Difference between revisions of "OpenBSD Firewall / PF"
| Dont play with it, it's in operation now :) | Dont play with it, it's in operation now :) | ||
| + | |||
| + | Rulesdump | ||
| + | Date 11-June-2011 | ||
| + | This changes very frequently =) | ||
| <pre> | <pre> | ||
Revision as of 12:46, 11 June 2011
| Project: OpenBSD Firewall / PF | |
|---|---|
| Featured: | |
| State | Active | 
| Members | Antarez, Vicarious | 
| Description | building a gateway on openbsd | 
| Picture | |
In this session we will be building a highly available firewalling gateway. It is not a lecture or talk; it's a hands-on workshop.
How to play:
Don't play with it, it's in operation now :)
Rules dump, date 11-June-2011. This changes very frequently =)
# PF Rules ACKspace gateway 2
#
# pf.conf for the second ACKspace gateway: a default-deny ruleset that
# NATs the internal VLANs behind one public address, proxies FTP and
# redirects a handful of public ports to internal hosts.
#
# pf evaluates rules top to bottom and the LAST matching rule wins,
# except for rules marked "quick", which end evaluation immediately.
# The order of the rules below is therefore significant.
### Macros ###
# External (internet-facing) interface.
ext_if = "fxp0"
# Internal side: one physical interface plus VLAN sub-interfaces 10-57.
# Every "on $int_if" rule below expands to all of these interfaces.
int_if = "{ fxp1 \
vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 \
vlan20 vlan21 vlan22 vlan23 vlan24 vlan25 vlan26 vlan27 vlan28 vlan29 \
vlan30 vlan31 vlan32 vlan33 vlan34 vlan35 vlan36 vlan37 vlan38 vlan39 \
vlan40 vlan41 vlan42 vlan43 vlan44 vlan45 vlan46 vlan47 vlan48 vlan49 \
vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan56 vlan57 }"
# Public address of this gateway; used as the NAT source address and as
# the destination of the inbound service and redirect rules below.
gw2_ext = "213.125.94.212"
# NOTE(review): icmp_types is defined here but not referenced by any rule
# in this file; the ICMP pass rule on the external interface further down
# admits every ICMP type, not just echoreq.
icmp_types = "echoreq"
# TCP services on the gateway itself that are reachable from the internet.
tcp_services = "{ ssh }"
# Address ranges that must never appear on the external interface:
# RFC 1918 space, the limited broadcast address and loopback.
private_networks = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, 127.0.0.0/8 }"
### Skip Policy ###
# Skip any filtering if it is on interface localhost
# (traffic redirected to 127.0.0.1, such as the ftp-proxy redirect below,
# is presumably not filtered either).
set skip on lo
### Block Policy ###
# Provide nice blocked messages
# "return" answers blocked TCP with a RST and other traffic with an ICMP
# unreachable instead of dropping silently. Friendlier for internal users,
# but it also confirms to an outside scanner that a filtering host exists;
# "drop" is the quieter alternative.
set block-policy return
### Default Policy ###
# Block all unless an allow rule exists
# Default deny in both directions, logged; the pass rules further down
# override this for the traffic they match.
block in log
block out log
### Cleanup ###
# Scrub packets
# Clear the don't-fragment bit on incoming packets and give outgoing
# packets random IP identification values.
match in all scrub (no-df)
match out all scrub (random-id)
# Antispoof
# Reject IPv4 packets arriving on the external interface whose source
# address belongs to one of that interface's own networks (final, logged).
antispoof log quick for { $ext_if } inet
# Block bogus
# Inbound on the external interface: sources with no route, traffic to the
# limited broadcast address, and anything to or from private space are
# rejected before any pass rule is consulted ("quick").
block in quick log on $ext_if from no-route to any
block in quick log on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from any to $private_networks
block in quick log on $ext_if from $private_networks to any
# Also refuse to leak traffic for private destinations out to the internet.
block return out quick log on $ext_if from any to $private_networks
### NAT rule ###
# Source-translate everything leaving the external interface to the
# gateway's public address. "match" only marks the packet; it still has
# to be allowed by the "pass out on $ext_if" rule below.
match out on $ext_if from any to any nat-to $gw2_ext
### Pass IN rules  ###
# Allow Active and Passive FTP
# ftp-proxy(8) inserts its per-session rules into this anchor at runtime.
anchor "ftp-proxy/*"
# Any TCP to port 21 arriving on an internal interface is redirected to the
# local ftp-proxy listener; "quick" so no later rule can override it.
pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021
# Allow incoming $SERVICES and ICMP on $GW2_EXT
# SSH on the gateway itself is reachable from any internet source.
# NOTE(review): there is no connection-rate limit on this rule; pf's
# max-src-conn-rate with an overload table would bound password-guessing
# attempts. Confirm the policy before touching a live ruleset.
pass in on $ext_if inet proto tcp from any to $gw2_ext port $tcp_services
# All ICMP types are accepted here, not only those in $icmp_types.
pass in on $ext_if proto icmp from any to $gw2_ext
# Allow incoming traffic from all internal interface(s)
# Everything arriving on any internal interface or VLAN is accepted;
# together with "pass out on $int_if all" below this permits forwarding
# between VLANs.
pass in on $int_if
## ALLOW / REDIRECT to internal servers/services ##
# Each rule below accepts a connection to the public address and rewrites
# its destination to an internal host (the port is kept unless a "port"
# is given after rdr-to).
## Allow + Redirect from $GW2_EXT to 10.0.50.1 (VMware Host)
# TCP port 443 (vSphere Client)
# NOTE(review): this exposes the VMware host's HTTPS service to the whole
# internet; if that is the management interface, restricting the source
# addresses would be advisable.
pass in on $ext_if inet proto tcp from any to $gw2_ext port 443 rdr-to 10.0.50.1
## Allow + Redirect from $GW2_EXT to 10.0.50.11 (Debian Q2)
# TCP port 11022 to port 22 (SSH)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 11022 rdr-to 10.0.50.11 port 22
# TCP+UDP portrange 27910-27915 (Quake2)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11
pass in on $ext_if inet proto udp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11
# TCP port 8000 (Python Webserver)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 8000 rdr-to 10.0.50.11
### Pass OUT rules
# Allow outgoing traffic on external interface
# Any outbound traffic on the external interface is allowed (and NATed by
# the match rule above).
pass out on $ext_if
# Allow outgoing traffic on internal interface(s)
# !Needs rewrite to block intervlan communication!
# "all" is shorthand for "from any to any"; combined with "pass in on
# $int_if" above, every VLAN can reach every other VLAN via the gateway.
pass out on $int_if all
# Intervlan routing
# Example : allow VLAN 33 to communicate with VLAN 10
# pass out from vlan33/24 to vlan10/24
# pass out from vlan10/24 to vlan33/24
