On Mon, Nov 14, 2005 at 11:41:17AM -0500, Jim Razmus wrote:
> * Jimmy Scott <[EMAIL PROTECTED]> [051113 12:35]:
> >
> > [snipped]
> >
> > I finally had some time to rearrange my network, and split it into 3
> > parts: LAN, DMZ, WAN.
> >
> > Basically, the LAN (172.20) may not access the DMZ (172.16), but host
> > 172.20.1.10 can. The DMZ may not access the LAN, and both can go to the
> > WAN.
> >
> > [snipped]
>
> [snipped]
> You might find this helpful:
> http://www.openbsd.org/faq/pf/filter.html#state
> [snipped]
Thank you very much for your time looking at the problem. This time I will
give out the pf.conf file itself to all people interested in the final
solution I made from it (snipped from personal things and/or replaced with
example rules, e.g. port 22 on host exmp). I took this approach because the
example mentioned in my book was not that restrictive towards local traffic
(between DMZ and LAN). For those who haven't bought it yet and want all
topics by hand, "Building Firewalls with OpenBSD and PF" is a very good
book. Here mine goes:

######################################################################
######                     MACRO DEFINITIONS                    ######
######################################################################

# Interfaces
ext_if="sis0"
dmz_if="sis1"
lan_if="sis2"

# Hosts
enix="172.20.1.10"
exmp="172.16.1.10"

# Groups
staff="{" $enix "}"

######################################################################
######                     TABLE DEFINITIONS                    ######
######################################################################

# Unwanted people
table <intruders> file "/etc/pf.deny"

######################################################################
######                         OPTIONS                          ######
######################################################################

set require-order yes
set block-policy drop
set optimization normal
set loginterface $ext_if

######################################################################
######                   TRAFFIC NORMALIZATION                  ######
######################################################################

# Normalize every packet, and give random id's on outgoing
scrub in all no-df
scrub out all no-df random-id

######################################################################
######                    BANDWIDTH MANAGEMENT                  ######
######################################################################

# TODO

######################################################################
######                        TRANSLATION                       ######
######################################################################

# NAT the internal networks
nat on $ext_if from $lan_if:network -> ($ext_if:0)
nat on $ext_if from $dmz_if:network -> ($ext_if:0)

######################################################################
######                        REDIRECTION                       ######
######################################################################

# Redirect certain incoming requests
#rdr on $ext_if proto tcp from any to ($ext_if:0) port 22 -> $exmp port 22

# No redirects from LAN to DMZ and the other way around
no rdr on $lan_if proto tcp to $dmz_if:network
no rdr on $dmz_if proto tcp to $lan_if:network

# Redirect ftp requests through our ftp proxy with NAT
rdr on $lan_if proto tcp to ! $lan_if port ftp -> 127.0.0.1 port 8021
rdr on $dmz_if proto tcp to ! $dmz_if port ftp -> 127.0.0.1 port 8021

######################################################################
######                     PACKET FILTERING                     ######
######################################################################

### DEFAULT RULES

# Block all packets
block in log all
block out log all

# Block broadcast and intruders quick without further processing
block in log quick on $ext_if from any to ($ext_if:broadcast)
block in log quick on $ext_if from <intruders> to any

### LOOPBACK

# Allow all valid loopback traffic quick
pass quick on lo0 from lo0:network

### LAN INTERFACE

# Allow net traffic except to DMZ, modulate tcp
pass in on $lan_if inet proto tcp from $lan_if:network to ! $dmz_if:network \
    modulate state
pass in on $lan_if inet proto {udp,icmp} from $lan_if:network to \
    ! $dmz_if:network keep state

# Allow staff members to access the DMZ
pass in on $lan_if inet proto {tcp,udp,icmp} from $staff \
    to $dmz_if:network keep state

# Allow the firewall to access the LAN (for debugging problems)
#pass out on $lan_if inet proto {tcp,udp,icmp} from $lan_if \
#    to $lan_if:network keep state

### DMZ INTERFACE

# Allow net traffic except to LAN, modulate tcp
pass in on $dmz_if inet proto tcp from $dmz_if:network to ! $lan_if:network \
    modulate state
pass in on $dmz_if inet proto {udp,icmp} from $dmz_if:network to \
    ! $lan_if:network keep state

# Allow staff members to access the DMZ
pass out on $dmz_if inet proto {tcp,udp,icmp} from $staff \
    to $dmz_if:network keep state

# Allow access to external services running in the DMZ
# If you want LAN to access these you must permit so in the block above
pass out on $dmz_if inet proto tcp to $exmp port 22 keep state

# Allow the firewall to access the DMZ (for debugging problems)
#pass out on $dmz_if inet proto {tcp,udp,icmp} from $dmz_if \
#    to $dmz_if:network keep state

### EXTERNAL INTERFACE

# Block quick anything that looks spoofed (restricted antispoof)
block in log quick on $ext_if inet from ($ext_if)
block in log quick on $ext_if inet from lo0:network
block in log quick on $ext_if inet from $dmz_if:network
block in log quick on $ext_if inet from $lan_if:network

# Block quick and return RST for connections to ident port
block return-rst in log quick on $ext_if inet proto tcp to ($ext_if:0) \
    port auth

# Allow incoming connections to the ftp proxy
pass in log on $ext_if inet proto tcp to ($ext_if:0) port > 49151 flags S/SA \
    user proxy modulate state

# Allow incoming connections to these hosts
pass in log on $ext_if inet proto tcp to $exmp port 22 flags S/SA \
    synproxy state

# Block outgoing packets that are not from our IP to disallow spoofing
block out log quick on $ext_if inet from !($ext_if:0) to any

# Allow all other outgoing connections (or just a few)
pass out log on $ext_if inet proto tcp to any modulate state
pass out log (all) on $ext_if inet proto {udp,icmp} to any keep state

Hope this will help someday a person that is looking for the same.

Kind regards,
Jimmy Scott

--
The Four Horsemen of the Apocalypse: Death, Famine, War, and SNMP
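An added example, not part of Jimmy's post: a small Python model of pf's inbound rule evaluation (last matching rule wins, except that a matching "quick" rule ends evaluation at once), applied to a simplified subset of the ruleset above, to check that the rules really express the LAN/DMZ/WAN policy the thread describes. It assumes the interface names sis0/sis1/sis2 and the /16 networks implied by "172.20" and "172.16" in the post; ports, state and the outbound rules are left out.

```python
import ipaddress
from dataclasses import dataclass

# Networks and hosts from the post (enix is the staff host, exmp the DMZ server);
# the /16 prefixes are an assumption based on "172.20" and "172.16" in the thread.
LAN = ipaddress.ip_network("172.20.0.0/16")
DMZ = ipaddress.ip_network("172.16.0.0/16")
ENIX = ipaddress.ip_network("172.20.1.10/32")
EXMP = ipaddress.ip_network("172.16.1.10/32")

@dataclass
class Rule:
    action: str            # "pass" or "block"
    iface: object = None   # sis0/sis1/sis2 as in the post; None matches any interface
    src: object = None     # ip_network, ("not", ip_network) for pf's "!", or None for any
    dst: object = None
    quick: bool = False

def matches(spec, addr):
    if spec is None:
        return True
    if isinstance(spec, tuple):               # ("not", network) models "! $net"
        return not matches(spec[1], addr)
    return addr in spec

def evaluate(rules, iface, src, dst):
    """Walk every rule; the LAST match decides, unless a matching 'quick' rule
    stops evaluation early. With no match at all pf passes, which is why the
    post opens the filter section with 'block in log all'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict, winner = "pass", None
    for i, r in enumerate(rules):
        if r.iface not in (None, iface) or not (matches(r.src, src) and matches(r.dst, dst)):
            continue
        verdict, winner = r.action, i
        if r.quick:
            break
    return verdict, winner

# Simplified "in" subset of the post's ruleset, in the post's order (ports omitted).
RULES = [
    Rule("block"),                                      # block in log all
    Rule("block", "sis0", src=DMZ, quick=True),         # antispoof on $ext_if
    Rule("block", "sis0", src=LAN, quick=True),
    Rule("pass", "sis2", src=LAN, dst=("not", DMZ)),    # LAN -> anything but DMZ
    Rule("pass", "sis2", src=ENIX, dst=DMZ),            # staff host -> DMZ
    Rule("pass", "sis1", src=DMZ, dst=("not", LAN)),    # DMZ -> anything but LAN
    Rule("pass", "sis0", dst=EXMP),                     # WAN -> exmp (port 22 in the post)
]

def verdict(iface, src, dst):
    return evaluate(RULES, iface, src, dst)[0]
```

The spoofed case (a LAN source address arriving on sis0 for exmp) is the one to watch: the later pass rule for exmp would match, but the quick antispoof block has already ended evaluation.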