Re: Default PF policy

2006-06-12 Thread Peter N. M. Hansteen
"João Salvatti" <[EMAIL PROTECTED]> writes:

> I don't want anyone from my local network to connect to MSN and P2P
> programs, so I haven't created any rule to permit those kinds of
> packet traffic.

Sounds like a sound policy.

> But I'm facing a lot of problems due to this, because I have to
> specify packets that should pass through my internal and external
> interfaces.

This is exactly the thing PF excels at.  In the first place, you can
write interface-independent pass rules as well, i.e.

pass proto tcp from $localnet to any port $allowedports keep state

Assuming the localnet and allowedports macros (localnet or equivalent
could easily be made into a table as well btw) have been sensibly
defined.

If you're interested in reading a PF tutorial written by a
self-confessed PF rules readability zealot, you can find mine in
various formats at http://www.bgnett.no/~peter/pf/

> I'd like any ideas or tips from PF gurus about how to improve my
> firewall policies. I have an idea: allow everything at my internal
> NIC and block all at my external NIC, so all I would have to do is
> specify allowed incoming and outgoing traffic only at my
> external NIC. But I'll be waiting for (better) proposals.

Again, if all you want to do is simplify your rule set, go the
interface-independent route.  There are situations where rules need to
be interface specific, but you will discover those when you need to.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds



Re: Default PF policy

2006-06-11 Thread Axton Grams

João Salvatti wrote:
> Hi all,
> 
> I have an OpenBSD 3.9 machine acting as a firewall. It has two network
> interface cards, one connected to my local network and the other one
> connected to the Internet. My default policy is blocking all traffic using
> 
> block all
> 
> I don't want anyone from my local network to connect to MSN and P2P
> programs, so I haven't created any rule to permit those kinds of
> packet traffic. But I'm facing a lot of problems due to this, because
> I have to specify packets that should pass through my internal and external
> interfaces. I'd like any ideas or tips from PF gurus about how to
> improve my firewall policies. I have an idea: allow everything at my
> internal NIC and block all at my external NIC, so all I would have to do is
> specify allowed incoming and outgoing traffic only at my external
> NIC. But I'll be waiting for (better) proposals.
> 
> For now, thanks for the time spent reading this e-mail.
> 

You can approach this several different ways.

If you go the route where you plan to pass all traffic on the internal
interface, use the 'skip' option:

set skip on $if_int


If you want to allow access out for certain ports, create a macro to
store the list of ports you want to allow, then use that macro in your
filters.  This makes maintenance easy because you can add/remove tcp/udp
ports as needed.  If you need to restrict access on a per host/port
basis, you will need separate rules for each designated host.

# MACROS
lan_tcp_out = "{ 22, 25, 80, 443 }"
lan_udp_out = "{ 53, 123 }"

# TABLES
table  const { 2/8, 5/8, 7/8, ... }

# FILTERS
pass out on $if_ext inet proto tcp from $net_int to ! \
 port $lan_tcp_out modulate state flags S/SA
pass out on $if_ext inet proto udp from $net_int to ! \
 port $lan_udp_out keep state



In the snippets above, I use the  table to store certain bogon
nets.  See http://www.completewhois.com/bogons/ for a list of current
bogon nets.  Instructions on automating the load of this data are
available at http://www.completewhois.com/bogons/bogons_usage.htm.


If you don't want to allow all traffic from the internal network, you can
extend the above snippet to handle the traffic from your LAN to your router:

# MACROS
lan_tcp_out = "{ 22, 25, 80, 443 }"
lan_udp_out = "{ 53, 123 }"

# TABLES
table  { 0/8, 10/8, 20.20.20.0/24, 127/8, \
169.254/16, 172.16/12, 192.0.2/24, 192.168/16, 224/3, \
255.255.255.255/32 }
table  const { 0/8, 10/8, 20.20.20.0/24, 127/8, \
169.254/16, 172.16/12, 192.0.2/24, 192.168/16, 224/3, \
255.255.255.255/32 }
table  const { !, ! }



# FILTERS
pass in  on $if_int inet proto tcp from $net_int to  \
 port $lan_tcp_out keep state
pass out on $if_ext inet proto tcp from $net_int to  \
 port $lan_tcp_out modulate state flags S/SA

pass in  on $if_int inet proto udp from $net_int to  \
 port $lan_udp_out keep state
pass out on $if_ext inet proto udp from $net_int to  \
 port $lan_udp_out keep state


I just typed those up, so there may be inaccuracies.  Hopefully you get
the idea behind the structure.

Axton Grams
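As an added example (not code from Peter's or Axton's message), here is one complete pf.conf that combines the interface-independent pass rules Peter describes with the macro and table structure Axton sketches, for the "block all, allow only listed ports from the LAN" policy in the original question. Interface names, the local network and the bogon file path are assumptions.

```pf
# Added example: complete rule set for a "block all, allow only listed
# ports from the LAN" policy. Interface names, addresses and the bogon
# file path are assumptions, not values from the thread.
ext_if = "fxp0"                       # assumed external interface
int_if = "fxp1"                       # assumed internal interface
lan_tcp_out = "{ 22, 25, 80, 443 }"   # TCP services the LAN may reach
lan_udp_out = "{ 53, 123 }"           # UDP services the LAN may reach

# Hosts allowed through the firewall (assumed address space)
table <localnet> { 192.168.1.0/24 }
# Address space that should never be a destination on the Internet;
# refresh it with: pfctl -t bogons -T replace -f /etc/bogons
table <bogons> persist file "/etc/bogons"

set skip on lo0

# Packets claiming a LAN source on any other interface are spoofed
antispoof quick for $int_if

# Default policy: nothing passes unless a rule below says so. MSN, P2P
# and anything else not in the port lists stops here; log it so the
# blocked attempts show up in pflog for review.
block log all

# Never forward traffic to bogon space, whatever the rules below allow
block out quick on $ext_if from any to <bogons>

# Interface independent pass rules: no "in on $int_if" / "out on
# $ext_if" pair is needed, the one rule matches on every interface.
pass proto tcp from <localnet> to any port $lan_tcp_out \
    flags S/SA modulate state
pass proto udp from <localnet> to any port $lan_udp_out keep state

# The firewall itself still needs name resolution and time
pass out on $ext_if proto { tcp, udp } from $ext_if to any \
    port { 53, 123 } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and keep in mind that allowing 80 and 443 still lets clients that tunnel over HTTP through; the port list is a policy on services, not on applications.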



Re: Default PF policy

2006-06-11 Thread Berk D. Demir

João Salvatti wrote:

[ ... cut ... ]
But I'm facing a lot of problems due to this, because
I have to specify packets that should pass through my internal and external
interfaces. I'd like any ideas or tips from PF gurus about how to
improve my firewall policies. I have an idea: allow everything at my
internal NIC and block all at my external NIC, so all I would have to do is
specify allowed incoming and outgoing traffic only at my external
NIC. But I'll be waiting for (better) proposals.


Joel Knight et al. put significant effort into creating a special section
for PF[*] in the official FAQ.

If you happen to look at it, "Policy Filtering" via tags can be a time
saver in many complicated and multi interface setups.

(*): http://www.openbsd.org/faq/pf/tagging.html

Regards,
bdd
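As an added illustration of the tag-based policy filtering Berk points to (not code from the FAQ or from the thread), assuming the interface names and networks below; it goes one step beyond the original question by adding a second internal network to show why tags scale:

```pf
# Added example: policy filtering with tags. Interface names and the
# networks are assumptions, not values from the thread.
ext_if = "fxp0"      # assumed external interface
int_if = "fxp1"      # assumed internal interface
dmz_if = "fxp2"      # assumed second internal interface
lan_tcp_out = "{ 22, 25, 80, 443 }"
lan_udp_out = "{ 53, 123 }"
table <localnet> { 192.168.1.0/24 }
table <dmznet>   { 192.168.2.0/24 }

set skip on lo0
block log all

# Classify on the ingress interface: the decision about what each
# network may reach is taken once here and recorded in the tag.
pass in on $int_if proto tcp from <localnet> to any port $lan_tcp_out \
    tag INET_OK
pass in on $int_if proto udp from <localnet> to any port $lan_udp_out \
    tag INET_OK
# The DMZ gets a narrower policy but the same tag
pass in on $dmz_if proto udp from <dmznet> to any port 53 tag INET_OK

# Enforce on the egress interface: one stateful rule per protocol
# instead of one per network and protocol. State is floating by
# default, so replies are matched on the way back in and out on the
# inner interface without further rules. Anything reaching $ext_if
# without the tag falls through to "block log all".
pass out on $ext_if proto tcp tagged INET_OK flags S/SA modulate state
pass out on $ext_if proto udp tagged INET_OK keep state
```

Adding a third internal network then means one more classification rule, while the egress rules and the logging of untagged traffic stay as they are.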



Default PF policy

2006-06-11 Thread João Salvatti

Hi all,

I have an OpenBSD 3.9 machine acting as a firewall. It has two network
interface cards, one connected to my local network and the other one
connected to the Internet. My default policy is blocking all traffic using

block all

I don't want anyone from my local network to connect to MSN and P2P
programs, so I haven't created any rule to permit those kinds of
packet traffic. But I'm facing a lot of problems due to this, because
I have to specify packets that should pass through my internal and external
interfaces. I'd like any ideas or tips from PF gurus about how to
improve my firewall policies. I have an idea: allow everything at my
internal NIC and block all at my external NIC, so all I would have to do is
specify allowed incoming and outgoing traffic only at my external
NIC. But I'll be waiting for (better) proposals.

For now, thanks for the time spent reading this e-mail.

--
João Salvatti
Undergraduate student in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]