Re: Default PF policy
"Joco Salvatti" <[EMAIL PROTECTED]> writes:

> I don't want anyone from my local network to connect to MSN and P2P
> programs, so I haven't created any rule to permit those kinds of
> packet traffic.

Sounds like a sound policy.

> But I'm facing a lot of problems due to this, because I have to
> specify packets that should pass through my internal and external
> interfaces.

This is exactly the thing PF excels at. In the first place, you can write
interface-independent pass rules as well, i.e.

    pass proto tcp from $localnet to any port $allowedports keep state

Assuming the localnet and allowedports macros (localnet or equivalent could
easily be made into a table as well, btw) have been sensibly defined.

If you're interested in reading a PF tutorial written by a self-confessed
PF rules readability zealot, you can find mine in various formats at
http://www.bgnett.no/~peter/pf/

> I'd like any ideas or tips from PF gurus about how to improve my
> firewall policies. I have an idea: allow everything at my internal
> NIC and block all at my external NIC, so all I had to do was
> specifying allowed incoming and outgoing traffic only at my
> external NIC. But I'll be waiting for (better) proposals.

Again, if all you want to do is simplify your rule set, go the
interface-independent route. There are situations where rules need to be
interface-specific, but you will discover those when you need to.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
Re: Default PF policy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joco Salvatti wrote:
> Hi all,
>
> I have an OpenBSD 3.9 machine acting as a firewall. It has two network
> interface cards, one connected to my local network and the other one
> connected to the Internet. My default policy is blocking all traffic using
>
>     block all
>
> I don't want anyone from my local network to connect to MSN and P2P
> programs, so I haven't created any rule to permit those kinds of
> packet traffic. But I'm facing a lot of problems due to this, because
> I have to specify packets that should pass through my internal and external
> interfaces. I'd like any ideas or tips from PF gurus about how to
> improve my firewall policies. I have an idea: allow everything at my
> internal NIC and block all at my external NIC, so all I had to do was
> specifying allowed incoming and outgoing traffic only at my external
> NIC. But I'll be waiting for (better) proposals.
>
> By now thanks for the time spent reading this e-mail.
>

You can approach this several different ways. If going the route where
you plan to pass all traffic in the internal interface, use the 'skip'
option:

    set skip on $if_int

If you want to allow access out for certain ports, create a macro to
store the list of ports you want to allow, then use that macro in your
filters. This makes maintenance easy because you can add/remove tcp/udp
ports as needed. If you need to restrict access on a per host/port
basis, you will need separate rules for each designated host.

    # MACROS
    lan_tcp_out = "{ 22, 25, 80, 443 }"
    lan_udp_out = "{ 53, 123 }"

    # TABLES
    table const { 2/8, 5/8, 7/8, ... }

    # FILTERS
    pass out on $if_ext inet proto tcp from $net_int to ! \
        port $lan_tcp_out modulate state flags S/SA
    pass out on $if_ext inet proto udp from $net_int to ! \
        port $lan_udp_out keep state

In the snippets above, I use the table to store certain bogon nets. See
http://www.completewhois.com/bogons/ for a list of current bogon nets.
Instructions on automating the load of this data are available at
http://www.completewhois.com/bogons/bogons_usage.htm.

If you want to not allow all traffic from the internal network, you can
extend the above snippet to handle the traffic from your lan to your
router:

    # MACROS
    lan_tcp_out = "{ 22, 25, 80, 443 }"
    lan_udp_out = "{ 53, 123 }"

    # TABLES
    table { 0/8, 10/8, 20.20.20.0/24, 127/8, \
        169.254/16, 172.16/12, 192.0.2/24, 192.168/16, 224/3, \
        255.255.255.255/32 }
    table const { 0/8, 10/8, 20.20.20.0/24, 127/8, \
        169.254/16, 172.16/12, 192.0.2/24, 192.168/16, 224/3, \
        255.255.255.255/32 }
    table const { !, ! }

    # FILTERS
    pass in on $if_int inet proto tcp from $net_int to \
        port $lan_tcp_out keep state
    pass out on $if_ext inet proto tcp from $net_int to \
        port $lan_tcp_out modulate state flags S/SA
    pass in on $if_int inet proto udp from $net_int to \
        port $lan_udp_out keep state
    pass out on $if_ext inet proto udp from $net_int to \
        port $lan_udp_out keep state

I just typed those up, so there may be inaccuracies. Hopefully you get
the idea behind the structure.

Axton Grams

-----BEGIN PGP SIGNATURE-----

iD8DBQFEjHZG2VxhVxhm8jIRAgT/AJ9DeGvQ56qK4H2coasV4X3zMzJ/2gCgqUni
5PowDKgZC+VscKI4R5RHFmE=
=hwvS
-----END PGP SIGNATURE-----
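The table names in angle brackets did not survive the list archive, so the snippets above cannot be loaded as they stand. As an added example (not code from either Peter or Axton), here is a complete pf.conf in OpenBSD 3.9 syntax that ties the two replies together: default deny with `block all`, `set skip` on the internal interface as Axton suggests, and pass rules that carry the LAN policy in macros as Peter suggests, with a named bogon table used both as a source filter on the outside and as a destination exclusion on the way out. The interface names, the LAN prefix and the table name `bogons` are assumptions.

```pf
# pf.conf for a two-NIC OpenBSD 3.9 firewall (added example; names assumed)
if_ext  = "fxp0"            # assumed: NIC facing the Internet
if_int  = "fxp1"            # assumed: NIC facing the LAN
net_int = "192.168.1.0/24"  # assumed LAN prefix
lan_tcp_out = "{ 22, 25, 80, 443 }"
lan_udp_out = "{ 53, 123 }"

# Bogon/martian prefixes (assumed table name). 'const' blocks runtime
# changes via pfctl -T add/delete; drop 'const' if you refresh it from a
# downloaded list with: pfctl -t bogons -T replace -f /etc/bogons
table <bogons> const { 0/8, 10/8, 127/8, 169.254/16, 172.16/12, \
                       192.0.2/24, 192.168/16, 224/3 }

set skip on lo0
set skip on $if_int        # no filtering on the LAN side: policy lives on $if_ext
scrub in all               # 3.9 syntax; 4.6 and later use 'match in all scrub (...)'

block all                  # default deny on every interface not skipped
block in quick on $if_ext from <bogons>    # spoofed sources stop here
antispoof quick for $if_int                # our LAN prefix arriving on $if_ext

# Outbound policy from the LAN: only the listed ports, never to a bogon.
# MSN, P2P and anything else from the LAN falls through to 'block all'.
pass out on $if_ext inet proto tcp from $net_int to !<bogons> port $lan_tcp_out \
     flags S/SA modulate state
pass out on $if_ext inet proto udp from $net_int to !<bogons> port $lan_udp_out \
     keep state
pass out on $if_ext inet proto icmp from $net_int icmp-type echoreq keep state
```

Two caveats before copying this. `set skip on $if_int` means LAN packets are never evaluated on their way in, so the only place the policy is enforced is the `pass out on $if_ext` rules; a LAN host can still reach every service on the firewall itself, which therefore has to be locked down separately. And if the box also does NAT on $if_ext, PF before 4.7 translates before it filters, so a `pass out on $if_ext ... from $net_int` rule never matches the translated packets; in that case filter `pass in on $if_int` as Axton's second snippet does, or match the translated source `($if_ext)` on the way out.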
Re: Default PF policy
Joco Salvatti wrote:

[ ... cut ... ]

> But I'm facing a lot of problems due to this, because I have to
> specify packets that should pass through my internal and external
> interfaces. I'd like any ideas or tips from PF gurus about how to
> improve my firewall policies. I have an idea: allow everything at my
> internal NIC and block all at my external NIC, so all I had to do was
> specifying allowed incoming and outgoing traffic only at my external
> NIC. But I'll be waiting for (better) proposals.

Joel Knight et al. put a significant effort into creating a special
section for PF[*] in the official FAQ. If you happen to look at it,
"Policy Filtering" via tags can be a time saver in many complicated and
multi-interface setups.

(*): http://www.openbsd.org/faq/pf/tagging.html

Regards,
bdd
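The tagging approach bdd points to, applied to this two-NIC setup, as an added example (not from the FAQ page itself or from any poster; interface names and the LAN prefix are assumptions). The policy decision is made once, on the interface where LAN traffic enters, and the external interface only has to recognise the label:

```pf
# Policy filtering with tags, OpenBSD 3.9 syntax (added example; names assumed)
if_ext  = "fxp0"            # assumed: NIC facing the Internet
if_int  = "fxp1"            # assumed: NIC facing the LAN
net_int = "192.168.1.0/24"  # assumed LAN prefix
lan_tcp_out = "{ 22, 25, 80, 443 }"
lan_udp_out = "{ 53, 123 }"

set skip on lo0
block all

# Decide once, where the traffic enters, and label what was allowed.
pass in on $if_int inet proto tcp from $net_int to any port $lan_tcp_out \
     flags S/SA keep state tag LAN_INET
pass in on $if_int inet proto udp from $net_int to any port $lan_udp_out \
     keep state tag LAN_INET

# The external side trusts the label; hosts and ports are not repeated here.
pass out on $if_ext tagged LAN_INET keep state

# LAN traffic that matched no 'tag' rule (MSN, P2P, anything not listed)
# is dropped by 'block all' on $if_int and never reaches the external rule.
```

Adding a second destination such as a DMZ is then one more `pass in on $if_int ... tag LAN_DMZ` rule plus one `pass out on $if_dmz tagged LAN_DMZ`, rather than a copy of every host/port rule per interface, which is the maintenance problem the original question describes.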
Default PF policy
Hi all,

I have an OpenBSD 3.9 machine acting as a firewall. It has two network
interface cards, one connected to my local network and the other one
connected to the Internet. My default policy is blocking all traffic using

    block all

I don't want anyone from my local network to connect to MSN and P2P
programs, so I haven't created any rule to permit those kinds of packet
traffic. But I'm facing a lot of problems due to this, because I have to
specify packets that should pass through my internal and external
interfaces. I'd like any ideas or tips from PF gurus about how to improve
my firewall policies. I have an idea: allow everything at my internal NIC
and block all at my external NIC, so all I had to do was specifying
allowed incoming and outgoing traffic only at my external NIC. But I'll
be waiting for (better) proposals.

By now thanks for the time spent reading this e-mail.

-- 
Joco Salvatti
Undergraduate in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]