Hi,

I'm trying to set up PF rules for a new OpenBSD 4.2 installation, but after struggling for a few days I still can't get it the way I need it to be. This is my first time setting up a pf.conf file, so any assistance would be greatly appreciated.

What I need:
- A firewall that allows ONLY the required access
- A firewall that allows FTP (passive & active)
- A firewall that is also a transparent bridge
- A firewall that reduces spam
- A firewall that keeps hackers & bruteforcers out by any means necessary

My biggest issue so far was getting FTP working; that's working now, but moving on to the spam part I ran into the same issue I initially had with FTP (which resulted in me using ftpsesame instead of ftp-proxy, since it turned out simpler).

My /etc/pf.conf file:

## BEGIN /etc/pf.conf ##
ext_if = "xl1"
int_if = "xl0"
opt_if = "xl2"

table <bruteforce> persist

tcp_ports = "{ ftp-data, ftp, ssh, smtp, domain, http, pop3, https, pop3s, radius, radacct }"
udp_ports = "{ domain, bootps, bootpc, ntp, radius, radacct, 33433 >< 33626 }"
icmp_types = "{ echoreq, unreach }"

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                   10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                   0.0.0.0/8, 240.0.0.0/4 }"

set block-policy drop
scrub in all

antispoof for $ext_if
antispoof for $int_if
antispoof for $opt_if

block quick from <bruteforce>

block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

pass in quick on $int_if
pass out quick on $int_if

pass in quick on $opt_if
pass out quick on $opt_if

block in log on $ext_if all
block return out log on $ext_if all

anchor "ftpsesame/*" proto tcp all

pass on $ext_if inet proto tcp from any to any port $tcp_ports keep state \
            (max-src-conn 100, max-src-conn-rate 15/5, \
             overload <bruteforce> flush global)
pass on $ext_if inet proto udp from any to any port $udp_ports keep state \
            (max-src-conn 100, max-src-conn-rate 15/5, \
             overload <bruteforce> flush global)

pass inet proto icmp all icmp-type $icmp_types keep state
## END /etc/pf.conf ##

Can somebody please advise me which rules I should put in here to get spamd working? The standard rdr stuff specified everywhere doesn't appear to work for my setup.

My network configuration is as follows:

xl0: up
xl1: up
xl2: inet 10.2.254.253 255.255.0.0 up
bridge0: add ep0 add ep1 blocknonip ep0 blocknonip ep1 up

I hope I have provided enough information on my setup; basically all that needs to change is hooking the spamd daemon in somewhere, but like I said, the standard instructions from spamd didn't work (it instead blocks port 25 completely; spamd doesn't receive any traffic, nor do any packets get logged, even if I turn on more verbose logging).

Regards,

Lionel Pinkhard
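The spamd(8) hook-up written against the macros in the pf.conf above, as an added example rather than anything from the original post. It assumes spamd is listening on 127.0.0.1 port 8025 (the "spamd" entry in /etc/services) and that the rules are inserted after the macro and table definitions, since on this pf version translation rules are evaluated before the filter rules.

```conf
# Added example (not from the original post). Assumes spamd listens on
# 127.0.0.1 port 8025 and is enabled with spamd_flags="" in /etc/rc.conf.local.

table <spamd> persist
table <spamd-white> persist

# Translation happens before filtering, and the filter rules then see the
# translated packet: destination 127.0.0.1 port 8025. Port 8025 is not in
# $tcp_ports, so a bare "rdr" would fall through to
# "block in log on $ext_if all". "rdr pass" lets the redirected SMTP
# connection through without consulting the filter rules at all.
rdr pass in on $ext_if inet proto tcp from <spamd> to any \
    port smtp -> 127.0.0.1 port spamd
rdr pass in on $ext_if inet proto tcp from !<spamd-white> to any \
    port smtp -> 127.0.0.1 port spamd

# Senders already in <spamd-white> are not redirected; they reach the
# existing "pass on $ext_if inet proto tcp ... port $tcp_ports" rule,
# which covers smtp.

# Checks:
#   pfctl -nf /etc/pf.conf        syntax-check without loading
#   pfctl -sn                     confirm the two rdr rules are loaded
#   pfctl -t spamd-white -T show  confirm whitelisted hosts appear here
```

With the rules in place, a redirected connection shows up in `pfctl -ss` as a state towards 127.0.0.1:8025 rather than the real mail server, which is the quickest way to tell whether the redirect is being hit at all.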
