Date: Tue, 17 May 2005 16:19:44 -0400 From: "dave" <dmehler26@woh.rr.com> To: "Odhiambo Washington" <wash@wananchi.com>, <freebsd-pf@freebsd.org> Subject: Re: pf and mpd Message-ID: <000701c55b1d$c422c780$0200a8c0@satellite> References: <000201c55b1c$66036e80$0200a8c0@satellite> <20050517201441.GB59011@ns2.wananchi.com>
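Hello, Thanks for your reply. Ok, below is my pf.conf file. Thanks. Dave.

# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
#
# Corrections against the version as posted:
#  - the LAN macro was missing its closing quote, so pfctl rejects the file
#  - macro references are case-sensitive: $LAN_clients, $LAN_firewall,
#    $LAN_admin, $LAN_server and $LAN_to_FW_services did not match the
#    upper-case definitions and would fail with "macro not defined"
#  - a negated entry inside a list ({ ... !10.40.224.1 }) does not exclude
#    that host from the other entries; the list expands into a separate
#    "from !10.40.224.1" rule, which (with quick) blocks nearly everything
#    inbound on EXT. A table is used instead, where "!" really excludes.

# define the two interface macros
EXT = "ep0"
LAN = "ep1"

# define some address macros
LAN_SERVER = "192.168.0.3"
LAN_FIREWALL = "192.168.0.254"
LAN_CLIENTS = "192.168.0.0/24"
LAN_ADMIN = "192.168.0.0/24"

# non-routeable source addresses used in spoof attacks originating from the internet.
# 10.40.224.1 is carved out of 10.0.0.0/8 by table negation; presumably the
# upstream (cable/mpd) gateway lives there - verify before relying on it.
table <private_blocks> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, !10.40.224.1 }

# define some service macros
LAN_TO_INT_SERVICES = "{ ftp-data, ftp, domain, cvsup, ssh, smtp, http, pop3, imap, https, imaps, pop3s, 8000, 8880, 8080, 1793, 1794, 1795, 1790, 1791, 1792 }"
INT_TO_LAN_SERVICES = "{ www, https, ssh, smtp, pop3, pop3s, 8000, 1723 }"
LAN_TO_FW_SERVICES = "{ ssh }"
FW_TO_LAN_SERVICES = "{ ssh }"

# options
# expire state connections early
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# normalize packets to prevent fragmentation attacks
scrub in on $EXT all

# translate lan client addresses to that of EXT
nat on $EXT from $LAN_CLIENTS to any -> ($EXT)

# redirections
rdr on $EXT proto tcp from any to any port 80 -> $LAN_SERVER port 80
rdr on $EXT inet proto tcp from any os "Windows" to any port 25 -> 127.0.0.1 port 8025

# redirect lan client active FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host via inetd. The inetd.conf
# listener must be on port 8021 to match this rule (the old comment said 8081).
# NOTE(review): filter rules see the translated packet, so a pass rule on $LAN
# to 127.0.0.1 port 8021 is needed for this to work; none exists below.
rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# pass loopback traffic
pass quick on lo0 all

# block windows email relays
# NOTE(review): the rdr above has already rewritten these packets to
# 127.0.0.1 port 8025, so this rule no longer matches them; they end up
# dropped by "block in on $EXT all" because nothing passes port 8025.
# Keep either the rdr (spamd-style) or this block, not both.
block in quick on $EXT inet proto tcp from any os "Windows" to any port 25

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# silently block and drop broadcast cable modem noise
block in quick on $EXT from any to 255.255.255.255

# Block bad tcp flags from malicious people and nmap scans
block in quick on $EXT proto tcp from any to any flags /S
block in quick on $EXT proto tcp from any to any flags /SFRA
block in quick on $EXT proto tcp from any to any flags /SFRAU
block in quick on $EXT proto tcp from any to any flags A/A
block in quick on $EXT proto tcp from any to any flags F/SFRA
block in quick on $EXT proto tcp from any to any flags U/SFRAU
block in quick on $EXT proto tcp from any to any flags SF/SF
block in quick on $EXT proto tcp from any to any flags SF/SFRA
block in quick on $EXT proto tcp from any to any flags SR/SR
block in quick on $EXT proto tcp from any to any flags FUP/FUP
block in quick on $EXT proto tcp from any to any flags FUP/SFRAUPEW
block in quick on $EXT proto tcp from any to any flags SFRAU/SFRAU
block in quick on $EXT proto tcp from any to any flags SFRAUP/SFRAUP
# (a second "all flags FUP/FUP" rule matched exactly the same packets as the
#  FUP/FUP rule above and has been dropped)

# immediately prevent packets with invalid addresses from entering or exiting EXT (anti-spoofing measure)
block drop in quick on $EXT inet from <private_blocks> to any
# outbound leg left disabled, as posted
#block drop out quick on $EXT inet from any to <private_blocks>

# prevent lan originated spoofing from occurring
antispoof for $EXT inet

# block everything from entering EXT
block in on $EXT all

# preventing invalid internet UDP and TCP requests from timing out
block return in on $EXT proto { udp, tcp } all

# allow internet requests to enter EXT
# in order to contact our lan server (keep state on this connection)
pass in on $EXT \
    inet proto tcp \
    from any to $LAN_SERVER \
    port $INT_TO_LAN_SERVICES \
    flags S/AUPRFS \
    synproxy state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in on $EXT \
    inet proto tcp \
    from any port 20 \
    to $EXT port 55000 >< 57000 \
    user proxy \
    flags S/SA keep state

# block everything from exiting EXT
block out on $EXT all

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out on $EXT \
    inet proto udp \
    from $EXT to any \
    port 53 \
    keep state

# Allow UDP requests to port 67/68 (dhcp) and 123 (ntp) from firewall to exit EXT
# in order to contact internet dhcp and time servers (keep state on this connection)
pass out log on $EXT \
    proto udp \
    from $EXT to any \
    port { 67, 68, 123 } \
    keep state

# allow lan client traffic (after natting is performed) to exit EXT
# in order to contact internet servers (keep state on this connection)
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port $LAN_TO_INT_SERVICES \
    flags S/AUPRFS modulate state

# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan admin
pass out on $EXT \
    inet proto icmp \
    from $EXT to any \
    icmp-type 8 \
    keep state

# allow ftp active requests out
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 20 \
    flags S/AUPRFS modulate state

# allow firewall to contact ftp server on behalf of passive ftp client
# on control port 21
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 21 \
    flags S/AUPRFS modulate state

# allow firewall to contact ftp server on behalf of passive ftp client
# on standard unprivileged port range ( > 1024 )
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port > 1024 \
    flags S/AUPRFS modulate state

# block everything from entering LAN
block in on $LAN all

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass in on $LAN \
    inet proto udp \
    from $LAN_CLIENTS to $LAN_FIREWALL \
    port 53 \
    keep state

# allow lan traffic from lan clients to enter lan
# in order to contact internet web servers (keep state on this connection)
pass in on $LAN \
    inet proto tcp \
    from $LAN_CLIENTS to any \
    port $LAN_TO_INT_SERVICES \
    flags S/AUPRFS modulate state

# lan admin connects to firewall via ssh for administrative purposes
pass in on $LAN \
    inet proto tcp \
    from $LAN_ADMIN to $LAN_FIREWALL \
    port $LAN_TO_FW_SERVICES \
    modulate state

# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in on $LAN \
    inet proto icmp \
    from $LAN_ADMIN to any \
    icmp-type 8 \
    keep state

# block everything from exiting LAN
block out on $LAN all

# allow internet requests to exit lan
# in order to contact our web server (keep state on this connection)
pass out on $LAN \
    inet proto tcp \
    from any to $LAN_SERVER \
    port $INT_TO_LAN_SERVICES \
    flags S/AUPRFS synproxy state

# firewall connects to the lan server via scp/ssh for backup purposes
pass out on $LAN \
    inet proto tcp \
    from $LAN_FIREWALL to $LAN_SERVER \
    port $FW_TO_LAN_SERVICES \
    modulate state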