Hi !

Here is an old pf.conf I found that you can use as an example or template (it 
will work in OpenBSD 3.4)...
Hope it will give you some hints. By the way... the examples in OpenBSD 3.4 are 
not bad and should be easy to use as a template. Note that some rows are 
marked out and not used.

The config is for a local LAN with a separate DMZ segment and two static IPs 
on the Internet side. Note that queueing is defined but not used...


--snip--
#============================================#
# Filter created by: Per-Olov Sjoholm        #
# E-mail:            peo_s at incedo org      #
#============================================#

####################################
####### VARIABLES, INTERFACES ######
#######  AND GLOBAL OPTIONS   ######
####################################

#  -- Interfaces -- #

LAN_INT="fxp0"
DMZ1_INT="fxp1"
INTERNET_INT="fxp2"
ALL_INTERFACES="{" $LAN_INT $DMZ1_INT $INTERNET_INT "}"
INTERNET_INT_IP1="200.200.200.201"
INTERNET_INT_IP2="200.200.200.202"

#  -- Networks and hosts -- #

RFC1918="{ 10.0.0.0/8 , 172.16.0.0/12 , 192.168.0.0/16 , 127.0.0.0/8 , 255.255.255.255 , 0.0.0.0/8 , 169.254.0.0/16 , 192.0.2.0/24 }"
DMZ1_SERVERTEST1="192.168.1.12"
DMZ1_SERVERTEST2="192.168.1.13"
DMZ1_SERVERTEST3="192.168.1.14"
DNS_SERVERS="{ 81.26.228.2 , 192.71.220.10 , 81.26.228.3 , 192.71.180.46 }"
NTP_SERVERS="{ 192.36.133.17 , 192.36.133.25 , 62.119.40.98 , 62.119.40.99 , 192.36.144.22 , 192.36.144.23 }"

#  -- Global options -- #

set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 5000, adaptive.end 12000 }
set limit { states 10000, frags 10000 }
set optimization aggressive
scrub in on $INTERNET_INT all fragment reassemble


######################################
######## DEFINING QUEUEING ###########
######################################

altq on $INTERNET_INT cbq bandwidth 8Mb queue { low_ext, std_ext, high_ext, super_high_ext }
queue low_ext priority 0 cbq(borrow ecn)
queue std_ext priority 1 cbq(default)
queue high_ext priority 3 cbq
queue super_high_ext priority 5 cbq

#altq on $DMZ1_INT cbq bandwidth 100% queue { low_dmz1, std_dmz1, high_dmz1, super_high_dmz1 }
altq on $DMZ1_INT cbq bandwidth 90Mb queue { low_dmz1, std_dmz1, high_dmz1, super_high_dmz1 }
queue low_dmz1 priority 0 cbq(borrow ecn)
queue std_dmz1 priority 1 cbq(default)
queue high_dmz1 priority 3 cbq
queue super_high_dmz1 priority 5 cbq

altq on $LAN_INT cbq bandwidth 100% queue { low_lan, std_lan, high_lan, super_high_lan }
queue low_lan priority 0 cbq(borrow ecn)
queue std_lan priority 1 cbq(default)
queue high_lan priority 3 cbq
queue super_high_lan priority 5 cbq


#######################################
######## NATTING AND REDIRECTING ######
#######################################
# NAT the DMZ and LAN networks to the
# firewall's external address. We also
# redirect a few ports to DMZ private
# addresses.
nat on $INTERNET_INT from $LAN_INT:network to any -> $INTERNET_INT_IP1
nat on $INTERNET_INT from $DMZ1_INT:network to any -> $INTERNET_INT_IP1
binat on $INTERNET_INT from $DMZ1_SERVERTEST3 to any -> $INTERNET_INT_IP2
rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP1 port 8080 -> $DMZ1_SERVERTEST1 port 22
rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP1 port 8081 -> $DMZ1_SERVERTEST2 port 22
rdr on $LAN_INT proto tcp from $LAN_INT:network to any port 21 -> 127.0.0.1 port 8021
rdr on $DMZ1_INT proto tcp from $DMZ1_INT:network to any port 21 -> 127.0.0.1 port 8021


########################################
#######   SETTING THE DEFAULTS   #######
########################################
# If there is no pass in the rulesets
# below, the packet will be denied.
block log all
#block in log all
#block return-rst  in  log proto tcp all
#block return-icmp in  log proto udp all

# Permitting the FW to talk to itself
pass quick on lo0 all keep state

# I do not want to log these annoying ports.
# They would be blocked (and logged) by the
# default rule if I removed these rows.
block in quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT port { 135 139 445 }
block in quick on $INTERNET_INT inet proto udp from any to $INTERNET_INT port 137
block in quick on $INTERNET_INT inet proto tcp from any to $DMZ1_SERVERTEST3 port { 135 139 445 }
block in quick on $INTERNET_INT inet proto udp from any to $DMZ1_SERVERTEST3 port 137

# Blocking illegal flag combinations.
# They could eventually be blocked by "scrub"
# Will check that !
block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags UAPRSF/UAPRSF

# Preventing NMAP OS fingerprinting attempts
block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags PUF/PUF

# Preventing Smurf attacks
block in quick on $ALL_INTERFACES inet from any to $LAN_INT:broadcast
block in quick on $ALL_INTERFACES inet from any to $DMZ1_INT:broadcast

# Denies incoming requests from the Internet with RFC1918 source addresses
block in log quick on $INTERNET_INT inet from $RFC1918 to any

# Setting some antispoofing stuff for the
# directly connected networks
antispoof for $ALL_INTERFACES inet

# Open all outgoing connections from FW.
# Note: No "quick" keyword here !
# A later "pass out" can still match for QUEUING purposes
pass out on $ALL_INTERFACES inet proto {udp, icmp} all keep state
pass out on $ALL_INTERFACES inet proto tcp all keep state

# QUEUING goes here
# These rules can be removed, but then you lose the queuing feature.
# No security implication if removed. If you remove these you can remove
# the queue option from certain "pass" rules below.
#pass out quick on $INTERNET_INT inet proto tcp from any to any port 25 flags S/SA keep state queue (low_ext)
#pass out quick on $DMZ1_INT inet proto tcp from any to any port 25 flags S/SA keep state queue (low_dmz1)


########################################
######### MY RULESETS GO HERE ##########
########################################

# -- From LAN -- #

# Permit SSH from the LAN network to everywhere
pass in quick on $LAN_INT inet proto tcp from $LAN_INT:network to any port 22 flags S/SA keep state

# Permit the LAN to use the DHCP server on the FW
pass in log quick on $LAN_INT inet proto udp from any to $LAN_INT port 67 keep state


# UDP services running on the FW machine
pass in quick on $LAN_INT inet proto udp from $LAN_INT:network to $LAN_INT port { 53 137 138 } keep state

# TCP services running on the FW machine (except SSH)
pass in quick on $LAN_INT inet proto tcp from $LAN_INT:network to $LAN_INT port { 25 80 135 139 143 443 631 993 } flags S/SA keep state

# Permit passive and active ftp from LAN to Internet and the FTP server on the FW itself
pass in log quick on $LAN_INT inet proto tcp from $LAN_INT:network to 127.0.0.1 port { 8021 } flags S/SA keep state
pass in log quick on $LAN_INT inet proto tcp from $LAN_INT:network to { $LAN_INT $INTERNET_INT_IP1 } port { 49151 >< 49182 } flags S/SA keep state

# Permit user traffic from LAN to the Internet
pass in quick on $LAN_INT inet proto icmp from $LAN_INT:network to any icmp-type { 11 code 0 , 3 code 1 , 8 code 0 } keep state
pass in quick on $LAN_INT inet proto tcp from $LAN_INT:network to { !$DMZ1_INT:network } flags S/SA keep state
pass in quick on $LAN_INT inet proto udp from $LAN_INT:network to { !$DMZ1_INT:network } keep state


# -- From DMZ1 -- #

# Permit SSH traffic from the DMZ1 network to everywhere
pass in quick on $DMZ1_INT inet proto tcp from $DMZ1_INT:network to any port 22 flags S/SA keep state


# UDP services running on the FW machine
pass in quick on $DMZ1_INT inet proto udp from $DMZ1_INT:network to $DMZ1_INT port 53 keep state


# TCP services running on the FW machine (except SSH)
pass in quick on $DMZ1_INT inet proto tcp from $DMZ1_INT:network to $DMZ1_INT port { 25 } flags S/SA keep state

# Permit passive and active ftp from DMZ1 to Internet and the FTP server on the FW itself
pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_INT:network to 127.0.0.1 port { 8021 } flags S/SA keep state
pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_INT:network to { $DMZ1_INT $INTERNET_INT_IP1 } port { 49151 >< 49182 } flags S/SA keep state

# Permit whole DMZ1 network to use free NTP on the Internet
pass in quick on $DMZ1_INT inet proto udp from $DMZ1_INT:network to $NTP_SERVERS port 123 keep state


# -- From INTERNET -- #

# Permit SSH traffic to SERVERTEST1 and SERVERTEST2 from the Internet
pass in quick on $INTERNET_INT inet proto tcp from any to { $DMZ1_SERVERTEST1 $DMZ1_SERVERTEST2 } port 22 flags S/SA keep state

# Permit the ugly Internet to ping the FW
# pass in quick on $INTERNET_INT inet proto icmp from any to $INTERNET_INT icmp-type { 8 code 0 , 3 code 3 , 11 code 0 } keep state

# FTP backchannel rule for active FTP
pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP1 port { 49151 >< 49182 } flags S/SA user proxy keep state

# TCP services running on the FW machine
pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP1 port { 21 22 25 80 443 993 49151 >< 49182 } flags S/SA keep state
--snip--


Hope it will be usable
/Per-Olov
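As an added example (not part of Per-Olov's post or of OpenBSD), here is a small Python check that expands pf.conf macros and lists which TCP ports a ruleset like the one above passes inbound on the Internet interface, so you can confirm what a default-deny config actually exposes before loading it. It assumes each rule sits on a single line (no backslash continuations) and works on a constructed excerpt of the config above.

```python
import re

# Constructed excerpt in the style of the posted pf.conf (not the whole file).
PF_CONF = """\
INTERNET_INT="fxp2"
INTERNET_INT_IP1="200.200.200.201"
DMZ1_SERVERTEST1="192.168.1.12"
DMZ1_SERVERTEST2="192.168.1.13"
block log all
pass in quick on $INTERNET_INT inet proto tcp from any to { $DMZ1_SERVERTEST1 $DMZ1_SERVERTEST2 } port 22 flags S/SA keep state
# pass in quick on $INTERNET_INT inet proto icmp from any to $INTERNET_INT icmp-type { 8 code 0 } keep state
pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP1 port { 21 22 25 80 443 993 49151 >< 49182 } flags S/SA keep state
"""

def expand_macros(text):
    """Collect NAME="value" macros, drop comments/blank lines, substitute $NAME in rules."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"([^"]*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:
            rules.append(re.sub(r'\$(\w+)', lambda x: macros.get(x.group(1), x.group(0)), line))
    return macros, rules

def parse_ports(spec):
    """Expand a pf port spec such as '22' or '{ 21 22 49151 >< 49182 }' ('><' excludes both ends)."""
    toks, ports, i = spec.strip('{} ').replace(',', ' ').split(), set(), 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == '><':
            ports.update(range(int(toks[i]) + 1, int(toks[i + 2])))
            i += 3
        else:
            ports.add(int(toks[i]))
            i += 1
    return ports

def exposed_tcp_ports(text, ext_if):
    """Map destination -> TCP ports passed inbound on ext_if, i.e. what the ruleset exposes."""
    _, rules = expand_macros(text)
    exposed = {}
    for r in rules:
        if r.startswith('pass in') and f' on {ext_if} ' in r and ' proto tcp ' in r:
            dsts = re.search(r'\bto\s+(\{[^}]*\}|\S+)', r).group(1).strip('{} ').split()
            ports = parse_ports(re.search(r'\bport\s+(\{[^}]*\}|\S+)', r).group(1))
            for d in dsts:
                exposed.setdefault(d, set()).update(ports)
    return exposed
```

Run it against the rejoined pf.conf with `exposed_tcp_ports(open('/etc/pf.conf').read(), 'fxp2')`; rdr targets appear under their private DMZ address because pf filters on the post-translation destination.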


On Tuesday 30 December 2003 13.46, stan wrote:
> I'm still trying to configure a working pf configuration, without success.
>
> I'm building a 3.4 OpenBSD machine to replace an old OpenBSD machine that
> used ipf, and separate nat. I have a medium sized home network that connects
> via a cable modem. The cable modem appears (based upon existing logfiles) to
> be a very hostile environment. So I want a "default deny" configuration. I've
> been able to build a working config, using "default allow" but I can't even
> seem to come close on the "default deny" one.
>
> I want all the internal machines to have pretty much unrestricted outbound
> access (including ftp), and I want inbound ssh, http, mail, and sftp
> redirected transparently to various machines on the internal network.
>
> I've tried starting with the default /etc/pf.conf, and
> /usr/share/pf/faq-example1 without much success. Can anyone point me to
> some good examples?
>
> Is there any way to convert my old ipf.bat rules to the new syntax?
