On Wed, May 6, 2009 02:41, Tomáš Bodžár wrote:
> I think that, in the case of pf, a good starting point is this site
> http://home.nuug.no/~peter/pf/ and then the FAQ parts

It always helps me to read https://calomel.org/ when in doubt. :)

(the new photo looks cool also =] )

matheus

> 2009/5/5 William Chivers <william.chiv...@newcastle.edu.au>:
>> Hello Ricardo,
>>
>> This is not a beginners' mailing list, people here expect questions to
>> 1. be very specific, and
>> 2. demonstrate that you have spent a lot of time trying to solve the
>> problem yourself, reading the documentation etc.
>>
>> Start with http://www.openbsd.org/faq/pf/index.html
>> If you still need help, there are several books on pf, for example "The
>> Book of PF" (http://nostarch.com/pf.htm).
>>
>> Look back through the misc mailing list to see how specific questions
>> about pf are. When you have a specific question, the best help available
>> is right here.
>>
>> Bill
>>
>> ---------------------------------------------
>> William J. Chivers
>> Lecturer in Information Technology
>> School of DCIT
>> Faculty of Science and Information Technology
>> University of Newcastle---Ourimbah Campus
>> PO Box 127, Ourimbah, NSW 2259
>> Australia
>> CRICOS Provider Number: 00109J
>>
>> phone: +61 2 4349 4473
>> fax:   +61 2 4349 4565
>> email: william.chiv...@newcastle.edu.au
>> ---------------------------------------------
>>>>> Ricardo Augusto de Souza <ricardo.so...@cmtsp.com.br> 05/06/09 5:08 AM
>>>>
>> Thanks for this 'polite' reply.
>> As I said, I spent some years away from the Unix/Linux world;
>> I worked with business intelligence those years.
>> Now I am back to network administration and I got this project to
>> do.
>> I used OpenBSD before version 3. I do like it.
>>
>> This is my current scenario.
>> - 2 firewalls with carp+pfsync that will handle 2 internet connections, 1
>> MPLS connection, 1 LAN to handle around 60 bus companies that transport 2
>> million users per day; each user has their own Mifare card. Each bus has a
>> system that stores this data in a file. These files will be imported into
>> Oracle later. After this import, there are a lot of specific applications
>> that use this information.
>> - behind these 2 firewalls we have around 30 servers (most Windows): IIS,
>> file transfer servers, WS, and some other servers like some Red Hat
>> Enterprise running Oracle 10g.
>> - at the beginning the firewalls will do NAT + filter + gateway + mpd5 +
>> squid (the fucking operators who need access to the Windows servers were
>> surfing the web from there.)
>> - our applications have around 5,000 users per day, but we have a lot of
>> web services and some ETL processes (I don't have statistics about volume
>> yet).
>>
>> So that is it.
>>
>>
>> -----Original Message-----
>> From: William Chivers [mailto:william.chiv...@newcastle.edu.au]
>> Sent: Monday, May 4, 2009 22:46
>> To: Ricardo Augusto de Souza; misc@openbsd.org
>> Subject: Re: Migration from IPTABLES to PF
>>
>> This is a great advertisement for OpenBSD, PF, and keeping things simple
>> in general, mind if I use it Ricardo?
>>
>> As for your original question, I wouldn't even try to convert your
>> iptables, especially using some magic tool to do it. Decide what you want
>> your firewall to do and start from scratch with PF. That way you will know
>> it is working and you will be able to maintain it reliably.
>>
>> Cheers, Bill
>>
>>>>> Ricardo Augusto de Souza <ricardo.so...@cmtsp.com.br> 05/05/09 3:17 AM
>>>>>
>> Hi,
>>
>> I have a firewall running on Fedora Core 4 (Stentz) with iptables. The guy
>> who installed it left our company some months ago.
>> I spent some years far from iptables; now I have to migrate this firewall
>> to PF.
>> There are some 'special' features on this firewall; I need some
>> documentation or help about implementing these features on the new
>> firewall (PF).
>>
>> These are the iptables scripts:
>>
>> #!/bin/bash
>> FW=/sbin/iptables
>> LOAD=/sbin/modprobe
>> #__________________________________________________________________________
>>
>> # Loading IPTABLES modules
>> . /etc/rc.d/init.d/prodata/fw_modulos
>>
>> # Loading variables
>> . /etc/rc.d/init.d/prodata/fw_variaveis
>>
>> if [ "$KERNEL" = "sim" ]
>>   then . /etc/rc.d/init.d/prodata/fw_kernel
>> fi
>>
>>
>> #___________________________________________________________________________
>> # Create LOG policies
>>
>> #___________________________________________________________________________
>>
>> if [ "$LOGS" = "sim" ]
>>   then . /etc/rc.d/init.d/prodata/fw_politicas
>> fi
>>
>> Normal rules here
>> #################################################################### EOF
>>
>>
>>
>> /etc/rc.d/init.d/prodata/fw_modulos
>> #$LOAD nfnetlink
>>
>> $LOAD ip_conntrack
>> $LOAD ip_conntrack_ftp
>> #$LOAD ip_conntrack_pptp ##
>> #$LOAD ip_conntrack_netlink ##
>> #$LOAD ip_conntrack_tftp ##
>>
>> #$LOAD ip_nat
>> $LOAD ip_nat_ftp
>> $LOAD ip_gre
>> #$LOAD ip_nat_pptp ##
>> #$LOAD ip_nat_tftp ##
>> $LOAD ip_queue ##
>> $LOAD ip_tables
>>
>> $LOAD iptable_filter
>> $LOAD iptable_nat
>> $LOAD iptable_mangle
>>
>> $LOAD ipt_helper
>> $LOAD ipt_LOG
>> $LOAD ipt_limit
>> $LOAD ipt_state
>> #$LOAD ipt_layer7 ##
>> $LOAD ipt_MASQUERADE
>> $LOAD ipt_multiport
>> #$LOAD ipt_string
>> $LOAD ipt_tcpmss
>> $LOAD ipt_TCPMSS
>> ######################################################### EOF
>>
>>
>> /etc/rc.d/init.d/prodata/fw_kernel
>>
>> #___________________________________________________________________________
>> # Kernel protection
>>
>> #___________________________________________________________________________
>> #Enable forwarding in kernel
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> #Disabling IP Spoofing attacks (reverse-path filter; switched off when
>> #IPsec is in use because decapsulated packets would fail the source check)
>> if [ "$IPSEC" = "sim" ]
>>   then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f
>>   done
>> else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > $f
>>   done
>> fi
>>
>> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
>> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>>
>> #Block source routing (0 = refuse packets carrying source-route options)
>> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>>
>> #Kill timestamps
>> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
>>
>> #Enable SYN Cookies
>> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>>
>> #Kill redirects (0 = ignore ICMP redirects)
>> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>>
>> #Enable bad error message protection
>> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>>
>> #Log martians (packets with impossible addresses)
>> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
>>
>> #Set our local port range
>> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
>>
>> #Reduce DoS'ing ability by reducing timeouts
>> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
>> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
>> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
>> echo 0 > /proc/sys/net/ipv4/tcp_sack
>> ################################################################### EOF
>>
>>
>>
>> /etc/rc.d/init.d/prodata/fw_politicas
>>
>> #___________________________________________________________________________
>> # LOG - Deny policy for frames
>>
>> #___________________________________________________________________________
>>
>> LOGLIMIT="2/s"
>> LOGLIMITBURST="10"
>> # Overall Limit for TCP-SYN-Flood detection
>> TCPSYNLIMIT="5/s"
>> # Burst Limit for TCP-SYN-Flood detection
>> TCPSYNLIMITBURST="10"
>> # Overall Limit for Ping-Flood-Detection
>> PINGLIMIT="5/s"
>> # Burst Limit for Ping-Flood-Detection
>> PINGLIMITBURST="1"
>>
>> $FW -N LOG_DROP
>> $FW -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
>>     -j LOG --log-prefix "fp=TCP:1 a=DROP "
>> $FW -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
>>     -j LOG --log-prefix "fp=UDP:2 a=DROP "
>> $FW -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
>>     -j LOG --log-prefix "fp=ICMP:3 a=DROP "
>> $FW -A LOG_DROP -p 47 -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
>>     -j LOG --log-prefix "fp=VPN:4 a=DROP "
>> $FW -A LOG_DROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
>>     -j LOG --log-prefix "fp=FRAGMENT:5 a=DROP "
>> $FW -A LOG_DROP -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=NEW nao SYN: "
>> $FW -A LOG_DROP -j DROP
>>
>>
>> #___________________________________________________________________________
>> # LOG - Accept policy for frames
>>
>> #___________________________________________________________________________
>>
>> $FW -N LOG_OK
>> $FW -A LOG_OK -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
>>     -j LOG --log-level 3 --log-prefix "fp=LOG_OK:3 a=ACCEPT "
>> $FW -A LOG_OK -j ACCEPT
>>
>>
>> #___________________________________________________________________________
>> # LOG - Deny policy for TCP-SYN-Flood
>>
>> #___________________________________________________________________________
>>
>> $FW -N LSYNFLOOD
>> $FW -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
>>     -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
>> $FW -A LSYNFLOOD -j DROP
>>
>>
>> #___________________________________________________________________________
>> # TCP - Policy to accept TCP connections while checking for SYN-Floods
>>
>> #___________________________________________________________________________
>>
>> $FW -N TCPACCEPT
>> $FW -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT \
>>     --limit-burst $TCPSYNLIMITBURST -j ACCEPT
>> $FW -A TCPACCEPT -p tcp -m state --state ESTABLISHED,RELATED --syn \
>>     -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
>> $FW -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
>> $FW -A TCPACCEPT -p tcp ! --syn -j ACCEPT
>>
>>
>> #___________________________________________________________________________
>> # SMB - Reject SMB (NetBIOS) frames
>>
>> #___________________________________________________________________________
>>
>> $FW -N SMB
>> $FW -A SMB -p tcp --dport 137 -j DROP
>> $FW -A SMB -p tcp --dport 138 -j DROP
>> $FW -A SMB -p tcp --dport 139 -j DROP
>> $FW -A SMB -p tcp --dport 445 -j DROP
>> $FW -A SMB -p udp --dport 137 -j DROP
>> $FW -A SMB -p udp --dport 138 -j DROP
>> $FW -A SMB -p udp --dport 139 -j DROP
>> $FW -A SMB -p udp --dport 445 -j DROP
>>
>> $FW -A SMB -p tcp --sport 137 -j DROP
>> $FW -A SMB -p tcp --sport 138 -j DROP
>> $FW -A SMB -p tcp --sport 139 -j DROP
>> $FW -A SMB -p tcp --sport 445 -j DROP
>> $FW -A SMB -p udp --sport 137 -j DROP
>> $FW -A SMB -p udp --sport 138 -j DROP
>> $FW -A SMB -p udp --sport 139 -j DROP
>> $FW -A SMB -p udp --sport 445 -j DROP
>>
>>
>>
>> #___________________________________________________________________________
>> # ICMP/TRACEROUTE (IN)
>>
>> #___________________________________________________________________________
>>
>> #Logging of possible Ping-Floods
>>
>> $FW -N LPINGFLOOD
>> $FW -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
>>     -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
>> $FW -A LPINGFLOOD -j DROP
>>
>>
>> #___________________________________________________________________________
>>
>> $FW -N ICMPINBOUND
>>
>> #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be
>> #logged/dropped
>> $FW -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT \
>>     --limit-burst $PINGLIMITBURST -j ACCEPT
>> $FW -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD
>>
>> #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
>> $FW -A ICMPINBOUND -p icmp --icmp-type redirect -j LOG_DROP
>>
>> #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
>> $FW -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP
>> $FW -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP
>>
>> #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
>> $FW -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP
>> $FW -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP
>>
>> #Allow all other ICMP in
>> $FW -A ICMPINBOUND -p icmp -j ACCEPT
>>
>>
>>
>> #___________________________________________________________________________
>> # ICMP/TRACEROUTE (OUT)
>>
>> #___________________________________________________________________________
>>
>>
>> $FW -N ICMPOUTBOUND
>>
>> #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
>> $FW -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LOG_DROP
>>
>> #Block ICMP-TTL-Expired
>> #MS Traceroute (MS uses ICMP instead of UDP for tracert)
>> $FW -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LOG_DROP
>> $FW -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LOG_DROP
>>
>> #Block ICMP-Parameter-Problem
>> $FW -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LOG_DROP
>>
>> #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
>> $FW -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP
>> $FW -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP
>>
>> #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
>> $FW -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP
>> $FW -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP
>>
>> ##Accept all other ICMP going out
>> $FW -A ICMPOUTBOUND -p icmp -j ACCEPT
>>
>>
>>
>> #___________________________________________________________________________
>> # PING Server - Allow ICMP
>>
>> #___________________________________________________________________________
>>
>> $FW -N icmp_packets
>> $FW -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
>> $FW -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>>
>>
>> #___________________________________________________________________________
>> # PING Client - Allow ICMP
>>
>> #___________________________________________________________________________
>>
>> $FW -N icmp_ping
>> $FW -A icmp_ping -p ICMP --icmp-type 8 -j ACCEPT
>> $FW -A icmp_ping -p ICMP --icmp-type 11 -j ACCEPT
>>
>>
>
>
>
> --
> http://www.openbsd.org/lyrics.html
>
>


-- 
We will call you cygnus,
The God of balance you shall be
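Bill's advice above is to write the PF policy from scratch rather than translate the iptables chains one by one. The pf.conf below is an added example of what that looks like for the chains Ricardo posted (LOG_DROP, TCPACCEPT/LSYNFLOOD, SMB, ICMPINBOUND/ICMPOUTBOUND, the rp_filter sysctls) plus the carp+pfsync pair from his scenario; it is not from the thread or from any of its posters. Interface names, address ranges, the published service list, the sync interface and all limit numbers are assumptions for illustration, and the NAT line uses the OpenBSD 4.7+ `match ... nat-to` syntax.

```pf
# Added example, not the original poster's configuration. Every name and
# number below is an assumption chosen to illustrate the policy shape.

ext_if    = "em0"                    # assumed external interface
int_if    = "em1"                    # assumed LAN/server interface
sync_if   = "em2"                    # assumed pfsync crossover link
int_net   = "10.0.0.0/24"            # assumed LAN range
web_srv   = "10.0.0.10"              # assumed IIS host published from outside
pub_tcp   = "{ 80, 443 }"            # assumed published services
smb_ports = "{ 137, 138, 139, 445 }" # the SMB chain's NetBIOS/SMB ports
out_icmp  = "{ echoreq, unreach }"   # what the ICMPOUTBOUND chain lets out

# Sources that exceed the SYN-rate limit land here (LSYNFLOOD analogue)
table <synflood> persist

set skip on lo
set block-policy drop

# Normalization replaces the "-f ... DROP" fragment rule: pf reassembles
# fragments before filtering, so a stray fragment never reaches a rule
match in all scrub (no-df random-id max-mss 1440)

# Gateway role: NAT the LAN out. IP forwarding itself is a sysctl
# (net.inet.ip.forwarding=1 in /etc/sysctl.conf), not a pf rule
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Default deny, logged to pflog0. Rules below that should stay quiet omit "log"
block log all

# Firewall pair: pfsync state exchange and CARP advertisements
pass quick on $sync_if proto pfsync
pass quick on { $ext_if, $int_if } proto carp

# rp_filter / log_martians analogue: spoofed sources and reverse-path failures
antispoof log quick for { $ext_if, $int_if }
block in log quick from urpf-failed

# SMB chain: NetBIOS/SMB never crosses the firewall in either direction
block quick proto { tcp, udp } from any to any port $smb_ports

# Sources already flagged by the SYN-rate overload are cut off outright
block in quick on $ext_if from <synflood>

# ICMPINBOUND analogue: only echo requests and error types are admitted;
# redirect, timestamp and address-mask types fall through to the default
# block. pf has no per-packet "-m limit", so ping-flood control is done by
# capping states per source rather than by a packets-per-second bucket
pass in on $ext_if inet proto icmp icmp-type { echoreq, unreach, timex } \
    keep state (max-src-states 10)

# TCPACCEPT/LSYNFLOOD analogue: up to 5 new connections per second per
# source to the published services; a source above that is added to
# <synflood> and all of its existing states are flushed
pass in on $ext_if inet proto tcp from any to $web_srv port $pub_tcp \
    flags S/SA keep state \
    (max-src-conn-rate 5/1, overload <synflood> flush global)

# LAN hosts out. States are floating by default, so the ICMP types allowed
# here must match the outbound set, or the egress rule below is bypassed
pass in on $int_if inet proto { tcp, udp } from $int_net to any keep state
pass in on $int_if inet proto icmp icmp-type $out_icmp from $int_net keep state

# ICMPOUTBOUND analogue: TTL-exceeded, parameter-problem, timestamp and
# address-mask never leave; the firewall's own TCP/UDP may
pass out on $ext_if inet proto { tcp, udp } keep state
pass out on $ext_if inet proto icmp icmp-type $out_icmp keep state

# The iptables "NEW but not SYN" log rule needs no counterpart: a non-SYN
# packet with no matching state hits "block log all" above
```

Check it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr -vv` shows per-rule hit counters, `pfctl -t synflood -T show` lists the sources the overload has caught, and `tcpdump -n -e -ttt -i pflog0` replaces the iptables LOG prefixes. The `max-src-conn-rate` knob only applies to TCP, which is why the ICMP rule uses `max-src-states`; the posted iptables `PINGLIMIT` token bucket has no exact PF equivalent.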
