I would like to know what I can do to improve my firewall ruleset.  This exact set 
protects my own internal LAN (8 computers), and includes P2P rules.  I have similar 
rulesets protecting other networks I have worked on, none with more than 300 clients 
though.
 
# pF.conf working for Wall
# Variables & Tables
int_dev="xl0"   # Internal network device.
ext_dev="ep0"   # External network device.
cwork="{ bunch of IPs here }"
overpeer="{ 64.15.228.160/27 }"
max_mss="1432"
unrouteable="{ 0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.0.2/24, 192.168/16 }"
ext_bandwidth="1544Kb"
# Options
set optimization conservative
set loginterface $ext_dev
# Normalize (defragment) packets on External Interface
scrub in on $ext_dev all fragment reassemble
scrub out on $ext_dev all max-mss $max_mss fragment reassemble
# NAT Rules
# only internal LAN gets NAT currently
nat on $ext_dev from 192.168.1.0/24 to any -> $ext_dev
# Port Forwarding Rules
rdr on $ext_dev proto tcp from any to any port 443 -> 192.168.1.2 port 443
rdr on $ext_dev proto tcp from any to any port 892 -> 192.168.1.2 port 892
rdr on $ext_dev proto udp from any to any port 4665 -> 192.168.1.2 port 4665
rdr on $ext_dev proto tcp from any to any port 4662 -> 192.168.1.2 port 4662
rdr on $ext_dev proto tcp from any to any port 2000 -> 192.168.1.2 port 2000
rdr on $ext_dev proto tcp from any to any port 222 -> 192.168.1.2 port 222
rdr on $ext_dev proto tcp from any to any port 6774 -> 192.168.1.2 port 6774
rdr on $ext_dev proto tcp from any to any port 3389 -> 192.168.1.2 port 3389
rdr on $ext_dev proto tcp from any to any port 6699 -> 192.168.1.2 port 6699
rdr on $ext_dev proto udp from any to any port 6257 -> 192.168.1.2 port 6257
rdr on $ext_dev proto udp from any to any port 1494 -> 192.168.1.2 port 1494
# Deny all connections - default packet filter rule
block in log on $ext_dev from any to any label "block_in_all"
# pass all loopback traffic
pass in quick on lo0 all
pass out quick on lo0 all
# block out all Microsoft AD & Netbios traffic
# mainly a paranoia rule
block out log quick on $ext_dev inet proto tcp from any to any port 445
block out log quick on $ext_dev inet proto udp from any to any port { 138, 137, 139 }
# Outbound Connection Rules for External Interface
pass out quick on $ext_dev proto tcp all modulate state
pass out quick on $ext_dev proto udp all keep state
pass out quick on $ext_dev proto icmp all keep state
# Block in all invalid combos of TCP flags & Log them
# these rules exist mainly to log these packets so I can curse at the bad people
block in log quick on $ext_dev inet proto tcp  from any  to any flags /UAPRSF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags F/AF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags P/AP 
block in log quick on $ext_dev inet proto tcp  from any  to any flags U/UA 
block in log quick on $ext_dev inet proto tcp  from any  to any flags RF/RF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags SF/SF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags RS/RS 
block in log quick on $ext_dev inet proto tcp  from any  to any flags UPF/UAPRSF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags UPSF/UAPRSF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags UARSF/UAPRSF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags UAPRSF/UAPRSF 
# Rules to allow incoming traffic for internal services & P2P traffic
pass in quick on $ext_dev proto tcp from any to 192.168.1.2 port { 443, 892, 222, 1494, 3389, 2000 } flags S/SA modulate state
pass in quick on $ext_dev proto tcp from any to $ext_dev port 22 flags S/SA modulate state
pass in log quick on $ext_dev proto tcp from any to $ext_dev port 25 flags S/SA modulate state
# the two P2P rules below are not quick, so a later matching block rule still overrides them
pass in on $ext_dev proto udp from any to 192.168.1.2 port { 4665, 6257 } keep state
pass in on $ext_dev proto tcp from any to 192.168.1.2 port { 4662, 6774, 6699 } modulate state
# block and log incoming packets from reserved address space and invalid addresses
# (not quick: this only reaches packets that no quick pass rule above has already accepted)
block in log on $ext_dev inet from $unrouteable to any
# properly respond to ident protocol also
block return-rst  in proto tcp from any to any port { 111, 6000, 6667 }       
block return-icmp in proto udp from any to any port { 137 }
# block Overpeer shit
block in on $ext_dev inet from $overpeer to any
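The point most worth checking in a ruleset like this is evaluation order: pf takes the last matching rule unless a matching rule carries `quick`, which ends evaluation on the spot. The following is an added example, not part of the post above, that models just that behaviour for the inbound rules on the external interface (scrub, NAT, outbound rules and the TCP-flag checks are left out; the `rdr` rules run before filtering, so the filter already sees `192.168.1.2` as the destination). The external address `203.0.113.1`, the rule labels and the sample packets are constructed for the example. It shows that the non-quick `$unrouteable` block at the end of the ruleset does override the non-quick P2P pass rules, but never sees a packet the quick service rules have accepted, and how placing a quick block first changes that.

```python
"""Toy model of pf rule evaluation: last matching rule wins unless a
matching rule is 'quick', which returns immediately. Models only the
inbound filter rules on the external interface of the posted ruleset."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

EXT_IP = "203.0.113.1"          # constructed stand-in for $ext_dev's address
INT_HOST = "192.168.1.2/32"     # the host the rdr rules forward to

# $unrouteable from the ruleset, written out as full prefixes
UNROUTEABLE = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
               "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16"]


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    quick: bool = False
    proto: Optional[str] = None              # None = any protocol
    src: List[str] = field(default_factory=list)   # [] = any source
    dst: List[str] = field(default_factory=list)   # [] = any destination
    ports: Set[int] = field(default_factory=set)   # set() = any port
    label: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def in_nets(addr: str, nets: List[str]) -> bool:
    """Empty list means 'any'; otherwise addr must fall in one prefix."""
    if not nets:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and in_nets(pkt.src, rule.src)
            and in_nets(pkt.dst, rule.dst)
            and (not rule.ports or pkt.dport in rule.ports))


def evaluate(rules: List[Rule], pkt: Packet):
    """Return (action, label) the way pf decides: quick ends evaluation,
    otherwise the last matching rule wins; no match at all means pass."""
    last = None
    for rule in rules:
        if matches(rule, pkt):
            if rule.quick:
                return rule.action, rule.label
            last = rule
    return ("pass", "default") if last is None else (last.action, last.label)


# Inbound rules in the order the post lists them (labels are constructed).
INBOUND = [
    Rule("block", label="block_in_all"),
    Rule("pass", quick=True, proto="tcp", dst=[INT_HOST],
         ports={443, 892, 222, 1494, 3389, 2000}, label="services"),
    Rule("pass", quick=True, proto="tcp", dst=[EXT_IP + "/32"], ports={22}, label="ssh"),
    Rule("pass", quick=True, proto="tcp", dst=[EXT_IP + "/32"], ports={25}, label="smtp"),
    Rule("pass", proto="udp", dst=[INT_HOST], ports={4665, 6257}, label="p2p_udp"),
    Rule("pass", proto="tcp", dst=[INT_HOST], ports={4662, 6774, 6699}, label="p2p_tcp"),
    Rule("block", src=UNROUTEABLE, label="unrouteable"),
]

# Same rules, but the bogon block moved to the front and made quick,
# so it is consulted before any pass rule can end evaluation.
HARDENED = [Rule("block", quick=True, src=UNROUTEABLE, label="unrouteable")] + \
           [r for r in INBOUND if r.label != "unrouteable"]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "10.1.2.3", "192.168.1.2", 443),      # bogon source, service port
        Packet("tcp", "10.1.2.3", "192.168.1.2", 4662),     # bogon source, P2P port
        Packet("tcp", "198.51.100.7", "192.168.1.2", 4662), # routable source, P2P port
        Packet("tcp", "198.51.100.7", "192.168.1.2", 80),   # nothing opens port 80
    ]
    for p in samples:
        print(p, "original:", evaluate(INBOUND, p), "hardened:", evaluate(HARDENED, p))
```

Running it shows the bogon-sourced packet to port 443 passing under the original order (the quick `services` rule wins before the `unrouteable` block is reached) while the same source to a P2P port is blocked, because those pass rules are not quick. The model ignores the TCP-flag blocks, which are quick and sit before the pass rules, so a real SYN with `S/SA` flags still behaves as shown here.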