Difference between revisions of "OpenBSD Firewall / PF"
m |
m (added category) |
||
(13 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{Project | {{Project | ||
− | |State= | + | |State=Completed |
− | |Members= | + | |Members=Vicarious, PsychiC |
|Description=building a gateway on openbsd | |Description=building a gateway on openbsd | ||
− | }} | + | }} |
− | + | I have dumped the entire config so others can use this as template for their own PF setup or to shout OMGWTFBBQ u freakin' n00b you should do it like XYZ. | |
− | + | In the latter case either drop me an e-mail (psychic [monkeytailthingie] ackspace [lowerroundthingie] nl , join ACKspace and help out or simply STFU =D | |
− | |||
− | + | ||
− | + | == MEUK == | |
− | + | Meer devices maken anders breekt DHCP enzo.... gewoon genoeg aanmaken, hier worden er 20 extra bijgemaakt. | |
+ | |||
+ | `cd /dev;for i in {10..30}; do ./MAKEDEV bpf$i ; done` | ||
+ | |||
+ | |||
+ | Pad toevoegen om packages te downen | ||
+ | |||
+ | export PKG_PATH=http://ftp.bit.nl/mirror/OpenBSD/5.0/packages/i386/ | ||
+ | |||
+ | zet in ~/.profile | ||
+ | |||
+ | |||
+ | /etc/mygate is default gateway | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | RULESDUMP 26-November-2102 | ||
+ | Namen etc verwijderd :) | ||
+ | |||
+ | GW2 (GW1 = RIP) | ||
<pre> | <pre> | ||
+ | # PF Rules ACKspace gateway 2 | ||
+ | |||
− | # | + | ############################ |
+ | ### Macros / Definitions ### | ||
+ | ############################ | ||
− | ## | + | ## Interfaces ## |
+ | # WAN interface | ||
ext_if = "fxp0" | ext_if = "fxp0" | ||
− | int_if = "{ | + | # LAN interface |
+ | int_if = "fxp1" | ||
+ | |||
+ | # VLAN interfaces (VLAN30 + VLAN33 Excluded) | ||
+ | vlan_if = "{ \ | ||
vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 \ | vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 \ | ||
vlan20 vlan21 vlan22 vlan23 vlan24 vlan25 vlan26 vlan27 vlan28 vlan29 \ | vlan20 vlan21 vlan22 vlan23 vlan24 vlan25 vlan26 vlan27 vlan28 vlan29 \ | ||
− | + | vlan31 vlan32 vlan34 vlan35 vlan36 vlan37 vlan38 vlan39 \ | |
vlan40 vlan41 vlan42 vlan43 vlan44 vlan45 vlan46 vlan47 vlan48 vlan49 \ | vlan40 vlan41 vlan42 vlan43 vlan44 vlan45 vlan46 vlan47 vlan48 vlan49 \ | ||
− | vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan56 vlan57 }" | + | vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan56 vlan57}" |
+ | |||
+ | |||
+ | ## IP adresses ## | ||
+ | # WAN adress | ||
gw2_ext = "213.125.94.212" | gw2_ext = "213.125.94.212" | ||
− | |||
− | |||
− | |||
− | ### | + | # Local adress ranges |
+ | private_networks = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 127.0.0.0/8 }" | ||
+ | |||
+ | |||
+ | ######################## | ||
+ | ### Default Policies ### | ||
+ | ######################## | ||
− | # Skip any filtering if it is on | + | # Skip any filtering if it is on interface localhost |
set skip on lo | set skip on lo | ||
− | |||
− | |||
# Provide nice blocked messages | # Provide nice blocked messages | ||
set block-policy return | set block-policy return | ||
+ | # Block all unless a allow rule exists | ||
+ | block all | ||
− | |||
− | # | + | ####################### |
− | + | ### Cleanup Packets ### | |
− | + | ####################### | |
− | # | + | # Reassemble packets |
+ | set reassemble yes | ||
# Scrub packets | # Scrub packets | ||
− | match in all scrub ( | + | match in all scrub (max-mss 1472) |
match out all scrub (random-id) | match out all scrub (random-id) | ||
# Antispoof | # Antispoof | ||
− | antispoof | + | antispoof quick for { $ext_if } inet |
+ | |||
+ | # Block bogus packets | ||
+ | block in quick on $ext_if from no-route to any | ||
+ | block in quick on $ext_if from any to 255.255.255.255 | ||
+ | block in quick on $ext_if from any to $private_networks | ||
+ | block in quick on $ext_if from $private_networks to any | ||
+ | block return out quick on $ext_if from any to $private_networks | ||
+ | |||
− | # | + | ############ |
− | + | ### NAT #### | |
− | + | ############ | |
− | |||
− | |||
− | |||
− | + | # NAT all interfaces to WAN | |
match out on $ext_if from any to any nat-to $gw2_ext | match out on $ext_if from any to any nat-to $gw2_ext | ||
+ | ##################### | ||
+ | ### SPECIAL rules ### | ||
+ | ##################### | ||
+ | |||
+ | # Help with Active and Passive FTP | ||
+ | anchor "ftp-proxy/*" | ||
+ | pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021 | ||
+ | |||
+ | |||
+ | ###################### | ||
### Pass IN rules ### | ### Pass IN rules ### | ||
+ | ###################### | ||
+ | |||
+ | # Allow incoming GRE (VPN) protocal on WAN interface | ||
+ | pass in on $ext_if proto gre all keep state | ||
+ | |||
+ | # Allow incoming SSH and ICMP on WAN interface | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 22 | ||
+ | pass in on $ext_if inet proto icmp from any to $gw2_ext icmp-type echoreq | ||
+ | |||
+ | # Allow incoming ALL on LAN interfaces | ||
+ | pass in on $int_if | ||
+ | |||
+ | # Allow incoming ALL on VLAN Interfaces | ||
+ | pass in on $vlan_if | ||
+ | |||
+ | |||
+ | ###################### | ||
+ | ### Redirect rules ### | ||
+ | ###################### | ||
+ | |||
+ | |||
+ | ### VPN ### | ||
+ | |||
+ | # Redirect port 1723 to 10.0.10.101 | ||
+ | |||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 1723 rdr-to 10.0.10.101 | ||
+ | pass in on $ext_if inet proto udp from any to $gw2_ext port 500 rdr-to 10.0.10.101 | ||
+ | pass in on $ext_if inet proto udp from any to $gw2_ext port 5500 rdr-to 10.0.10.101 | ||
+ | pass in on $ext_if inet proto udp from any to $gw2_ext port 1701 rdr-to 10.0.10.101 | ||
+ | |||
+ | ###################### | ||
+ | ### Pass OUT rules ### | ||
+ | ###################### | ||
+ | |||
+ | # Allow outgoing traffic on WAN from any | ||
+ | # pass out on $ext_if from any | ||
+ | pass out on $ext_if proto { tcp udp icmp esp gre } from any modulate state | ||
+ | |||
+ | |||
+ | # Allow outgoing traffic on LAN from LAN | ||
+ | pass out on $int_if from $int_if | ||
+ | |||
+ | # Allow outgoing traffic to VLAN50 and VLAN57 from non-private range 10.0.0.0/8 | ||
+ | # Somehow it doesnt work with variables. Don't use any to prevent other vlans from entering. | ||
+ | pass out on vlan10 from ! 10.0.0.0/8 | ||
+ | pass out on vlan50 from ! 10.0.0.0/8 | ||
+ | pass out on vlan57 from ! 10.0.0.0/8 | ||
+ | |||
+ | |||
+ | # Allow outgoing traffic on VLAN from same VLAN (Block InterVLAN) | ||
+ | pass out on vlan10 from vlan10:network | ||
+ | pass out on vlan11 from vlan11:network | ||
+ | pass out on vlan12 from vlan12:network | ||
+ | pass out on vlan13 from vlan13:network | ||
+ | pass out on vlan14 from vlan14:network | ||
+ | pass out on vlan15 from vlan15:network | ||
+ | pass out on vlan16 from vlan16:network | ||
+ | pass out on vlan17 from vlan17:network | ||
+ | pass out on vlan18 from vlan18:network | ||
+ | pass out on vlan19 from vlan19:network | ||
+ | pass out on vlan20 from vlan20:network | ||
+ | pass out on vlan21 from vlan21:network | ||
+ | pass out on vlan22 from vlan22:network | ||
+ | pass out on vlan23 from vlan23:network | ||
+ | pass out on vlan24 from vlan24:network | ||
+ | pass out on vlan25 from vlan25:network | ||
+ | pass out on vlan26 from vlan26:network | ||
+ | pass out on vlan27 from vlan27:network | ||
+ | pass out on vlan28 from vlan28:network | ||
+ | pass out on vlan29 from vlan29:network | ||
+ | # pass out on vlan30 from vlan30:network () | ||
+ | pass out on vlan31 from vlan31:network | ||
+ | pass out on vlan32 from vlan32:network | ||
+ | # pass out on vlan33 from vlan33:network () | ||
+ | pass out on vlan34 from vlan34:network | ||
+ | pass out on vlan35 from vlan35:network | ||
+ | pass out on vlan36 from vlan36:network | ||
+ | pass out on vlan37 from vlan37:network | ||
+ | pass out on vlan38 from vlan38:network | ||
+ | pass out on vlan39 from vlan39:network | ||
+ | pass out on vlan40 from vlan40:network | ||
+ | pass out on vlan41 from vlan41:network | ||
+ | pass out on vlan42 from vlan42:network | ||
+ | pass out on vlan43 from vlan43:network | ||
+ | pass out on vlan44 from vlan44:network | ||
+ | pass out on vlan45 from vlan45:network | ||
+ | pass out on vlan46 from vlan46:network | ||
+ | pass out on vlan47 from vlan47:network | ||
+ | pass out on vlan48 from vlan48:network | ||
+ | pass out on vlan49 from vlan49:network | ||
+ | pass out on vlan50 from vlan50:network | ||
+ | pass out on vlan51 from vlan51:network | ||
+ | pass out on vlan52 from vlan52:network | ||
+ | pass out on vlan53 from vlan53:network | ||
+ | pass out on vlan54 from vlan54:network | ||
+ | pass out on vlan55 from vlan55:network | ||
+ | pass out on vlan56 from vlan56:network | ||
+ | pass out on vlan57 from vlan57:network | ||
+ | |||
+ | # Allow outgoing traffic from/to VLANS 50-55, VLAN 57 | ||
+ | |||
+ | intervlan_interfaces = "{vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan57}" | ||
+ | intervlan_network = "{vlan50:network vlan51:network vlan52:network vlan53:network vlan54:network vlan55:network vlan56:network vlan57:network}" | ||
+ | |||
+ | pass out on $intervlan_interfaces from $intervlan_network | ||
+ | |||
+ | |||
+ | # VPN TEST | ||
+ | pass in on $ext_if proto gre all keep state | ||
+ | pass out on $ext_if proto gre all keep state | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | |||
+ | PUTGRAAF | ||
+ | |||
+ | <pre> | ||
+ | |||
+ | # PF Rules ACKspace gateway Putgraaf | ||
+ | |||
+ | |||
+ | ############################ | ||
+ | ### Macros / Definitions ### | ||
+ | ############################ | ||
+ | |||
+ | ## Interfaces ## | ||
+ | |||
+ | # WAN interface | ||
+ | ext_if = "em0" | ||
+ | |||
+ | # LAN interface | ||
+ | int_if = "em1" | ||
+ | |||
+ | # VLAN interfaces | ||
+ | vlan_if = "{ vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 vlan20 }" | ||
+ | |||
+ | |||
+ | ## IP adresses ## | ||
+ | |||
+ | # WAN adress | ||
+ | gw_ext = $ext_if:0 | ||
+ | |||
+ | # Local address ranges | ||
+ | private_networks = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 127.0.0.0/8 }" | ||
+ | |||
+ | |||
+ | |||
+ | #### | ||
+ | # IPV6 | ||
+ | #### | ||
+ | |||
+ | |||
+ | # Allow incoming IPv6 traffic | ||
+ | pass in quick on $ext_if inet proto ipv6 keep state | ||
+ | pass in quick on gif0 inet6 all | ||
+ | |||
+ | # Allow outgoing IPv6 traffic | ||
+ | pass out quick on $ext_if inet proto ipv6 keep state | ||
+ | pass out quick on gif0 inet6 all keep state | ||
+ | pass out quick on vlan20 inet6 all keep state | ||
+ | pass out quick on vlan10 inet6 all keep state | ||
+ | |||
+ | |||
+ | |||
+ | ######################## | ||
+ | ### Priority ### | ||
+ | ######################## | ||
+ | |||
+ | altq on $ext_if priq bandwidth 10000Kb queue { q_ack, q_dns, q_ssh, q_web, q_normal, q_bittorrent } | ||
+ | queue q_ack priority 7 | ||
+ | queue q_dns priority 6 | ||
+ | queue q_ssh priority 5 | ||
+ | queue q_web priority 4 | ||
+ | queue q_normal priority 1 priq(default) | ||
+ | queue q_bittorrent priority 0 | ||
+ | |||
+ | |||
+ | ######################## | ||
+ | ### Default Policies ### | ||
+ | ######################## | ||
+ | |||
+ | # Skip any filtering if it is on interface localhost | ||
+ | set skip on lo | ||
+ | |||
+ | # Provide nice blocked messages | ||
+ | set block-policy return | ||
+ | |||
+ | # Block all unless a allow rule exists | ||
+ | block all | ||
+ | |||
+ | |||
+ | ####################### | ||
+ | ### Cleanup Packets ### | ||
+ | ####################### | ||
+ | |||
+ | # Reassemble packets | ||
+ | set reassemble yes | ||
+ | |||
+ | # Scrub packets | ||
+ | match in all scrub (max-mss 1472) | ||
+ | match out all scrub (random-id) | ||
+ | |||
+ | # Antispoof | ||
+ | antispoof quick for { $ext_if } inet | ||
+ | |||
+ | # Block bogus packets | ||
+ | block in quick on $ext_if from no-route to any | ||
+ | block in quick on $ext_if from any to 255.255.255.255 | ||
+ | block in quick on $ext_if from any to $private_networks | ||
+ | block in quick on $ext_if from $private_networks to any | ||
+ | block return out quick on $ext_if from any to $private_networks | ||
+ | |||
+ | |||
+ | ############ | ||
+ | ### NAT #### | ||
+ | ############ | ||
+ | |||
+ | # NAT all interfaces to WAN | ||
+ | match out on $ext_if inet from !($ext_if:network) to any nat-to $gw_ext | ||
+ | |||
+ | |||
+ | ##################### | ||
+ | ### SPECIAL rules ### | ||
+ | ##################### | ||
− | # | + | # Help with Active and Passive FTP |
anchor "ftp-proxy/*" | anchor "ftp-proxy/*" | ||
pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021 | pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021 | ||
− | |||
− | |||
− | |||
− | # Allow incoming | + | ###################### |
+ | ### Pass IN rules ### | ||
+ | ###################### | ||
+ | |||
+ | # Allow incoming SSH and ICMP on WAN interface | ||
+ | pass in on $ext_if inet proto tcp from any to $gw_ext port 22 | ||
+ | pass in on $ext_if inet proto icmp from any to $gw_ext icmp-type echoreq | ||
+ | |||
+ | # Prioritize ACK states | ||
+ | pass in on $ext_if inet proto tcp from any to $ext_if flags S/SA modulate state queue (q_normal, q_ack) | ||
+ | |||
+ | |||
+ | # Allow incoming ALL on LAN interfaces | ||
pass in on $int_if | pass in on $int_if | ||
− | ## | + | # Allow incoming ALL on VLAN Interfaces |
+ | pass in on $vlan_if | ||
+ | |||
+ | |||
+ | ###################### | ||
+ | ### Redirect rules ### | ||
+ | ###################### | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ## ACKspace CAM / 10.1.10.253 | ||
+ | # | ||
+ | # TCP port 25380 to port 80 (HTTP) | ||
+ | pass in on $ext_if proto tcp from any to $gw_ext port 25380 rdr-to 10.1.10.253 port 80 | ||
+ | ## | ||
+ | |||
+ | ## ACKspace CAM2 / 10.1.10.252 | ||
+ | # | ||
+ | # TCP port 25280 to port 80 (HTTP) | ||
+ | pass in on $ext_if proto tcp from any to $gw_ext port 25280 rdr-to 10.1.10.252 port 80 | ||
+ | ## | ||
+ | |||
+ | ## ACKspace ZoneMinder / 10.1.10.119 | ||
+ | # | ||
+ | # TCP port 11980 to port 80 (HTTP) | ||
+ | pass in on $ext_if proto tcp from any to $gw_ext port 11980 rdr-to 10.1.10.119 port 80 | ||
+ | ## | ||
+ | |||
+ | ## VM Debian OpenVPN / 10.1.20.13 | ||
+ | # | ||
+ | # TCP port 13022 to port 22 (SSH) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw_ext port 13022 rdr-to 10.1.20.13 port 22 | ||
+ | # TCP port 13443 to port 443(VPN TUNNEL TCP) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw_ext port 13443 rdr-to 10.1.20.13 port 443 | ||
+ | # TCP port 443 (HTTPS / VPN TUNNEL TCP) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw_ext port 443 rdr-to 10.1.20.13 | ||
+ | # UDP port 1194 (OpenVPN / VPN TUNNEL UDP) | ||
+ | pass in on $ext_if inet proto udp from any to $gw_ext port 1194 rdr-to 10.1.20.13 | ||
+ | ## | ||
+ | |||
+ | ## Mailman / 10.1.20.19 | ||
+ | # | ||
+ | # TCP port 25 to port 25 (SMTP) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw_ext port 25 rdr-to 10.1.20.19 port 25 | ||
+ | # TCP port 19080 to port 80 (HTTP) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw_ext port 19080 rdr-to 10.1.20.19 port 80 | ||
+ | |||
+ | |||
+ | ## Gforge / 10.1.20.20 | ||
+ | # | ||
+ | # TCP port 20080 to port 20080 (HTTP) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw_ext port 20080 rdr-to 10.1.20.20 port 20080 | ||
+ | |||
+ | pass in on $ext_if inet6 proto udp from any to any | ||
+ | pass in on gif0 inet6 proto udp from any to any | ||
+ | |||
+ | |||
+ | |||
+ | ## VM Debian / 10.1.20.22 | ||
+ | # | ||
+ | # TCP port 22022 to port 22 (SSH) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw_ext port 22022 rdr-to 10.1.20.22 port 22 | ||
+ | |||
+ | |||
+ | ## Playstation / 10.1.10.230 | ||
+ | # | ||
+ | |||
+ | # match out log on $ext_if from !10.1.10.230 to any received-on $int_if tag EGRESS nat-to ($ext_if:0) | ||
+ | # match out log on $ext_if from 10.1.10.230 to any received-on $int_if tag EGRESS nat-to ($ext_if:0) static-port | ||
+ | # pass out quick on $ext_if from 10.1.10.230 | ||
+ | # pass in quick on $ext_if inet proto { tcp udp } from 198.107.156.152 to $gw_ext rdr-to 10.1.10.230 | ||
− | # | + | #pass in quick on $ext_if inet proto tcp from any to $gw_ext port 1723 rdr-to 10.1.11.103 port 1723 |
− | # TCP port | + | # TCP + UDP port 3478,3479,3658,5223,9293 |
− | pass in on $ext_if inet proto tcp from any to $ | + | #pass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3074 rdr-to 10.1.10.126 port 3074 |
+ | #ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3478 rdr-to 10.1.10.126 port 3478 | ||
+ | #ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3479 rdr-to 10.1.10.126 port 3479 | ||
+ | #ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3658 rdr-to 10.1.10.126 port 3658 | ||
+ | #ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 5223 rdr-to 10.1.10.126 port 5223 | ||
+ | #ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 9293 rdr-to 10.1.10.126 port 9293 | ||
+ | ## Xbox 360 / 10.1.15.1 | ||
+ | # | ||
+ | # TCP + §UDP ports 3074, UDP ports 88 | ||
+ | pass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3074 rdr-to 10.1.15.1 port 3074 | ||
+ | pass in quick on $ext_if inet proto udp from any to $gw_ext port 88 rdr-to 10.1.15.1 port 88 | ||
− | ## | + | ###################### |
+ | ### Pass OUT rules ### | ||
+ | ###################### | ||
− | # | + | # Allow outgoing traffic on WAN from any |
− | pass | + | pass out on $ext_if proto { tcp udp icmp esp gre } from any modulate state |
− | # | + | # Prioritize |
− | pass | + | pass out on $ext_if proto tcp from $ext_if to any flags S/SA modulate state queue (q_nomal, q_ack) |
− | pass | + | pass out on $ext_if proto tcp from $ext_if to any port { 80, 443 } flags S/SA modulate state queue (q_web, q_ack) |
− | # | + | # Allow outgoing traffic on LAN from LAN |
− | pass | + | pass out on $int_if from $int_if |
+ | # Allow outgoing traffic to VLANxx from non-private range 10.1.0.0/8 | ||
+ | # Somehow it doesnt work with variables | ||
+ | pass out on vlan10 from ! 10.1.0.0/8 | ||
+ | pass out on vlan20 from ! 10.1.0.0/8 | ||
+ | # Allow outgoing traffic on VLAN from same VLAN (Block InterVLAN) | ||
+ | pass out on vlan10 from vlan10:network | ||
+ | pass out on vlan11 from vlan11:network | ||
+ | pass out on vlan12 from vlan12:network | ||
+ | pass out on vlan13 from vlan13:network | ||
+ | pass out on vlan14 from vlan14:network | ||
+ | pass out on vlan15 from vlan15:network | ||
+ | pass out on vlan16 from vlan16:network | ||
+ | pass out on vlan17 from vlan17:network | ||
+ | pass out on vlan18 from vlan18:network | ||
+ | pass out on vlan19 from vlan19:network | ||
+ | pass out on vlan20 from vlan20:network | ||
− | # | + | # Allow outgoing traffic from/to VLAN 10, VLAN20 |
− | + | intervlan_interfaces = "{vlan10 vlan20}" | |
− | + | intervlan_network = "{vlan10:network vlan20:network}" | |
− | + | pass out on $intervlan_interfaces from $intervlan_network | |
− | |||
− | pass out on $ | ||
− | + | pass out on $int_if from vlan20:network | |
− | + | pass out on vlan20 from $int_if:network | |
− | |||
− | |||
</pre> | </pre> | ||
+ | [[Category:Network]] |
Latest revision as of 17:26, 18 February 2016
Project: OpenBSD Firewall / PF | |
---|---|
Featured: | |
State | Completed |
Members | Vicarious, PsychiC |
GitHub | No GitHub project defined. Add your project here. |
Description | building a gateway on openbsd |
Picture | |
No project picture! Fill in form Picture or Upload a jpeg here |
I have dumped the entire config so others can use this as template for their own PF setup or to shout OMGWTFBBQ u freakin' n00b you should do it like XYZ.
In the latter case either drop me an e-mail (psychic [monkeytailthingie] ackspace [lowerroundthingie] nl , join ACKspace and help out or simply STFU =D
MEUK
Meer devices maken anders breekt DHCP enzo.... gewoon genoeg aanmaken, hier worden er 20 extra bijgemaakt.
`cd /dev;for i in {10..30}; do ./MAKEDEV bpf$i ; done`
Pad toevoegen om packages te downen
export PKG_PATH=http://ftp.bit.nl/mirror/OpenBSD/5.0/packages/i386/
zet in ~/.profile
/etc/mygate is default gateway
RULESDUMP 26-November-2102
Namen etc verwijderd :)
GW2 (GW1 = RIP)
# PF Rules ACKspace gateway 2 ############################ ### Macros / Definitions ### ############################ ## Interfaces ## # WAN interface ext_if = "fxp0" # LAN interface int_if = "fxp1" # VLAN interfaces (VLAN30 + VLAN33 Excluded) vlan_if = "{ \ vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 \ vlan20 vlan21 vlan22 vlan23 vlan24 vlan25 vlan26 vlan27 vlan28 vlan29 \ vlan31 vlan32 vlan34 vlan35 vlan36 vlan37 vlan38 vlan39 \ vlan40 vlan41 vlan42 vlan43 vlan44 vlan45 vlan46 vlan47 vlan48 vlan49 \ vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan56 vlan57}" ## IP adresses ## # WAN adress gw2_ext = "213.125.94.212" # Local adress ranges private_networks = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 127.0.0.0/8 }" ######################## ### Default Policies ### ######################## # Skip any filtering if it is on interface localhost set skip on lo # Provide nice blocked messages set block-policy return # Block all unless a allow rule exists block all ####################### ### Cleanup Packets ### ####################### # Reassemble packets set reassemble yes # Scrub packets match in all scrub (max-mss 1472) match out all scrub (random-id) # Antispoof antispoof quick for { $ext_if } inet # Block bogus packets block in quick on $ext_if from no-route to any block in quick on $ext_if from any to 255.255.255.255 block in quick on $ext_if from any to $private_networks block in quick on $ext_if from $private_networks to any block return out quick on $ext_if from any to $private_networks ############ ### NAT #### ############ # NAT all interfaces to WAN match out on $ext_if from any to any nat-to $gw2_ext ##################### ### SPECIAL rules ### ##################### # Help with Active and Passive FTP anchor "ftp-proxy/*" pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021 ###################### ### Pass IN rules ### ###################### # Allow incoming GRE (VPN) protocal on WAN interface pass in on $ext_if proto gre all keep state # Allow incoming SSH and ICMP on WAN interface pass in on $ext_if inet proto tcp from any to $gw2_ext port 22 pass in on $ext_if inet proto icmp from any to $gw2_ext icmp-type echoreq # Allow incoming ALL on LAN interfaces pass in on $int_if # Allow incoming ALL on VLAN Interfaces pass in on $vlan_if ###################### ### Redirect rules ### ###################### ### VPN ### # Redirect port 1723 to 10.0.10.101 pass in on $ext_if inet proto tcp from any to $gw2_ext port 1723 rdr-to 10.0.10.101 pass in on $ext_if inet proto udp from any to $gw2_ext port 500 rdr-to 10.0.10.101 pass in on $ext_if inet proto udp from any to $gw2_ext port 5500 rdr-to 10.0.10.101 pass in on $ext_if inet proto udp from any to $gw2_ext port 1701 rdr-to 10.0.10.101 ###################### ### Pass OUT rules ### ###################### # Allow outgoing traffic on WAN from any # pass out on $ext_if from any pass out on $ext_if proto { tcp udp icmp esp gre } from any modulate state # Allow outgoing traffic on LAN from LAN pass out on $int_if from $int_if # Allow outgoing traffic to VLAN50 and VLAN57 from non-private range 10.0.0.0/8 # Somehow it doesnt work with variables. Don't use any to prevent other vlans from entering. pass out on vlan10 from ! 10.0.0.0/8 pass out on vlan50 from ! 10.0.0.0/8 pass out on vlan57 from ! 10.0.0.0/8 # Allow outgoing traffic on VLAN from same VLAN (Block InterVLAN) pass out on vlan10 from vlan10:network pass out on vlan11 from vlan11:network pass out on vlan12 from vlan12:network pass out on vlan13 from vlan13:network pass out on vlan14 from vlan14:network pass out on vlan15 from vlan15:network pass out on vlan16 from vlan16:network pass out on vlan17 from vlan17:network pass out on vlan18 from vlan18:network pass out on vlan19 from vlan19:network pass out on vlan20 from vlan20:network pass out on vlan21 from vlan21:network pass out on vlan22 from vlan22:network pass out on vlan23 from vlan23:network pass out on vlan24 from vlan24:network pass out on vlan25 from vlan25:network pass out on vlan26 from vlan26:network pass out on vlan27 from vlan27:network pass out on vlan28 from vlan28:network pass out on vlan29 from vlan29:network # pass out on vlan30 from vlan30:network () pass out on vlan31 from vlan31:network pass out on vlan32 from vlan32:network # pass out on vlan33 from vlan33:network () pass out on vlan34 from vlan34:network pass out on vlan35 from vlan35:network pass out on vlan36 from vlan36:network pass out on vlan37 from vlan37:network pass out on vlan38 from vlan38:network pass out on vlan39 from vlan39:network pass out on vlan40 from vlan40:network pass out on vlan41 from vlan41:network pass out on vlan42 from vlan42:network pass out on vlan43 from vlan43:network pass out on vlan44 from vlan44:network pass out on vlan45 from vlan45:network pass out on vlan46 from vlan46:network pass out on vlan47 from vlan47:network pass out on vlan48 from vlan48:network pass out on vlan49 from vlan49:network pass out on vlan50 from vlan50:network pass out on vlan51 from vlan51:network pass out on vlan52 from vlan52:network pass out on vlan53 from vlan53:network pass out on vlan54 from vlan54:network pass out on vlan55 from vlan55:network pass out on vlan56 from vlan56:network pass out on vlan57 from vlan57:network # Allow outgoing traffic from/to VLANS 50-55, VLAN 57 intervlan_interfaces = "{vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan57}" intervlan_network = "{vlan50:network vlan51:network vlan52:network vlan53:network vlan54:network vlan55:network vlan56:network vlan57:network}" pass out on $intervlan_interfaces from $intervlan_network # VPN TEST pass in on $ext_if proto gre all keep state pass out on $ext_if proto gre all keep state
PUTGRAAF
# PF Rules ACKspace gateway Putgraaf ############################ ### Macros / Definitions ### ############################ ## Interfaces ## # WAN interface ext_if = "em0" # LAN interface int_if = "em1" # VLAN interfaces vlan_if = "{ vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 vlan20 }" ## IP adresses ## # WAN adress gw_ext = $ext_if:0 # Local address ranges private_networks = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 127.0.0.0/8 }" #### # IPV6 #### # Allow incoming IPv6 traffic pass in quick on $ext_if inet proto ipv6 keep state pass in quick on gif0 inet6 all # Allow outgoing IPv6 traffic pass out quick on $ext_if inet proto ipv6 keep state pass out quick on gif0 inet6 all keep state pass out quick on vlan20 inet6 all keep state pass out quick on vlan10 inet6 all keep state ######################## ### Priority ### ######################## altq on $ext_if priq bandwidth 10000Kb queue { q_ack, q_dns, q_ssh, q_web, q_normal, q_bittorrent } queue q_ack priority 7 queue q_dns priority 6 queue q_ssh priority 5 queue q_web priority 4 queue q_normal priority 1 priq(default) queue q_bittorrent priority 0 ######################## ### Default Policies ### ######################## # Skip any filtering if it is on interface localhost set skip on lo # Provide nice blocked messages set block-policy return # Block all unless a allow rule exists block all ####################### ### Cleanup Packets ### ####################### # Reassemble packets set reassemble yes # Scrub packets match in all scrub (max-mss 1472) match out all scrub (random-id) # Antispoof antispoof quick for { $ext_if } inet # Block bogus packets block in quick on $ext_if from no-route to any block in quick on $ext_if from any to 255.255.255.255 block in quick on $ext_if from any to $private_networks block in quick on $ext_if from $private_networks to any block return out quick on $ext_if from any to $private_networks ############ ### NAT #### ############ # NAT all interfaces to WAN match out on $ext_if inet from !($ext_if:network) to any nat-to $gw_ext ##################### ### SPECIAL rules ### ##################### # Help with Active and Passive FTP anchor "ftp-proxy/*" pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021 ###################### ### Pass IN rules ### ###################### # Allow incoming SSH and ICMP on WAN interface pass in on $ext_if inet proto tcp from any to $gw_ext port 22 pass in on $ext_if inet proto icmp from any to $gw_ext icmp-type echoreq # Prioritize ACK states pass in on $ext_if inet proto tcp from any to $ext_if flags S/SA modulate state queue (q_normal, q_ack) # Allow incoming ALL on LAN interfaces pass in on $int_if # Allow incoming ALL on VLAN Interfaces pass in on $vlan_if ###################### ### Redirect rules ### ###################### ## ACKspace CAM / 10.1.10.253 # # TCP port 25380 to port 80 (HTTP) pass in on $ext_if proto tcp from any to $gw_ext port 25380 rdr-to 10.1.10.253 port 80 ## ## ACKspace CAM2 / 10.1.10.252 # # TCP port 25280 to port 80 (HTTP) pass in on $ext_if proto tcp from any to $gw_ext port 25280 rdr-to 10.1.10.252 port 80 ## ## ACKspace ZoneMinder / 10.1.10.119 # # TCP port 11980 to port 80 (HTTP) pass in on $ext_if proto tcp from any to $gw_ext port 11980 rdr-to 10.1.10.119 port 80 ## ## VM Debian OpenVPN / 10.1.20.13 # # TCP port 13022 to port 22 (SSH) pass in on $ext_if inet proto tcp from any to $gw_ext port 13022 rdr-to 10.1.20.13 port 22 # TCP port 13443 to port 443(VPN TUNNEL TCP) pass in on $ext_if inet proto tcp from any to $gw_ext port 13443 rdr-to 10.1.20.13 port 443 # TCP port 443 (HTTPS / VPN TUNNEL TCP) pass in on $ext_if inet proto tcp from any to $gw_ext port 443 rdr-to 10.1.20.13 # UDP port 1194 (OpenVPN / VPN TUNNEL UDP) pass in on $ext_if inet proto udp from any to $gw_ext port 1194 rdr-to 10.1.20.13 ## ## Mailman / 10.1.20.19 # # TCP port 25 to port 25 (SMTP) pass in on $ext_if inet proto tcp from any to $gw_ext port 25 rdr-to 10.1.20.19 port 25 # TCP port 19080 to port 80 (HTTP) pass in on $ext_if inet proto tcp from any to $gw_ext port 19080 rdr-to 10.1.20.19 port 80 ## Gforge / 10.1.20.20 # # TCP port 20080 to port 20080 (HTTP) pass in on $ext_if inet proto tcp from any to $gw_ext port 20080 rdr-to 10.1.20.20 port 20080 pass in on $ext_if inet6 proto udp from any to any pass in on gif0 inet6 proto udp from any to any ## VM Debian / 10.1.20.22 # # TCP port 22022 to port 22 (SSH) pass in on $ext_if inet proto tcp from any to $gw_ext port 22022 rdr-to 10.1.20.22 port 22 ## Playstation / 10.1.10.230 # # match out log on $ext_if from !10.1.10.230 to any received-on $int_if tag EGRESS nat-to ($ext_if:0) # match out log on $ext_if from 10.1.10.230 to any received-on $int_if tag EGRESS nat-to ($ext_if:0) static-port # pass out quick on $ext_if from 10.1.10.230 # pass in quick on $ext_if inet proto { tcp udp } from 198.107.156.152 to $gw_ext rdr-to 10.1.10.230 #pass in quick on $ext_if inet proto tcp from any to $gw_ext port 1723 rdr-to 10.1.11.103 port 1723 # TCP + UDP port 3478,3479,3658,5223,9293 #pass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3074 rdr-to 10.1.10.126 port 3074 #ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3478 rdr-to 10.1.10.126 port 3478 #ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3479 rdr-to 10.1.10.126 port 3479 #ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3658 rdr-to 10.1.10.126 port 3658 #ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 5223 rdr-to 10.1.10.126 port 5223 #ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 9293 rdr-to 10.1.10.126 port 9293 ## Xbox 360 / 10.1.15.1 # # TCP + §UDP ports 3074, UDP ports 88 pass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3074 rdr-to 10.1.15.1 port 3074 pass in quick on $ext_if inet proto udp from any to $gw_ext port 88 rdr-to 10.1.15.1 port 88 ###################### ### Pass OUT rules ### ###################### # Allow outgoing traffic on WAN from any pass out on $ext_if proto { tcp udp icmp esp gre } from any modulate state # Prioritize pass out on $ext_if proto tcp from $ext_if to any flags S/SA modulate state queue (q_nomal, q_ack) pass out on $ext_if proto tcp from $ext_if to any port { 80, 443 } flags S/SA modulate state queue (q_web, q_ack) # Allow outgoing traffic on LAN from LAN pass out on $int_if from $int_if # Allow outgoing traffic to VLANxx from non-private range 10.1.0.0/8 # Somehow it doesnt work with variables pass out on vlan10 from ! 10.1.0.0/8 pass out on vlan20 from ! 10.1.0.0/8 # Allow outgoing traffic on VLAN from same VLAN (Block InterVLAN) pass out on vlan10 from vlan10:network pass out on vlan11 from vlan11:network pass out on vlan12 from vlan12:network pass out on vlan13 from vlan13:network pass out on vlan14 from vlan14:network pass out on vlan15 from vlan15:network pass out on vlan16 from vlan16:network pass out on vlan17 from vlan17:network pass out on vlan18 from vlan18:network pass out on vlan19 from vlan19:network pass out on vlan20 from vlan20:network # Allow outgoing traffic from/to VLAN 10, VLAN20 intervlan_interfaces = "{vlan10 vlan20}" intervlan_network = "{vlan10:network vlan20:network}" pass out on $intervlan_interfaces from $intervlan_network pass out on $int_if from vlan20:network pass out on vlan20 from $int_if:network