[TriLUG] Re: OpenBSD firewall

Brandon L. Newport (704.658.9990) bnewport at appws.com
Wed Jan 7 10:53:05 EST 2004


For those that are interested in learning the OpenBSD firewall, I wrote an article
on deadly.org a while back. It was in relation to OpenBSD 3.2, but it should be
good as a learning tool.

www.deadly.org/article.php3?sid=20030301141353 - but it seems to be down right
now.

It was also published on daemonnews.

http://ezine.daemonnews.org/200303/openbsdfw.html




Jon Carnes <jonc at trilug.org> said:

> Wow!  Now that is what I call a *real* firewall!
> Fantastic use of almost every OpenBSD firewalling function.
>
> Just out of curiosity, what kind of processor and RAM do you have on the
> server?  What added latency do you get when passing through?
>
> Jon Carnes
>
> On Tue, 2004-01-06 at 22:42, ljacobs wrote:
> > Folks --
> >
> > I have attached a longish file that is the rule set of an OpenBSD based packet filter firewall. Those of you who are experienced with these systems might find it interesting. And I would particularly appreciate any comments and suggestions, criticisms and recommendations to improve on this firewall.
> >
> > I am basically supporting a number of Win2K servers, a FreeBSD postfix server and several linux servers. All the servers are really in a DMZ and the OpenBSD system is only dual-homed, i.e., 2 NICs.
> >
> > Thanks for any comments you might provide, especially as it relates to the requirement for the FTP servers to be available.
> >
> > IPs have been changed to protect the innocent.
> >
> > Thanks.
> >
> >
> > ________________________________________________________________
> > Sent via the WebMessaging system at mandala-designs.com
> >
> >
> >
> >
> >
> > ______________________________________________________________________
> >
> > # /etc/pf.conf
> > # essential reading: http://www.inebriated.demon.nl/pf-howto
> > #                    man pf.conf
> > #                    man pf
> > #
> > #
> > # To view the logfiles:
> > #       tcpdump -n -e -ttt -r /var/log/pflog
> > #
> > # To tail -f the logfile: (well not really but...)
> > #       tcpdump -n -e -ttt -i pflog0
> > #
> > # To watch the blocked packets
> > # 	tcpdump -n -e -tt -i pflog0 action block
> > #
> > # Use pfctl -t spamd -T replace -f /etc/spamd to update spammer table
> > # Use pfctl -t tablename -T show -v to show stats on each address in table
> > # Use pfctl -s nat   to show the effective nat-rules.
> > # Use pfctl -s rules to show your effective pf-rules.
> > # Use pfctl -vvs rules to show even more
> > #
> > # PF rule base, to get read into the PF script
> > #
> > # Version 0.60: August, 2003
> > #
> > # Interface:
> > #    fxp1 - internal to private network
> > #    fxp0 - external to T1
> > #
> > # rule keywords
> > #    * set
> > #    * scrub
> > #    * rdr
> > #    * nat
> > #    * binat
> > #    * block
> > #    * pass
> > #
> > # Order of Rules
> > # 1. Options
> > # 2. Scrub
> > # 3. NAT & RDR
> > # 4. Filter
> > #
> > # HOW TO FIREWALL A NEW IPADDRESS
> > # 1. add a new entry to "FIREWALLED SERVERS" for the
> > #    external address and the internal address
> > # 2. add internal server name to appropriate service providers
> > # 3. add a new binat entry
> > # 4. restart the firewall: pfctl -F all;pfctl -f /etc/pf.conf
> >
> > #####################################################
> > # DEFINE INTERFACES
> > #####################################################
> > ext_if="fxp0"
> > int_if="fxp1"
> > Lo_if="lo0"
> >
> > #####################################################
> > # DEFINE SERVERS
> > #####################################################
> > # DEFINE ADDRESS RANGES
> > int_ad = "192.168.1.0/24"
> > ext_ad = "143.23.199.128/27"
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # KNOWN REMOTE SERVERS
> > dorje = "234.139.229.177"
> > bodhi = "234.139.229.179"
> > dharma = "66.30.190.48"
> > kalapa = "168.103.60.107"
> > vajra = "66.30.190.106"
> > ursa_major = "245.140.80.3"
> > shambhala_firewall = "168.103.60.105"
> > redwing_home = "56.211.161.136"
> > redwing_office = "261.148.40.155"
> >
> > #
> > # REMOTE SERVER GROUPS
> > trusted_ssh = $bodhi $dorje $vajra $dharma $kalapa
> > trusted_dns = $bodhi $ursa_major $dharma
> > trusted_db = $dorje $kalapa
> > trusted_nagios = $dharma
> > trusted_tb2 = $bodhi $dorje $vajra $dharma $kalapa $shambhala_firewall
> > trusted_apc = $bodhi $dorje $vajra $dharma $kalapa
> > trusted_coyote = $bodhi $dorje $vajra $dharma $kalapa
> > trusted_switch = $bodhi $dorje $vajra $dharma $kalapa
> > trusted_rcp = $bodhi $dorje $vajra $dharma $kalapa $redwing_home $redwing_office
> > # ------------------------------------------------- #
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # FIREWALLED SERVERS
> > switch_136_ext = 	"226.327.93.136"
> > switch_136_int = 	"192.168.1.136"
> >
> > rinpoche_131_ext =	"226.327.93.131"
> > rinpoche_131_int =	"192.168.1.131"
> > rinpoche_140_ext =	"226.327.93.140"
> > rinpoche_140_int =	"192.168.1.140"
> > rinpoche_141_ext =	"226.327.93.141"
> > rinpoche_141_int =	"192.168.1.141"
> > rinpoche_143_ext =	"226.327.93.143"
> > rinpoche_143_int =	"192.168.1.143"
> > rinpoche_149_ext =	"226.327.93.149"
> > rinpoche_149_int =	"192.168.1.131"
> > rinpoche_150_ext =	"226.327.93.150"
> > rinpoche_150_int =	"192.168.1.150"
> > rinpoche_153_ext =	"226.327.93.153"
> > rinpoche_153_int =	"192.168.1.153"
> > rinpoche_154_ext =	"226.327.93.154"
> > rinpoche_154_int =	"192.168.1.154"
> > rinpoche_155_ext =	"226.327.93.155"
> > rinpoche_155_int =	"192.168.1.155"
> > rinpoche_158_ext =	"226.327.93.158"
> > rinpoche_158_int =	"192.168.1.158"
> >
> > rinpoche_all_int =	$rinpoche_131_int \
> > 			$rinpoche_140_int \
> > 			$rinpoche_141_int \
> > 			$rinpoche_143_int \
> > 			$rinpoche_149_int \
> > 			$rinpoche_154_int \
> > 			$rinpoche_150_int \
> > 			$rinpoche_153_int \
> > 			$rinpoche_155_int \
> > 			$rinpoche_158_int
> >
> >
> > tao_130_ext = "226.327.93.130"
> > tao_130_int = "192.168.1.130"
> >
> > tao_135_ext = "226.327.93.135"
> > tao_135_int = "192.168.1.135"
> > tao_all = $tao_130_int \
> > 	  $tao_135_int
> >
> > pema_ext = "226.327.93.132"
> > pema_int = "192.168.1.132"
> >
> > karma_ext = "226.327.93.133"
> > karma_int = "192.168.1.133"
> >
> > shiva_ext = "226.327.93.138"
> > shiva_int = "192.168.1.1"
> >
> > guru_ext = "226.327.93.157"
> > guru_int = "192.168.1.157"
> >
> > prajna_137_ext = "226.327.93.137"
> > prajna_137_int = "192.168.1.137"
> > prajna_139_ext = "226.327.93.139"
> > prajna_139_int = "192.168.1.137"
> > prajna_all_int = $prajna_137_int \
> > 		 $prajna_139_int
> >
> > tulku_134_ext = "226.327.93.134"
> > tulku_134_int = "192.168.1.134"
> > tulku_156_ext = "226.327.93.156"
> > tulku_156_int = "192.168.1.156"
> > tulku_all_int = $tulku_134_int \
> > 		$tulku_156_int
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # DEFINE SERVICE PROVIDERS
> > apc_providers = 	$guru_int
> >
> > switch_providers = 	$switch_136_int
> >
> > coyote_providers = 	$tao_all
> >
> > ssh_providers = 	$shiva_int \
> > 			$prajna_all_int \
> > 			$tulku_all_int
> >
> > dns_providers = 	$prajna_all_int \
> > 			$tulku_all_int \
> > 			$rinpoche_all_int
> >
> > webct_providers = 	$tulku_all_int
> >
> > email_providers = 	$rinpoche_all_int \
> > 			$pema_int
> >
> > smtp_providers = 	$rinpoche_all_int \
> > 			$pema_int \
> > 			$tulku_all_int \
> > 			$prajna_all_int
> >
> > ftp_providers = 	$rinpoche_all_int \
> > 			$karma_int \
> > 			$tulku_all_int \
> > 			$prajna_all_int \
> > 			$pema_int
> >
> > www_providers = 	$rinpoche_all_int \
> > 			$karma_int \
> > 			$tulku_all_int \
> > 			$prajna_all_int \
> > 			$pema_int \
> > 			$karma_int \
> > 			$switch_136_int
> >
> > telnet_providers = 	$switch_136_int
> >
> > real_providers = 	$rinpoche_all_int
> >
> > tb2_providers = 	$rinpoche_all_int \
> > 			$pema_int \
> > 			$karma_int
> >
> > rcp_providers =     $rinpoche_all_int
> >
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # DEFINE ALLOWED SERVICES
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # REMOTE CONTROL
> > # SSH
> > ssh_tcp = "22"
> > #
> > # TB2 SERVICES
> > tb2_udp = "407"
> > tb2_tcp = "445 1417 1418 1419 1420"
> > #
> > # VNC
> > # DON'T ALLOW!
> > # It's unencrypted, so only allow via SSH port forwarding
> > # ------------------------------------------------- #
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # NAME SERVICES
> > dns_tcp = "53"
> > dns_udp = "53"
> > # ------------------------------------------------- #
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # APC SWITCH SERVICES
> > apc_tcp = "8300"
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # NETWORK MONITORING SERVICES
> > nagios_tcp = "5666"
> > # ------------------------------------------------- #
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # GENERIC WEB SERVICES
> > http_tcp = "80"
> > https_tcp = "443"
> > log_analyzer_tcp = "888"
> > #
> > # ALL WWW
> > all_www_tcp = $http_tcp $https_tcp $log_analyzer_tcp
> > # ------------------------------------------------- #
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # 3COM SWITCH SERVICES
> > all_switch_tcp = "23" $http_tcp $https_tcp
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # REAL NETWORKS SERVICES
> > real_tcp = "554 7070"
> > real_low_udp = "6969"
> > real_hi_udp = "7169"
> > # ------------------------------------------------- #
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # EMAIL SERVICES
> > web_msg_tcp = "8383"
> > pop_tcp = "110"
> > imap_tcp = "143"
> > smtp_tcp = "25"
> > #
> > # ALL EMAIL
> > all_send_email_tcp = $smtp_tcp
> > all_receive_email_tcp = $web_msg_tcp $http_tcp $https_tcp $pop_tcp $imap_tcp
> > # ------------------------------------------------- #
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # WEBCT SERVICES
> > chat_4_tcp = "44454"
> > chat_4_udp = "44454"
> > whiteboard_4_tcp = "45674"
> > whiteboard_4_udp = "45674"
> > webct_http_tcp = "8900"
> >
> > chat_tcp = "4445"
> > chat_udp = "4445"
> > whiteboard_tcp = "4567"
> > whiteboard_udp = "4567"
> > license_tcp = "5555"
> > #
> > # ALL WEBCT TCP
> > all_webct_tcp = $http_tcp $https_tcp $chat_tcp $whiteboard_tcp $license_tcp \
> > 		$chat_4_tcp $whiteboard_4_tcp $webct_http_tcp
> > #
> > # ALL WEBCT UDP
> > all_webct_udp = $chat_udp $whiteboard_udp $chat_4_udp $whiteboard_4_udp
> > #
> > # ------------------------------------------------- #
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # FTP SERVICES
> > ftp_tcp = "21"
> > ftp_data_tcp = "20"
> > ftp_rand_tcp = ">1024"
> >
> > all_ftp_tcp = $ftp_tcp $ftp_data_tcp
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # RCP SERVICES
> > rcp_tcp = "514"
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # DEFINE BEHAVIORS
> > #####################################################
> > set limit { frags 40000, states 35000 }
> > set loginterface $ext_if
> > set optimization normal
> > set block-policy return
> >
> > #####################################################
> > # DEFINE TABLES (for speed)
> > #####################################################
> > table <mandala> { 192.168.1.0/255, 143.23.199.128/27 }
> >
> > table <noroute> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, \
> >           	  169.254.0.0/16, 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24, \
> >           	  204.152.64.0/23, 224.0.0.0/3, 127.0.0.0/8 }
> >
> > table <spamd> persist file "/etc/spamd"
> >
> > #####################################################
> > # DEFINE FIREWALL RULES
> > #####################################################
> > scrub in all
> > scrub out all
> >
> > #####################################################
> > # REDIRECTION CONFIGURATION: BINAT & RDR
> > #
> > # tarpit for spammers
> > # rdr inet proto tcp from <spamd> to any port 25 -> 127.0.0.1 port 8025
> > # rdr for email redirection of rinpoche to pema
> > rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 25 -> $pema_int port 25
> > rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 110 -> $pema_int port 110
> > rdr on $ext_if proto tcp from any to $rinpoche_131_ext port 8383 -> $pema_int port 8383
> >
> > # All internal traffic will look like it's coming from the external address
> > # BINAT SERVERS
> > binat on $ext_if from $rinpoche_131_int to any -> $rinpoche_131_ext
> > binat on $ext_if from $rinpoche_140_int to any -> $rinpoche_140_ext
> > binat on $ext_if from $rinpoche_141_int to any -> $rinpoche_141_ext
> > binat on $ext_if from $rinpoche_143_int to any -> $rinpoche_143_ext
> > binat on $ext_if from $rinpoche_149_int to any -> $rinpoche_149_ext
> > binat on $ext_if from $rinpoche_150_int to any -> $rinpoche_150_ext
> > binat on $ext_if from $rinpoche_153_int to any -> $rinpoche_153_ext
> > binat on $ext_if from $rinpoche_154_int to any -> $rinpoche_154_ext
> > binat on $ext_if from $rinpoche_155_int to any -> $rinpoche_155_ext
> > binat on $ext_if from $rinpoche_158_int to any -> $rinpoche_158_ext
> > binat on $ext_if from $pema_int to any -> $pema_ext
> > binat on $ext_if from $karma_int to any -> $karma_ext
> > binat on $ext_if from $prajna_137_int to any -> $prajna_137_ext
> > binat on $ext_if from $prajna_139_int to any -> $prajna_139_ext
> > binat on $ext_if from $tulku_134_int to any -> $tulku_134_ext
> > binat on $ext_if from $tulku_156_int to any -> $tulku_156_ext
> > binat on $ext_if from $tao_130_int to any -> $tao_130_ext
> > binat on $ext_if from $tao_135_int to any -> $tao_135_ext
> > binat on $ext_if from $switch_136_int to any -> $switch_136_ext
> >
> > # Translate outgoing ftp control connections to send them to localhost
> > # for proxying with ftp-proxy(8) running on port 8081
> > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081
> > rdr on $int_if proto tcp from any to any port 20 -> 127.0.0.1 port 8081
> >
> > #####################################################
> > # FILTERING
> > #
> > #####################################################
> > # ------------------------------------------------- #
> > # DEFAULT "IN" AND "OUT"
> > # Note: "block in all" is required to make this config operate as a true firewall
> > block in log all
> > pass out all
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # UNFILTERED INTERFACES
> > pass out quick on { $Lo_if $int_if } all
> > pass in  quick on { $Lo_if $int_if } all
> > pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # BLOCK SPOOFERS AND SPAMMERS
> > # block drop in log quick on $ext_if from { <noroute>, <spammers> } to any
> > # block drop out log quick on $ext_if from any to { <noroute>, <spammers> }
> > block drop in log quick on $ext_if from <noroute> to any
> > block drop out log quick on $ext_if from any to <noroute>
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # RCP SERVICES
> > pass in log on $ext_if proto tcp from {$trusted_rcp} to {$rcp_providers} port {$rcp_tcp} keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # ALLOW SSH
> > pass in log on $ext_if proto tcp from any to any port {$ssh_tcp} keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # ALLOW SWITCH CONNECTIONS
> > pass in log on $ext_if proto tcp from {$trusted_switch} to {$switch_providers} port {$all_switch_tcp} keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # ALLOW APC CONNECTIONS
> > pass in log on $ext_if proto tcp from {$trusted_apc} to {$apc_providers} port {$apc_tcp} keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # ALLOW REAL NETWORKS SERVICES
> > pass in log on $ext_if inet proto tcp from any to {$real_providers} port {$real_tcp} keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # NAGIOS NRPE SERVICES
> > pass in log on $ext_if inet proto tcp from {$trusted_nagios} to any port {$nagios_tcp} keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # DNS RULES
> > pass in log on $ext_if inet proto udp from any to {$dns_providers} port {$dns_udp} keep state
> > pass in log on $ext_if inet proto tcp from any to {$dns_providers} port {$dns_tcp} keep state
> > pass out log on $ext_if inet proto udp from any to any port = 53 keep state
> > pass out log on $ext_if inet proto tcp from any to any port = 53 modulate state
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # FTP RULES
> > pass in log on $ext_if proto tcp from any to {$ftp_providers} port {$all_ftp_tcp >1024} keep state
> > pass out log on $ext_if from {$ftp_providers} to any keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # REMOTE CONTROL RULESET
> > # Allow tb2 for Rinpoche
> > pass in log on $ext_if inet proto tcp from {$trusted_tb2} to {$tb2_providers} port {$tb2_tcp} keep state
> > pass in log on $ext_if inet proto udp from {$trusted_tb2} to {$tb2_providers} port {$tb2_udp} keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # ALLOW EMAIL
> > pass in log on $ext_if proto tcp from any to {$email_providers} port {$all_receive_email_tcp} keep state label "smtp-IN:$dstaddr"
> > pass in log on $ext_if proto tcp from any to {$smtp_providers} port {$all_send_email_tcp} keep state label "smtp-OUT:$dstaddr"
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # ALLOW COYOTE
> > pass in log on $ext_if proto tcp from {$trusted_coyote} to {$coyote_providers} port {$all_www_tcp} keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # ALLOW WEB TRAFFIC
> > pass in log on $ext_if proto tcp from any to {$www_providers} port {$all_www_tcp} keep state label "www:$dstaddr"
> > # ------------------------------------------------- #
> > #####################################################
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # ALLOW WEBCT TRAFFIC
> > pass in log on $ext_if proto tcp from any to {$webct_providers} port {$all_webct_tcp} keep state label "webct:$dstaddr"
> > pass in log on $ext_if proto udp from any to {$webct_providers} port {$all_webct_udp} keep state label "webct:$dstaddr"
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # OUTBOUND TRAFFIC
> > # Allow return traffic and connection from firewall
> > # pass tcp, udp, and icmp out on the external (Internet) interface.
> > # keep state on udp and icmp and modulate state on tcp.
> > pass out log on $ext_if proto tcp all modulate state flags S/SA
> > pass out log on $ext_if proto { udp, icmp } all keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > #####################################################
> > # ------------------------------------------------- #
> > # ICMP
> > pass out on $ext_if inet proto icmp from any to any icmp-type 8 code 0 keep state
> > pass in  on $ext_if inet proto icmp from any to any icmp-type 8 code 0 keep state
> > # ------------------------------------------------- #
> > #####################################################
> >
> >
> > ############################
> > #--------------------------#
> > # Protect against spoofing (antispoof rules, currently commented out)
> > # antispoof log for fxp0
> > # antispoof log for fxp1
> > #--------------------------#
> > ############################
> >
>
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>




--
------------------------------------
Brandon L. Newport
Appalachian Web Solutions
http://www.appws.com
P.O. Box 4254
Mooresville, North Carolina 28117
Ph. 704.658.9990
Fx. 866.422.4006
Mo. 704.564.9246
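Jon's reply praises the ruleset, but the file as quoted carries a few macro-level slips that a reviewer would catch by eye: one internal address (192.168.1.131) bound to two external addresses by binat, a list entry repeated inside www_providers and <noroute>, a trusted_ssh macro that is defined but never used while the SSH rule passes from any to any, a 192.168.1.0/255 mask, and anonymised addresses whose octets exceed 255. The following is an added example and not part of the thread: a small Python checker for exactly those patterns, run over a constructed excerpt (SAMPLE_PF_CONF) that reproduces them; it assumes the pf.conf macro and table syntax of that era and nothing about the rest of the file.

```python
import ipaddress
import re

# Constructed excerpt reproducing patterns from the quoted ruleset (not the full file).
SAMPLE_PF_CONF = """\
ext_if="fxp0"
trusted_ssh = "234.139.229.177"
rinpoche_131_ext = "226.327.93.131"
rinpoche_131_int = "192.168.1.131"
rinpoche_149_ext = "226.327.93.149"
rinpoche_149_int = "192.168.1.131"
karma_int = "192.168.1.133"
www_providers = $rinpoche_131_int \\
    $karma_int \\
    $karma_int
ftp_rand_tcp = ">1024"
table <mandala> { 192.168.1.0/255, 143.23.199.128/27 }
table <noroute> { 10.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3, 127.0.0.0/8 }
binat on $ext_if from $rinpoche_131_int to any -> $rinpoche_131_ext
binat on $ext_if from $rinpoche_149_int to any -> $rinpoche_149_ext
block drop in log quick on $ext_if from <noroute> to any   # comment is stripped
pass in log on $ext_if proto tcp from any to any port 22 keep state
pass in log on $ext_if proto tcp from any to {$www_providers} port 80 keep state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*(.*)$')
TABLE_RE = re.compile(r'^table\s+<(\w+)>')
BINAT_RE = re.compile(r'^binat\s+on\s+\S+\s+from\s+(\S+)\s+to\s+any\s+->\s+(\S+)$')
ADDR_RE = re.compile(r'^\d+\.\d+\.\d+\.\d+(?:/\d+)?$')

def logical_lines(text):
    """Strip comments and join backslash-continued lines, as pfctl reads the file."""
    out, buf = [], ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if line.endswith('\\'):
            buf += line[:-1] + ' '
        else:
            out.append((buf + line).strip())
            buf = ''
    return [l for l in out if l]

def lint_pf_conf(text):
    """Return sorted (check, detail) findings for the macro-level slips listed above."""
    lines = logical_lines(text)
    macros, tables, findings = {}, {}, []
    for line in lines:
        if m := MACRO_RE.match(line):
            macros[m.group(1)] = [t.strip('"') for t in m.group(2).split()]
        elif t := TABLE_RE.match(line):  # inline entries only; 'persist file' tables stay empty
            body = re.search(r'\{([^}]*)\}', line)
            tables[t.group(1)] = [e.strip() for e in body.group(1).split(',')] if body else []
    used_macros = set(re.findall(r'\$(\w+)', '\n'.join(lines)))
    used_tables = set(re.findall(r'<(\w+)>', '\n'.join(l for l in lines if not l.startswith('table'))))
    findings += [('unused-macro', n) for n in macros if n not in used_macros]
    findings += [('unused-table', n) for n in tables if n not in used_tables]
    for name, toks in list(macros.items()) + [(f'<{n}>', v) for n, v in tables.items()]:
        findings += [('duplicate-entry', f'{name}: {x}') for x in sorted(set(toks)) if toks.count(x) > 1]
        for x in filter(ADDR_RE.match, toks):
            try:
                ipaddress.ip_network(x, strict=False)  # rejects octets above 255 and masks beyond /32
            except ValueError:
                findings.append(('bad-address', f'{name}: {x}'))
    def resolve(tok):  # expand one $macro reference to its literal value(s)
        return ' '.join(macros.get(tok[1:], [tok])) if tok.startswith('$') else tok
    ext_for = {}  # binat is 1:1, so an internal address may be bound to only one external one
    for rule in lines:
        if b := BINAT_RE.match(rule):
            inner, outer = resolve(b.group(1)), resolve(b.group(2))
            if ext_for.setdefault(inner, outer) != outer:
                findings.append(('binat-conflict', f'{inner} -> {ext_for[inner]} and {outer}'))
        elif rule.startswith('pass in') and ' from any to any ' in rule:
            findings.append(('pass-in-any-to-any', rule))
    return sorted(findings)
```

Running `lint_pf_conf(open('/etc/pf.conf').read())` on the real file gives the same categories; the checker is a pre-review pass, not a substitute for `pfctl -nf`, which still validates the syntax pf itself accepts.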



