opus
August 2nd, 2003, 23:37
Will this work? None of this is mine, I just altered what I knew to do. There might even be a few things there that I have no clue as to what they are.

This is a gateway with the IP to the internet 192.168.1.10 and the inside IP 192.168.2.21.

Thanks!

#
#
#Firewall rules 02AUG03
#
#
#
############################################################################
#
#
#
#-------------------------
# Variables Section
#-------------------------
ext_if="dc0"
int_if="rl0"
#-------------------------------
# Non routable addresses
#-------------------------------
noroute="{10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, \
169.254.0.0/16, 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24, \
204.152.64.0/23}"
#------------------------------
# Chat
#------------------------------
local_machines="{192.168.2.210, 192.168.2.230, 192.168.2.20, 192.168.2.240}"
#------------------------------
# Corporate Servers
#------------------------------
firewall="{192.168.1.10}"
webservers="{192.168.2.23}"
securewebservers="{192.168.2.23}"
mailservers="{192.168.2.23}"
ftpservers="{192.168.2.23}"
#------------------------------
# Hosting Services
#------------------------------
basic_services="{imap, pop3, smtp, www, https, ftp, ftp-data}"
#************************************************************************
#************************************************************************
# Firewall Rulebase Begin
#************************************************************************
#************************************************************************
#
#-----------------------------------------------------------------
# Packet Normalization (scrub normalizes and reassembles fragmented packets)
#-----------------------------------------------------------------
scrub in all
#------------------------------------
# Allow Loopback Packets
#------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
#
#-------------------------------------
# Allow from ext_if to int_if
#-------------------------------------
pass in quick on $ext_if to $int_if all
#---------------------------------
# Drop Spoofed Packets
#---------------------------------
block in quick from $noroute to any
#-------------------------------
# Drop wrong TCP Flags
#-------------------------------
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
#-----------------------------------------
# Firewall RULES
#-----------------------------------------
# Always document what the rules are doing; you don't know how long it will
# be before you look at them again
pass in quick on $ext_if proto tcp from any to $local_machines port {1863, 5050} flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $mailservers port {25, 143} flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $webservers port 80 flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $securewebservers port 443 flags S/SA modulate state
# NOTE: $nameservers is not defined in the Variables section above; pfctl
# rejects the whole file with "macro 'nameservers' not defined" until it is.
pass in quick on $ext_if proto udp from any to $nameservers port 53 keep state
#---------------------------------------------------
# FTP to webserver uncomment as needed
#---------------------------------------------------
pass in quick on $ext_if proto tcp from any to $ftpservers port {ftp, ftp-data} flags S/SA modulate state
#------------------------------
# Catch All Rule
#------------------------------
block in on $ext_if from any to any
#--------------------------------------------------------------
# Allow return traffic and connection from firewall
#--------------------------------------------------------------
pass out on $ext_if from any to any keep state
pass out on $int_if from any to any keep state
# NOTE: $host1_if is not defined in the Variables section above (only ext_if
# and int_if are); pfctl rejects the file until it is defined or this line is removed.
pass out on $host1_if from any to any keep state

SolarfluX
August 3rd, 2003, 13:07
Hi,

I take it you're setting this up behind a hardware router of some kind. It looks like you have somewhat of a grasp on the basics, but you should get up-to-date on the latest syntax by checking https://solarflux.org/pf/pf-tips first and http://openbsd.org/faq/pf/ second.

The absolute first thing is to look at this rule:
pass in quick on $ext_if to $int_if all

This one rule allows all inbound traffic to basically bypass your firewall completely. All the rules below it won't get processed at all. PF uses 'last match wins' for rules. If you use 'quick', it immediately stops processing packets against the remainder of the ruleset.

Next, that 'catch-all' rule should be near the top of your ruleset; you want to deny everything by default up front and not worry about catching everything later.

This:
block in on $ext_if from any to any

Can be replaced by this:
block log

This blocks everything in and out by default, it should be the second rule in your list. You'll want to pass quick everything on unfiltered interfaces (lo0 and the internal interface) before this.

'Scrub' takes care of illegal TCP flags, so remove your FUP/FUP rule

I don't see any nat rules for your internal boxen. I could go on, but I really think you should read up a bit more.

Try using Dan Hartmeier's pf.conf as a base for yours. You can also look at mine in the examples section ( https://solarflux.org/pf/#examples ) on the pf-r, as I used Hartmeier's as the basis for my own, which is also there. Good luck.
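
To make the points about 'quick' and 'last match wins' concrete, here is an added example: a toy evaluator in Python written for this page, not code from the thread, from pf or from either poster. It parses a condensed version of the first ruleset and the ordering SolarfluX describes (unfiltered interfaces first, then `block log`, then the explicit quick exceptions) and runs four constructed packets through each. The interface addresses come from the first post; the outside host 203.0.113.7, the inside host 192.168.2.210 and the packets themselves are made up. State and flags options are accepted and ignored, since the evaluator has no state table.

```python
"""Toy evaluator for pf's filter-rule semantics (added example, not code from the thread).
pf walks the ruleset top to bottom; each matching rule overrides the verdict ("last match
wins") unless it is 'quick', which makes that match final; with no match at all the default
is pass. Only keywords used in the thread are understood; state/flags options are skipped."""
import ipaddress
import re
from collections import namedtuple
from types import SimpleNamespace
IFADDRS = {"dc0": ["192.168.1.10"], "rl0": ["192.168.2.21"]}  # gateway addresses from the first post
SERVICES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "imap": 143, "https": 443}
FIELD = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "port": "dport"}
Packet = namedtuple("Packet", "iface direction proto src dst dport")

def expand(token, macros):
    """Resolve a $macro and/or a {a, b} list into a flat list of items."""
    if token.startswith("$"):
        token = macros[token[1:]]  # KeyError here mirrors pfctl's "macro not defined"
    return [t for t in re.split(r"[\s,]+", token.strip("{}")) if t]

def parse_ruleset(conf):
    """Parse macro definitions and pass/block rules from pf.conf-style text."""
    macros, rules = {}, []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r'(\w+)\s*=\s*"(.*)"', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        tokens = re.findall(r"\{[^}]*\}|\S+", line)
        if not tokens or tokens[0] not in ("pass", "block"):
            continue  # blank lines, scrub, nat ... are not filter rules
        rule = SimpleNamespace(action=tokens[0], text=line, quick=False, direction=None,
                               iface=None, proto=None, src=["any"], dst=["any"], dport=None)
        it = iter(tokens[1:])
        for t in it:  # log, all, inet, flags X/Y, keep/modulate state fall through, ignored
            if t in ("in", "out"):
                rule.direction = t
            elif t == "quick":
                rule.quick = True
            elif t in FIELD:  # keyword with one argument: a macro, a list or a plain value
                arg = expand(next(it), macros)
                setattr(rule, FIELD[t], {SERVICES.get(p) or int(p) for p in arg} if t == "port" else arg)
        rules.append(rule)
    return rules

def addr_match(addr, spec):
    """True if spec holds 'any', a network containing addr, or an interface owning addr."""
    ip = ipaddress.ip_address(addr)
    for item in spec:
        if item == "any":
            return True
        for net in IFADDRS.get(item, [item]):  # pf expands an interface name to its addresses
            try:
                if ip in ipaddress.ip_network(net, strict=False):
                    return True
            except ValueError:
                pass  # neither an address nor a known interface name
    return False

def evaluate(rules, pkt):
    """Return (verdict, text of the deciding rule) for one packet."""
    verdict, winner = "pass", "<implicit default>"
    for r in rules:
        if (r.direction not in (None, pkt.direction) or (r.iface and pkt.iface not in r.iface)
                or (r.proto and pkt.proto not in r.proto) or (r.dport and pkt.dport not in r.dport)
                or not (addr_match(pkt.src, r.src) and addr_match(pkt.dst, r.dst))):
            continue
        verdict, winner = r.action, r.text  # last match wins ...
        if r.quick:
            break  # ... unless that match is quick
    return verdict, winner

MACROS = '''ext_if="dc0"
int_if="rl0"
noroute="{10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16}"
webservers="{192.168.2.23}"
'''
# Condensed order from the first post: the quick pass rule precedes everything else.
ORIGINAL = MACROS + '''pass in quick on $ext_if to $int_if all
block in quick from $noroute to any
pass in quick on $ext_if proto tcp from any to $webservers port 80 flags S/SA modulate state
block in on $ext_if from any to any
'''
# Order SolarfluX describes: unfiltered interfaces first, then default deny, then quick exceptions.
REORDERED = MACROS + '''pass quick on lo0 all
pass quick on $int_if all
block log
block in quick from $noroute to any
pass in quick on $ext_if proto tcp from any to $webservers port 80 flags S/SA modulate state
'''
# Constructed sample packets; 203.0.113.7 stands in for an arbitrary Internet host.
PROBE = Packet("dc0", "in", "tcp", "203.0.113.7", "192.168.2.21", 22)  # outside -> the gateway itself
WEB = Packet("dc0", "in", "tcp", "203.0.113.7", "192.168.2.23", 80)    # outside -> web server
SPOOF = Packet("dc0", "in", "tcp", "10.9.8.7", "192.168.2.23", 80)     # non-routable source address
LAN = Packet("rl0", "in", "tcp", "192.168.2.210", "203.0.113.7", 80)   # inside host -> Internet
if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("reordered", REORDERED)):
        for pkt in (PROBE, WEB, SPOOF, LAN):
            print(f"{name:9} {pkt.src} -> {pkt.dst}:{pkt.dport}", evaluate(parse_ruleset(conf), pkt))
```

Running it shows the two behaviours SolarfluX calls out: in the original order an unsolicited connection to the gateway's inside address is passed by the first quick rule and never reaches the catch-all, while in the reordered set `block log` decides it and only the explicit web rule overrides the default. The run also exposes something the rules themselves imply: because `block in quick from $noroute to any` is not restricted to `$ext_if` and `$noroute` contains 192.168.0.0/16, the original order blocks inbound traffic from the LAN hosts on rl0 as well, which is exactly why the internal interface needs its `pass quick` rule before the blocks.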

opus
August 3rd, 2003, 16:44
The hardware router does NAT, I don't want double NAT. I just want to get this going so it will work, then I can read more and dink with it when I have the time.

Did I complete this correctly? Thanks for the help!

#-----------------------------------------------------------------
# Packet Normalization (scrub normalizes and reassembles fragmented packets)
#-----------------------------------------------------------------
scrub in all
#------------------------------------
# Allow Loopback Packets
#------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
#
#-------------------------------------
# Allow from ext_if to int_if
#-------------------------------------
pass in on $ext_if to $int_if all
#----------------------------------
# Catch All
#----------------------------------
block log
#---------------------------------
# Drop Spoofed Packets
#---------------------------------
block in quick from $noroute to any
#-----------------------------------------
# Firewall RULES
#-----------------------------------------
pass in quick on $ext_if proto tcp from any to $local_machines port {1863, 5050} flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $mailservers port {25, 143} flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $webservers port 80 flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $securewebservers port 443 flags S/SA modulate state
# NOTE: $nameservers must be defined in the Variables section or pfctl
# rejects the file with "macro 'nameservers' not defined".
pass in quick on $ext_if proto udp from any to $nameservers port 53 keep state
#---------------------------------------------------
# FTP to webserver uncomment as needed
#---------------------------------------------------
pass in quick on $ext_if proto tcp from any to $ftpservers port {ftp, ftp-data} flags S/SA modulate state
#--------------------------------------------------------------
# Allow return traffic and connection from firewall
#--------------------------------------------------------------
pass out on $ext_if from any to any keep state
pass out on $int_if from any to any keep state