Hello all, I am replacing a Cisco ASA with an OpenBSD PF NAT box for a
couple of reasons: I'm tired of paying Cisco money just to receive
updates, tired of the license limits and the device is about six years
old.

So I have an Atom server with three interfaces, one each for public/DMZ/
internal.

The current config with the ASA is the following:

external (now fxp1) ---> Firewall ---> DMZ (192.168.100.0/24) (now
fxp0) ---> Internal (192.168.200.0/24) (now re0).

I don't really want to re-IP the nodes in the DMZ so if possible I'd
like to keep everything the same. I've purchased the book of PF
version 2 but still need some assistance. Here is my pf.conf:


#MACROS
_int="re0"
lan="re0:network"

_dmz="fxp0"
dmz="192.168.100.0/24"

mailserver="192.168.100.2"
ftpwebserver="192.168.100.1"
RFC1918="{ 10/8 172.16/12 192.168/16 }"

#TABLES

#OPTIONS
set skip on lo
set block-policy drop

#NORMALIZE TRAFFIC
match in all scrub (no-df max-mss 1440)

#NAT
match out on egress from $lan to any nat-to egress
match out on egress from $dmz to any nat-to egress

#REDIRECTIONS
# One rule per server: the port list expands to one rdr-to rule per port,
# each keeping its original destination port (25 and 110 were listed twice).
match in on egress inet proto tcp from any to any \
    port { 25 110 443 465 587 995 } rdr-to $mailserver
match in on egress inet proto tcp from any to any port 80 \
    rdr-to $ftpwebserver

#BLOCK POLICY
block log all

#PROTECTION
# 'quick' is needed on these blocks: last matching rule wins, so without it
# the later 'pass out on egress ... tcp/udp' and 'pass in on egress ... to
# $mailserver' rules would match after them and override the block.
antispoof quick for { lo0 re0 fxp0 fxp1 }
block in quick on egress from $RFC1918 to any
block out quick on egress from any to $RFC1918

#AUTHORIZE PINGS
pass inet proto icmp all icmp-type { echoreq, unreach }

#FORWARDING OUT
pass out on egress inet proto tcp from any to any
pass out on egress inet proto udp from any to any

#LAN SERVICES
anchor "ftp-proxy/*"
pass in on $_int proto tcp from any to any port ftp \
    rdr-to 127.0.0.1 port 8021

#AUTHORIZED SERVICES
pass in on $_int proto tcp from $lan to any port \
    { 80 22 3000 4567 443 53 69 }
pass in quick on $_int proto udp from $lan to any port { domain 69 }

#CONSOLE ACCESS
#pass in on egress proto tcp from any to egress port 22

#DMZ SERVICES
pass in on egress proto tcp from any to $mailserver port \
    { 25 110 443 587 465 995 }
pass out on $_dmz proto tcp from any to $mailserver port \
    { 25 110 443 587 465 995 }
# 'to any' includes $lan, so this also lets the mail server open
# connections into the internal network on these ports.
pass in on $_dmz proto tcp from $mailserver to any port \
    { 25 110 587 465 995 }

#ACCESS WEB SERVICES
pass in on egress inet proto tcp from any to $ftpwebserver port 80
# The web server is in the DMZ, so the outbound leg is on $_dmz, not $_int;
# on $_int this rule never matches and 'block log all' drops the traffic.
pass out on $_dmz inet proto tcp from any to $ftpwebserver port 80

Basically I want the internal network to be able to access the DMZ but
obviously not the other way around.
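One way to write the one-way LAN-to-DMZ policy asked for here, as an added pf.conf fragment that is not part of the original post. It reuses the macros from the config above ($_int, $_dmz, $lan, $dmz, $mailserver); the port lists are assumed and should be trimmed to what the DMZ hosts actually serve.

```pf
# Added example, not from the original post. Goes after 'block log all'
# so these rules override the default deny. Port sets are assumptions.

lan_to_dmz="{ 22 25 80 110 143 443 }"

# LAN may open these ports to any DMZ host. pf keeps state per connection,
# so the DMZ's replies are allowed without a mirror rule in the other
# direction.
pass in  on $_int proto tcp from $lan to $dmz port $lan_to_dmz
pass out on $_dmz proto tcp from $lan to $dmz port $lan_to_dmz

# The DMZ may never initiate anything toward the LAN. 'quick' ends the
# evaluation here so no later, broader 'pass' (such as the existing
# 'pass in on $_dmz ... from $mailserver to any') can override it.
# Packets belonging to LAN-initiated connections are matched by state
# before the rules are consulted, so this does not break the replies.
block in quick log on $_dmz from $dmz to $lan

# What a DMZ host may initiate on its own (here: the mail server relaying
# outbound mail), written to exclude the LAN explicitly. The existing
# 'pass out on egress inet proto tcp' rule lets it leave the box.
pass in on $_dmz proto tcp from $mailserver to ! $lan port { 25 465 587 }

# Check before loading:
#   pfctl -nf /etc/pf.conf    parse only, no rules loaded
#   pfctl -sr                 show the expanded rule set (lists become
#                             one rule per element)
#   pfctl -vvsr               per-rule counters, to confirm which rule
#                             a test connection actually hit
```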
