datamike
August 29th, 2002, 13:28
This is my ruleset that I put together from many sources. I have read tons of how to's on PF and I hope I am getting better. Do I need anything else ro do I need to take anything out? Thanx.
Ext_if = "{ sis0 }"
NoRouteIPs = "{ 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, 127.0.0.0/8, 0.0.0.0/8,
169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 20.20.20.0/24 }"
##In Rules##
# Clean up fragmented and abnormal packets
scrub in all
# don't allow anyone to spoof non-routeable addresses
block in quick on $Ext_iF inet from $NoRouteIPs to any
block out quick on $Ext_iF inet from any to $NoRouteIPs
#block smurf relay
block in log quick on $Ext_if from 20.20.20.0./32 to any
block in log quick on $Ext_if from any to 20.20.20.0/32
block in log quick on $Ext_if from 20.20.20.255/32 to any
#Block ping and tcp in and send error unreachable messages
block return-icmp(port-unr) in quick on $Ext_if proto icmp from any to any
block return-rst in quick on $Ext_if proto tcp from any to any
# finally lock the rest down with a default deny
block in log on $Ext_IF all
##End of In Rules##
##Out Rules##
#Let certain out-going traffic out and maintain state on established #connections
pass out quick on $Ext_if inet proto tcp all flags S/SA keep state
pass out quick on $Ext_if inet proto udp all keep state
pass out quick on $Ext_if inet proto icmp all keep state
#Finally block out the rest
block out on $Ext_if all
tarballed
August 29th, 2002, 14:17
Weew...get to help someone get their firewall up.
I recently put my OpenBSD firewall up and had some great help from people on the boards here: elmore, bsdjunkie, minion and frisco.
Basically, what i've learned (and i've learned a lot) is KISS. Keep it simple stupid.
First question is, are you running anything on your internal LAN such as a DNS server, web server, mail server?
Ext_if = "{ sis0 }"
NoRouteIPs = "{ 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, 127.0.0.0/8, 0.0.0.0/8,
169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 20.20.20.0/24 }"
Looks good. Can always add or remove IP addresses as you please to your nonroute section?
Your scrub in looks good.
block in quick on $Ext_iF inet from $NoRouteIPs to any
block out quick on $Ext_iF inet from any to $NoRouteIPs
Good.
As far as your rules for blocking a smurf attack and return-rst, I originally had the same rulesets in my pf.conf. However, after discussing it with a few people on the boards here, I found that it was not necesary. I basically took mine out.
block in log on $Ext_IF all
Default block, good. You can add a quick here if you like since it's at then end of your blocks.
Your pass out rules look correct as you will be able to pass out requests and keep connections.
You may want to move your, block out on $Ext_if all to the beginning of your pass rules. I originally had that setup but eventually took it out.
Looks good. Hope this helps. There is also a couple of good threads in OpenBSD Security regarding PF rules that contain a lot of good info.
Good luck!
Tarballed
datamike
August 29th, 2002, 14:28
I am not running anything like a web server or mail server as of right now. This is a bridge for my home. All I have is cable modem -> BSD bridge -> router -> MAC cube, MAC ibook and a MS box( only used for mixing down my music). I might eventually put a Red Hat web server-mail server in there too though. Why do you ask? Did I miss something that will screw up if I had a server? It wont hurt if I leave that smurf relay protection though right? I feel better with it in there as long as I don't lose performance.
tarballed
August 29th, 2002, 15:24
Why do you ask? Did I miss something that will screw up if I had a server?
No no. Just was inquiring any information regarding your LAN that would be pertinent to your rule sets. No worries though.
It wont hurt if I leave that smurf relay protection though right?
Nope. Should be just fine. Although, im thinking if you want to, you could probably add those IP ranges to your $NoRouteIP list which will then be blocked by your variable for blocking $NoRouteIP rules.
Looks good though.
Tarballed
datamike
August 29th, 2002, 15:45
Although, im thinking if you want to, you could probably add those IP ranges to your $NoRouteIP list which will then be blocked by your variable for blocking $NoRouteIP rules.
Yeah that's a sweet idea. I was thinking that I will put em alone so I can log em but ah, if it's not a huge worry in the BSD world then I can just put them in the no-routes. Thanx again. If you think of anything else please let me know. I want to keep updating it. BTW, I am running through the bridge right now. I just plugged the ext_if into my router at work and got a pocket hub into the int_if which my PC is plugged into. Working sweet so far. I am making sure all my rules really work. Thanx again.
frisco
August 29th, 2002, 16:39
Although, im thinking if you want to, you could probably add those IP ranges to your $NoRouteIP list which will then be blocked by your variable for blocking $NoRouteIP rules.
Yeah that's a sweet idea. I was thinking that I will put em alone so I can log em but ah, if it's not a huge worry in the BSD world then I can just put them in the no-routes.
Your $NoRouteIPs has 20.20.20.0/24 in it already, and your smurf blocks are for 20.20.20.0./32 which is part of the former. since the NoRouteIPs rule comes first (and are quick), you won't reach the smurf logs anyways. If you need to log that stuff, then move the smurf logs before the other blocks.
And as tarballed mentioned, it's always good policy to have a default block before any other rule.
datamike
August 29th, 2002, 16:55
Ahh Yes I see that now. Thanx for pointing that out frisco. I was only going on what I read in another source. I am still a newbie at PF so this is why I need the input. Thanx again. Anyone else??