Here are my rules (without the macro & table definitions, which come before
them; sensitive rules are hidden, but they are in the same template as the
shown rules and in the same place)

##
## Options
##

set skip on lo0

set block-policy drop
set limit { states 50000, frags 20000, src-nodes 40000, table-entries 600000 }

##
## NAT /!\ always before filtering! /!\
##

pass out quick proto tcp from $iogspriv_addr to !$priv_addr port { $smtp_ports $mail_ports $ldap_ports 16286 16287 22745 22734 49157 } nat-to $natto_iface

pass out quick proto tcp from $priv_addr to !$priv_addr port { ssh } nat-to $natto_iface

pass out quick proto tcp from <serviceinfo> to !$priv_addr port { $tse_port } nat-to $natto_iface

pass out quick proto { tcp udp } from <icloud_allowed_clients> to <icloud> port { https $jabber_ports 16384 16385 16386 16387 } nat-to $natto_iface

pass out quick proto icmp to { !$priv_addr } nat-to $natto_iface

pass out quick proto tcp from $administration to <socgen> nat-to $natto_iface

##
## Filtering
## 

#
# Default rules (incoming blocked and logged, outgoing allowed)
#

block in log all
pass out quick all

pass in quick on $internet_iface
pass in quick on $internet_carp_iface
pass in quick on $proxy_iface
pass in quick on $lan_iface

pass in quick proto carp
pass in quick on $lan_iface proto pfsync

# antispoofing, for hackers
#antispoof log for $clientlan_ifaces

block in quick from $poubelle

pass in quick proto icmp

pass in quick proto tcp to $proxy_addr
pass in quick proto tcp to { $proxy_addr1 $proxy_addr2 } port { 3128 http }

pass in quick from { $srv_gw1 $srv_gw2 }

pass in quick from <serviceinfo> to { $lan_addrs $toip_srv }
pass in quick from { $lan_addrs $toip_srv } to <serviceinfo>

pass in quick proto udp to port { bootps bootpc domain ntp }

pass in quick proto tcp from $srv_monitor
pass in quick proto tcp to $srv_monitor

pass in quick proto { tcp udp } from { $srv_logs $srv_ads } to { $srv_gw1 $srv_gw2 $priv_addr }
pass in quick proto { tcp udp } from { $srv_gw1 $srv_gw2 $priv_addr } to { $srv_logs $srv_ads }

# Servers reachable from the whole LAN over TCP
pass in quick proto tcp from { $srv_debian_repo $srv_ftp $srv_cloud } to $priv_addr
pass in quick proto tcp from $priv_addr to { $srv_debian_repo $srv_ftp $srv_cloud }

# Servers reachable from the whole LAN over UDP
pass in quick proto udp from { $srv_logs $srv_serveurmac } to $priv_addr
pass in quick proto udp from $priv_addr to { $srv_logs $srv_serveurmac }

# file servers & windows shares (Zeus/Hera)
pass in quick from $srv_fichiers_adm to {  } 
pass in quick from {  } to $srv_fichiers_adm 
pass in quick from $srv_fichiers_ecole to {  } 
pass in quick from {  } to $srv_fichiers_ecole

# view + physical
pass in quick from {  } to { $view}
pass in quick from { $view } to {  }

pass in proto { tcp udp } from <icloud_allowed_clients> to <icloud> port { https 5223 16384 16385 16386 16387 }
pass in proto { tcp udp } from <icloud> port { https 5223 16384 16385 16386 16387 } to <icloud_allowed_clients>

pass in proto tcp from $priv_addr to port { ssh $ldap_ports $smtp_ports $mail_ports $pcoip_ports $tse_port }
pass in proto tcp from port { ssh $ldap_ports $smtp_ports $mail_ports $pcoip_ports $tse_port } to $priv_addr

pass in proto tcp from $priv_addr to { $kms }
pass in proto tcp from { $kms } to $priv_addr

##
## RDR web
##

pass in quick proto tcp from !$proxy_addr to any port 80 rdr-to $proxy_addr port 3128

-- 
Cordialement,
Loïc BLOT, expertise en systèmes UNIX, sécurité et réseaux
Frost Sapphire Studios 

On Tuesday, 27 November 2012 at 08:45 +0100, Laurent Caron (Mobile)
wrote:

> "Loïc BLOT" <loic.b...@frostsapphirestudios.com> wrote:
> 
> >Hello to OpenBSD users,
> >
> >I have a little problem, I think it's linked with PF, but I have no
> >proof. The system is OpenBSD 5.1, but OpenBSD 5.2 gets the same thing (with a
> >different card: 5.1 uses bnx and 5.2 uses em).
> >I have a router with squid proxy, named and isc-dhcpd. The problem is,
> >sometimes I get "no route to host" for some transmissions (often on the
> >proxy), but randomly. Our connection is perfectly stable (Renater 1Gbit
> >fiber connection), and the routes are static and right.
> >When squid says no route to host and I refresh the page, it works. I
> >think it's a packet filter problem. Nmap sometimes has the same problem
> >and says no route to host when I try to scan. Example:
> >
> >Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:56 CET
> >sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, aaa.bbb.ccc.20,
> >16) => No route to host
> >Offending packet: TCP xxx.yyy.zzz.1:42282 > aaa.bbb.ccc.20:5200 S
> >ttl=37
> >id=32702 iplen=44  seq=2453102157 win=2048 <mss 1460>
> >Sleeping 15 seconds then retrying
> >
> >This scan was done in two different networks, but in this capture,
> >it is the same network
> >
> >Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:58 CET
> >sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, xxx.yyy.zzz.50,
> >16) => No route to host
> >Offending packet: TCP xxx.yyy.zzz.1:49053 > xxx.yyy.zzz.50:161 S ttl=52
> >id=62248 iplen=44  seq=3073961720 win=1024 <mss 1460>
> >Sleeping 15 seconds then retrying
> >
> >I don't have the problem with pf disabled.
> >
> >All my outgoing packets are allowed and some are NATed.
> >
> >Where do you think the problem comes from?
> >
> >Thanks in advance.
> >
> >Loïc Blot,
> >UNIX systems engineer.
> 
> Hello Loïc
> 
> What does your ruleset look like ?
> 
> Do you have a log of rejected packets (tcpdump on pflog0)?
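
As an added example that is not part of this thread or of either poster's setup: a small Python script that does the check Laurent suggests, reading tcpdump output from pflog0 and summarising blocked packets by rule number, direction, interface and destination port, so each drop can be traced back to a line of the ruleset above (the rule number is the index shown by `pfctl -vvsr`). It also picks out outbound drops whose source is one of the firewall's own addresses, since on OpenBSD a locally generated packet that pf drops is returned to the sending process as an error from sendto() rather than silently discarded. The log lines are constructed samples, the line layout is assumed from OpenBSD's pflog printing, and the local address set is a placeholder.

```python
import re
from collections import Counter

# Pattern for one tcpdump line read from pflog0 (e.g. `tcpdump -n -e -ttt -i pflog0`).
# The "rule N/(match) block in on IFACE: SRC.PORT > DST.PORT:" layout is assumed from
# OpenBSD's pflog printing; adjust the expression if your tcpdump prints differently.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

# Constructed sample lines, not traffic from the thread; addresses are RFC 5737
# documentation ranges.
SAMPLE_LOG = """\
Nov 27 08:45:01.000001 rule 0/(match) block in on em0: 203.0.113.9.40000 > 192.0.2.1.22: S 1:1(0) win 1024
Nov 27 08:45:01.000200 rule 0/(match) block in on em0: 203.0.113.9.40001 > 192.0.2.1.22: S 2:2(0) win 1024
Nov 27 08:45:02.000300 rule 0/(match) block out on em0: 192.0.2.1.42282 > 198.51.100.20.5200: S 3:3(0) win 2048
Nov 27 08:45:03.000400 rule 12/(match) pass in on em1: 10.0.0.5.51000 > 10.0.0.1.3128: S 4:4(0) win 65535
this line is not a pflog record and is skipped
"""


def parse_pflog(text):
    """Return one dict per parseable pflog line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize_blocks(text):
    """Count blocked packets by (rule number, direction, interface, destination port).

    The rule number is the @N index printed by `pfctl -vvsr`, so each key points
    at the exact ruleset line that dropped the packet.
    """
    counts = Counter()
    for rec in parse_pflog(text):
        if rec["action"] == "block":
            counts[(rec["rule"], rec["dir"], rec["iface"], rec["dport"])] += 1
    return counts


def local_outbound_blocks(text, local_addrs):
    """Outbound drops whose source is one of the firewall's own addresses.

    These are the records to compare against "no route to host" reports from
    local processes such as squid or nmap, because a locally generated packet
    dropped by pf is reported to the sender as an error instead of being lost.
    """
    return [rec for rec in parse_pflog(text)
            if rec["action"] == "block" and rec["dir"] == "out"
            and rec["src"] in local_addrs]


if __name__ == "__main__":
    # {"192.0.2.1"} is a placeholder for the router's own addresses.
    for key, n in sorted(summarize_blocks(SAMPLE_LOG).items()):
        print("rule %d %s on %s -> port %d: %d packet(s)" % (key + (n,)))
    for rec in local_outbound_blocks(SAMPLE_LOG, {"192.0.2.1"}):
        print("local outbound drop:", rec["src"], "->", rec["dst"], "port", rec["dport"])
```

In practice the input would come from `tcpdump -n -e -ttt -i pflog0` or from `tcpdump -n -e -ttt -r /var/log/pflog` piped into the script; with `block in log all` as the default rule and no logging on the `pass out` rules, an empty list from `local_outbound_blocks` while the error persists is itself useful, since it rules out a logged drop as the cause.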
