I have recently upgraded our OpenBSD 4.8 bridge & firewall to OpenBSD 5.0
(GENERIC.MP) #57: Mon Aug 8 14:58:00 MDT 2011 and I'm having some problems
with a rule set that used to work with 4.8. I took our backup firewall out of
production, re-installed a fresh copy of the snapshot stated, and used
site50.tgz to populate the hostname.* interfaces for physical devices, bridges
and VLANs, sysctl.conf for interface forwarding, etc. The install went fine,
all the files were put into place correctly, however, with the old rule set
the network fails to come up. I read the source-changes list and recall the
change for the set skip rules and interface groups, confirmed the changes as
defined in the following -current web page which doesn't *seem* to apply to me
since I am not using interface types, but instead physical interface names (or
variables that define interface names). Please keep in mind that the rules
load. In fact, if I do not enable PF during boot but enable PF afterwards it
works fine so I must be missing something here... Do I now have to set skip on
the physical interfaces for the VLANs/Bridge (em0 & em1) :'/
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
NS_DMZ="vlan1111"
DMZ="vlan2111"
NS_FASNET="vlan310"
NS_ACS="vlan311"
NS_EXPERIMENTAL="vlan312"
NS_NAT="vlan313"
NS_DMZ2="vlan314"
NS_111B="vlan315"
NS_NETM="vlan316"
FASNET="vlan300"
ACS="vlan301"
EXPERIMENTAL="vlan302"
NAT="vlan303"
DMZ2="vlan304"
111B="vlan305"
NETM="vlan306"
FW_MGMT="bge0"
# Service definitions
CIFS_PORTS="{137 139 445 epmap kerberos ldap}"
DNS_PORTS="{domain}"
FILEMAKER_PORTS="{2339 5003 5353}"
NFS_PORTS="{sunrpc 2049 4045}"
PRINT_PORTS="{161 printer ipp 9100}"
RDP_PORTS="{3389 5900:5999}"
WEB_PORTS="{http https}"
FLEXLM_PORTS="{ 1025:65535 }"
AD_PORTS="{ 88 389 1025 3268 epmap kerberos kpasswd ldap ntp }"
ARD_PORTS="{ 3283 }"
# Table definitions
# all hosts that get blocked due to too
# many connections are added temporarily here
table <bad_hosts> persist file "/etc/bad_hosts.list"
# Hosts that should be allowed into the NETM
table <netm_hosts> persist file "/etc/netm_hosts.list"
# Hosts that have been blocked permanently
table <blacklist_hosts> persist file "/etc/blacklist_hosts.list"
# Hosts we should never block
table <whitelist_hosts> persist file "/etc/whitelist_hosts.list"
# DNS Servers that we should communicate with
table <dns_servers> persist file "/etc/dns_servers.list"
# Web Servers
table <web_servers> persist file "/etc/web_servers.list"
# Public SFU / FASNET IP space
table <trusted_ip_space> persist file "/etc/trusted_ip_space.list"
# Publically accessible printers
table <public_printers> persist file "/etc/public_printers.list"
# Sytems Lab machines
table <systems_lab_hosts> persist file "/etc/systems_lab_hosts.list"
# baltic.example.com access list
table <baltic_acls> persist file "/etc/baltic_acls.list"
# FlexLM servers
table <flexlm_servers> persist file "/etc/flexlm_servers.list"
# CIFS servers
table <cifs_servers> persist file "/etc/cifs_servers.list"
# Our domain controllers servers
table <dc_servers> persist file "/etc/dc_servers.list"
# Camups DC servers
table <campus_dc_servers> persist file "/etc/campus_dc_servers.list"
# PlanetLab Machines
table <planet_lab_machines> persist file "/etc/planet_lab_machines.list"
## PF Engine paramaters
# Play nicely and send return refused,
# destination unreachable, etc on block
set block-policy return
# limit the number of states that can be created
# monitor "congestion" and "state count" ouput
# in systat pf
set limit { states 50000, table-entries 500000 }
# disable packet fragement reassembly to work with seven
# this should be removed when seven is decommissioned
set reassemble no
# Log traffic statistics on all interfaces
set loginterface all
# don't do any filtering on these devices
# only "public" side is filtered since you only
# need to filter on one side of the bridge
#set skip on { lo0 $FW_MGMT $NS_DMZ $NS_EXPERIMENTAL $NS_NAT $NS_DMZ2 $NS_111B
$111B $ACS $DMZ $DMZ2 $EXPERIMENTAL $FASNET $NAT }
set skip on { lo0 bge0 bge1 $FW_MGMT $NS_EXPERIMENTAL $NS_NAT $NS_DMZ2
$NS_111B $111B $ACS $DMZ2 $EXPERIMENTAL $FASNET $NAT }
# scrub incoming packets
match in all scrub (no-df)
# NAT all 172.16.0/24 traffic to the external interface
#match out on ! $NAT from 172.16.0.0/24 to any nat-to $FW_MGMT:network
# block any host deemed for whatever reason to be bad
# be meaner and just drop them which will use resources
# of the attacker slightly longer
block drop quick from <bad_hosts>
block drop quick from <blacklist_hosts>
# By default, do not permit remote connections to X11
# all X11 traffic should be tunnelled through SSH
block in quick on ! lo0 proto tcp to port 6000:6010
# Allow ping and traceroute through
pass quick log (to pflog1) inet proto icmp from any to any icmp-type echoreq
keep state
# traffic from these hosts should never be blocked
pass quick from <whitelist_hosts>
pass to <whitelist_hosts>
### NETM RULES ###
###
# Block access to NETM
block in log (to pflog2) on $NETM all
pass out log (to pflog2) quick on $NETM all
# Allow traffic to/from NETM allowed hosts
pass in log (to pflog2) quick on $NETM from <netm_hosts>
pass out log (to pflog2) quick on $NETM to <netm_hosts>
# Allow the testing of NETM
# Only enable for debugging
#pass in log (to pflog2) on $NS_NETM all
#pass out log (to pflog2) on $NS_NETM all
### FASNET RULES ###
###
# Block access to FASNET
block in log on $NS_FASNET all
# use modulate state to generate stronger ISNs on outgoing packets
# for OSs that don't already generate them
pass out quick log (to pflog1) on $NS_FASNET
# Allow SSH traffic but...
# if a host is found to be connecting more than 15 times within 5 seconds
# add them to bad_hosts table so they can be blocked
pass in log (to pflog1) proto tcp to any port ssh keep state \
(max-src-conn-rate 15/5, overload <bad_hosts> flush global)
# Allow RDP traffic but...
# if a host is found to be connecting more than 15 times within 5 seconds
# add them to bad_hosts table so they can be blocked
pass in log (to pflog1) proto tcp to any port $RDP_PORTS keep state \
(max-src-conn-rate 15/5, overload <bad_hosts> flush global)
# Allow DNS traffic to from our peers
pass in log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
<dns_servers> to any port $DNS_PORTS
pass in log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
<trusted_ip_space> to <dns_servers> port $DNS_PORTS
# Allow HTTP traffic to FASNET web servers
pass in log (to pflog1) quick on $NS_FASNET proto tcp from any to
<web_servers> port $WEB_PORTS
# Allow printing to public printers for trusted IP spaces
pass in log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
<trusted_ip_space> to <public_printers> port $PRINT_PORTS
# Allow remote desktop and VNC connections
pass in log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to any
port $RDP_PORTS
# Allow trusted IP spaces access to bigmac to speak to FileMaker Pro
pass in log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
<trusted_ip_space> to bigmac.example.com port $FILEMAKER_PORTS
# Allow systems lab machines to talk to each other
# regardless of networks
pass log (to pflog1) quick on $NS_FASNET from <systems_lab_hosts> to
<systems_lab_hosts>
# Allow some systems access to baltic.example.com
pass log (to pflog1) quick on $NS_FASNET proto tcp from <trusted_ip_space> to
baltic.example.com port $CIFS_PORTS
pass log (to pflog1) quick on $NS_FASNET proto tcp from <baltic_acls> to
baltic.example.com port $CIFS_PORTS
# Allow core.example.com to send statistics to wisteria.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
core.example.com to wisteria.example.com
# Allow access to FLEXLM License servers
pass log (to pflog1) quick on $NS_FASNET proto tcp from any to
<flexlm_servers> port $FLEXLM_PORTS
# Allow access to domain controller servers from trusted networks
pass log (to pflog1) quick proto { tcp, udp } from <trusted_ip_space> to
<dc_servers> #port $AD_PORTS
pass log (to pflog1) quick proto { tcp, udp } from <campus_dc_servers> to any
#port $AD_PORTS
pass log (to pflog1) quick proto { tcp, udp } from <trusted_ip_space> to
<dc_servers> port $CIFS_PORTS
# Allow access to CIFS servers
pass log (to pflog1) quick proto { tcp, udp } from <trusted_ip_space> to
<cifs_servers> #port $AD_PORTS
pass log (to pflog1) quick proto { tcp, udp } from <trusted_ip_space> to
<cifs_servers> port $CIFS_PORTS
# Allow connections to neo for things like updates and policy stuff
pass log (to pflog1) quick proto tcp from <trusted_ip_space> to
neo.example.com port { 5723, 8531 }
# Allow seven to talk to chuskawn so it can speak NIS
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
seven.example.com to chuskawn.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
seven.example.com to head1.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
seven.example.com to taiyang.example.com
# Allow hosts to talk to ghost.example.com and head4.example.com for backups
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to {
ghost.example.com, head4.example.com }
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from {
ghost.example.com, head4.example.com } to any
# Allow tftp traffic from mirror.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
mirror.example.com to any
# Allow printing from staff.example.com
pass quick log (to pflog1) on $NS_FASNET proto { tcp, udp } from
staff.example.com to any
# Allow puppet traffic from puppet.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
puppet.example.com to any port 8139
# Allow trend traffic from trend.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
trend.example.com to any port 43180
# Allow Managed Mac traffic from our trusted networks
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
<trusted_ip_space> to any port $ARD_PORTS
# Allow FTP traffic to our compute servers
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to
oak.example.com port ftp
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to
dogwood.example.com port ftp
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to
css.example.com port ftp
# Allow syslog traffic from ra1.example.com and ra2.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
ra1.example.com to any port syslog
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
ra2.example.com to any port syslog
# Allow external access to asb10830craig.example.com
# RT 151528
pass log (to pflog1) quick on $NS_FASNET proto tcp from any to
asb10830craig.example.com port 8085
# Allow redbug access to fornax
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
redbug.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
web.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
gradpcs.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
onara.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
intraweb.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
gradebook.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
cmpt165.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from
portal.example.com to fornax.example.com
# Allow all access to PlanetLab test machines from anywhere on unprivileged
ports
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to
<planet_lab_machines> port 1025:65535
# Allows all traffic into FASNET
# USE FOR TESTING ONLY
#pass in log (to pflog1) on $NS_FASNET keep state
--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier
I will do the best I can with the talent I have
