Hello all, With the help of the PF Faq on the OpenBSD website, The Book of PF (2nd Edition) and of course from the nice folks here on this mailing list I have a pf.conf someone might find useful. This configuration file is for an OpenBSD box with three interfaces assuming you want one interface for internal, external and DMZ. I really wanted to use packet tagging to keep things a little easier to manage and visualize in my head.
It allows all traffic from the LAN out - which you can filter obviously - filters DMZ traffic outbound and provides some basic services inbound from the internet to some DMZ servers. It will also allow users from the internal LAN to access the DMZ services, which one might also want to restrict if they wish. It's taken me a few days to get it configured with a lot of watching tcpdump on the screen. I've run multiple nmap scans against my network just to ensure no unwanted ports were open. I also ran tcpdump on the dmz interface and tried to access the internet with some unwanted protocols to ensure they would be filtered, and so far so good. Also, on the outbound DMZ traffic I decided to log all traffic so I could see where my servers were going when they left my network.

######MACROS
int = "re0"
dmz = "fxp0"
ext = "fxp1"
int_net = "192.168.1.0/24"
dmz_net = "192.168.10.0/24"
RFC1918 = "{ 10/8 172.16/12 192.168/16 }"
webserver = "192.168.10.1"
mailserver = "192.168.10.5"
dmz_services = "{ 80, 25, 53, 443 }"
web_services = "{ 80, 3000, 4567 }"
mail_services = "{ 25, 110, 443 }"

######TABLES
table <spamd> persist file "/etc/spammers"
table <bastards> persist file "/etc/bastards"

######OPTIONS
set skip on lo
set block-policy drop
set loginterface fxp1

######NORMALIZE TRAFFIC
match in all scrub ( no-df max-mss 1440 )

##### NAT RULES
match out on $ext tag LAN_TO_INET tagged LAN nat-to ($ext)
match out on $ext tag DMZ_TO_INET tagged DMZ nat-to ($ext)
# Note: this rule has no from/to/tagged restriction, so it matches every packet
# leaving $ext (including the firewall's own, e.g. ftp-proxy and spamd). Tags are
# sticky and the last matching rule's tag applies, so the final
# "pass out quick on $ext tagged FTP_PROXY" below is what lets that traffic out.
match out on $ext tag FTP_PROXY nat-to ($ext)

####### BLOCKING AND PACKET TAGGING
block log all
antispoof for { lo0 re0 fxp0 fxp1 }
block in on $ext from $RFC1918 to any
block out on $ext from any to $RFC1918
block in on $ext from <bastards>

#LAN OUT
pass in on $int from $int_net tag LAN
pass in on $int from $int_net to $dmz_net tag LAN_TO_DMZ

#DMZ OUT
#pass in log on $dmz from $dmz_net tag DMZ
pass in log on $dmz proto { tcp, udp } from $dmz_net to any port $dmz_services tag DMZ

#Allow FTP from DMZ to install programs from ports collection
anchor "ftp-proxy/*"
pass in log quick on $dmz proto tcp from $dmz_net to any port 21 rdr-to 127.0.0.1 port 8021 tag FTP_PROXY

#SPAMD AND FTP PROXY
# (a rule may carry only one "tag" option; the original line repeated it)
pass in on $ext proto tcp from <spamd> to port smtp rdr-to 127.0.0.1 port 8025 tag SPAMD

#NAT INBOUND TO DMZ
pass in on $ext proto tcp from any to any port $web_services rdr-to $webserver tag INET_TO_DMZ
pass in on $ext proto tcp from any to any port $mail_services rdr-to $mailserver tag INET_TO_DMZ

#POLICY ENFORCEMENT
pass in quick on $ext tagged SPAMD
pass out quick on $ext tagged FTP_PROXY
pass out quick on $ext tagged LAN_TO_INET
pass out quick on $ext tagged DMZ_TO_INET
pass out quick on $dmz tagged LAN_TO_DMZ
pass out quick on $dmz tagged INET_TO_DMZ

I've been running the firewall on an OpenBSD 4.9 box with an Atom 330 and the performance has been fantastic. I was tired of dealing with Cisco and having to pay money just to get access to download new software. In any case, I hope someone might find this useful in some way, and since I received some help from here I thought I'd post back my results... regards, Dain
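A small lint for tag-based rulesets like the one above, added here as my own check and not part of Dain's post or of pf itself: it expands macros, pairs every "tag" with a "tagged" consumer, and flags "match" rules that tag without any from/to/proto/tagged restriction (which retag every packet on that interface). The embedded ruleset is a constructed excerpt of the posted config, trimmed so the report has something to say.

```python
"""Static tag/tagged consistency check for a pf.conf that uses packet tagging."""
import re

# Constructed excerpt modelled on the posted ruleset (deliberately incomplete
# so that the report shows both kinds of finding).
SAMPLE = """
ext = "fxp1"
dmz = "fxp0"
match out on $ext tag LAN_TO_INET tagged LAN nat-to ($ext)
match out on $ext tag DMZ_TO_INET tagged DMZ nat-to ($ext)
match out on $ext tag FTP_PROXY nat-to ($ext)   # no restriction: retags everything
pass in on $dmz from 192.168.10.0/24 tag DMZ
pass out quick on $ext tagged LAN_TO_INET
pass out quick on $ext tagged DMZ_TO_INET
pass out quick on $ext tagged FTP_PROXY
pass out quick on $dmz tagged INET_TO_DMZ
"""

MACRO = re.compile(r'^(\w+)\s*=\s*"?([^"#]*?)"?\s*$')
RESTRICT = ("from", "to", "proto", "tagged")  # keywords that narrow a rule

def rules(text):
    """Yield (action, words) per rule with comments dropped and $macros expanded."""
    macros = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO.match(line)
        if m:                       # simple "name = value" macro definition
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda x: macros.get(x.group(1), x.group(0)), line)
        words = line.split()
        yield words[0], words

def tag_report(text):
    """Tags set but never consumed, consumed but never set, and unconditional retags."""
    setters, users, retag = set(), set(), []
    for action, words in rules(text):
        for i, w in enumerate(words[:-1]):
            if w == "tag":
                setters.add(words[i + 1])
            elif w == "tagged":
                users.add(words[i + 1])
        # A match rule that tags with no narrowing keyword replaces the tag on
        # every packet it sees; pf tags are sticky and the last match wins.
        if action == "match" and "tag" in words and not any(k in words for k in RESTRICT):
            retag.append(" ".join(words))
    return {"unused": setters - users, "undefined": users - setters, "unconditional_retag": retag}

if __name__ == "__main__":
    for key, value in tag_report(SAMPLE).items():
        print(f"{key}: {value}")
```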