $ext_if proto tcp from any to any port {$ssh_tcp} keep state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# ALLOW SWITCH CONNECTIONS
pass in log on $ext_if proto tcp from {$trusted_switch} to {$switch_providers} port {$all_switch_tcp} keep state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# ALLOW APC CONNECTIONS
pass in log on $ext_if proto tcp from {$trusted_apc} to {$apc_providers} port {$apc_tcp} keep state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# ALLOW REAL NETWORKS SERVICES
pass in log on $ext_if inet proto tcp from any to {$real_providers} port {$real_tcp} keep state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# NAGIOS NRPE SERVICES
pass in log on $ext_if inet proto tcp from {$trusted_nagios} to any port {$nagios_tcp} keep state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# DNS RULES
pass in log on $ext_if inet proto udp from any to {$dns_providers} port {$dns_udp} keep state
pass in log on $ext_if inet proto tcp from any to {$dns_providers} port {$dns_tcp} keep state
pass out log on $ext_if inet proto udp from any to any port = 53 keep state
pass out log on $ext_if inet proto tcp from any to any port = 53 modulate state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# FTP RULES
pass in log on $ext_if proto tcp from any to {$ftp_providers} port {$all_ftp_tcp >1024} keep state
pass out log on $ext_if from {$ftp_providers} to any keep state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# REMOTE CONTROL RULESET
# Allow tb2 for Rinpoche
pass in log on $ext_if inet proto tcp from {$trusted_tb2} to {$tb2_providers} port {$tb2_tcp} keep state
pass in log on $ext_if inet proto udp from {$trusted_tb2} to {$tb2_providers} port {$tb2_udp} keep state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# ALLOW EMAIL
pass in log on $ext_if proto tcp from any to {$email_providers} port {$all_receive_email_tcp} keep state label "smtp-IN:$dstaddr"
pass in log on $ext_if proto tcp from any to {$smtp_providers} port {$all_send_email_tcp} keep state label "smtp-OUT:$dstaddr"
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# ALLOW COYOTE
pass in log on $ext_if proto tcp from {$trusted_coyote} to {$coyote_providers} port {$all_www_tcp} keep state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# ALLOW WEB TRAFFIC
pass in log on $ext_if proto tcp from any to {$www_providers} port {$all_www_tcp} keep state label "www:$dstaddr"
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# ALLOW WEBCT TRAFFIC
pass in log on $ext_if proto tcp from any to {$webct_providers} port {$all_webct_tcp} keep state label "webct:$dstaddr"
pass in log on $ext_if proto udp from any to {$webct_providers} port {$all_webct_udp} keep state label "webct:$dstaddr"
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# OUTBOUND TRAFFIC
# Allow return traffic and connection from firewall
# pass tcp, udp, and icmp out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp.
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
# ------------------------------------------------- #
#####################################################
#####################################################
# ------------------------------------------------- #
# ICMP
pass out on $ext_if inet proto icmp from any to any icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp from any to any icmp-type 8 code 0 keep state
# ------------------------------------------------- #
#####################################################
############################
#--------------------------#
# Antispoof protection (currently disabled; uncomment to enable)
# antispoof log for fxp0
# antispoof log for fxp1
#--------------------------#
############################
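The duplicated internal addresses (rinpoche_149_int repeats rinpoche_131_int, prajna_139_int repeats prajna_137_int), the /255 prefix in table <mandala>, and the trusted_ssh/ssh_providers macros that no rule uses are the kind of defect a small lint pass catches before pfctl -f. As an added example (not from the post or from OpenBSD), this Python script parses the macro, table and binat lines and reports those three classes of problem; it runs on a constructed excerpt with RFC 5737 documentation addresses, not the post's values.

```python
import re
from collections import defaultdict

MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
BINAT_RE = re.compile(r'^\s*binat\s.*?\bfrom\s+(\S+)\s+to\s+\S+\s+->\s+(\S+)')
ADDR_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d+))?')
# Constructed excerpt in the style of the posted file (RFC 5737 documentation addresses,
# not the post's); the repeated .131 and the /255 prefix reproduce the defects noted above.
SAMPLE = r'''
ext_if = "fxp0"
rinpoche_131_ext = "192.0.2.131"
rinpoche_131_int = "192.168.1.131"
rinpoche_149_ext = "192.0.2.149"
rinpoche_149_int = "192.168.1.131"
trusted_ssh = "203.0.113.5"
ssh_providers = $rinpoche_131_int
table <mandala> { 192.168.1.0/255, 192.0.2.128/27 }
binat on $ext_if from $rinpoche_131_int to any -> $rinpoche_131_ext
binat on $ext_if from $rinpoche_149_int to any -> $rinpoche_149_ext
pass in log on $ext_if proto tcp from any to any port 22 keep state
'''

def parse_macros(text):
    """Return {name: value} for each 'name = value' line, joining backslash continuations."""
    macros = {}
    for line in re.sub(r'\\\n\s*', ' ', text).splitlines():
        m = MACRO_RE.match(line.split('#', 1)[0])
        if m:
            macros[m.group(1)] = m.group(2).strip('"')
    return macros

def expand(value, macros):
    """Substitute $name references recursively; unknown names are left as written."""
    def sub(m):
        return expand(macros[m.group(1)], macros) if m.group(1) in macros else m.group(0)
    return re.sub(r'\$(\w+)', sub, value)

def duplicate_internal_addresses(macros):
    """_int macros that resolve to one host; each gets its own binat, but only one can win."""
    by_addr = defaultdict(list)
    for name, value in macros.items():
        if name.endswith('_int'):
            by_addr[expand(value, macros)].append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}

def binat_collisions(text, macros):
    """Internal addresses covered by more than one binat rule (first match applies outbound)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = BINAT_RE.match(line)
        if m:
            seen[expand(m.group(1), macros)].append(expand(m.group(2), macros))
    return {src: exts for src, exts in seen.items() if len(exts) > 1}

def bad_addresses(text):
    """IPv4 literals pfctl rejects: an octet above 255 or a prefix length beyond /32."""
    return [a + ('/' + p if p else '') for a, p in ADDR_RE.findall(text)
            if any(int(o) > 255 for o in a.split('.')) or (p and int(p) > 32)]

def unused_macros(text, macros):
    """Macros defined but never referenced as $name (e.g. a trusted_* list no rule uses)."""
    refs = set(re.findall(r'\$(\w+)', text))
    return sorted(n for n in macros if n not in refs)
```

Run each check over the real /etc/pf.conf text in place of SAMPLE; the checks are independent, so a ruleset that passes pfctl -nf can still be flagged for the shadowed binat entries and unused lists.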