Hi,


I want to allow local users (10.10.0.0/24) to access the internet using only
ports 80, 25, 110 and 53 UDP.

I want to allow full access to 10.10.20.0/24 to the internet. I mean, no
restriction.

As easy as that.

I used OpenBSD 3.8 in the past and I was able to filter packets on $ext_if from
my local network (10.10.0.0/24).



Tests:

1)

users_tcp_ports = "{ 25, 80, 110, 443 }"
users_udp_ports = "{ 53, 123 }"
normal_users = "10.10.0.0/24"
power_users = "10.10.20.0/24"

# tag the translated packets: pf's 'tag' keyword goes before '->'
# ('tagged' would only match packets that already carry the tag)
nat on $ext_if from $normal_users to any port $users_tcp_ports tag NORMAL_USERS_NAT -> ($ext_if)
nat on $ext_if from $power_users to any tag POWER_USERS_NAT -> ($ext_if)

#outgoing
block out on $ext_if
pass out quick on $ext_if from ($ext_if) to any

#filtering on $int_if
pass in quick on $int_if inet proto tcp from $normal_users to any port $users_tcp_ports
pass in quick on $int_if inet proto tcp from $power_users to any



Should this solve my problem?

I still have no test environment. I have around 300 users already going to the
internet and to other WAN sites through this OpenBSD box.

Please post your suggestions.



Thanks



-----Original Message-----
From: cgc [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2008 16:21
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: RES: RES: Filtering outgoing connections in pf



What exactly are you trying to achieve? What PCs do you want to have
access to what ports? Are you just allowing every PC in the 10.10.0.0/16
network the same access or not? And access to what? Just web traffic?
Pings? DNS? ... You will have to be a bit more specific.
And any box that is doing packet filtering between 2 or more networks, e.g.
a private network and the internet, is a router as far as I am aware.



Regards,



Charlie



On Wed, 15 Oct 2008 16:06:16 -0300, "Ricardo Augusto de Souza"

<[EMAIL PROTECTED]> wrote:

> This sounds good.
> But my OpenBSD is working like a router.
> If I remove the rule pass in quick on $int_if I will have a lot of PCs
> that cannot access other subnets.
> Do you know what protocol I must allow for routes to work?

> 

> thankssssssss

> 

> -----Original Message-----
> From: cgc [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 15, 2008 15:49
> To: Ricardo Augusto de Souza
> Cc: misc@openbsd.org
> Subject: Re: RES: Filtering outgoing connections in pf

> 

> Let me give you an example: if you just want 10.10.0.0/16 to have port 80
> access then you need 3 rules:
> 
> #the nat
> nat on $ext_if from 10.10.0.0/16 to any port 80 -> ($ext_if)
> 
> #allow through $int_if
> pass in quick on $int_if proto tcp from 10.10.0.0/16 to any port 80
> 
> #and finally allow through $ext_if
> pass out quick on $ext_if proto tcp from ($ext_if) to any
> 
> You can lock $ext_if down to just port 80 but the point is $int_if is where
> you do the filtering for 10.10.0.0/16

> 

> Correct me if I am wrong.

> 

> Regards,

> 

> Charlie

> 

> On Wed, 15 Oct 2008 14:44:43 -0300, "Ricardo Augusto de Souza"

> <[EMAIL PROTECTED]> wrote:

>> Is it possible to filter outgoing packets on $ext_if even when doing NAT?
>> I mean, after  nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if) all
>> packets from 10.10.0.0/16 will be translated to $ext_if.
>> I wish I could filter 10.10.0.0/16 packets on $ext_if.

>> 

>> Is it possible?

>> 

>> Thanks

>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
>> Ricardo Augusto de Souza
>> Sent: Wednesday, October 15, 2008 13:01
>> To: misc@openbsd.org
>> Subject: Filtering outgoing connections in pf

>> 

>> Hi,

>> 

>> 

>> 

>> I am confused with some PF rules.

>> 

>> I am trying to allow just some ports to my local users.

>> 

>> I am using block out on $ext_if but I think I would be able to choose the
>> ports my LAN users will access with the rule
>> 
>> pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25, 110 } keep state

>> 

>> 

>> 

>> It seems to be ok, but I had to add this rule: pass out on $ext_if from
>> $ext_if to any (without this rule my box cannot connect to the
>> internet). With this rule, all users can connect to any outbound port.

>> 

>> 

>> 

>> Question: What is the right way to have my box on the internet while my
>> users can only access the selected ports?

>> 

>> 

>> 

>> 

>> 

>> Thanks

>> 

>> 

>> 

>> 

>> 

>> 

>> 

>> My pf.conf:
>> 
>> set loginterface xl1
>> set skip on lo0
>> scrub in
>> 
>> set require-order yes
>> set state-policy if-bound
>> 
>> altq on xl1 priq bandwidth 50Kb queue { q_pri, q_def }
>> queue q_pri priority 7
>> queue q_def priority 1 priq(default)
>> 
>> # external WAN interface
>> ext_if="xl1"
>> # internal LAN interface
>> int_if="xl0"
>> # MPLS interface
>> mpls_if ="bge0"
>> # VPN tunnel interfaces
>> vpn_if ="{ tun0, tun1, tun2, tun3, tun4 }"
>> vpn_net ="{ 10.10.9.0/26 }"
>> # Default GW
>> gw="200.162.41.33"
>> 
>> table <badsites> persist file "/etc/badsites.txt"
>> winupdate = "{ 65.54.87.0/24 } "
>> 
>> ############
>> # Variables
>> ##########
>> 
>> #################
>> # 1 - Redirection for the staging (homologation) environment
>> ###############
>> ws_ip = "{ 10.10.100.21 }"
>> ws_ports = "{ 8101, 8102, 8103 }"
>> 
>> ####################################
>> # 2 - Useful variables
>> ################################
>> lan = "{ 10.10.0.0/16 }"
>> cmt_lan = "{ 10.10.0.0/24 }"
>> ti_lan = "{ 10.10.20.0/26 }"
>> call_center_lan = "{ 10.10.60.0/26 }"
>> rede_mpls  = "{ 10.100.0.0/16 }"
>> ip_admin = "{ 10.10.20.100 }"
>> msn = "207.46.0.0/16"
>> 
>> # ports
>> portas_saida_tcp = " {25, 80, 110,443 }"
>> portas_saida_udp = " { 53, 443 }"
>> portas_entrada_tcp = " { 22,1981, 810} "
>> portas_entrada_udp = " { 1194 }"
>> ip_rose = " { 10.10.0.56 } "
>> porta_rose = " { 2631 } "
>> oracle_desenv = "{ 10.10.100.13, 10.10.100.14 }"
>> ips_adm_ext = "{ 189.33.76.0/26 } "
>> 
>> # test: internet access for the MPLS branch stores
>> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 3128 -> $int_if port 3128
>> 
>> # redirect to the NTP server
>> rdr pass on $mpls_if inet proto udp from $rede_mpls to $mpls_if port 123 -> 10.10.100.254 port 123
>> 
>> # redirect so the DTC servers send mail through sol
>> rdr pass on $mpls_if inet proto tcp from $rede_mpls to $mpls_if port 25 -> 10.10.0.2 port 25
>> nat on $int_if from any to 10.10.0.2 -> $int_if
>> 
>> # transparent squid
>> rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128
>> 
>> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1521 -> 10.10.100.13 port 1521
>> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1522 -> 10.10.100.14 port 1521
>> nat on $int_if from any to $oracle_desenv port 1521 -> $int_if
>> 
>> # redirection to the LAN; NAT was needed as well.
>> rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
>> nat on $int_if from any to $ws_ip -> $int_if
>> 
>> #################
>> ##### NAT  ######
>> #################
>> 
>> # NAT to give the LAN internet access
>> nat on $ext_if from $lan to !($ext_if) -> $ext_if
>> nat on $mpls_if  from $lan to any -> $mpls_if
>> 
>> # block everything in and everything out
>> block in on $ext_if
>> 
>> # inbound rules
>> 
>> # allow everything in on the internal interface
>> pass in on $int_if proto udp from $lan to $int_if port 53
>> pass in on $int_if from any to $lan  modulate state
>> pass in on $int_if from $rede_mpls to $lan  modulate state
>> 
>> # allow access to the MPLS network
>> pass in quick on $mpls_if from any to any
>> #pass in quick on $mpls_if from $rede_mpls to any
>> 
>> # allow inbound on the external interface
>> pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
>> pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state
>> pass in quick on $ext_if proto udp from any to $ext_if port $portas_entrada_udp keep state
>> pass in quick on $ext_if proto tcp from any to $int_if port 443 flags S/SAFR keep state (max 256)
>> 
>> #VPN
>> pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
>> pass in quick on $ext_if proto gre from any to $ext_if keep state
>> pass out quick on $ext_if proto gre from $ext_if to any keep state
>> pass in quick on $vpn_if all
>> pass out quick on $vpn_if all
>> 
>> pass in quick on $int_if from $vpn_net to any modulate state
>> pass in quick on $mpls_if from $vpn_net to any modulate state
>> 
>> # outbound rules
>> antispoof quick for { lo $int_if }
>> pass out on $int_if from any to $lan  keep state
>> pass out on $mpls_if from $mpls_if to any modulate state
>> #####
>> # forbid all outbound traffic
>> block out on $ext_if
>> #pass out on $ext_if from $ext_if to any modulate state
>> 
>> pass out quick on $ext_if proto tcp from any to any port $portas_saida_tcp modulate state queue (q_def, q_pri)
>> pass out quick on $ext_if proto tcp from $ip_rose port 1024:65535 to 200.201.174.0/24 port { 80, 2631 } modulate state
>> 
>> # allow full access for the administrators
>> #pass out on $ext_if from $ip_admin to any modulate state
>> 
>> pass out on $ext_if proto tcp from $ext_if  to any  modulate state flags S/SA
>> pass out on $ext_if proto { udp, icmp } all keep state
>> 
>> # block msn
>> pass out quick inet proto tcp from $ip_admin to $msn port { 80, 1863 }
>> block out quick proto tcp from any to $msn port { 80, 1863 }
>> # block access to these sites
>> block out on $ext_if from any to <badsites>
>> block out on $ext_if from any to $winupdate
>

-- 

Charlie Clark
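The point Charlie makes (filter on $int_if, because by the time a LAN packet reaches the filter rules on $ext_if its source has already been translated to the external address) is easy to check with a small model of pf's decision procedure. The following Python is an added example, not code from this thread or from OpenBSD; it models last-matching-rule-wins with `quick`, applies the nat translation before the outbound filter on $ext_if, and runs both the ruleset from the first question (filtering on $ext_if) and the draft at the top of the thread (filtering on $int_if, with full access for 10.10.20.0/24). Assumptions: the external address 192.0.2.10 and the destination addresses are constructed placeholders, a default `block in on $int_if` is added because the draft has none (without it the `pass in quick` rules on $int_if restrict nothing), and state tracking is not modelled.

```python
"""Toy model of pf rule evaluation for a LAN client's outbound packet.
Added example, not from the thread or from OpenBSD's pf."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EXT_IP = "192.0.2.10"   # constructed placeholder for the address of $ext_if


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    iface: str                       # "int_if" or "ext_if"
    src: str = "any"                 # CIDR or "any"
    proto: Optional[str] = None      # None matches any protocol
    ports: Optional[frozenset] = None  # None matches any destination port
    quick: bool = False

    def matches(self, direction, iface, pkt):
        if (self.direction, self.iface) != (direction, iface):
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.ports is not None and pkt.dport not in self.ports:
            return False
        return True


def evaluate(rules, direction, iface, pkt):
    """pf semantics: the last matching rule decides, unless a matching rule
    carries 'quick', which ends evaluation at once. No match means pass."""
    verdict = "pass"
    for rule in rules:
        if rule.matches(direction, iface, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def nat(pkt, lan_nets):
    """'nat on $ext_if from $lan to any -> ($ext_if)': a LAN source is
    rewritten to the external address before the 'out' filter on $ext_if."""
    if any(ip_address(pkt.src) in ip_network(n) for n in lan_nets):
        return Packet(EXT_IP, pkt.dst, pkt.proto, pkt.dport)
    return pkt


def forward(rules, pkt, lan_nets=("10.10.0.0/16",)):
    """A LAN packet must pass 'in' on $int_if and then, translated, 'out' on $ext_if."""
    if evaluate(rules, "in", "int_if", pkt) == "block":
        return "block"
    return evaluate(rules, "out", "ext_if", nat(pkt, lan_nets))


# Ruleset from the first question: the per-subnet filter sits on $ext_if.
FILTER_ON_EXT = [
    Rule("block", "out", "ext_if"),
    Rule("pass", "out", "ext_if", src="10.10.0.0/16", proto="tcp",
         ports=frozenset({80, 25, 110})),
    Rule("pass", "out", "ext_if", src=EXT_IP + "/32"),  # so the box itself gets out
]

# Draft from the top of the thread: filter on $int_if, open $ext_if for the
# translated traffic. The default block on $int_if is an assumption.
FILTER_ON_INT = [
    Rule("block", "in", "int_if"),
    Rule("pass", "in", "int_if", src="10.10.0.0/24", proto="tcp",
         ports=frozenset({25, 80, 110, 443}), quick=True),
    Rule("pass", "in", "int_if", src="10.10.0.0/24", proto="udp",
         ports=frozenset({53, 123}), quick=True),
    Rule("pass", "in", "int_if", src="10.10.20.0/24", quick=True),
    Rule("block", "out", "ext_if"),
    Rule("pass", "out", "ext_if", src=EXT_IP + "/32", quick=True),
]


def demo():
    """Run both rulesets against the cases discussed in the thread."""
    lan_ssh = Packet("10.10.0.5", "198.51.100.1", "tcp", 22)
    lan_web = Packet("10.10.0.5", "198.51.100.1", "tcp", 80)
    lan_dns = Packet("10.10.0.5", "198.51.100.1", "udp", 53)
    power_ssh = Packet("10.10.20.7", "198.51.100.1", "tcp", 22)
    return {
        "ext: lan ssh": forward(FILTER_ON_EXT, lan_ssh),          # leaks through
        "ext without box rule: lan web": forward(FILTER_ON_EXT[:2], lan_web),
        "int: lan ssh": forward(FILTER_ON_INT, lan_ssh),
        "int: lan web": forward(FILTER_ON_INT, lan_web),
        "int: lan dns": forward(FILTER_ON_INT, lan_dns),
        "int: power ssh": forward(FILTER_ON_INT, power_ssh),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32s} -> {verdict}")
```

The first result reproduces the leak described in the original question: once the `pass out ... from $ext_if to any` rule exists, every translated LAN packet matches it, so port 22 from a normal user gets out. Dropping that rule does not help either (the second result): then even port 80 is blocked, because the source is no longer 10.10.0.0/16 when the $ext_if rules run. Only the $int_if ruleset gives the intended split between the two subnets.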

