HOWTO’s
Example pf.conf for OpenBSD Firewall
Why?
I won't get into the full setup of an OpenBSD firewall. If you need that kind of information I recommend the OpenBSD website, as its documentation is stellar. This is just a starting point for someone looking for a secure firewall with QoS running on OpenBSD. NOTE: PF IS THE R0XoR 31337 Firewall! Add in CARP failover and kiss those dumb Sidewinders goodbye!
This file would go in /etc/pf.conf. You would need to make sure that pf is enabled in /etc/rc.conf and /etc/sysctl.conf. Without further wait, here it is!
# Block those DDoS people
set limit { states 20000, frags 20000 }
# Optimize those packets!
set optimization aggressive
# Ha you know you were blocked!
set block-policy return
ext_if = "fxp0"
int_if = "xl0"
# Apparently this helps with something way above my head
TCP_OPTIONS = "flags S/SAFRUP keep state"
# List of private nets
# http://www.iana.org/assignments/ipv4-address-space
# http://rfc.net/rfc1918.html
reserved = "{ 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, \
  169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
  224.0.0.0/3, 255.255.255.255 }"
# Things opened to server
tcp_services = "{ 22, 443 }"
# Linboxen stuff I open in/out
linboxen = "192.168.1.102"
# Vonage ATA box
vonage = "192.168.1.105"
# Ports and such
emuleTCP = "4662"
emuleUDP = "4672"
dcc = "6789"
# We are going to block ssh people trying to hack in
table
# There is a rule if you want to set what internal network has access to
allowed_outgoing = "{ ssh, smtp, finger, http, https, pop3, nntp, cvspserver, \
  5190, 6667, 7070, 11371 }"
####
# scrub rules.
#
# scrub in all # borks with linux nfs
scrub in on $ext_if all # so we do it only on ext_if
scrub in on $int_if all no-df # but no-df fixes it again
####
# altq rules.
#
altq on $ext_if priq bandwidth 768Kb queue { std_out, vonage_out }
queue vonage_out priority 10 priq(red)
queue std_out priority 5 priq(red default)
####
# Nat rules
#
nat on $ext_if inet from $int_if/24 to any -> ($ext_if)
# Let ssh go to linboxen if connect is on 2222
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2222 -> $linboxen port ssh
# Transparent squid
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# FTP Proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
####
# pf rules
#
# remove the log keyword if I'm getting ganked by crackers / DDoSed.
block out log on $ext_if all
block in log on $ext_if all
# Try a fake return scan on me... HA!
block return-rst out on $ext_if proto tcp all
block return-rst in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp in on $ext_if proto udp all
# screw with nmap
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF
# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255
####
# ALIENS/SPOOFERS
#
# These guys must be spoofing.
block in quick on $ext_if from $reserved to any
block out quick on $ext_if from $reserved to any
# antispoof _has_ to be preceded with pass in quick on lo0 all.
pass in quick on lo0 all
antispoof for { lo0, $int_if, $ext_if }
####
# ICMP
#
# Only let ping in and out
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
####
# UDP
#
# outgoing UDP
pass out quick on $ext_if proto udp all keep state
# incoming UDP
# Only if you are running a public dns-server.
# pass in on $ext_if proto udp from any to any port 53 keep state
# pass in quick on $ext_if proto udp from (whatever my remote static IP is) port = isakmp to \
# $ext_if port = isakmp keep state
# pass out quick on $ext_if proto udp from $ext_if port = isakmp to \
# (whatever my remote static IP is) port = isakmp keep state
####
# TCP
#
####
# Outgoing TCP
# This is easy: pass out all TCP connections. I think I can trust the inside network.
pass out quick on $ext_if proto tcp all keep state queue std_out
# This is much more secure. Exploits like with bind/irssi configure
# scripts won't work any more. But it's more work.
# Protocols allowed to get out.
# pass out quick on $ext_if inet proto tcp from $ext_if to \
# any port $allowed_outgoing keep state
# FTP proxy to allow passive connections to go out:
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port ftp $TCP_OPTIONS
pass out quick on $ext_if inet proto tcp from ($ext_if) to any user proxy $TCP_OPTIONS
# FTP proxy to allow active connections to get in:
pass in quick on $ext_if inet proto tcp from any to ($ext_if) user proxy $TCP_OPTIONS
# Squid Proxy
pass out on $ext_if inet proto tcp from any to any port www keep state
####
# Incoming TCP
# This is the list with specific services that are allowed on my
# machines.
#pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $server $TCP_OPTIONS
# dcc for IRC
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 6789 $TCP_OPTIONS
# Vonage
pass out on $ext_if inet proto udp from $vonage to any keep state queue vonage_out
# Emule traffic
pass in quick on $ext_if inet proto tcp from any to $linboxen port $emuleTCP $TCP_OPTIONS
# Torrent traffic
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 6881:6891 $TCP_OPTIONS
# Squid Proxy
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
# enemy territory
pass in quick on $ext_if proto udp from any to $int_if port 27960 keep state
# to the server!
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
# Block script kiddies trying to get in on ssh
block in log quick on $ext_if proto tcp from
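A quick sanity check worth running on a file like this before copying it to /etc/pf.conf: pfctl refuses to load a ruleset that references a macro it has never seen, which is exactly the kind of slip a macro such as $server in a half-edited rule produces. This is an added example, not part of the original post; it assumes only POSIX sh with sed, awk, grep, tr and sort, and the sample config below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): a macro-reference lint for
# pf.conf. Needs only POSIX sh plus sed, awk, grep, tr and sort; it does not
# need pfctl, so it can run on any box before the file reaches the firewall.

# Constructed sample config mirroring the macros used in the post. The last
# rule references $server, which is never defined; the commented-out rule
# references $ghost, which must be ignored because pfctl ignores comments.
SAMPLE_CONF='ext_if = "fxp0"
int_if = "xl0"
TCP_OPTIONS = "flags S/SAFRUP keep state"
tcp_services = "{ 22, 443 }"
# pass in quick on $ext_if proto tcp from any to $ghost port 22
pass out quick on $ext_if proto tcp all keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $server $TCP_OPTIONS'

# Print every macro that is referenced as $name but never defined as "name = ...".
pf_undefined_macros() {
    conf=$(printf '%s\n' "$1" | sed 's/#.*//')   # strip comments first
    defined=$(printf '%s\n' "$conf" | awk '
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            n = $0; sub(/[ \t]*=.*/, "", n); sub(/^[ \t]*/, "", n); print n
        }')
    referenced=$(printf '%s\n' "$conf" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u)
    for m in $referenced; do
        printf '%s\n' "$defined" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# Exit status 1 when anything is undefined, so a deploy script can gate on it.
pf_macro_check() {
    missing=$(pf_undefined_macros "$1")
    [ -z "$missing" ] && return 0
    printf 'undefined macro: %s\n' $missing >&2
    return 1
}

if pf_macro_check "$SAMPLE_CONF"; then
    echo "all macros defined"
else
    echo "fix the config before loading it"
fi
```

On the firewall itself, `pfctl -nf /etc/pf.conf` is the authoritative parse-only check and also catches syntax errors this lint does not.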