running on OpenBSD 3.6 -stable updated 2 days ago.

Please let me know of any suggestions to improve security (or any really stupid things i've done that hurt security!). Thanks for your help everyone.

also, is there any reason I couldn't make all the pass rules quick? Since there are no block rules below them I don't see why not, but nobody seems to do this, so I must be missing something...???

pf.conf:

ext="xl0"
int="xl1"

#desktop ip
dtop="192.168.2.214"

# remote desktop
rd="3389"

# emule
em="4661, 4662, 4665, 4672, 4711"

# azureus
az="14955, 6969"

tcp_services="ssh,smtp,domain,auth,www"
icmp_types="echoreq"

w95="Windows 95"
w98="Windows 98"

no_route_ips = "{ 127.0.0.0/8, 192.168.0.0/16, \
172.16.0.0/12, 10.0.0.0/8 }"

scrub in all

# nat and rdr
################################################## #############

nat on $ext inet from $int:network to any -> ($ext)

rdr on $ext proto tcp from any to any port {$em,$az,$rd} -> $dtop
rdr on $ext proto udp from any to any port {$em,$az} -> $dtop

# block rules
################################################## #############

block in all
block out all

block in quick on $ext from $no_route_ips to any
block out quick on $ext from any to $no_route_ips
block in quick from no-route to any

block in quick on $ext from any to 255.255.255.255
block in quick on $ext proto tcp from any \
os {$w95,$w98} to any port smtp

block in quick on $ext proto tcp from any \
os Linux to ($ext) port ssh

antispoof quick for $int inet

# pass rules
################################################## #############

pass quick on lo0 all

pass in on $int proto {tcp, udp} all modulate state
pass out on $ext proto {tcp, udp} all modulate state

pass in on $ext proto tcp from any to any \
port {$tcp_services} flags S/SA keep state

pass in on $ext proto tcp from any to $dtop \
port {$em,$rd,$az} flags S/SA keep state

pass in on $ext proto udp from any to $dtop \
port {$em,$az} keep state

# allow ping
pass inet proto icmp all icmp-type $icmp_types keep state

I format my my pf.conf a little differently but that's just personal choice. This seems fine to me. You're obviously aware of your rdr rules and the dangers that they pose. That being said if you;re willing to live with that the ruleset is fine.

There is nothing wrong with passing out quick. I pass out quick on my own rulesets. Remember the quick keyword matches the rule and then goes no further.

I.E. - If a rule matches it continues to parse through the ruleset and applies the last matched rule. If quick is used, the it automatically assumes that that's the rule that should be applied and does not parse the rest of the ruleset.

Hope that helps.

thx elmore! I just wanted to make sure there were no glaring security holes (apart from the rdr's as you point out). I plan on locking down external ssh connections to only trusted subnets as well.

Out of curiosity, how do you format your rules? I'm always trying to learn more about OpenBSD. Thanks

Here's a link to a great place for example pf rulesets:

https://solarflux.org/pf/

I have two older rulesets posted up there. They're quite different now but the format still applies:

Well scratch that Solarflux seems to have removed mine. Just as well, they were pretty outdated.

Here's one that repriortizes empty tcp acks that I run on my Soekris 4801 at home:


# Macros: define common values, so they can be referenced and changed easily.

ext_if="sis0" # replace with actual external interface name i.e., dc0
int_if="sis1" # replace with actual internal interface name i.e., dc1
internal_net="10.26.1.0/24"
ssh_ports="{ 22 2022 }"
sshhost="any"
im_ports="{ 1863 5190 5222 }"
NoRouteIP="{ 127.0.0.1/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"

#Normalization: reassemble fragments and resolve or reduce traffic #ambiguities.

scrub in on $ext_if all fragment reassemble

## Enable 200kb queue

altq on $ext_if priq bandwidth 200Kb queue { std_out, ssh_im_out, dns_out, \
tcp_ack_out }
altq on $int_if cbq bandwidth 3Mb queue { std_in, ssh_im_in, dns_in }

# define the parameters for the child queues.
# std_out - the standard queue. any filter rule below that does not
# explicitly specify a queue will have its traffic added
# to this queue.
# ssh_im_out - interactive SSH and various instant message traffic.
# dns_out - DNS queries.
# tcp_ack_out - TCP ACK packets with no data payload.

queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

# enable queueing on the internal interface to control traffic coming in
# from the Internet. use the cbq scheduler to control bandwidth. max
# bandwidth is 2Mbps.

# altq on $int_if cbq bandwidth 3Mb queue { std_in, ssh_im_in, dns_in }

# define the parameters for the child queues.
# std_in - the standard queue. any filter rule below that does not
# explicitly specify a queue will have its traffic added
# to this queue.
# ssh_im_in - interactive SSH and various instant message traffic.
# dns_in - DNS replies.
# bob_in - bandwidth reserved for Bob's workstation. allow him to
# borrow.

queue std_in cbq(default)
queue ssh_im_in priority 4
queue dns_in priority 5

#NAT to the internal network

nat on $ext_if from $internal_net to any -> ($ext_if)

#Don't allow anyone to spoof unroutable addresses

block in quick on $ext_if from $NoRouteIP to any
block out quick on $ext_if from any to $NoRouteIP

#Block all ipopts to fool NMAP attempts

block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU

#Block in Everything by default
block in on $ext_if all

# Allow isakmp
pass in quick on $ext_if inet proto udp from any to any port = 500
pass in quick on $ext_if inet proto esp from any to any

#Let outgoing traffic out and assign it to a queue
block out on $ext_if all
pass out on $ext_if inet proto tcp all flags S/SA keep state \
queue (std_out, tcp_ack_out)
pass out quick on $ext_if inet proto udp from any to any port = 500
pass out quick on $ext_if inet proto esp from any to any
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp all keep state
pass out quick on $ext_if inet proto { tcp udp } from $ext_if to any port domain \
keep state queue dns_out
pass out quick on $ext_if inet proto tcp from $ext_if to any port $ssh_ports \
flags S/SA keep state queue(std_out, ssh_im_out)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $im_ports \
flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

# filter rules for $ext_if inbound
block in on $ext_if all
pass in on $ext_if from $internal_net

# filter rules for $int_if outbound
block out on $int_if all
pass out quick on $int_if from any to $internal_net
pass out quick on $int_if proto { tcp udp } from any port domain to $internal_net \
queue dns_in
pass out quick on $int_if proto tcp from any port $ssh_ports to $internal_net \
queue(std_in, ssh_im_in)
pass out quick on $int_if proto tcp from any port $im_ports to $internal_net \
queue ssh_im_in


This box does still run 3.4 so it is still somewhat outdated. :(

Elmore, actually, I just commented out your rulesets, so technically they're still there, just hidden (View source and you'll see them). I was going through examples a few weeks ago and was trying to get rid of some older configs and put some fresh ones up.

Since scrub takes care of illegal TCP flag combinations, I was trying to eliminate examples that had rules like from #Block all ipopts to fool NMAP attempts in your config. The only real reason to keep those rules nowadays is for logging purposes, but otherwise they're just redundant.