take a look here, it may help http://www.xscanners.org/cgi-bin/index.cgi?action=viewnews&id=9
David Jobes - CISSP [EMAIL PROTECTED]

> Jason Williams wrote:
>
> Evening everyone. Well, I won't beat around the bush. I'll get right to
> the point.
> I'm pretty new to OpenBSD and PF but I'm having a blast learning it
> all. It's a lot of fun, but I have much to learn. I've read as much
> documentation as I can find on both PF and IPF. I've gone through the
> How-To as well as the archives and man pages.
> I feel like it's slowly sinking in, but I still have some questions. I
> wanted to post my rules here and have some people take a look at it,
> tell me what I'm missing, what I need/don't need and some good all
> around advice. I just want to make sure I'm understanding the concept.
> So if someone could give me some tips, I'd be very grateful.
>
> So here goes:
> My network:
>
> Cable Modem that issues Dynamic IP
> OpenBSD 3.1 Firewall/Gateway, running PF and NAT.
> Internal LAN has 4 boxes, running private IP address of 192.168.1.0/16
> No internal webservers, email servers or DNS servers.
> I want no internet/outside world access to my firewall or my internal
> LAN.
> Want the internal LAN to have access to the internet, FTP and ISP's
> mail server.
>
> The rules:
>
> #Declare interfaces and the works
> ExtIf = "dc0" #Untrusted (from cable modem) side
> IntIf = "dc1" #Trusted (to switch) side
> Loop = "lo0"
>
> #Scrub/Normalize packets
> scrub out all
> scrub in all
>
> #BLOCK SPOOFED/PRIVATE IP ADDRESSES:
> block in all
> block in quick on $ExtIf from 192.168.0.0/16 to any
> block in quick on $ExtIf from 172.16.0.0/12 to any
> block in quick on $ExtIf from 10.0.0.0/8 to any
> block in quick on $ExtIf from 0.0.0.0/8 to any
> block in quick on $ExtIf from 169.254.0.0/16 to any
> block in quick on $ExtIf from 192.0.2.0/24 to any
> block in quick on $ExtIf from 224.0.0.0/3 to any
> block in log quick on $ExtIf from 20.20.20.0/24 to any
> block in log quick on $ExtIf from any to 20.20.20.0/32
> block in log quick on $ExtIf from any to 20.20.20.255/32
> pass out quick on $ExtIf proto { tcp, udp } from 192.168.1.0/16 to any keep state
> pass out quick on $ExtIf proto icmp from 192.168.1.0/16 to any keep state
>
> #silently drop broadcasts (cable modem noise)
> block in quick on $ExtIf from any to 255.255.255.255
>
> #TO BLOCK SPOOFED TRAFFIC FROM LAN!!
> block out log quick on $ExtIf from any to 192.0.2.0/24
> block out log quick on $ExtIf from any to 172.16.0.0/12
> block out log quick on $ExtIf from any to 169.254.0.0/16
> block out log quick on $ExtIf from any to 0.0.0.0/8
> block out log quick on $ExtIf from any to 204.152.64.0/23
> block out log quick on $ExtIf from any to 224.0.0.0/3
> pass out quick on $ExtIf proto icmp from 192.168.1.0/16 to any icmp-type 8 keep state
> block out log quick on $ExtIf from any to any
>
> I'm pretty sure I left out a lot. But that's why I'm asking. Seeking
> help to fine tune my rules and get a better grasp.
> Also would like my internal LAN to be able to PING, DIG, NSLOOKUP etc.
> etc on the outside world.
>
> I appreciate everyone's help. Looking forward to see how my work is so
> far.
>
> Thanks everyone.
>
> Jason
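Added example (not Jason's rules and not an official OpenBSD sample): a filter ruleset for the requirements in the post, in the OpenBSD 3.1-era syntax where NAT rules live in /etc/nat.conf rather than pf.conf. The quoted ruleset never passes traffic *in* on the internal interface, so `block in all` stops LAN packets before they ever reach the `pass out` rules on dc0; this version adds that rule, keeps state on every outbound pass so replies come back without any `pass in` on the cable side, and passes UDP and ICMP echo so ping, dig and nslookup work from the LAN. The interface names dc0/dc1 come from the post; the LAN prefix 192.168.1.0/24 is an assumption for a four-host LAN. Passive-mode FTP works through the stateful outbound rules; active-mode FTP behind NAT additionally needs ftp-proxy(8), which is not shown.

```pf
# Added example, not from the thread. Interface names from the post;
# the /24 LAN prefix is assumed. OpenBSD 3.1: NAT is in /etc/nat.conf.
ExtIf = "dc0"            # untrusted side (cable modem)
IntIf = "dc1"            # trusted side (switch)
Lan   = "192.168.1.0/24" # assumed LAN prefix

scrub in all
scrub out all

# Default deny both ways and log what is dropped; every pass is explicit.
block in  log all
block out log all

# Loopback is never filtered.
pass in  quick on lo0 all
pass out quick on lo0 all

# Source addresses that must never arrive from the cable side.
block in quick on $ExtIf from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
block in quick on $ExtIf from { 127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8, 224.0.0.0/3 } to any
# Cable-modem broadcast noise, dropped without logging.
block in quick on $ExtIf from any to 255.255.255.255
# Private and bogus destinations must never leak out the cable side.
block out quick on $ExtIf from any to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
block out quick on $ExtIf from any to { 127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8 }

# LAN -> firewall: accept on the inside interface (the quoted ruleset lacks
# this, so "block in all" stops LAN traffic before dc0 is reached).
pass in quick on $IntIf proto tcp  from $Lan to any flags S/SA keep state
pass in quick on $IntIf proto udp  from $Lan to any keep state
pass in quick on $IntIf proto icmp from $Lan to any icmp-type 8 code 0 keep state
# Replies headed back into the LAN.
pass out quick on $IntIf from any to $Lan

# Firewall -> world on the cable side, for forwarded LAN traffic (already
# NATed by nat.conf) and for the gateway's own connections. State entries
# admit the replies, so no "pass in" on $ExtIf is needed at all.
pass out quick on $ExtIf proto tcp  from any to any flags S/SA modulate state
pass out quick on $ExtIf proto udp  from any to any keep state
pass out quick on $ExtIf proto icmp from any to any icmp-type 8 code 0 keep state
```

Check the file with `pfctl -n -f /etc/pf.conf` before loading it, since list and keyword support differs between PF releases, and confirm the NAT rule in /etc/nat.conf translates $Lan to the dc0 address; without it the `pass out` rules on dc0 would send unroutable 192.168.1.x sources to the cable modem.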