Tomáš,

thanks for the tip
Bill

---------------------------------------------
William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259
Australia
CRICOS Provider Number: 00109J 

phone:   +61 2 4349 4473
fax:     +61 2 4349 4565
email:  william.chiv...@newcastle.edu.au
---------------------------------------------
>>> Tomáš Bodžár <tomas.bod...@gmail.com> 05/06/09 3:41 PM >>>
I think that in the case of pf this site is a good starting point:
http://home.nuug.no/~peter/pf/ and then the FAQ parts.

2009/5/5 William Chivers <william.chiv...@newcastle.edu.au>:
> Hello Ricardo,
>
> This is not a beginners' mailing list, people here expect questions to
> 1. be very specific, and
> 2. demonstrate that you have spent a lot of time trying to solve the
> problem yourself, reading the documentation etc.
>
> Start with http://www.openbsd.org/faq/pf/index.html
> If you still need help, there are several books on pf, for example
> "The Book of PF" (http://nostarch.com/pf.htm).
>
> Look back through the misc mailing list to see how specific questions
> about pf are. When you have a specific question, the best help available
> is right here.
>
> Bill
>
> ---------------------------------------------
> William J. Chivers
> Lecturer in Information Technology
> School of DCIT
> Faculty of Science and Information Technology
> University of Newcastle---Ourimbah Campus
> PO Box 127, Ourimbah, NSW 2259
> Australia
> CRICOS Provider Number: 00109J
>
> phone:   +61 2 4349 4473
> fax:     +61 2 4349 4565
> email:  william.chiv...@newcastle.edu.au
> ---------------------------------------------
>>>> Ricardo Augusto de Souza <ricardo.so...@cmtsp.com.br> 05/06/09 5:08 AM >>>
> Thanks for this 'polite' reply.
> As I said, I spent some years away from the Unix/Linux world;
> I worked with business intelligence these years.
> Now I am back to network administration and I got this project to do.
> I used OpenBSD before version 3. I do like it.
>
> This is my current scenario.
> - 2 firewalls with 2 carp+pfsync that will handle 2 internet connections,
> 1 mpls connection, 1 lan to handle around 60 bus companies that transport
> 2 million users per day, each user has their own myfair card. Each bus
> has a system that stores this data in a file. These files will be
> imported to Oracle later. After this import, there are a lot of specific
> applications that use this information.
> - behind these 2 firewalls we have around 30 servers (most Windows):
> iis, file transfer servers, ws, and some other servers like some red hat
> enterprise running Oracle 10g.
> - at the beginning the firewalls will do Nat + filter + gateway +
> mpd5+squid (the fucking operators who need access to the Windows servers
> were surfing on the web from there.)
> - our applications have around 5,000 users per day, but we have a lot of
> web services and some etl processes (I don't have statistics about volume
> yet).
>
> So that is it.
>
>
> -----Original Message-----
> From: William Chivers [mailto:william.chiv...@newcastle.edu.au]
> Sent: Monday, 4 May 2009 22:46
> To: Ricardo Augusto de Souza; misc@openbsd.org
> Subject: Re: Migration from IPTABLES to PF
>
> This is a great advertisement for OpenBSD, PF, and keeping things
> simple in general, mind if I use it Ricardo?
>
> As for your original question, I wouldn't even try to convert your
> iptables, especially using some magic tool to do it. Decide what you
> want your firewall to do and start from scratch with PF. That way you
> will know it is working and you will be able to maintain it reliably.
>
> Cheers, Bill
>
>
> ---------------------------------------------
> William J. Chivers
> Lecturer in Information Technology
> School of DCIT
> Faculty of Science and Information Technology
> University of Newcastle---Ourimbah Campus
> PO Box 127, Ourimbah, NSW 2259
> Australia
> CRICOS Provider Number: 00109J
>
> phone:   +61 2 4349 4473
> fax:     +61 2 4349 4565
> email:  william.chiv...@newcastle.edu.au
> ---------------------------------------------
>>>> Ricardo Augusto de Souza <ricardo.so...@cmtsp.com.br> 05/05/09 3:17 AM >>>>
> Hi,
>
> I have a firewall running on a Fedora Core 4 (Stentz) with iptables.
> The guy who installed it left our company some months ago.
> I spent some years far from iptables, now I have to migrate this
> firewall to PF.
> There are some 'special' features on this firewall, I need some
> documentation or help about implementing these features at the new
> firewall (PF).
>
> These are the iptables scripts:
>
> #!/bin/bash
> FW=/sbin/iptables
> LOAD=/sbin/modprobe
> #__________________________________________________________________________
>
> # Loading the IPTABLES modules
> . /etc/rc.d/init.d/prodata/fw_modulos
>
> # Loading variables
> . /etc/rc.d/init.d/prodata/fw_variaveis
>
> if [ "$KERNEL" = "sim" ]
>   then . /etc/rc.d/init.d/prodata/fw_kernel
> fi
>
> #___________________________________________________________________________
> # Create LOG policies
> #___________________________________________________________________________
>
> if [ "$LOGS" = "sim" ]
>   then . /etc/rc.d/init.d/prodata/fw_politicas
> fi
>
> Normal rules here
> ####################################################################
> EOF
>
>
>
> /etc/rc.d/init.d/prodata/fw_modulos
> #$LOAD nfnetlink
>
> $LOAD ip_conntrack
> $LOAD ip_conntrack_ftp
> #$LOAD ip_conntrack_pptp ##
> #$LOAD ip_conntrack_netlink ##
> #$LOAD ip_conntrack_tftp ##
>
> #$LOAD ip_nat
> $LOAD ip_nat_ftp
> $LOAD ip_gre
> #$LOAD ip_nat_pptp ##
> #$LOAD ip_nat_tftp ##
> $LOAD ip_queue ##
> $LOAD ip_tables
>
> $LOAD iptable_filter
> $LOAD iptable_nat
> $LOAD iptable_mangle
>
> $LOAD ipt_helper
> $LOAD ipt_LOG
> $LOAD ipt_limit
> $LOAD ipt_state
> #$LOAD ipt_layer7 ##
> $LOAD ipt_MASQUERADE
> $LOAD ipt_multiport
> #$LOAD ipt_string
> $LOAD ipt_tcpmss
> $LOAD ipt_TCPMSS
> ######################################################### EOF
>
>
> /etc/rc.d/init.d/prodata/fw_kernel
> #___________________________________________________________________________
> # KERNEL protection
> #___________________________________________________________________________
> #Enable forwarding in kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> #Disabling IP Spoofing attacks.
> if [ "$IPSEC" = "sim" ]
>   then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f
>   done
> else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > $f
>   done
> fi
>
> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> #Block source routing (0 = do not accept source-routed packets)
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>
> #Kill timestamps
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
>
> #Enable SYN Cookies
> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> #Kill redirects (0 = do not accept ICMP redirects)
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>
> #Enable bad error message protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>
> #Log martians (packets with impossible addresses)
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
>
> #Set our local port range
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
>
> #Reduce DoS'ing ability by reducing timeouts
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
> ###################################################################
> EOF
>
>
>
> /etc/rc.d/init.d/prodata/fw_politicas
> #___________________________________________________________________________
> # LOG - Frame denial policy
> #___________________________________________________________________________
>
> LOGLIMIT="2/s"
> LOGLIMITBURST="10"
> # Overall Limit for TCP-SYN-Flood detection
> TCPSYNLIMIT="5/s"
> # Burst Limit for TCP-SYN-Flood detection
> TCPSYNLIMITBURST="10"
>
> # create the chain before adding rules to it
> $FW -N LOG_DROP
> $FW -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
> $FW -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
> $FW -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
> $FW -A LOG_DROP -p 47 -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=VPN:4 a=DROP "
> $FW -A LOG_DROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:5 a=DROP "
> $FW -A LOG_DROP -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=NEW nao SYN: "
> $FW -A LOG_DROP -j DROP
>
>
> #___________________________________________________________________________
> # LOG - Frame acceptance policy
> #___________________________________________________________________________
>
> $FW -N LOG_OK
> $FW -A LOG_OK  -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 3 --log-prefix "fp=LOG_OK:3 a=ACCEPT "
> $FW -A LOG_OK -j ACCEPT
>
>
> #___________________________________________________________________________
> # LOG - TCP-SYN-Flood denial policy
> #___________________________________________________________________________
>
> $FW -N LSYNFLOOD
> $FW -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
> $FW -A LSYNFLOOD -j DROP
>
>
> #___________________________________________________________________________
> # TCP - Policy to accept TCP connections while checking for SYN-Floods
> #___________________________________________________________________________
>
> $FW -N TCPACCEPT
> $FW -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
> $FW -A TCPACCEPT -p tcp -m state --state ESTABLISHED,RELATED --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
> $FW -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
> $FW -A TCPACCEPT -p tcp ! --syn -j ACCEPT
>
>
> #___________________________________________________________________________
> # SMB - Reject SMB (Netbios) frames
> #___________________________________________________________________________
>
> $FW -N SMB
> $FW -A SMB -p tcp --dport 137 -j DROP
> $FW -A SMB -p tcp --dport 138 -j DROP
> $FW -A SMB -p tcp --dport 139 -j DROP
> $FW -A SMB -p tcp --dport 445 -j DROP
> $FW -A SMB -p udp --dport 137 -j DROP
> $FW -A SMB -p udp --dport 138 -j DROP
> $FW -A SMB -p udp --dport 139 -j DROP
> $FW -A SMB -p udp --dport 445 -j DROP
>
> $FW -A SMB -p tcp --sport 137 -j DROP
> $FW -A SMB -p tcp --sport 138 -j DROP
> $FW -A SMB -p tcp --sport 139 -j DROP
> $FW -A SMB -p tcp --sport 445 -j DROP
> $FW -A SMB -p udp --sport 137 -j DROP
> $FW -A SMB -p udp --sport 138 -j DROP
> $FW -A SMB -p udp --sport 139 -j DROP
> $FW -A SMB -p udp --sport 445 -j DROP
>
>
>
> #___________________________________________________________________________
> # ICMP/TRACEROUTE (IN)
> #___________________________________________________________________________
>
> #Logging of possible Ping-Floods
>
> $FW -N LPINGFLOOD
> $FW -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
> $FW -A LPINGFLOOD -j DROP
>
>
> #___________________________________________________________________________
>
> $FW -N ICMPINBOUND
>
> #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be
> #logged/dropped
> $FW -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
> $FW -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD
>
> #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
> $FW -A ICMPINBOUND -p icmp --icmp-type redirect -j LOG_DROP
>
> #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
> $FW -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP
> $FW -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP
>
> #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
> $FW -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP
> $FW -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP
>
> #Allow all other ICMP in
> $FW -A ICMPINBOUND -p icmp -j ACCEPT
>
>
>
> #___________________________________________________________________________
> # ICMP/TRACEROUTE (OUT)
> #___________________________________________________________________________
>
>
> $FW -N ICMPOUTBOUND
>
> #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
> $FW -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LOG_DROP
>
> #Block ICMP-TTL-Expired
> #MS Traceroute (MS uses ICMP instead of UDP for tracert)
> $FW -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LOG_DROP
> $FW -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LOG_DROP
>
> #Block ICMP-Parameter-Problem
> $FW -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LOG_DROP
>
> #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
> $FW -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP
> $FW -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP
>
> #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
> $FW -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP
> $FW -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP
>
> ##Accept all other ICMP going out
> $FW -A ICMPOUTBOUND -p icmp -j ACCEPT
>
>
>
> #___________________________________________________________________________
> # PING Server - Allow ICMP
> #___________________________________________________________________________
>
> $FW -N icmp_packets
> $FW -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
> $FW -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>
>
> #___________________________________________________________________________
> # PING Client - Allow ICMP
> #___________________________________________________________________________
>
> $FW -N icmp_ping
> $FW -A icmp_ping -p ICMP --icmp-type 8 -j ACCEPT
> $FW -A icmp_ping -p ICMP --icmp-type 11 -j ACCEPT
>
>



-- 
http://www.openbsd.org/lyrics.html
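As an added example that is not part of the thread, here is how the policies in Ricardo's iptables script could be written from scratch in pf.conf, the approach Bill recommends, using the OpenBSD 4.5-era syntax current when the thread was written. The interface names em0/em1, the 192.0.2.0/24 prefix and ports 80/443 are assumptions standing in for what the script does not show ("Normal rules here").

```pf
# Added example, not from the thread: Ricardo's iptables policies
# rewritten from scratch as a pf.conf (OpenBSD 4.5-era syntax).
# Interface names, the LAN prefix and the published ports are assumptions
# (the script only says "Normal rules here").
ext_if    = "em0"
int_if    = "em1"
lan_net   = "192.0.2.0/24"         # RFC 5737 documentation prefix, placeholder
srv_ports = "{ 80 443 }"           # stand-in for the unspecified service rules

smb_ports = "{ 137 138 139 445 }"  # the SMB chain: tcp and udp, either direction
icmp_in   = "{ echoreq, timex }"   # icmp_packets/icmp_ping: types 8 and 11
# types the ICMPOUTBOUND chain sends to LOG_DROP
icmp_out_block = "{ redir, timex, paramprob, timereq, timerep, maskreq, maskrep }"

table <flooders> persist           # fed by overload; replaces LSYNFLOOD/LPINGFLOOD

set skip on lo
set block-policy drop              # iptables DROP rather than REJECT

# fw_kernel and the "-f" fragment rule: pf reassembles before filtering
scrub in all

# Default deny, logged to pflog0 (the LOG_DROP chain's job)
block log all

# Offenders caught by the overload rule below are cut off entirely
block quick from <flooders>

# SMB never crosses the firewall (both halves of the SMB chain)
block quick proto { tcp udp } from any to any port $smb_ports

# ICMP in: only echo request and time exceeded, with a per-source state cap
# (max-src-conn-rate counts completed TCP handshakes, so the ping-flood
# limit uses max-src-states instead)
pass in on $ext_if inet proto icmp icmp-type $icmp_in keep state (max-src-states 20)

# ICMP out: drop what ICMPOUTBOUND dropped, let the rest through
block out log quick on $ext_if inet proto icmp icmp-type $icmp_out_block
pass out on $ext_if inet proto icmp

# TCP in: synproxy completes the handshake before the server sees the SYN,
# and the connection-rate limit plays the role of TCPACCEPT + LSYNFLOOD
pass in on $ext_if proto tcp to $lan_net port $srv_ports \
    synproxy state (max-src-conn-rate 15/5, overload <flooders> flush global)

# LAN out: state is created on the SYN only (flags S/SA is the default)
pass out on $ext_if proto { tcp udp } from $lan_net keep state
pass in on $int_if from $lan_net
pass out on $int_if to $lan_net
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and read the blocked traffic with `tcpdump -n -e -ttt -i pflog0` instead of grepping kernel log prefixes.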
