[TriLUG] OpenBSD firewall

ljacobs lj at mandala-designs.com
Tue Jan 6 22:42:46 EST 2004


Folks --

I have attached a longish file that is the rule set of an OpenBSD based packet filter firewall. Those of you who are experienced with these systems might find it interesting. And I would particularly appreciate any comments and suggestions, criticisms and recommendations to improve on this firewall.

I am basically supporting a number of Win2K servers, a FreeBSD postfix server and several linux servers. All the servers are really in a DMZ and the OpenBSD system is only dual-homed, i.e., 2 NICs.

Thanks for any comments you might provide, especially as it relates to the requirement for the FTP servers to be available.

IPs have been changed to protect the innocent.

Thanks. 

 
________________________________________________________________
Sent via the WebMessaging system at mandala-designs.com


 
                   
-------------- next part --------------
# /etc/pf.conf
# essential reading: http://www.inebriated.demon.nl/pf-howto
#                    man pf.conf
#                    man pf
#
#
# To view the logfiles:
#       tcpdump -n -e -ttt -r /var/log/pflog
#
# To tail -f the logfile: (well not really but...)
#       tcpdump -n -e -ttt -i pflog0
#
# To watch the blocked packets
# 	tcpdump -n -e -tt -i pflog0 action block
#
# Use pfctl -t spamd -T replace -f /etc/spamd to update spammer table
# Use pfctl -t tablename -T show -v to show stats on each address in table
# Use pfctl -s nat   to show the effective nat-rules.
# Use pfctl -s rules to show your effective pf-rules.
# Use pfctl -vvs rules to show even more
#
# PF rule base, to get read into the PF script
#
# Version 0.60: August, 2003
#
# Interface:
#    fxp1 - internal to private network
#    fxp0 - external to T1
#
# rule keywords
#    * set
#    * scrub
#    * rdr
#    * nat
#    * binat
#    * block
#    * pass
#
# Order of Rules
# 1. Options
# 2. Scrub
# 3. NAT & RDR
# 4. Filter
#
# HOW TO FIREWALL A NEW IPADDRESS
# 1. add a new entry to "FIREWALLED SERVERS" for the 
#    external address and the internal address 
# 2. add internal server name to appropriate service providers
# 3. add a new binat entry
# 4. restart the firewall: pfctl -F all;pfctl -f /etc/pf.conf
#    (note: -F all also flushes the state table, so every established
#    connection is cut; "pfctl -f /etc/pf.conf" on its own replaces the
#    rules in place without touching existing states)

#####################################################
# DEFINE INTERFACES
#####################################################
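# Interface macros.  Every rule below refers to these names rather than to
# fxp0/fxp1 directly, so a NIC change is a one-line edit here.
# Spacing normalised to the "name = value" form used by the rest of the file.
# external, Internet-facing (T1)
ext_if = "fxp0"
# internal, towards the DMZ hosts
int_if = "fxp1"
# loopback; referenced by the unfiltered-interface pass rules
# (capitalised name kept as-is because the filter section uses $Lo_if)
Lo_if = "lo0"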

#####################################################
# DEFINE SERVERS
#####################################################
# DEFINE ADDRESS RANGES
# Neither macro is referenced by a rule in this file; they document the two
# networks the firewall sits between.
# DMZ network behind $int_if
int_ad = "192.168.1.0/24"
# NOTE(review): this public block (143.23.199.128/27) does not match the
# anonymised 226.327.93.x addresses used for the firewalled servers below --
# confirm which one is the real public /27 before anything relies on it.
ext_ad = "143.23.199.128/27"


#####################################################
# ------------------------------------------------- #
# KNOWN REMOTE SERVERS
# Hosts outside this firewall that are granted access to administrative
# services (addresses anonymised by the author).
dorje = "234.139.229.177"
bodhi = "234.139.229.179"
dharma = "66.30.190.48"
kalapa = "168.103.60.107"
vajra = "66.30.190.106"
ursa_major = "245.140.80.3"
shambhala_firewall = "168.103.60.105"
redwing_home = "56.211.161.136"
redwing_office = "261.148.40.155"

#
# REMOTE SERVER GROUPS
# The same five hosts appear in every administrative group, so they are
# named once and the groups are built from that list: adding or removing an
# admin host is a single edit.  Macro expansion is textual, so each trusted_*
# macro still expands to exactly the same address list as before.
admin_hosts = $bodhi $dorje $vajra $dharma $kalapa
trusted_ssh = $admin_hosts
trusted_dns = $bodhi $ursa_major $dharma
trusted_db = $dorje $kalapa
trusted_nagios = $dharma
trusted_tb2 = $admin_hosts $shambhala_firewall
trusted_apc = $admin_hosts
trusted_coyote = $admin_hosts
trusted_switch = $admin_hosts
trusted_rcp = $admin_hosts $redwing_home $redwing_office
# ------------------------------------------------- #
#####################################################

#####################################################
# ------------------------------------------------- #
# FIREWALLED SERVERS
# One public (_ext) and one DMZ (_int) address per host.  The binat section
# below maps each pair 1:1; filter rules refer to the _int address because
# translation is applied before filtering.
switch_136_ext = 	"226.327.93.136"
switch_136_int = 	"192.168.1.136"

rinpoche_131_ext =	"226.327.93.131"
rinpoche_131_int =	"192.168.1.131"
rinpoche_140_ext =	"226.327.93.140"
rinpoche_140_int =	"192.168.1.140"
rinpoche_141_ext =	"226.327.93.141"
rinpoche_141_int =	"192.168.1.141"
rinpoche_143_ext =	"226.327.93.143"
rinpoche_143_int =	"192.168.1.143"
rinpoche_149_ext =	"226.327.93.149"
# NOTE(review): same address as rinpoche_131_int.  Every other pair follows
# the .N/.N pattern, so this looks like a copy/paste slip for "192.168.1.149";
# if it is deliberate, the .149 binat below can only ever match inbound,
# because the .131 binat is listed first and wins for outbound traffic.
rinpoche_149_int =	"192.168.1.131"
rinpoche_150_ext =	"226.327.93.150"
rinpoche_150_int =	"192.168.1.150"
rinpoche_153_ext =	"226.327.93.153"
rinpoche_153_int =	"192.168.1.153"
rinpoche_154_ext =	"226.327.93.154"
rinpoche_154_int =	"192.168.1.154"
rinpoche_155_ext =	"226.327.93.155"
rinpoche_155_int =	"192.168.1.155"
rinpoche_158_ext =	"226.327.93.158"
rinpoche_158_int =	"192.168.1.158"

# all rinpoche DMZ addresses (154 is listed before 150; order is irrelevant)
rinpoche_all_int =	$rinpoche_131_int \
			$rinpoche_140_int \
			$rinpoche_141_int \
			$rinpoche_143_int \
			$rinpoche_149_int \
			$rinpoche_154_int \
			$rinpoche_150_int \
			$rinpoche_153_int \
			$rinpoche_155_int \
			$rinpoche_158_int 


tao_130_ext = "226.327.93.130"
tao_130_int = "192.168.1.130"

tao_135_ext = "226.327.93.135"
tao_135_int = "192.168.1.135"
tao_all = $tao_130_int \
	  $tao_135_int

pema_ext = "226.327.93.132"
pema_int = "192.168.1.132"

karma_ext = "226.327.93.133"
karma_int = "192.168.1.133"

shiva_ext = "226.327.93.138"
# NOTE(review): .1 breaks the .N pattern and shiva has no binat entry in the
# NAT section.  If this is the firewall's own $int_if address, rules that
# name $shiva_int will not match traffic sent to shiva_ext -- confirm.
shiva_int = "192.168.1.1"

# NOTE(review): guru has no binat entry in the NAT section, so inbound
# traffic to guru_ext is never translated to guru_int -- confirm.
guru_ext = "226.327.93.157"
guru_int = "192.168.1.157"

prajna_137_ext = "226.327.93.137"
prajna_137_int = "192.168.1.137"
prajna_139_ext = "226.327.93.139"
# NOTE(review): same address as prajna_137_int -- presumably "192.168.1.139"
# was intended; see the rinpoche_149_int note above for the consequence.
prajna_139_int = "192.168.1.137"
prajna_all_int = $prajna_137_int \
		 $prajna_139_int

tulku_134_ext = "226.327.93.134"
tulku_134_int = "192.168.1.134"
tulku_156_ext = "226.327.93.156"
tulku_156_int = "192.168.1.156"
tulku_all_int = $tulku_134_int \
		$tulku_156_int
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
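# DEFINE SERVICE PROVIDERS
# DMZ (192.168.1.x) addresses of the hosts that offer each service.  The
# filter section passes traffic to these addresses: binat translation runs
# before filtering, so inbound rules on $ext_if match on the internal address,
# not on the public one.
# APC switch management (port $apc_tcp, trusted sources only)
apc_providers = $guru_int
# 3Com switch management ($all_switch_tcp, trusted sources only)
switch_providers = $switch_136_int
# Coyote service on the tao hosts, reached over $all_www_tcp from trusted sources
coyote_providers = $tao_all
# hosts reachable over SSH
ssh_providers = $shiva_int \
		$prajna_all_int \
		$tulku_all_int
# DNS servers reachable from the Internet (TCP and UDP 53)
dns_providers = $prajna_all_int \
		$tulku_all_int \
		$rinpoche_all_int
# WebCT hosts ($all_webct_tcp / $all_webct_udp)
webct_providers = $tulku_all_int
# hosts users retrieve mail from ($all_receive_email_tcp: POP, IMAP, webmail)
email_providers = $rinpoche_all_int \
		$pema_int
# hosts that accept SMTP from the Internet; each of them must be configured
# not to relay for untrusted senders
smtp_providers = $rinpoche_all_int \
		$pema_int \
		$tulku_all_int \
		$prajna_all_int
# public FTP servers
ftp_providers = $rinpoche_all_int \
		$karma_int \
		$tulku_all_int \
		$prajna_all_int \
		$pema_int
# public web servers.  $karma_int was listed twice in the original; the
# duplicate only produced a redundant expanded rule and has been dropped.
www_providers = $rinpoche_all_int \
		$karma_int \
		$tulku_all_int \
		$prajna_all_int \
		$pema_int \
		$switch_136_int
# not referenced by any filter rule in this file; the switch rule reaches
# telnet through $all_switch_tcp instead
telnet_providers = $switch_136_int
# RealNetworks streaming servers ($real_tcp)
real_providers = $rinpoche_all_int
# tb2 remote-control targets ($tb2_tcp / $tb2_udp, trusted sources only)
tb2_providers = $rinpoche_all_int \
		$pema_int \
		$karma_int
# rsh/rcp targets (TCP $rcp_tcp, trusted sources only)
rcp_providers = $rinpoche_all_int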

# ------------------------------------------------- #
#####################################################


#####################################################
# DEFINE ALLOWED SERVICES 
#####################################################

#####################################################
# ------------------------------------------------- #
# REMOTE CONTROL
# SSH
# encrypted remote administration
ssh_tcp = "22"
#
# TB2 SERVICES
# tb2 remote control: UDP 407 plus the TCP ports below
tb2_udp = "407"
# NOTE(review): 445 is also the SMB/CIFS port on a Windows host.  It is only
# passed from $trusted_tb2, but that group therefore gets file-sharing access
# to the tb2 targets as well as remote control.
tb2_tcp = "445 1417 1418 1419 1420"
#
# VNC
# DON'T ALLOW! 
# It's unencrypted, so only allow via SSH port forwarding
# ------------------------------------------------- #
#####################################################

#####################################################
# ------------------------------------------------- #
# NAME SERVICES
dns_tcp = "53"
dns_udp = "53"
# ------------------------------------------------- #
#####################################################

#####################################################
# ------------------------------------------------- #
# APC SWITCH SERVICES
apc_tcp = "8300"
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# NETWORK MONITORING SERVICES
# Nagios NRPE agent port
nagios_tcp = "5666"
# ------------------------------------------------- #
#####################################################

#####################################################
# ------------------------------------------------- #
# GENERIC WEB SERVICES
http_tcp = "80"
https_tcp = "443"
# web front end of the log analyser; exposed to the Internet together with
# http/https through $all_www_tcp
log_analyzer_tcp = "888"
#
# ALL WWW
all_www_tcp = $http_tcp $https_tcp $log_analyzer_tcp
# ------------------------------------------------- #
#####################################################

#####################################################
# ------------------------------------------------- #
# 3COM SWITCH SERVICES
# telnet (cleartext) plus http/https; only ever passed from $trusted_switch
all_switch_tcp = "23" $http_tcp $https_tcp
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# REAL NETWORKS SERVICES
real_tcp = "554 7070"
# the two UDP macros are not referenced by any rule in this file; only
# $real_tcp is passed
real_low_udp = "6969"
real_hi_udp = "7169"
# ------------------------------------------------- #
#####################################################

#####################################################
# ------------------------------------------------- #
# EMAIL SERVICES
# webmail front end
web_msg_tcp = "8383"
pop_tcp = "110"
imap_tcp = "143"
smtp_tcp = "25"
#
# ALL EMAIL
# "send" / "receive" are from the mail user's point of view: users send via
# SMTP and retrieve via POP/IMAP/webmail.
all_send_email_tcp = $smtp_tcp
all_receive_email_tcp = $web_msg_tcp $http_tcp $https_tcp $pop_tcp $imap_tcp
# ------------------------------------------------- #
#####################################################

#####################################################
# ------------------------------------------------- #
# WEBCT SERVICES
# WebCT 4 ports
chat_4_tcp = "44454"
chat_4_udp = "44454"
whiteboard_4_tcp = "45674"
whiteboard_4_udp = "45674"
webct_http_tcp = "8900"

# older WebCT ports
chat_tcp = "4445"
chat_udp = "4445"
whiteboard_tcp = "4567"
whiteboard_udp = "4567"
license_tcp = "5555"
#
# ALL WEBCT TCP
all_webct_tcp = $http_tcp $https_tcp $chat_tcp $whiteboard_tcp $license_tcp \
		$chat_4_tcp $whiteboard_4_tcp $webct_http_tcp
#
# ALL WEBCT UDP
all_webct_udp = $chat_udp $whiteboard_udp $chat_4_udp $whiteboard_4_udp 
#
# ------------------------------------------------- #
#####################################################

#####################################################
# ------------------------------------------------- #
# FTP SERVICES
ftp_tcp = "21"
ftp_data_tcp = "20"
# every port above 1024; not referenced by any rule in this file (the FTP
# filter rule writes ">1024" inline instead)
ftp_rand_tcp = ">1024"

all_ftp_tcp = $ftp_tcp $ftp_data_tcp 
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# RCP SERVICES
# rsh/rcp (shell) port
rcp_tcp = "514"
# ------------------------------------------------- #
#####################################################


#####################################################
# DEFINE BEHAVIORS
#####################################################
# Kernel ceilings for the fragment-reassembly and state tables.  Every
# accepted connection below creates a state, so "states" bounds how many
# concurrent connections the firewall will track.
set limit { frags 40000, states 35000 }
# interface for which pf collects the packet/byte statistics shown by pfctl -s info
set loginterface $ext_if
# default state-timeout profile
set optimization normal
# NOTE(review): "return" answers every blocked packet with a TCP RST or ICMP
# unreachable.  Combined with "block in log all" that tells a scanner exactly
# which ports on the public addresses are closed.  pf's default is "drop",
# the usual choice on an Internet-facing interface; "return" mainly helps
# clients inside fail fast, but nothing is blocked on $int_if here anyway.
set block-policy return

#####################################################
# DEFINE TABLES (for speed)
#####################################################
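# Own address space.  The first entry was written as 192.168.1.0/255, which
# is not a valid prefix length; the DMZ network is the /24 declared as int_ad
# above.  Nothing in this file references <mandala> yet.
table <mandala> { 192.168.1.0/24, 143.23.199.128/27 }

# Addresses that must never be a source on $ext_if (inbound) or a destination
# leaving through it: RFC 1918 private space, the limited broadcast,
# link-local, loopback, the "this" network, TEST-NET, 204.152.64.0/23 as
# carried over from the original list, and the multicast/reserved range
# 224.0.0.0/3.  192.168.0.0/16 deliberately covers the DMZ range: a packet
# arriving from the Internet with such a source is spoofed.
# (The duplicate 127.0.0.0/8 entry of the original list has been removed.)
table <noroute> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
		  255.255.255.255/32, 169.254.0.0/16, 127.0.0.0/8, 0.0.0.0/8, \
		  192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }

# Known spam sources, loaded from /etc/spamd (refreshed with the pfctl -t
# spamd command given in the header).  "persist" keeps the table even while
# no active rule uses it -- the only rdr that references it is currently
# commented out in the NAT section.
table <spamd> persist file "/etc/spamd"

#####################################################
# DEFINE FIREWALL RULES
#####################################################
# Normalise (reassemble fragments, sanity-check TCP) in both directions
# before translation and filtering see the packets.
scrub in all
scrub out all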

#####################################################
# REDIRECTION CONFIGURATION: BINAT & RDR
#
# tarpit for spammers
# (inactive: the <spamd> table is loaded, but this rdr is commented out)
# rdr inet proto tcp from <spamd> to any port 25 -> 127.0.0.1 port 8025
# rdr for email redirection of rinpoche to pema
# Mail ports addressed to rinpoche's .131 public address are handed to pema.
# For inbound packets pf consults rdr rules before binat, which is why these
# win over the .131 binat below.  NOTE(review): confirm that ordering against
# the pf.conf(5) of the installed release.
rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 25 -> $pema_int port 25
rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 110 -> $pema_int port 110
rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 8383 -> $pema_int port 8383

# All internal traffic will look like it's coming from the external address
# BINAT SERVERS
# binat is a bidirectional 1:1 mapping: outbound packets from the _int
# address get the _ext source, inbound packets to the _ext address get the
# _int destination.  A DMZ host without an entry here is never translated,
# so filter rules that name its _int address cannot match traffic from
# outside.
# NOTE(review): guru (the only apc_providers entry) and shiva have no binat
# entry, so the APC rule in the filter section can never match traffic from
# the Internet -- confirm whether that is intended.
# NOTE(review): rinpoche_149_int and prajna_139_int carry the same address as
# the .131 / .137 entries; the first rule with a given internal source wins
# for outbound, so the .149 and .139 lines can only ever match inbound.
binat on $ext_if from $rinpoche_131_int to any -> $rinpoche_131_ext
binat on $ext_if from $rinpoche_140_int to any -> $rinpoche_140_ext
binat on $ext_if from $rinpoche_141_int to any -> $rinpoche_141_ext
binat on $ext_if from $rinpoche_143_int to any -> $rinpoche_143_ext
binat on $ext_if from $rinpoche_149_int to any -> $rinpoche_149_ext
binat on $ext_if from $rinpoche_150_int to any -> $rinpoche_150_ext
binat on $ext_if from $rinpoche_153_int to any -> $rinpoche_153_ext
binat on $ext_if from $rinpoche_154_int to any -> $rinpoche_154_ext
binat on $ext_if from $rinpoche_155_int to any -> $rinpoche_155_ext
binat on $ext_if from $rinpoche_158_int to any -> $rinpoche_158_ext
binat on $ext_if from $pema_int to any -> $pema_ext
binat on $ext_if from $karma_int to any -> $karma_ext
binat on $ext_if from $prajna_137_int to any -> $prajna_137_ext
binat on $ext_if from $prajna_139_int to any -> $prajna_139_ext
binat on $ext_if from $tulku_134_int to any -> $tulku_134_ext
binat on $ext_if from $tulku_156_int to any -> $tulku_156_ext
binat on $ext_if from $tao_130_int to any -> $tao_130_ext
binat on $ext_if from $tao_135_int to any -> $tao_135_ext
binat on $ext_if from $switch_136_int to any -> $switch_136_ext

# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8081
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081
# NOTE(review): FTP clients never connect *to* port 20 (the server opens the
# active-mode data connection from it), so this second redirect should not
# match anything -- presumably harmless, but verify before keeping it.
rdr on $int_if proto tcp from any to any port 20 -> 127.0.0.1 port 8081

#####################################################
# FILTERING
#
#####################################################
# ------------------------------------------------- #
# DEFAULT "IN" AND "OUT"
# Note: "block in all" is required to make this config operate as a true firewall
# pf uses last-match semantics unless a rule says "quick", so these two rules
# are the policy that applies when nothing more specific below matches.
# Inbound: deny and log everything by default.
block in log all
# Outbound: allowed on every interface, including whatever the DMZ hosts
# originate towards the Internet.  This rule creates no state; return
# traffic is admitted only because the stateful "pass out" rules in the
# OUTBOUND TRAFFIC section match later and therefore win.
# NOTE(review): with $int_if unfiltered, a compromised DMZ server can open
# any outbound connection.  Restricting outbound traffic on $ext_if to the
# protocols the servers legitimately need would limit that, at the cost of
# maintaining an explicit outbound list.
pass out all
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# UNFILTERED INTERFACES
# Nothing is filtered on loopback or on the DMZ side; all policy is applied
# on $ext_if.  "quick" stops rule evaluation, so nothing below affects these.
pass out quick on { $Lo_if $int_if } all
pass in  quick on { $Lo_if $int_if } all
# NOTE(review): this opens every TCP port above 49151 on the firewall's own
# external address to any source, and creates state on any packet, not only
# on a SYN.  Presumably it exists for the active-mode data connections that
# the ftp-proxy(8) instance on 127.0.0.1:8081 receives from remote FTP
# servers; the ftp-proxy(8) / PF FAQ example of that time restricts the same
# rule with "user proxy flags S/SA" so that only sockets owned by the proxy
# are reachable -- confirm and tighten accordingly.
pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# BLOCK SPOOFERS AND SPAMMERS
# (the two commented variants refer to a <spammers> table that this file
# does not define; the spam table is <spamd>)
# block drop in log quick on $ext_if from { <noroute>, <spammers> } to any
# block drop out log quick on $ext_if from any to { <noroute>, <spammers> }
# Packets arriving from the Internet with a private/reserved source are
# spoofed; silently drop and log them.  "quick" makes this final regardless
# of any later pass rule, and "drop" overrides the global return policy.
block drop in log quick on $ext_if from <noroute> to any
# Never send traffic for private/reserved destinations out to the Internet.
block drop out log quick on $ext_if from any to <noroute>
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# RCP SERVICES
# rsh/rcp (TCP 514) authenticates by source address and carries data in the
# clear; it is limited to $trusted_rcp here.  scp over the SSH rule would
# remove the dependence on source-address trust entirely.
pass in log on $ext_if proto tcp from {$trusted_rcp} to {$rcp_providers} port {$rcp_tcp} keep state
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
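# ALLOW SSH 
# The original rule passed SSH from any source to any destination, although
# the file defines a $trusted_ssh group for exactly this purpose.  Accept SSH
# only from those hosts.  The destination stays "any" so that the firewall's
# own external address and every DMZ host remain reachable; a further step
# would be "to {$ssh_providers}" once the firewall itself is accounted for.
# Before loading: make sure every address you administer from is listed in
# $trusted_ssh, otherwise this rule locks you out.
# flags S/SA: create state only on the initial SYN, so stray ACK/FIN packets
# from the Internet do not instantiate a state.
pass in log on $ext_if proto tcp from {$trusted_ssh} to any port {$ssh_tcp} flags S/SA keep state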
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# ALLOW SWITCH CONNECTIONS 
# 3Com switch management from the admin hosts only.  $all_switch_tcp includes
# telnet (23), which sends credentials in the clear; prefer https where the
# switch supports it.
pass in log on $ext_if proto tcp from {$trusted_switch} to {$switch_providers} port {$all_switch_tcp} keep state
# ------------------------------------------------- #
#####################################################

#####################################################
# ------------------------------------------------- #
# ALLOW APC CONNECTIONS 
# NOTE(review): $apc_providers is $guru_int, and guru has no binat entry in
# the NAT section, so inbound packets to guru's public address are never
# translated to this destination -- the rule cannot match; confirm.
pass in log on $ext_if proto tcp from {$trusted_apc} to {$apc_providers} port {$apc_tcp} keep state
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# ALLOW REAL NETWORKS SERVICES
# RealNetworks streaming (TCP only; the real_*_udp macros are not used)
pass in log on $ext_if inet proto tcp from any to {$real_providers} port {$real_tcp} keep state
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# NAGIOS NRPE SERVICES
# NRPE from the monitoring host to any destination, including the firewall itself
pass in log on $ext_if inet proto tcp from {$trusted_nagios} to any port {$nagios_tcp} keep state
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# DNS RULES
# Inbound queries from anywhere to the DNS hosts.  NOTE(review): because any
# source may query, each server should refuse recursion for outside clients
# (server-side setting; pf cannot distinguish the two).
pass in log on $ext_if inet proto udp from any to {$dns_providers} port {$dns_udp} keep state
pass in log on $ext_if inet proto tcp from any to {$dns_providers} port {$dns_tcp} keep state
# Outbound queries.  Both rules are superseded by the later OUTBOUND TRAFFIC
# rules (last match wins), which pass the same traffic with the same state
# options, so they are effectively redundant.
pass out log on $ext_if inet proto udp from any to any port = 53 keep state
pass out log on $ext_if inet proto tcp from any to any port = 53 modulate state
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# FTP RULES
# NOTE(review): the port list expands to { 21 20 >1024 }, so every TCP port
# above 1024 on every FTP provider -- hosts that are also the web and mail
# servers -- is reachable from the Internet, not just passive FTP data.  Any
# service those hosts run on a high port is exposed by this one rule.  The
# usual fix is to configure a bounded passive-mode port range on each FTP
# server and open only that range, e.g. a macro ftp_pasv_tcp = "<low>:<high>"
# (placeholder values) and port {$all_ftp_tcp $ftp_pasv_tcp}; adding
# "flags S/SA" would also stop state being created on non-SYN packets.
pass in log on $ext_if proto tcp from any to {$ftp_providers} port {$all_ftp_tcp >1024} keep state
# NOTE(review): translation happens before filtering and every ftp provider
# has a binat entry, so outbound packets on $ext_if already carry the public
# address; this rule should therefore never match, and the OUTBOUND TRAFFIC
# rules cover the traffic anyway -- confirm and drop.
pass out log on $ext_if from {$ftp_providers} to any keep state
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# REMOTE CONTROL RULESET
# Allow tb2 for Rinpoche
# tb2 from the admin hosts plus shambhala_firewall to the tb2 targets.
# $tb2_tcp includes 445 (SMB/CIFS on a Windows host), so this group can also
# reach file sharing on those servers.
pass in log on $ext_if inet proto tcp from {$trusted_tb2} to {$tb2_providers} port {$tb2_tcp} keep state
pass in log on $ext_if inet proto udp from {$trusted_tb2} to {$tb2_providers} port {$tb2_udp} keep state
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# ALLOW EMAIL
# Labels are named from the mail user's point of view: "IN" is mail retrieval
# (POP/IMAP/webmail via $all_receive_email_tcp), "OUT" is SMTP submission.
# Both rules accept from any source; POP/IMAP carry passwords in the clear
# unless the servers enforce TLS, and every SMTP host must refuse to relay.
pass in log on $ext_if proto tcp from any to {$email_providers} port {$all_receive_email_tcp} keep state label "smtp-IN:$dstaddr"
pass in log on $ext_if proto tcp from any to {$smtp_providers} port {$all_send_email_tcp} keep state label "smtp-OUT:$dstaddr"
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# ALLOW COYOTE
# web ports on the tao hosts, admin sources only
pass in log on $ext_if proto tcp from {$trusted_coyote} to {$coyote_providers} port {$all_www_tcp} keep state
# ------------------------------------------------- #
#####################################################

#####################################################
# ------------------------------------------------- #
# ALLOW WEB TRAFFIC
# public web: http, https and the log analyser port (888) on every www host
pass in log on $ext_if proto tcp from any to {$www_providers} port {$all_www_tcp} keep state label "www:$dstaddr"
# ------------------------------------------------- #
#####################################################

#####################################################
# ------------------------------------------------- #
# ALLOW WEBCT TRAFFIC
# WebCT on the tulku hosts, open to any source on all WebCT TCP and UDP ports
pass in log on $ext_if proto tcp from any to {$webct_providers} port {$all_webct_tcp} keep state label "webct:$dstaddr"
pass in log on $ext_if proto udp from any to {$webct_providers} port {$all_webct_udp} keep state label "webct:$dstaddr"
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# OUTBOUND TRAFFIC
# Allow return traffic and connection from firewall
# pass tcp, udp, and icmp out on the external (Internet) interface. 
# keep state on udp and icmp and modulate state on tcp.
# These are the rules that actually create outbound state (the global
# "pass out all" above is stateless); being later in the file they win
# under last-match.  flags S/SA limits TCP state creation to the initial SYN.
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
# ------------------------------------------------- #
#####################################################


#####################################################
# ------------------------------------------------- #
# ICMP
# Echo request only, in both directions; the reply comes back via the state.
# ICMP errors that belong to an existing TCP/UDP state are handled through
# that state; unsolicited ICMP of any other type is dropped by the default
# "block in log all" -- NOTE(review): confirm that is intended.
pass out on $ext_if inet proto icmp from any to any icmp-type 8 code 0 keep state
pass in  on $ext_if inet proto icmp from any to any icmp-type 8 code 0 keep state
# ------------------------------------------------- #
#####################################################


############################
#--------------------------#
# Anti-spoofing protection (currently disabled: both antispoof rules below are commented out)
# antispoof log for fxp0
# antispoof log for fxp1
#--------------------------#
############################


