Thanks for this 'polite' reply. As I Said i spent some years away from Unix/Linux world, I worked with business intelligence this years. Now i AM back to network administration and i got this Project to do. I used openbsd before version 3. I do like it.
This is my current senario. - 2 firewalls with 2 carp+pfsync that Will handle 2 internet connections, 1 mpls connection, 1 lan to handle around 60 bus company that transport 2 million users per Day, each user has your own myfair card. Each bus has a system that store this data in a file. This files Will be imported to Oracle later. After this import, there are a lot of specific applications that uses this informations. - behind this 2 firewalls we have around 30 servers: ( most Windows) iis, file transfer servers,ws, and some other servers like some red hat enterprise running Oracle 10g. - at the beginning the firewalls Will do Nat + filter + gateway + mpd5+squid ( the fucking operators Who need Access to the Windows servers were surfing on web from there. ) - our applications has around 5,000 users per Day, but we have a lot of web services and some etl process ( i dont have statistics about volume yet) So that is it. -----Mensagem original----- De: William Chivers [mailto:william.chiv...@newcastle.edu.au] Enviada em: segunda-feira, 4 de maio de 2009 22:46 Para: Ricardo Augusto de Souza; misc@openbsd.org Assunto: Re: Migration from IPTABLES to PF This is a great advertisement for OpenBSD, PF, and keeping things simple in general, mind if I use it Ricardo? As for your original question, I wouldn't even try to convert your iptables, especially using some magic tool to do it. Decide what you want your firewall to do and start from scratch with PF. That way you will know it is working and you will be able to maintain it reliably. Cheers, Bill --------------------------------------------- William J. Chivers Lecturer in Information Technology School of DCIT Faculty of Science and Information Technology University of Newcastle---Ourimbah Campus PO Box 127, Ourimbah, NSW 2259 Australia CRICOS Provider Number: 00109J phone: +61 2 4349 4473 fax: +61 2 4349 4565 email: william.chiv...@newcastle.edu.au --------------------------------------------- >>> Ricardo Augusto de Souza <ricardo.so...@cmtsp.com.br> 05/05/09 3:17 AM >>> Hi, I have a firewall running on a Fedora Core 4 (STentz) with iptables. The Guy Who installed it left our company some months ago. I spent some years far from iptables, now i have to migrate this firewall to PF. THere are some 'special' features on this firewall, i need some documentation or help about implementing this features at new firewall ( PF ). This is the iptables scripts: #!/bin/bash FW=/sbin/iptables LOAD=/sbin/modprobe #__________________________________________________________________________ # Carregando Modulo do IPTABLES . /etc/rc.d/init.d/prodata/fw_modulos # Carregando Variaveis . /etc/rc.d/init.d/prodata/fw_variaveis if [ $KERNEL = "sim" ] then . /etc/rc.d/init.d/prodata/fw_kernel fi #___________________________________________________________________________ # Cria politicas de LOGs #___________________________________________________________________________ if [ $LOGS = "sim" ] then . /etc/rc.d/init.d/prodata/fw_politicas fi Normal rules here #################################################################### EOF /etc/rc.d/init.d/prodata/fw_modulos #$LOAD nfnetlink $LOAD ip_conntrack $LOAD ip_conntrack_ftp #$LOAD ip_conntrack_pptp ## #$LOAD ip_conntrack_netlink ## #$LOAD ip_conntrack_tftp ## #$LOAD ip_nat $LOAD ip_nat_ftp $LOAD ip_gre #$LOAD ip_nat_pptp ## #$LOAD ip_nat_tftp ## $LOAD ip_queue ## $LOAD ip_tables $LOAD iptable_filter $LOAD iptable_nat $LOAD iptable_mangle $LOAD ipt_helper $LOAD ipt_LOG $LOAD ipt_limit $LOAD ipt_state #$LOAD ipt_layer7 ## $LOAD ipt_MASQUERADE $LOAD ipt_multiport #$LOAD ipt_string $LOAD ipt_tcpmss $LOAD ipt_TCPMSS ######################################################### EOF /etc/rc.d/init.d/prodata/fw_kernel #___________________________________________________________________________ # Protecao do KERNEL #___________________________________________________________________________ #Enable forwarding in kernel echo 1 > /proc/sys/net/ipv4/ip_forward #Disabling IP Spoofing attacks. if [ $IPSEC = "sim" ] then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f done else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > $f done fi #Don't respond to broadcast pings (Smurf-Amplifier-Protection) echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #Block source routing echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route #Kill timestamps echo 0 > /proc/sys/net/ipv4/tcp_timestamps #Enable SYN Cookies #echo 1 > /proc/sys/net/ipv4/tcp_syncookies #Kill redirects echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects #Enable bad error message protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses #Log martians (packets with impossible addresses) echo 1 > /proc/sys/net/ipv4/conf/all/log_martians #Set out local port range echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range #Reduce DoS'ing ability by reducing timeouts echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time echo 0 > /proc/sys/net/ipv4/tcp_window_scaling echo 0 > /proc/sys/net/ipv4/tcp_sack ################################################################### EOF /etc/rc.d/init.d/prodata/fw_politicas #___________________________________________________________________________ # LOG - Politica de Negacao de frames #___________________________________________________________________________ LOGLIMIT="2/s" LOGLIMITBURST="10" # Overall Limit for TCP-SYN-Flood detection TCPSYNLIMIT="5/s" # Burst Limit for TCP-SYN-Flood detection TCPSYNLIMITBURST="10" # Overall Limit for Ping-Flood-Detection PINGLIMIT="5/s" # Burst Limit for Ping-Flood-Detection PINGLIMITBURST="1" $FW -N LOG_DROP $FW -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP " $FW -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP " $FW -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP " $FW -A LOG_DROP -p 47 -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=VPN:4 a=DROP " $FW -A LOG_DROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:5 a=DROP " $FW -A LOG_DROP -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=NEW nao SYN: " $FW -A LOG_DROP -j DROP #___________________________________________________________________________ # LOG - Politica de Liberacao de frames #___________________________________________________________________________ $FW -N LOG_OK $FW -A LOG_OK -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 3 --log-prefix "fp=LOG_OK:3 a=ACCEPT " $FW -A LOG_OK -j ACCEPT #___________________________________________________________________________ # LOG - Politica de Negacao TCP-SYN-Flood #___________________________________________________________________________ $FW -N LSYNFLOOD $FW -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP " $FW -A LSYNFLOOD -j DROP #___________________________________________________________________________ # TCP - Politica para Aceitar conexoes TCP verificando SYN-Floods #___________________________________________________________________________ $FW -N TCPACCEPT $FW -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT $FW -A TCPACCEPT -p tcp -m state --state ESTABLISHED,RELATED --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT $FW -A TCPACCEPT -p tcp --syn -j LSYNFLOOD $FW -A TCPACCEPT -p tcp ! --syn -j ACCEPT #___________________________________________________________________________ # SMB - Rejeita frames SMB (Netbios) #___________________________________________________________________________ $FW -N SMB $FW -A SMB -p tcp --dport 137 -j DROP $FW -A SMB -p tcp --dport 138 -j DROP $FW -A SMB -p tcp --dport 139 -j DROP $FW -A SMB -p tcp --dport 445 -j DROP $FW -A SMB -p udp --dport 137 -j DROP $FW -A SMB -p udp --dport 138 -j DROP $FW -A SMB -p udp --dport 139 -j DROP $FW -A SMB -p udp --dport 445 -j DROP $FW -A SMB -p tcp --sport 137 -j DROP $FW -A SMB -p tcp --sport 138 -j DROP $FW -A SMB -p tcp --sport 139 -j DROP $FW -A SMB -p tcp --sport 445 -j DROP $FW -A SMB -p udp --sport 137 -j DROP $FW -A SMB -p udp --sport 138 -j DROP $FW -A SMB -p udp --sport 139 -j DROP $FW -A SMB -p udp --sport 445 -j DROP #___________________________________________________________________________ # ICMP/TRACEROUTE (IN) #___________________________________________________________________________ #Logging of possible Ping-Floods $FW -N LPINGFLOOD $FW -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP " $FW -A LPINGFLOOD -j DROP #___________________________________________________________________________ $FW -N ICMPINBOUND #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped $FW -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT $FW -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled) $FW -A ICMPINBOUND -p icmp --icmp-type redirect -j LOG_DROP #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled) $FW -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP $FW -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP #Block ICMP-address-mask (can help to prevent OS-fingerprinting) $FW -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP $FW -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP #Allow all other ICMP in $FW -A ICMPINBOUND -p icmp -j ACCEPT #___________________________________________________________________________ # ICMP/TRACEROUTE (OUT) #___________________________________________________________________________ $FW -N ICMPOUTBOUND #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled) $FW -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LOG_DROP #Block ICMP-TTL-Expired #MS Traceroute (MS uses ICMP instead of UDp for tracert) $FW -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LOG_DROP $FW -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LOG_DROP #Block ICMP-Parameter-Problem $FW -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LOG_DROP #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled) $FW -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP $FW -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP #Block ICMP-address-mask (can help to prevent OS-fingerprinting) $FW -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP $FW -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP ##Accept all other ICMP going out $FW -A ICMPOUTBOUND -p icmp -j ACCEPT #___________________________________________________________________________ # PING Server - Libera ICMP #___________________________________________________________________________ $FW -N icmp_packets $FW -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $FW -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT #___________________________________________________________________________ # PING Client - Libera ICMP #___________________________________________________________________________ $FW -N icmp_ping $FW -A icmp_ping -p ICMP --icmp-type 8 -j ACCEPT $FW -A icmp_ping -p ICMP --icmp-type 11 -j ACCEPT