On Thu, Jan 4, 2018 at 8:09 AM, Jon S <jonsjost...@gmail.com> wrote:
> This led to my first experiences with pf. After some work I came up with
> what's below. It works as I want it to work, but I wonder if there is a way
> to create a rule where incoming traffic to the internal NIC (re0) is
> passed if it is targeted for em0 (external, internet NIC)? The current
> solution would require an update of the "pass in on re0 to
> !re0:network"-rule if another NIC is added (let's say a DMZ).
>
> [ruleset omitted]

For years I used a vaguely similar ruleset on my own router; similar
in the sense that it used "pass out all" and relied only on filtering
inbound traffic.

But over time I've decided that it's better to block both inbound and
outbound by default, then explicitly allow traffic in 3 categories:
1. traffic to this router as the final destination (for services
running on the router)
2. traffic to be forwarded (with NAT if needed)
3. traffic that originates from this router

#3 is especially important if the router is also running other
services which may make announcements on the network.  If you are
running Samba for example you probably don't want to send
announcements to the Internet.  Yes, this means you need to know
explicitly what your services are doing so you know what to enable.
On the plus side it means nothing gets sent to the Internet simply
because you didn't know you needed to turn it off.

To differentiate between #1 and #2 I use tags to mark packets as
ACCEPT or FORWARD.  Only the packets tagged FORWARD are allowed to
pass out.  Inbound packets start with a TBD tag that basically means
"not yet tagged" and ensures that once a rule sets an ACCEPT or
FORWARD tag, other rules don't then try to re-tag it.

Also, I try to avoid using ! anywhere.  It is too easy to make
mistakes with it, and configuration mistakes are the #1 reason
unwanted traffic will get through your firewall.

A very stripped down subset of my ruleset follows, showing the
essentials.  em0 is my internal interface, em1 is my 'guest' interface
(that friends can use for their WiFi when they visit) and em2 connects
to my Internet cable modem (I don't use variable name substitutions
for unrelated reasons, but you may want to do so anyway).  I have
included em1 because it's very similar to a DMZ network.  I am running
several services on my router so I've also included the DNS and
ftp-proxy rules because they are good examples.  Note that I make
extensive use of "quick" to give "first matching rule wins" behavior.
I think this is easier to understand.

# pf.conf - PF configuration file

# tables
table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }

# by default, block all traffic not explicitly allowed
# (inbound packets start out tagged TBD, "not yet classified"; the pass
# rules below match "tagged TBD" and re-tag to ACCEPT or FORWARD, so a
# packet is classified at most once)
block in log all tag TBD
block out log all

# ACCEPT - traffic that should be accepted by this router (not forwarded)

# accept ping requests
pass in log quick on em0 inet proto icmp from em0:network to (self) icmp-type echoreq tagged TBD tag ACCEPT
pass in log quick on em1 inet proto icmp from em1:network to em1 icmp-type echoreq tagged TBD tag ACCEPT

# accept DNS requests
pass in log quick on em0 inet proto { udp tcp } to (self) port domain tagged TBD tag ACCEPT
pass in log quick on em1 inet proto { udp tcp } from em1:network to em1 port domain tagged TBD tag ACCEPT

# accept SSH connections
pass in log quick on em0 inet proto tcp from em0:network to (self) port ssh tagged TBD tag ACCEPT
pass in log quick on em1 inet proto tcp from em1:network to em1 port ssh tagged TBD tag ACCEPT

# FORWARD / Inbound - traffic that should be forwarded by this router

# block non-Internet traffic from public (guest) network
block in log quick on em1 to <rfc1918> tagged TBD

# pass internal FTP traffic
pass in log quick on em0 inet proto tcp from em0:network to 192.168/18 port ftp tagged TBD tag FORWARD

# proxy external FTP traffic
pass in log quick on em0 inet proto tcp from em0:network to port ftp divert-to 127.0.0.1 port 8021 tagged TBD tag ACCEPT
pass in log quick on em1 inet proto tcp from em1:network to port ftp divert-to 127.0.0.1 port 8021 tagged TBD tag ACCEPT
anchor "ftp-proxy/*"

# default forwarding rules for traffic from private network
pass in log quick on em0 from em0:network to 192.168/18 tagged TBD tag FORWARD
pass in log quick on em0 from em0:network modulate state tagged TBD tag FORWARD

# default forwarding rules for traffic from public (guest) network
pass in log quick on em1 from em1:network to em1:network tagged TBD tag FORWARD
pass in log quick on em1 from em1:network modulate state tagged TBD tag FORWARD

# game server
pass in log quick on em2 inet proto udp to (em2) port 27016 rdr-to 192.168.24.50 tagged TBD tag FORWARD

# FORWARD / Outbound

# forward internal traffic
pass out log quick on em0 tagged FORWARD
pass out log quick on em1 tagged FORWARD

# block unroutable external traffic
block out log quick on em2 to <rfc1918> tagged FORWARD

# forward external traffic
pass out log quick on em2 nat-to (em2) tagged FORWARD

# Outbound - traffic that may originate from this router

# allow traffic to any internal network
pass out log quick on em0 from (self)
pass out log quick on em1 from (self)

# allow DHCP on em2
pass out log quick on em2 inet proto udp from (em2) port bootpc to any port bootps

# allow ping requests
pass out log quick on em2 inet proto icmp from (em2) icmp-type echoreq

# allow DNS lookups
pass out log quick on em2 inet proto { udp tcp } from (em2) to any port domain

# allow FTP proxy connections
pass out log quick on em2 inet proto tcp from (em2) to any port ftp
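An added example, not part of the message above and not the poster's code: a small Python model of the two pf mechanisms the ACCEPT/FORWARD/TBD design leans on, "quick" first-match evaluation and a per-packet tag that one rule sets and a later rule tests, carried from the inbound pass to the outbound pass. It encodes a subset of the posted ruleset (in the same order) against an assumed topology and assumed addresses (em0 192.168.1.0/24, em1 192.168.50.0/24, em2 203.0.113.10), picks the egress interface by a naive connected-route lookup, and leaves out NAT, rdr-to, divert-to and state tracking. It is not pf and does not parse pf.conf; it exists to let you trace why a guest-to-LAN packet dies at the <rfc1918> block, why a LAN-to-Internet packet reaches the nat rule tagged FORWARD, and why a stray router-originated broadcast on em2 is dropped by "block out log all".

```python
"""Toy model (added example, not pf and not the poster's code) of the tag-based,
default-deny design above. It imitates only 'quick' first-match evaluation and
the per-packet tag ('tag' sets it, 'tagged' tests it) carried from the inbound
pass to the outbound pass; NAT, rdr-to, divert-to and state are left out."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed topology (the post gives no addresses): em0 internal, em1 guest, em2 Internet.
IFACE_ADDR = {"em0": "192.168.1.1", "em1": "192.168.50.1", "em2": "203.0.113.10"}
IFACE_NET = {"em0": ip_network("192.168.1.0/24"), "em1": ip_network("192.168.50.0/24")}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None
    tag: Optional[str] = None  # pf's per-packet tag; None means untagged

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: str                    # "in" or "out"
    iface: Optional[str] = None
    proto: Optional[Tuple[str, ...]] = None
    src: Optional[str] = None         # "self", "emN", "emN:network", "<rfc1918>", CIDR or None
    dst: Optional[str] = None
    dport: Optional[int] = None
    tagged: Optional[str] = None      # match only if the packet carries this tag
    tag: Optional[str] = None         # tag applied when this rule matches
    quick: bool = False

def addr_matches(spec: Optional[str], addr: str) -> bool:
    """Resolve the address specs used in the ruleset against one address."""
    if spec is None:
        return True
    ip = ip_address(addr)
    if spec == "self":
        return addr in IFACE_ADDR.values()
    if spec == "<rfc1918>":
        return any(ip in net for net in RFC1918)
    if spec.endswith(":network"):
        return ip in IFACE_NET[spec[: -len(":network")]]
    if spec in IFACE_ADDR:
        return addr == IFACE_ADDR[spec]
    return ip in ip_network(spec)

def evaluate(rules, direction: str, iface: str, pkt: Packet) -> Optional[str]:
    """One pf pass: last matching rule wins unless a matching rule is 'quick'.
    A 'tag' on any matching rule is seen by later 'tagged' tests in the same
    pass and stays on the packet for the next pass (what 'block in ... tag TBD'
    followed by 'pass ... tagged TBD tag FORWARD' relies on)."""
    decision = None
    for r in rules:
        if (r.direction != direction or (r.iface and r.iface != iface)
                or (r.proto and pkt.proto not in r.proto)
                or not addr_matches(r.src, pkt.src) or not addr_matches(r.dst, pkt.dst)
                or (r.dport is not None and r.dport != pkt.dport)
                or (r.tagged is not None and r.tagged != pkt.tag)):
            continue
        decision = r.action
        if r.tag:
            pkt.tag = r.tag
        if r.quick:
            break
    return decision

# Subset of the posted ruleset, same order. Positional fields:
# action, direction, iface, proto, src, dst, dport, tagged, tag, quick.
RULES = [
    Rule("block", "in", tag="TBD"),                      # block in log all tag TBD
    Rule("block", "out"),                                # block out log all
    # ACCEPT: traffic for the router itself
    Rule("pass", "in", "em0", ("udp", "tcp"), None, "self", 53, "TBD", "ACCEPT", True),
    Rule("pass", "in", "em1", ("udp", "tcp"), "em1:network", "em1", 53, "TBD", "ACCEPT", True),
    Rule("pass", "in", "em0", ("tcp",), "em0:network", "self", 22, "TBD", "ACCEPT", True),
    # FORWARD / inbound
    Rule("block", "in", "em1", dst="<rfc1918>", tagged="TBD", quick=True),
    Rule("pass", "in", "em0", src="em0:network", tagged="TBD", tag="FORWARD", quick=True),
    Rule("pass", "in", "em1", src="em1:network", tagged="TBD", tag="FORWARD", quick=True),
    # FORWARD / outbound (nat-to not modelled)
    Rule("pass", "out", "em0", tagged="FORWARD", quick=True),
    Rule("pass", "out", "em1", tagged="FORWARD", quick=True),
    Rule("block", "out", "em2", dst="<rfc1918>", tagged="FORWARD", quick=True),
    Rule("pass", "out", "em2", tagged="FORWARD", quick=True),
    # traffic originating from the router
    Rule("pass", "out", "em0", src="self", quick=True),
    Rule("pass", "out", "em1", src="self", quick=True),
    Rule("pass", "out", "em2", ("udp", "tcp"), "self", None, 53, quick=True),
]

def transit(iface_in: str, pkt: Packet):
    """Packet arriving on iface_in: inbound pass, then (only if tagged FORWARD)
    the outbound pass on the assumed egress. Returns (in, tag, out-or-None)."""
    in_dec = evaluate(RULES, "in", iface_in, pkt)
    if in_dec != "pass" or pkt.tag != "FORWARD":
        return in_dec, pkt.tag, None          # dropped, or delivered to the router
    ip = ip_address(pkt.dst)                  # assumed routing: connected nets, else em2
    egress = next((n for n, net in IFACE_NET.items() if ip in net), "em2")
    return in_dec, pkt.tag, evaluate(RULES, "out", egress, pkt)

if __name__ == "__main__":
    print(transit("em0", Packet("192.168.1.20", "198.51.100.7", "tcp", 443)))   # LAN -> Internet
    print(transit("em1", Packet("192.168.50.9", "192.168.1.20", "tcp", 445)))   # guest -> LAN
    print(evaluate(RULES, "out", "em2", Packet("203.0.113.10", "255.255.255.255", "udp", 137)))
```

Router-originated traffic (category 3) is just a single outbound pass with an untagged packet, so call evaluate(RULES, "out", "em2", ...) directly; because the "pass out ... tagged FORWARD" rules require a tag the router's own packets never carry, only the explicit "from (self)" rules can let them out, which is the property the message argues for.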
