Example pf.conf for OpenBSD Firewall
Why?
I won't get into the full setup of an OpenBSD firewall. If you need that kind of information I recommend the OpenBSD website, as its documentation is stellar. This is just a starting point for someone looking for a secure firewall with QoS running OpenBSD. NOTE: PF IS THE R0XoR 31337 Firewall! Add in CARP failover and kiss those dumb sidewinders goodbye!
This file would go in /etc/pf.conf. You would need to make sure that pf is enabled in /etc/rc.conf and /etc/sysctl.conf. Without further ado, here it is!
# NOTE: this is the older (pre-OpenBSD 4.7) ruleset syntax: separate scrub/nat/rdr
# rules, explicit "keep state", and altq queueing. Newer releases fold these into
# match/pass rules (scrub, nat-to, rdr-to) and replaced altq with the queue framework.
# Block those DDOS people: cap the state and fragment tables
set limit { states 20000, frags 20000 }
# Optimize those packets! (aggressive expires idle states quickly; long-idle
# sessions such as parked ssh logins may get cut)
set optimization aggressive
# Ha you know you were blocked! (answer blocked packets with RST/ICMP unreachable
# instead of dropping them silently)
set block-policy return
ext_if = "fxp0"
int_if = "xl0"
# Apparently this helps with something way above my head.
# What it does: of the flags S,A,F,R,U,P only SYN may be set, so state is only
# created by the first packet of a new connection, never by a stray ACK/FIN/RST.
TCP_OPTIONS = "flags S/SAFRUP keep state"
# List of private nets
# http://www.iana.org/assignments/ipv4-address-space
# http://rfc.net/rfc1918.html
reserved = "{
0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8,
169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16,
224.0.0.0/3, 255.255.255.255 }"
# Things opened to server
tcp_services = "{ 22, 443 }"
# Linboxen stuff i open in/out
linboxen = "192.168.1.102"
# Vonage ata box
vonage = "192.168.1.105"
# Ports and such
emuleTCP = "4662"
emuleUDP = "4672"
dcc = "6789"
# We are going to block ssh people trying to hack in.
# The table name was lost from the original listing (the <name> was eaten as HTML);
# <sshbrute> is a placeholder, pick any name but keep it consistent with the block
# rule at the end. Nothing in this file adds addresses to the table by itself:
# fill it with "pfctl -t sshbrute -T add <addr>" or with an "overload <sshbrute>"
# state option on the ssh pass rule.
table <sshbrute> persist
# There is a rule if you want to set what internal network has access to
allowed_outgoing = "{ ssh, smtp, finger, http, https, pop3, nntp, cvspserver,
5190, 6667, 7070, 11371 }"
####
# scrub rules.
#
# scrub in all # borks with linux nfs
scrub in on $ext_if all # so we do it only on ext_if
scrub in on $int_if all no-df # but no-df fixes it again :)
####
# altq rules.
#
altq on $ext_if priq bandwidth 768Kb queue { std_out, vonage_out }
queue vonage_out priority 10 priq(red)
queue std_out priority 5 priq(red default)
####
# Nat rules
#
nat on $ext_if inet from $int_if/24 to any -> ($ext_if)
# Let ssh go to linboxen if connect is on 2222
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2222 -> $linboxen port ssh
# Transparent squid
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# FTP Proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
####
# pf rules
#
# Remove the log keyword if I'm getting DDoSed by crackers (logging every blocked
# packet costs CPU and disk).
block out log on $ext_if all
block in log on $ext_if all
# Try a fake return scan on me….HA!
block return-rst out on $ext_if proto tcp all
block return-rst in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp in on $ext_if proto udp all
# screw with nmap
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF
# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255
####
# ALIENS/SPOOFERS
#
# These guys must be spoofing.
block in quick on $ext_if from $reserved to any
block out quick on $ext_if from $reserved to any
# antispoof _has_ to be preceded with pass in quick on lo0 all.
pass in quick on lo0 all
antispoof for { lo0, $int_if, $ext_if }
####
# ICMP
#
# Only let ping in and out
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
####
# UDP
#
# outgoing UDP. No "quick" here: with quick, this catch-all would match first and
# the more specific Vonage rule further down would never get its packets into
# the vonage_out queue (pf is last-match-wins unless quick is used).
pass out on $ext_if proto udp all keep state
# incoming UDP
# Only if you are running a public dns-server.
# pass in on $ext_if proto udp from any to any port 53 keep state
# pass in quick on $ext_if proto udp from (whatever my remote static IP is) port = isakmp to \
# $ext_if port = isakmp keep state
# pass out quick on $ext_if proto udp from $ext_if port = isakmp to \
# (whatever my remote static IP is) port = isakmp keep state
####
# TCP
#
####
# Outgoing TCP
# This is easy: pass out all TCP connections. I think I can trust the inside network :)
pass out quick on $ext_if proto tcp all keep state queue std_out
# This is much more secure. Exploits like with bind/irssi configure
# scripts wont work any more. But it’s more work.
# Protocols allowed to get out.
# pass out quick on $ext_if inet proto tcp from $ext_if to \
# any port $allowed_outgoing keep state
# # FTP proxy to allow passive connections to go out:
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port ftp $TCP_OPTIONS
pass out quick on $ext_if inet proto tcp from ($ext_if) to any user proxy $TCP_OPTIONS
# # FTP Proxy to allow active connections to get in:
pass in quick on $ext_if inet proto tcp from any to ($ext_if) user proxy $TCP_OPTIONS
# Squid Proxy
pass out on $ext_if inet proto tcp from any to any port www keep state
####
# Incoming TCP
# This is the list with specific services that are allowed on my
# machines.
# Older form of the "to the server!" rule further down; $server is never defined
# in this file, so it stays commented out.
#pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $server $TCP_OPTIONS
# dcc for IRC
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 6789 $TCP_OPTIONS
# Vonage
pass out on $ext_if inet proto udp from $vonage to any keep state queue vonage_out
# Emule traffic. Packets from outside arrive addressed to ($ext_if), not to
# $linboxen, so this only matches if an rdr rule above sends port $emuleTCP to
# $linboxen first (none does yet).
pass in quick on $ext_if inet proto tcp from any to $linboxen port $emuleTCP $TCP_OPTIONS
# Torrent traffic
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 6881:6891 $TCP_OPTIONS
# Squid Proxy
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
# enemy territory
pass in quick on $ext_if proto udp from any to $int_if port 27960 keep state
# to the server!
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
# Block script kiddies trying to get in on ssh
# <sshbrute> is a placeholder for the table name lost from the original listing;
# it must match the "table <...> persist" declaration near the top.
block in log quick on $ext_if proto tcp from <sshbrute> to any port 22
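As an added sanity check, not part of the original post, here is a small Python lint run over a constructed excerpt written in this config's style. It flags the defects a hand-edited listing like the one above is prone to: a table declared without a name, a rule referencing a macro that was never defined (the $server case), a rule using a table nobody declared, and a pass rule queueing into a queue no altq line created. On the box itself, pfctl -nf /etc/pf.conf is still the authoritative check.

```python
import re

# Constructed excerpt in the style of the page's pf.conf (not the original
# file). It deliberately carries a nameless table, an undefined $server macro,
# a <sshbrute> reference with no matching declaration and an undeclared queue.
SAMPLE = """
ext_if = "fxp0"
vonage = "192.168.1.105"
tcp_services = "{ 22, 443 }"
table persist
altq on $ext_if priq bandwidth 768Kb queue { std_out, vonage_out }
queue std_out priority 5 priq(red default)
pass out quick on $ext_if proto tcp all keep state queue std_out
pass out on $ext_if proto udp from $vonage to any keep state queue vonage_out
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $server
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services keep state
block in log quick on $ext_if proto tcp from <sshbrute> to any port 22
"""

MACRO_DEF = re.compile(r"^\s*([A-Za-z_]\w*)\s*=")
MACRO_USE = re.compile(r"\$([A-Za-z_]\w*)")
TABLE_DEF = re.compile(r"^\s*table\s+<(\w+)>")
TABLE_USE = re.compile(r"<(\w+)>")
QUEUE_DEF = re.compile(r"^\s*queue\s+(\w+)")
QUEUE_USE = re.compile(r"\bqueue\s+(\w+)\s*$")  # "queue name" ending a pass rule

def lint(conf):
    """Return 'line: problem' strings for dangling references in a pf.conf."""
    lines = [ln.split("#", 1)[0].rstrip() for ln in conf.splitlines()]  # drop comments
    macros = {m.group(1) for ln in lines if (m := MACRO_DEF.match(ln))}
    tables = {m.group(1) for ln in lines if (m := TABLE_DEF.match(ln))}
    queues = {m.group(1) for ln in lines if (m := QUEUE_DEF.match(ln))}
    findings = []
    for n, ln in enumerate(lines, 1):
        if re.match(r"\s*table\b", ln) and not TABLE_DEF.match(ln):
            findings.append(f"{n}: 'table' without a <name>")
        for u in MACRO_USE.findall(ln):
            if u not in macros:
                findings.append(f"{n}: undefined macro ${u}")
        for t in TABLE_USE.findall(ln):
            if t not in tables:
                findings.append(f"{n}: table <{t}> referenced but never declared")
        if (q := QUEUE_USE.search(ln)) and q.group(1) not in queues:
            findings.append(f"{n}: queue {q.group(1)} used but never declared")
    return findings

if __name__ == "__main__":
    for f in lint(SAMPLE):
        print(f)
```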
- Nick Schmidt lives passionately in the digital world advising and advancing technology everywhere he goes. He has served in the US Air Force, been a self-employed consultant, a senior manager and chief engineer at Boeing, and now co-founding and running Spec Ops Technology. Decorated in his military and professional career you can find his work in the nations networks and across the web.
