Hello,

        I'm a newbie myself, isn't it best to lock out all
 inbound connections and then open up only the services you want to
provide?  Can anyone tell me if this would be an appropriate
 configuration for a trusted network with a two-port router?  I placed
 questions in the configuration for points of my concern.  What
 improvements would you suggest to balance between log size and
 information effective for auditing?  I could only test part of the
 configuration, because I have a LinkSYS doing NAT and my machine is
 headless in the basement. Needless to say I didn't want to lock myself
 out playing with NAT on a private network.  Hopefully this doesn't
 stretch the bounds of an appropriate question for this mailing list.
 Thanks for any help.

Regards,

        Nathan



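# BEGIN /etc/pf.conf
#
# Two-interface router: $ExtIF faces the Internet, $IntraIF faces the
# trusted LAN.  Policy: NAT the LAN out, deny everything inbound except
# the two published services, deny everything outbound except stateful
# tcp/udp/icmp originating from the LAN.
#
# Logging: "log" on a rule that creates state records only the packet
# that creates the state (one entry per connection), not every packet,
# so it is cheap on "pass" rules.  The logged default-deny rules are
# where most of the audit value is.

#----- variables -----

ExtIF="dc1"
IntraIF="dc0"
IntraNet="192.168.0.0/16"
# public address of $ExtIF (placeholder, substitute the real one)
IPv4="x.x.x.x"

# "this" network, RFC 1918 space, loopback, link-local autoconfig and the
# limited broadcast address.  Kept on one line: a newline inside a quoted
# macro is not handled the same way by every pf version.
PrivateIPs="{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"

# substitute server IPs accordingly
Http="port { http, https }"
Http_IP="192.168.0.4"
Mail="port smtp"
Mail_IP="192.168.0.5"

Tcp="proto tcp"
NonTcp="proto { udp, icmp }"
# only an initial SYN (no ACK) may create state
FlagsSynAck="flags S/SA"
# FIN+URG+PSH without ACK never occurs in a legitimate connection
FlagsOSfinger="flags FUP/FUP"

#----- end variables -----


# reassemble fragments and normalize before any rule looks at packets
scrub in all


#----- translation (nat/rdr are evaluated before the filter rules) -----

# IPv4 nat for the LAN
nat on $ExtIF from $IntraNet to any -> $IPv4

# Published services.  rdr only rewrites the destination address: it takes
# no direction, no "log" and no flags/state options.  The matching
# "pass in" rules live in the services section below and must name the
# translated (internal) address, because filtering happens after
# translation.  With no port after the internal address the original
# destination port is kept.
rdr on $ExtIF inet $Tcp from any to $IPv4 $Http -> $Http_IP
rdr on $ExtIF inet $Tcp from any to $IPv4 $Mail -> $Mail_IP

#----- end translation -----


#---- quick blocks -----

# immediate block of packets arriving from a private/reserved source on
# the outside, and of anything trying to leave towards one
block in log quick on $ExtIF inet from $PrivateIPs to any
block out log quick on $ExtIF inet from any to $PrivateIPs

# immediate block of all IPv6 on the outside.  Matching on the address
# family is what does this; "from !$IPv4" (the previous form) only
# rejected outbound packets that did not carry our public address.
block in log quick on $ExtIF inet6 all
block out log quick on $ExtIF inet6 all

# egress anti-spoof: after nat, everything leaving must carry $IPv4
block out log quick on $ExtIF inet from !$IPv4 to any

# immediate block of nmap style OS finger printing probes
block in log quick on $ExtIF inet $Tcp from any to any $FlagsOSfinger

#---- end quick blocks -----


# default deny inbound, logged: this is the main audit trail
block in log on $ExtIF all

# default deny outbound for every protocol, not only tcp.  Hits here mean
# a LAN host is doing something unexpected, which is worth knowing about.
block out log on $ExtIF all


#----- stateful services -----
# One log entry per accepted connection; the block rule above records
# everything else aimed at the outside address.

# http server
pass in log on $ExtIF inet $Tcp from any to $Http_IP $Http $FlagsSynAck modulate state

# mail server
pass in log on $ExtIF inet $Tcp from any to $Mail_IP $Mail $FlagsSynAck modulate state

#---- end services -----


#----- outbound from the trusted network -----

# Not logged: with state a log entry would be written for every new
# connection from the LAN, which is high volume and low audit value on a
# trusted network.  Add "log" here only while troubleshooting.
pass out on $ExtIF inet $Tcp all $FlagsSynAck modulate state
pass out on $ExtIF inet $NonTcp keep state

# END /etc/pf.conf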
