Setting up a firewall
A structured page about configuring PF, the OpenBSD firewall program, is coming soon. In the meantime you might like to view my /etc/pf.conf file below. It has comments to make things clearer.
You can also download it:
- pf.conf (plaintext)
- pf.conf.gz (gzipped)
My /etc/pf.conf:
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
#
# <bof>
#########################################
# *** START MACRO & TABLE DEFINITIONS ***
#
# Macros are expanded textually by pfctl when the ruleset is loaded; tables
# hold address lists that can be changed at runtime with "pfctl -t <name> -T".
#
# Loopback side: device name, address and network
loc_if = "lo0"
loc_addr = "127.0.0.1"
loc_net = "127.0.0.1/32"
# Internal (LAN) side: device name, address and network
int_if = "xl0"
int_addr = "192.168.0.3"
int_net = "192.168.0.0/24"
# External (Internet) side: device name, address and network
ext_if = "rl0"
ext_addr = "132.175.118.161"
ext_net = "132.175.118.161/32"
# Port range used for the ftp-proxy data connections ("><" = exclusive bounds)
ftp_ports = "{ 50042 >< 52042 }"
# ICMP types accepted from the outside (echo request only)
icmp_types = "echoreq"
# Stateful-filtering fragments so the filter rules read uniformly:
#   UDP/ICMP: plain state tracking
#   TCP:      only a bare SYN (S set, A clear) may open a connection, and the
#             initial sequence numbers are modulated
sf_udp = "keep state"
sf_icmp = "keep state"
sf_tcp = "flags S/SA modulate state"
# Source-address allow-lists consumed by the POP3 and syslog pass rules
table <popxs> { 180.126.21.182, 243.73.176.15, 243.73.158.228 }
table <syslxs> { 132.175.117.104 }
#
# *** END MACRO & TABLE DEFINITIONS ***
#######################################
###################################################
# *** START OPTIONS, SCRUBBING & QUEUEING RULES ***
#
# Options: tune the behavior of pf, default values are given.
# (The commented-out "set" lines below only document pf's defaults; they are
#  not active and are kept for reference.)
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
# Options that suit us better than the defaults
# block-policy return: a blocked TCP packet is answered with an RST and other
# blocked traffic with an ICMP unreachable instead of being silently dropped.
# Legitimate clients fail fast, but a scanner can tell a filter is present.
# Rules that say "block drop" explicitly override this per rule; the final
# catch-all "block log quick all" in the filter section uses this policy.
set block-policy return
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
# Applied to all inbound traffic on every interface before the filter rules,
# so fragment/overlap tricks cannot be used to slip past the rules below.
scrub in all
# Queueing: rule-based bandwidth control (ALTQ). Disabled; kept as an example.
#altq on $ext_if bandwidth 15Kb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%
#
# *** END OPTIONS, SCRUBBING & QUEUEING RULES ***
#################################################
#######################################
# *** START NAT & REDIRECTION RULES ***
#
# Translation rules are first-match (see the header). They rewrite the packet
# before the filter rules run, so the filter rules must match the *translated*
# packet, e.g. "to 192.168.0.110" for the redirects below.
#
# NAT: Do some NAT favors for the internal net (-:
# Everything from the LAN leaving $ext_if is masqueraded as $ext_addr.
nat on $ext_if from $int_net to any -> $ext_addr
# RDR: Redirect eDonkey2000/Overnet and WinMX traffic to my laptop
# (this exposes the laptop on these four ports to the whole Internet; the
#  matching "pass in" rules live in the filter section)
rdr on $ext_if proto tcp to $ext_if port 4662 -> 192.168.0.110 port 4662 # eDonkey
rdr on $ext_if proto udp to $ext_if port 4665 -> 192.168.0.110 port 4665 # eDonkey
rdr on $ext_if proto tcp to $ext_if port 6699 -> 192.168.0.110 port 6699 # WinMX
rdr on $ext_if proto udp to $ext_if port 6257 -> 192.168.0.110 port 6257 # WinMX
# RDR: Redirect outgoing FTP requests to the ftp-proxy
# FTP control connections from the LAN are transparently handed to ftp-proxy
# on lo0:8021; the active-mode data connections from the FTP server then
# arrive on $ext_if and are passed by the "user proxy" filter rule.
rdr on $int_if proto tcp from any to any port ftp -> $loc_if port 8021
# RDR: spamd-setup puts addresses to be redirected into table <spamd>.
# "persist" keeps the table even while it is empty. The rdr below has no "on"
# clause, so it applies on every interface; the "no rdr on lo0" exception is
# presumably there so the connection, once redirected to lo0:8025, is not
# matched by the same rdr a second time on the loopback interface.
table <spamd> persist
no rdr on $loc_if all
rdr inet proto tcp from <spamd> to any port smtp -> $loc_if port 8025
#
# *** END NAT & REDIRECTION RULES ***
######################################
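#########################################
# *** START (STATEFUL) FIREWALL RULES ***
#
# Filter rules are last-match, so "quick" is used on every rule to make the
# first match final; the catch-all block at the end is the default policy.
#
# External interface: anti-spoofing measures; with logging.
# Nothing arriving from the Internet may carry a loopback, RFC 1918 private
# or our own external address as its source. (pf's "antispoof for $ext_if"
# covers the interface's own address/network only, hence the explicit list.)
block drop in quick log on $ext_if from 127.0.0.0/8 to any
block drop in quick log on $ext_if from 10.0.0.0/8 to any
block drop in quick log on $ext_if from 172.16.0.0/12 to any
block drop in quick log on $ext_if from 192.168.0.0/16 to any
block drop in quick log on $ext_if from $ext_addr to any
# External interface: drop ASAP Windows SMB & MS-SQL related packets; no logging
# (135 RPC, 137-139 NetBIOS, 445 direct-hosted SMB, 1433/1434 MS-SQL TCP/UDP).
# Nothing below passes these ports anyway; this only keeps the noise out of the log.
block drop in quick on $ext_if proto { tcp, udp } to port { 135, 137, 138, 139, 445, 1433, 1434 }
# NOTE(review): matching on *source* port is weak (a sender picks its own
# source port) and a legitimate client whose ephemeral source port happens to
# be 1433 is silently dropped here; kept because it only affects new connections.
block drop in quick on $ext_if proto { tcp, udp } from port { 135, 137, 138, 139, 1433 }
# External interface: drop UDP port 4669 crap without logging
block drop in quick on $ext_if proto udp to port 4669
# External interface: drop ASAP spammers; no logging
block drop in quick on $ext_if from 202.84.15.0/24 to any # Hongkong.com crap
# External interface: drop crap we don't want to see in our logs
block drop in quick on $ext_if to 0.0.0.0/32
block drop in quick on $ext_if from 0.0.0.0/32
block drop in quick on $ext_if to 224.0.0.0/4
block drop out quick on $ext_if to 224.0.0.0/4
block drop in quick on $ext_if to 255.255.255.255/32
block drop in quick on $ext_if from 255.255.255.255/32
# Local interface: loopback traffic is trusted unconditionally
pass in quick on $loc_if all
pass out quick on $loc_if all
# Internal interface: the whole LAN is trusted, no filtering and no state here
# (state for forwarded traffic is created on $ext_if).
# NOTE(review): this also forwards spoofed sources coming from the LAN;
# restrict "pass in" to "from $int_net" if LAN hosts are not fully trusted.
pass in quick on $int_if all
pass out quick on $int_if all
# External interface: incoming eDonkey2000/Overnet and WinMX traffic to my laptop
# (destination already rewritten by the rdr rules). Stateful like the other
# inbound rules, so only a proper SYN can open a TCP connection to the laptop.
pass in quick on $ext_if proto tcp to 192.168.0.110 port 4662 $sf_tcp # eDonkey
pass in quick on $ext_if proto udp to 192.168.0.110 port 4665 $sf_udp # eDonkey
pass in quick on $ext_if proto tcp to 192.168.0.110 port 6699 $sf_tcp # WinMX
pass in quick on $ext_if proto udp to 192.168.0.110 port 6257 $sf_udp # WinMX
# External interface: UDP incoming connections
# NOTE(review): DNS is open to the whole Internet; make sure the name server
# does not recurse for arbitrary clients, or restrict the rule with a table.
pass in quick on $ext_if proto udp to $ext_if port 53 $sf_udp
pass in quick on $ext_if proto udp from <syslxs> to $ext_if port 514 $sf_udp
# External interface: TCP incoming connections
pass in quick on $ext_if proto tcp to $ext_if port 22 $sf_tcp
pass in quick on $ext_if proto tcp to $ext_if port 25 $sf_tcp
pass in quick on $ext_if proto tcp to $ext_if port 80 $sf_tcp
pass in quick on $ext_if proto tcp from <popxs> to $ext_if port 110 $sf_tcp
# NOTE(review): ident (113) has little value; with block-policy return a
# plain block would answer the client just as fast without exposing a service.
pass in quick on $ext_if proto tcp to $ext_if port 113 $sf_tcp
pass in quick on $ext_if proto tcp to $loc_if port 8025 $sf_tcp
# Active-mode FTP data connections for ftp-proxy: only from source port 20,
# only into the proxy's port range, and only to sockets owned by user "proxy".
pass in quick on $ext_if proto tcp from any port 20 to $ext_if port $ftp_ports user proxy $sf_tcp
# External interface: ICMP incoming connections (echo request only)
pass in quick on $ext_if proto icmp to $ext_if icmp-type $icmp_types $sf_icmp
# External interface: outgoing connections; stateful so the replies get back in
pass out quick on $ext_if proto tcp all $sf_tcp
pass out quick on $ext_if proto { udp, icmp } all $sf_udp
# All interfaces: block (and log) everything not explicitly passed above.
# Uses the global block-policy (return), so blocked probes get an RST/unreachable.
block log quick all
#
# *** END (STATEFUL) FIREWALL RULES ***
#######################################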
#####################################################
# *** START QUEUE ASSIGNMENTS FOR OUTGOING TRAFFIC ***
#
# Assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
#
# *** END QUEUE ASSIGNMENTS FOR OUTGOING TRAFFIC ***
###################################################
# <eof>