Difference between revisions of "OpenBSD Firewall / PF"

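--- a/OpenBSD_Firewall_PF
+++ b/OpenBSD_Firewall_PF
@@ -46,4 +46,73 @@
 block in log
 block out log
+
+### Cleanup ###
+
+# Scrub packets
+match in all scrub (no-df)
+match out all scrub (random-id)
+
+# Antispoof
+antispoof log quick for { $ext_if } inet
+
+# Block bogus
+block in quick log on $ext_if from no-route to any
+block in quick log on $ext_if from any to 255.255.255.255
+block in quick log on $ext_if from any to $private_networks
+block in quick log on $ext_if from $private_networks to any
+block return out quick log on $ext_if from any to $private_networks
+
+### NAT rule ###
+match out on $ext_if from any to any nat-to $gw2_ext
+
+
+### Pass IN rules  ###
+
+# Allow Active and Passive FTP
+anchor "ftp-proxy/*"
+pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021
+
+# Allow incoming $SERVICES and ICMP on $GW2_EXT
+pass in on $ext_if inet proto tcp from any to $gw2_ext port $tcp_services
+pass in on $ext_if proto icmp from any to $gw2_ext
+
+# Allow incoming traffic from all internal interface(s)
+pass in on $int_if
+
+## ALLOW / REDIRECT to internal servers/services ##
+
+## Allow + Redirect from $GW2_EXT to 10.0.50.1 (VMware Host)
+
+# TCP port 443 (vSphere Client)
+pass in on $ext_if inet proto tcp from any to $gw2_ext port 443 rdr-to 10.0.50.1
+
+
+## Allow + Redirect from $GW2_EXT to 10.0.50.11 (Debian Q2)
+
+# TCP port 11022 to port 22 (SSH)
+pass in on $ext_if inet proto tcp from any to $gw2_ext port 11022 rdr-to 10.0.50.11 port 22
+
+# TCP+UDP portrange 27910-27915 (Quake2)
+pass in on $ext_if inet proto tcp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11
+pass in on $ext_if inet proto udp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11
+
+# TCP port 8000 (Python Webserver)
+pass in on $ext_if inet proto tcp from any to $gw2_ext port 8000 rdr-to 10.0.50.11
+
+
+
+### Pass OUT rules
+
+# Allow outgoing traffic on external interface
+pass out on $ext_if
+
+# Allow outgoing traffic on internal interface(s)
+# !Needs rewrite to block intervlan communication!
+pass out on $int_if all
+
+# Intervlan routing
+# Example : allow VLAN 33 to communicate with VLAN 10
+# pass out from vlan33/24 to vlan10/24
+# pass out from vlan10/24 to vlan33/24
 
 </pre>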
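Review bot: The rule `pass in on $ext_if proto icmp from any to $gw2_ext` in the Pass IN section accepts every ICMP type from the Internet, while the ruleset's macro block (before this hunk; visible in the full revision below) defines `icmp_types = "echoreq"` and nothing references it. Restricting the rule to the macro, `pass in on $ext_if inet proto icmp from any to $gw2_ext icmp-type $icmp_types`, makes the stated intent effective and leaves all other ICMP types to the default `block in log`. Separately, `block in quick log on $ext_if from any to 255.255.255.255` is already covered by the `$private_networks` rule on the line after it, since that macro contains 255.255.255.255/32; one of the two can be dropped. The macro definitions and the default block rules that these lines depend on start outside the hunk.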

Revision as of 12:45, 11 June 2011

Project: OpenBSD Firewall / PF
Featured:
State Active
Members Antarez, Vicarious
Description building a gateway on openbsd

In this workshop we will build a highly available firewalling gateway. It is not a lecture or talk; it is a hands-on workshop.

How to play:

Don't play with it; it's in operation now :)


# PF Rules ACKspace gateway 2

### Macros ###

# External (Internet-facing) interface: the NAT rule and the public pass rules attach here
ext_if = "fxp0"

# Internal interfaces: fxp1 plus one VLAN interface per member network (vlan10 .. vlan57)
int_if = "{ fxp1 \
vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 \
vlan20 vlan21 vlan22 vlan23 vlan24 vlan25 vlan26 vlan27 vlan28 vlan29 \
vlan30 vlan31 vlan32 vlan33 vlan34 vlan35 vlan36 vlan37 vlan38 vlan39 \
vlan40 vlan41 vlan42 vlan43 vlan44 vlan45 vlan46 vlan47 vlan48 vlan49 \
vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan56 vlan57 }"

# Public address of this gateway; also the source address used by nat-to
gw2_ext = "213.125.94.212"
# ICMP types meant to be accepted from the outside (echo request only)
# NOTE(review): defined here but not referenced by the ICMP pass rule below; confirm whether
# that rule should carry "icmp-type $icmp_types"
icmp_types = "echoreq"
# TCP services reachable on $gw2_ext from the outside
tcp_services = "{ ssh }"
# Address ranges that must never appear on the external interface: RFC 1918 space plus the
# limited-broadcast and loopback ranges; used by the "Block bogus" rules
private_networks = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, 127.0.0.0/8 }"

### Skip Policy ###

# Skip any filtering if it is on interface localhost
# (loopback traffic is never evaluated against the rules below)
set skip on lo

### Block Policy ###

# Provide nice blocked messages
# (blocked TCP connections get a RST and other blocked traffic an ICMP unreachable,
# instead of being dropped silently)
set block-policy return


### Default Policy ###

# Block all unless an allow rule exists
# (both directions are logged; a later pass rule overrides these because the last
# matching rule wins, unless a rule carries "quick")
block in log
block out log

### Cleanup ###

# Scrub packets
# (normalise traffic: clear the don't-fragment bit on incoming packets and randomise
# the IP identification field on outgoing packets)
match in all scrub (no-df)
match out all scrub (random-id)

# Antispoof
# (drops and logs packets arriving on $ext_if whose source address belongs to one of
# $ext_if's own networks; "quick" so no later pass rule can override it)
# NOTE(review): only $ext_if is covered; the $int_if members are not — confirm intended
antispoof log quick for { $ext_if } inet

# Block bogus
# ("quick": these match before any pass rule; every hit is logged)
# source address that has no route in the routing table
block in quick log on $ext_if from no-route to any
# NOTE(review): already covered by 255.255.255.255/32 in $private_networks on the next rule
block in quick log on $ext_if from any to 255.255.255.255
# private, loopback and broadcast addresses never belong on the external interface,
# in either direction
block in quick log on $ext_if from any to $private_networks
block in quick log on $ext_if from $private_networks to any
# outbound leaks towards private space are rejected (return) rather than dropped
block return out quick log on $ext_if from any to $private_networks

### NAT rule ###
# Source-translate everything leaving $ext_if to the public address $gw2_ext.
# A match rule only sets the translation; the traffic still needs a pass out rule
# (see "Pass OUT rules") to be allowed.
match out on $ext_if from any to any nat-to $gw2_ext


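### Pass IN rules  ###

# Allow Active and Passive FTP
# ftp-proxy(8) inserts its per-session rules into this anchor; FTP control
# connections from the inside are redirected to the proxy on 127.0.0.1:8021
anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021

# Allow incoming $SERVICES and ICMP on $GW2_EXT
# Only the TCP ports in $tcp_services and the ICMP types in $icmp_types (echo request)
# are accepted from the Internet; every other ICMP type falls through to the default
# "block in log". The icmp-type restriction is what makes the $icmp_types macro effective.
pass in on $ext_if inet proto tcp from any to $gw2_ext port $tcp_services
pass in on $ext_if inet proto icmp from any to $gw2_ext icmp-type $icmp_types

# Allow incoming traffic from all internal interface(s)
# (no protocol or destination restriction: every member of $int_if may reach any
# destination, including the other VLANs; see the rewrite note under "Pass OUT rules")
pass in on $int_if

## ALLOW / REDIRECT to internal servers/services ##
# Each rule below accepts a port on the public address and rewrites the destination
# to the internal host (rdr-to); the destination port is kept unless "port N" is given.

## Allow + Redirect from $GW2_EXT to 10.0.50.1 (VMware Host)

# TCP port 443 (vSphere Client)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 443 rdr-to 10.0.50.1


## Allow + Redirect from $GW2_EXT to 10.0.50.11 (Debian Q2)

# TCP port 11022 to port 22 (SSH)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 11022 rdr-to 10.0.50.11 port 22

# TCP+UDP portrange 27910-27915 (Quake2)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11
pass in on $ext_if inet proto udp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11

# TCP port 8000 (Python Webserver)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 8000 rdr-to 10.0.50.11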



### Pass OUT rules

# Allow outgoing traffic on external interface
# (covers locally generated traffic and forwarded traffic that the NAT match rule
# rewrote to $gw2_ext; state is kept, so replies come back without a pass in rule)
pass out on $ext_if

# Allow outgoing traffic on internal interface(s)
# !Needs rewrite to block intervlan communication!
# (together with "pass in on $int_if" above this lets any VLAN reach any other VLAN
# through the gateway)
pass out on $int_if all

# Intervlan routing
# Example : allow VLAN 33 to communicate with VLAN 10
# (illustrative template only; the two rules below are not active.
# "vlan33/24" is the interface name with a /24 mask, i.e. that interface's own network)
# pass out from vlan33/24 to vlan10/24
# pass out from vlan10/24 to vlan33/24