Hi,
I want to allow local users (10.10.0.0/24) to access the internet using only ports
80, 25, 110 and 53 udp.
I want to allow full access to the internet for 10.10.20.0/24. I mean, no
restriction.
Easy as that.
I used OpenBSD 3.8 in the past and I was able to filter packets on $ext_if from
my local network (10.10.0.0/24).
Tests:
1)
users_tcp_ports = "{ 25, 80, 110, 443 }"
users_udp_ports = "{ 53, 123 }"
normal_users = "10.10.0.0/24"
power_users = "10.10.20.0/24"
nat on $ext_if from $normal_users to any port $users_tcp_ports -> ($ext_if) tagged NORMAL_USERS_NAT
nat on $ext_if from $power_users to any -> ($ext_if) tagged POWER_USERS_NAT
# outgoing
block out on $ext_if
pass out quick on $ext_if from ($ext_if) to any
# filtering on $int_if
pass in quick on $int_if inet proto tcp from $normal_users to any port $users_tcp_ports
pass in quick on $int_if inet proto tcp from $power_users to any
Should this solve my problem?
I still have no test environment. I have around 300 users already going to the
internet and to other WAN sites through this OpenBSD box.
Please post me your suggestions.
Thanks
-----Original Message-----
From: cgc [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2008 16:21
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: RES: RES: Filtering outgoing connections in pf
What exactly are you trying to achieve? What PCs do you want to have
access to what ports? Are you just allowing every PC in the 10.10.0.0/16
network the same access or not? And access to what? Just web traffic?
pings? DNS? ... You will have to be a bit more specific.
And any box that is doing packet filtering between 2 or more networks, e.g.
a private network and the internet, is a router as far as I am aware.
Regards,
Charlie
On Wed, 15 Oct 2008 16:06:16 -0300, "Ricardo Augusto de Souza"
<[EMAIL PROTECTED]> wrote:
This sounds good.
But my OpenBSD is working like a router.
If I remove the rule "pass in quick on $int_if" I will have a lot of PCs
that cannot access other subnets.
Do you know what protocol I must allow for routes to work?
thankssssssss
-----Original Message-----
From: cgc [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2008 15:49
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: RES: Filtering outgoing connections in pf
Let me give you an example. If you just want 10.10.0.0/16 to have port 80
access then you need 3 rules:
# the nat
nat on $ext_if from 10.10.0.0/16 to any port 80 -> ($ext_if)
# allow through $int_if
pass in quick on $int_if proto tcp from 10.10.0.0/16 to any port 80
# and finally allow through $ext_if
pass out quick on $ext_if proto tcp from ($ext_if) to any
You can lock $ext_if down to just port 80 but the point is $int_if is where
you do the filtering for 10.10.0.0/16.
Correct me if I am wrong.
Regards,
Charlie
On Wed, 15 Oct 2008 14:44:43 -0300, "Ricardo Augusto de Souza"
<[EMAIL PROTECTED]> wrote:
Is it possible to filter outgoing packets on $ext_if even when doing NAT?
I mean, after "nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if)" all
packets from 10.10.0.0/16 will be translated to $ext_if.
I wish I could filter 10.10.0.0/16 packets on $ext_if.
Is it possible?
Thanks
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Ricardo Augusto de Souza
Sent: Wednesday, October 15, 2008 13:01
To: misc@openbsd.org
Subject: Filtering outgoing connections in pf
Hi,
I am confused with some PF rules.
I am trying to allow just some ports to my local users.
I am using "block out on $ext_if" but I think I should be able to choose the
ports my LAN users will access with the rule
pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25, 110 } keep state
It seems to be ok, but I had to add this rule:
pass out on $ext_if from $ext_if to any
(without this rule my box cannot connect to the internet). With this rule,
all users can connect to any outbound port.
Question: What is the right way to have my box on the internet while my
users can only access the selected ports?
Thanks
My pf.conf:
set loginterface xl1
set skip on lo0
scrub in
set require-order yes
set state-policy if-bound
altq on xl1 priq bandwidth 50Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
# external WAN interface
ext_if="xl1"
# internal LAN interface
int_if="xl0"
# MPLS interface
mpls_if = "bge0"
# VPN tunnel interfaces
vpn_if = "{ tun0, tun1, tun2, tun3, tun4 }"
vpn_net = "{ 10.10.9.0/26 }"
# default GW
gw="200.162.41.33"
table <badsites> persist file "/etc/badsites.txt"
winupdate = "{ 65.54.87.0/24 } "
############
# Variables
##########
#################
# 1 - Redirect to the staging (homologation) environment
###############
ws_ip = "{ 10.10.100.21 }"
ws_ports = "{ 8101, 8102, 8103 }"
####################################
# 2 - Useful variables
################################
lan = "{ 10.10.0.0/16 }"
cmt_lan = "{ 10.10.0.0/24 }"
ti_lan = "{ 10.10.20.0/26 }"
call_center_lan = "{ 10.10.60.0/26 }"
rede_mpls = "{ 10.100.0.0/16 }"
ip_admin = "{ 10.10.20.100 }"
msn = "207.46.0.0/16"
# ports
portas_saida_tcp = " {25, 80, 110,443 }"
portas_saida_udp = " { 53, 443 }"
portas_entrada_tcp = " { 22,1981, 810} "
portas_entrada_udp = " { 1194 }"
ip_rose = " { 10.10.0.56 } "
porta_rose = " { 2631 } "
oracle_desenv = "{ 10.10.100.13, 10.10.100.14 }"
ips_adm_ext = "{ 189.33.76.0/26 } "
# test: internet for the MPLS stores
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 3128 -> $int_if port 3128
# redirect to the NTP server
rdr pass on $mpls_if inet proto udp from $rede_mpls to $mpls_if port 123 -> 10.10.100.254 port 123
# redirect so the DTC servers send mail through sol
rdr pass on $mpls_if inet proto tcp from $rede_mpls to $mpls_if port 25 -> 10.10.0.2 port 25
nat on $int_if from any to 10.10.0.2 -> $int_if
# transparent squid
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1521 -> 10.10.100.13 port 1521
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1522 -> 10.10.100.14 port 1521
nat on $int_if from any to $oracle_desenv port 1521 -> $int_if
# redirect to the LAN; NAT was needed too.
rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
nat on $int_if from any to $ws_ip -> $int_if
#################
##### NAT ######
#################
# NAT to give the LAN internet access
nat on $ext_if from $lan to !($ext_if) -> $ext_if
nat on $mpls_if from $lan to any -> $mpls_if
# block everything in and everything out
block in on $ext_if
# inbound rules
# allow everything in on the internal interface
pass in on $int_if proto udp from $lan to $int_if port 53
pass in on $int_if from any to $lan modulate state
pass in on $int_if from $rede_mpls to $lan modulate state
# allow access to the MPLS network
pass in quick on $mpls_if from any to any
#pass in quick on $mpls_if from $rede_mpls to any
# allow inbound on the external interface
pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state
pass in quick on $ext_if proto udp from any to $ext_if port $portas_entrada_udp keep state
pass in quick on $ext_if proto tcp from any to $int_if port 443 flags S/SAFR keep state (max 256)
# VPN
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
pass in quick on $vpn_if all
pass out quick on $vpn_if all
pass in quick on $int_if from $vpn_net to any modulate state
pass in quick on $mpls_if from $vpn_net to any modulate state
# outbound rules
antispoof quick for { lo $int_if }
pass out on $int_if from any to $lan keep state
pass out on $mpls_if from $mpls_if to any modulate state
#####
# forbid all outbound traffic
block out on $ext_if
#pass out on $ext_if from $ext_if to any modulate state
pass out quick on $ext_if proto tcp from any to any port $portas_saida_tcp modulate state queue (q_def, q_pri)
pass out quick on $ext_if proto tcp from $ip_rose port 1024:65535 to 200.201.174.0/24 port { 80, 2631 } modulate state
# allow full access for the administrators
#pass out on $ext_if from $ip_admin to any modulate state
pass out on $ext_if proto tcp from $ext_if to any modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# block msn
pass out quick inet proto tcp from $ip_admin to $msn port { 80, 1863 }
block out quick proto tcp from any to $msn port { 80, 1863 }
# block access to these sites
block out on $ext_if from any to <badsites>
block out on $ext_if from any to $winupdate
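The two-tier outbound policy Ricardo asks for at the top of the thread (10.10.0.0/24 limited to tcp 25, 80, 110 and udp 53; 10.10.20.0/24 unrestricted), written out as an added example in the pre-4.7 pf syntax the thread uses; it is not from the thread and it only covers those two subnets and the firewall itself, leaving out the MPLS, VPN and rdr rules of the posted pf.conf. Interface names are taken from the posted config and the macro names are assumptions.

```pf
# Added example, not from the thread. Per-subnet filtering is done on $int_if,
# because by the time a packet is evaluated by "pass out on $ext_if" the nat
# rule has already rewritten its source to ($ext_if) and the original subnet
# is no longer visible.
ext_if = "xl1"
int_if = "xl0"

normal_users    = "10.10.0.0/24"
power_users     = "10.10.20.0/24"
users_tcp_ports = "{ 25, 80, 110 }"
users_udp_ports = "{ 53 }"

# Translation for both groups; the policy decision is NOT made here.
nat on $ext_if from $normal_users to any -> ($ext_if)
nat on $ext_if from $power_users  to any -> ($ext_if)

# Default deny in both directions that matter for this policy.
block in  on $int_if
block out on $ext_if

# Normal users: only the listed TCP ports plus DNS over UDP.
pass in quick on $int_if inet proto tcp from $normal_users to any \
    port $users_tcp_ports flags S/SA keep state
pass in quick on $int_if inet proto udp from $normal_users to any \
    port $users_udp_ports keep state

# Power users: no restriction (tcp, udp, icmp, anything).
pass in quick on $int_if inet from $power_users to any keep state

# Anything that reached $ext_if already passed the $int_if rules, and after
# nat it carries the firewall's own address, so one rule lets both the
# translated traffic and the box's own connections leave.
pass out quick on $ext_if from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; with `set state-policy if-bound`, as in the posted config, the explicit pass out on $ext_if is what allows the translated packets to leave, since the state created on $int_if does not apply there.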