Rob
March 24th, 2005, 09:33
Hi,
I was hoping to get feedback on this; I want fine-grained stats and good performance for the web site. I have tried a number of scenarios, and it seems to work, but it is probably not optimal.
TIA
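# $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
# 2005 03 20 Rob server site #3
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# ascii art from http://www.aei.ca/~pmatulis/pub/obsd_pf.html (http://www.aei.ca/%7Epmatulis/pub/obsd_pf.html)
# dc1 dc0
# out <---> in in <---> out
# +---------+ +----------+ +----------+
# | Servers |--------- dc1 | firewall | dc0 --------| Internet |
# +---------+ +----------+ +----------+
# |
# ============
# No DMZ
# ============
# |
# +---------+
# | DMZ |
# +---------+
#
# Evaluation order reminder (pf.conf(5)): nat/rdr are applied before the
# filter rules, so filter rules see the translated address; among filter
# rules the last matching rule wins unless a rule carries "quick".
#
# Macros :
ext_if="dc0"
int_if="dc1"
# Private and loopback source blocks that must never be seen on $ext_if.
# 127.0.0.0/8 is loopback rather than RFC 1918 but belongs in the same
# block list. Other unroutable blocks (bogons) should get their own table
# and rule; see "tables" below.
rfc1918 = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# services :
# inside -> internet
svcs_i2e = "{ ssh, http, https, smtp, pop3 }"
# inside -> the firewall itself
svcs_i2fw = "{ ntp, ssh }"
# internet -> the firewall itself (exposed services)
svcs_fw4e = "{ http, ssh }"
# the firewall itself -> internet
svcs_e4fw = "{ ntp, http, ssh }"
# internet -> inside; not referenced by any rule below
svcs_e2i = "{ http, https, ssh, smtp, pop3 }"
# my net ranges/machines :
i_all = "{ 192.168.0.0/16, 10.0.0.0/8 }"
i_dns_srvrs = "{ 10.1.3.14, 10.1.3.41, 10.1.3.42, 10.1.3.43 }"
fw_i1 = "10.1.3.3"
# external address of the firewall; not referenced by any rule below
fw_e1 = "0.1.1.61"
# public and internal addresses of the web server (the rdr pair)
e_www1 = "0.1.1.59"
i_www1 = "10.1.3.59"
# options :
set loginterface $ext_if
# tables :
# get bogon table XXX FIXME
# global :
scrub in on {$ext_if, $int_if} inet all random-id no-df
nat on $ext_if inet from !($ext_if) -> ($ext_if)
# Use the macros so the public/internal web addresses are defined in one place.
rdr on $ext_if inet proto tcp from any to $e_www1 port 80 -> $i_www1 port 80
# no nat on $int_if proto tcp from ($int_if) to $rfc1918
block in log quick inet6 all
block out log quick inet6 all
# $ext_if rules :
block drop in log quick on $ext_if inet from $rfc1918 to any
block drop out log quick on $ext_if inet from any to $rfc1918
# add bogon blocking XXX FIXME
antispoof for $ext_if inet
# --------> IN on $ext_if
block in log on $ext_if inet all
# prevent invalid internet UDP and TCP requests from timing out -- log matches
# from http://www.aei.ca/~pmatulis/pub/obsd_pf.html (http://www.aei.ca/%7Epmatulis/pub/obsd_pf.html)
block return in log on $ext_if inet proto { udp, tcp } all
# pass in on ext_if :
# traffic to website
# rdr has already rewritten the destination to $i_www1 by the time the
# filter rules run, so this pass rule must match the internal address; the
# commented $e_www1 variant below would not match redirected packets.
# pass in quick log on $ext_if proto tcp from any to $e_www1 port 80 keep state label "i_www1_epiq"
pass in log quick on $ext_if inet proto tcp from any to $i_www1 port 80 flags S/SA synproxy state label "i_www1_epiqsp"
# traffic to externally available fw services
# ($ext_if) in parentheses follows the interface address at run time.
# ssh is reachable from any source here; restricting "from any" to a table
# of administrative addresses would shrink the exposed surface.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $svcs_fw4e keep state label "fw4e_epi"
# <-------- OUT on $ext_if
block out log on $ext_if all
# it appears that this rule is only used if synproxying is turned on
pass out quick log on $ext_if inet proto tcp from $e_www1 port 80 to any keep state label "e_www1_epoq"
# allow outgoing packets destined for external services
pass out log on $ext_if inet proto tcp from any to any port $svcs_i2e keep state label "i2e_epo"
# allow packets needed by fw services
pass out on $ext_if inet proto {udp,tcp} from ($ext_if) to any port $svcs_e4fw keep state label "e4fw_epo"
# people forget we need tcp, too for dns
# many fws block valid responses via tcp
pass out on $ext_if inet proto {udp,tcp} to any port 53 keep state label "i2e_dns_epo"
# $int_if rules :
# --------> IN on $int_if
block in log on $int_if all
pass in quick on $int_if inet proto tcp from $i_www1 port 80 to any keep state label "i_www1_ipi"
pass in on $int_if inet proto {udp,tcp} from $i_dns_srvrs to any port 53 keep state label "i_dns_ipi"
pass in on $int_if inet proto tcp from $i_all to any port $svcs_i2e keep state label "i2e_ipi"
pass in on $int_if inet proto {udp,tcp} from $i_all to $fw_i1 port $svcs_i2fw keep state label "i2fw_ipi"
# <-------- OUT on $int_if
block out log on $int_if all
# pass redirected web traffic from the fw to the internal webserver
# (tcp only: the rdr above is tcp-only, so udp was never needed here)
pass out on $int_if inet proto tcp from any to $i_www1 port 80 keep state label "i_www_ipo"
# pass packets from svcs residing on fw to internal machines
pass out on $int_if inet proto {udp,tcp} from $fw_i1 to $i_all port $svcs_i2fw keep state label "i2fw_ipo"
# <-------> pass
# pass on $int_if proto {udp,tcp} from $fw_i1 to $i_all port $svcs_i2fw keep state label "i2fw_ipo"
# lo rules :
# Loopback only carries the firewall's own local traffic. The common idiom
# is "set skip on lo" (where the installed pf supports it), which removes lo
# from filtering entirely; the pass rule below has the same effect but
# creates a state entry per connection.
pass quick on { lo } keep state label "lo_pq"
# icmp rules :
# Inbound ICMP from the internet is limited to echo requests. ICMP errors
# (unreachable, time exceeded) that belong to an existing TCP/UDP state are
# matched by that state; any other inbound ICMP on $ext_if is left to the
# "block in" rule above.
pass out log quick on $ext_if inet proto icmp all keep state label "e_icmp_out"
pass in log quick on $ext_if inet proto icmp all icmp-type echoreq keep state label "e_icmp_in"
pass out log quick on $int_if inet proto icmp all keep state label "i_icmp_out"
pass in log quick on $int_if inet proto icmp all keep state label "i_icmp_in"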
I was hoping to get feedback on this; I want fine-grained stats and good performance for the web site. I have tried a number of scenarios, and it seems to work, but it is probably not optimal.
TIA
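# $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
# 2005 03 20 Rob server site #3
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# ascii art from http://www.aei.ca/~pmatulis/pub/obsd_pf.html (http://www.aei.ca/%7Epmatulis/pub/obsd_pf.html)
# dc1 dc0
# out <---> in in <---> out
# +---------+ +----------+ +----------+
# | Servers |--------- dc1 | firewall | dc0 --------| Internet |
# +---------+ +----------+ +----------+
# |
# ============
# No DMZ
# ============
# |
# +---------+
# | DMZ |
# +---------+
#
# Evaluation order reminder (pf.conf(5)): nat/rdr are applied before the
# filter rules, so filter rules see the translated address; among filter
# rules the last matching rule wins unless a rule carries "quick".
#
# Macros :
ext_if="dc0"
int_if="dc1"
# Private and loopback source blocks that must never be seen on $ext_if.
# 127.0.0.0/8 is loopback rather than RFC 1918 but belongs in the same
# block list. Other unroutable blocks (bogons) should get their own table
# and rule; see "tables" below.
rfc1918 = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# services :
# inside -> internet
svcs_i2e = "{ ssh, http, https, smtp, pop3 }"
# inside -> the firewall itself
svcs_i2fw = "{ ntp, ssh }"
# internet -> the firewall itself (exposed services)
svcs_fw4e = "{ http, ssh }"
# the firewall itself -> internet
svcs_e4fw = "{ ntp, http, ssh }"
# internet -> inside; not referenced by any rule below
svcs_e2i = "{ http, https, ssh, smtp, pop3 }"
# my net ranges/machines :
i_all = "{ 192.168.0.0/16, 10.0.0.0/8 }"
i_dns_srvrs = "{ 10.1.3.14, 10.1.3.41, 10.1.3.42, 10.1.3.43 }"
fw_i1 = "10.1.3.3"
# external address of the firewall; not referenced by any rule below
fw_e1 = "0.1.1.61"
# public and internal addresses of the web server (the rdr pair)
e_www1 = "0.1.1.59"
i_www1 = "10.1.3.59"
# options :
set loginterface $ext_if
# tables :
# get bogon table XXX FIXME
# global :
scrub in on {$ext_if, $int_if} inet all random-id no-df
nat on $ext_if inet from !($ext_if) -> ($ext_if)
# Use the macros so the public/internal web addresses are defined in one place.
rdr on $ext_if inet proto tcp from any to $e_www1 port 80 -> $i_www1 port 80
# no nat on $int_if proto tcp from ($int_if) to $rfc1918
block in log quick inet6 all
block out log quick inet6 all
# $ext_if rules :
block drop in log quick on $ext_if inet from $rfc1918 to any
block drop out log quick on $ext_if inet from any to $rfc1918
# add bogon blocking XXX FIXME
antispoof for $ext_if inet
# --------> IN on $ext_if
block in log on $ext_if inet all
# prevent invalid internet UDP and TCP requests from timing out -- log matches
# from http://www.aei.ca/~pmatulis/pub/obsd_pf.html (http://www.aei.ca/%7Epmatulis/pub/obsd_pf.html)
block return in log on $ext_if inet proto { udp, tcp } all
# pass in on ext_if :
# traffic to website
# rdr has already rewritten the destination to $i_www1 by the time the
# filter rules run, so this pass rule must match the internal address; the
# commented $e_www1 variant below would not match redirected packets.
# pass in quick log on $ext_if proto tcp from any to $e_www1 port 80 keep state label "i_www1_epiq"
pass in log quick on $ext_if inet proto tcp from any to $i_www1 port 80 flags S/SA synproxy state label "i_www1_epiqsp"
# traffic to externally available fw services
# ($ext_if) in parentheses follows the interface address at run time.
# ssh is reachable from any source here; restricting "from any" to a table
# of administrative addresses would shrink the exposed surface.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $svcs_fw4e keep state label "fw4e_epi"
# <-------- OUT on $ext_if
block out log on $ext_if all
# it appears that this rule is only used if synproxying is turned on
pass out quick log on $ext_if inet proto tcp from $e_www1 port 80 to any keep state label "e_www1_epoq"
# allow outgoing packets destined for external services
pass out log on $ext_if inet proto tcp from any to any port $svcs_i2e keep state label "i2e_epo"
# allow packets needed by fw services
pass out on $ext_if inet proto {udp,tcp} from ($ext_if) to any port $svcs_e4fw keep state label "e4fw_epo"
# people forget we need tcp, too for dns
# many fws block valid responses via tcp
pass out on $ext_if inet proto {udp,tcp} to any port 53 keep state label "i2e_dns_epo"
# $int_if rules :
# --------> IN on $int_if
block in log on $int_if all
pass in quick on $int_if inet proto tcp from $i_www1 port 80 to any keep state label "i_www1_ipi"
pass in on $int_if inet proto {udp,tcp} from $i_dns_srvrs to any port 53 keep state label "i_dns_ipi"
pass in on $int_if inet proto tcp from $i_all to any port $svcs_i2e keep state label "i2e_ipi"
pass in on $int_if inet proto {udp,tcp} from $i_all to $fw_i1 port $svcs_i2fw keep state label "i2fw_ipi"
# <-------- OUT on $int_if
block out log on $int_if all
# pass redirected web traffic from the fw to the internal webserver
# (tcp only: the rdr above is tcp-only, so udp was never needed here)
pass out on $int_if inet proto tcp from any to $i_www1 port 80 keep state label "i_www_ipo"
# pass packets from svcs residing on fw to internal machines
pass out on $int_if inet proto {udp,tcp} from $fw_i1 to $i_all port $svcs_i2fw keep state label "i2fw_ipo"
# <-------> pass
# pass on $int_if proto {udp,tcp} from $fw_i1 to $i_all port $svcs_i2fw keep state label "i2fw_ipo"
# lo rules :
# Loopback only carries the firewall's own local traffic. The common idiom
# is "set skip on lo" (where the installed pf supports it), which removes lo
# from filtering entirely; the pass rule below has the same effect but
# creates a state entry per connection.
pass quick on { lo } keep state label "lo_pq"
# icmp rules :
# Inbound ICMP from the internet is limited to echo requests. ICMP errors
# (unreachable, time exceeded) that belong to an existing TCP/UDP state are
# matched by that state; any other inbound ICMP on $ext_if is left to the
# "block in" rule above.
pass out log quick on $ext_if inet proto icmp all keep state label "e_icmp_out"
pass in log quick on $ext_if inet proto icmp all icmp-type echoreq keep state label "e_icmp_in"
pass out log quick on $int_if inet proto icmp all keep state label "i_icmp_out"
pass in log quick on $int_if inet proto icmp all keep state label "i_icmp_in"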