Hi,
I'm currently setting up a redundant architecture using OpenBSD.
The goal is to have the following setup:
ISP link hooked up to two OpenBSD boxes providing public IP connectivity
to servers behind (via BGP)
bge0 is hooked to my ISP
em1 is the internal interface
em2 is used for pfsync
I'm basically trying to achieve the following:
- Prevent unauthorized access to the routers (OpenBSD boxes) from IPs
other than admin IPs
- Prevent evil protocols from trying to connect to my servers (behind
the BSD boxes) and prevent them from cluttering my logs
- Be able to declare IPs from the servers behind the routers to allow
communication from/to them ($DECLAREDHOSTS)
- Be able to limit which ports are open from the internet to servers
behind the routers.
- Be able to limit which ports are open from the servers behind the
routers to the internet.
I did write a pf.conf which seems to do it, but this file seems rather
huge to me, that's why I'm submitting it here for any pf guru to be able to
review it and point out my mistakes (I'm sure some can be found, of course).
Thanks
Laurent
Here is my pf config:
LO="lo"
EXTIF001="bge0"
EXTIF002="em0"
INTIF="em1"
PFSYNCIF="em2"
set skip on {$LO, $PFSYNCIF}
PFSYNCALLOW="{172.16.1.1, 172.16.1.2}"
CARPALLOW="{Router internal IPs}"
SSHALLOW="{Trusted admin IPs}"
EBGPALLOW="ISP BGP Peer"
IBGPALLOW="{Internal BGP sessions}"
ROUTERSINTIFACES="{Internal IPs of routers (including carp)}"
DECLAREDHOSTS="{Active hosts on the internal interface}"
BAD_UDP_PORTS="{epmap, netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds}"
BAD_TCP_PORTS="{telnet, finger, epmap, netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds}"
ROUTER_ALLOW_OUT="{www, ftp, telnet, ssh, domain, https, imaps, smtp, smtps}"
SYNSTATE="flags S/SAFR synproxy state"
TCPSTATE="flags S/SAFR modulate state"
UDPSTATE="keep state"
### Stateful Options ###
EXTIFSTO="(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254)"
INTIFSTO="(max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)"
POSTFIXSTO="(max 100, source-track rule, max-src-states 5, max-src-nodes 30, max-src-conn-rate 10/300, overload <BLACKLIST> flush global, tcp.established 45)"
SPAMDSTO="(max 500, source-track rule, max-src-conn 10, max-src-nodes 300, max-src-conn-rate 2/300, tcp.established 10)"
SSHSTO="(max 10, source-track rule, max-src-states 10, max-src-nodes 5, max-src-conn-rate 20/60, overload <OVERLOAD_SSH> flush global)"
PORTSCANSTO="(max 60, source-track rule, max-src-conn 1, max-src-nodes 60, max-src-conn-rate 1/60, overload <BLACKLIST> flush global)"
### Tables ###
table <BLACKLIST> persist file "/etc/blacklist"
table <SLOWQUEUE> persist file "/etc/slowqueue"
table <OVERLOAD_SSH> persist
### Options ###
set debug urgent
set require-order yes
set block-policy drop
set loginterface $EXTIF001
set fingerprints "/etc/pf.os"
set ruleset-optimization none
### Timeout Options ###
set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }
### Queueing ###
altq on $EXTIF001 bandwidth 30000Kb hfsc queue { ack, voip, dns, ssh, web, mail, bulk, spamd }
queue ack bandwidth 60% priority 9 qlimit 500 hfsc (realtime 40%)
queue voip bandwidth 10% priority 8 qlimit 500 hfsc (realtime 1%)
queue dns bandwidth 6% priority 7 qlimit 500 hfsc (realtime 5%)
queue ssh bandwidth 9% priority 6 qlimit 500 hfsc (realtime 5%) {ssh_login, ssh_bulk}
queue ssh_login bandwidth 90% priority 6 qlimit 500 hfsc
queue ssh_bulk bandwidth 10% priority 5 qlimit 500 hfsc
queue web bandwidth 10% priority 5 qlimit 500 hfsc (realtime 10%)
queue mail bandwidth 3% priority 4 qlimit 500 hfsc (realtime 5%)
queue bulk bandwidth 1% priority 3 qlimit 500 hfsc (realtime 5% default)
queue spamd bandwidth 1% priority 1 qlimit 500 hfsc (upperlimit 3Kb)
antispoof log quick for { lo0 $EXTIF001 $INTIF }
block log on $EXTIF001
pass quick on $PFSYNCIF inet proto pfsync from $PFSYNCALLOW keep state
pass quick on $INTIF inet proto carp from $CARPALLOW keep state
block in quick on $EXTIF001 inet proto tcp from any to port $BAD_TCP_PORTS
block in quick on $EXTIF001 inet proto udp from any to port $BAD_UDP_PORTS
block in log quick from no-route to any
block in log quick on $EXTIF001 from <SLOWQUEUE> to any probability 97%
block in quick on $EXTIF001 from <BLACKLIST> to any
block in quick on $EXTIF001 inet proto tcp from <OVERLOAD_SSH> to any port ssh
block in quick on $EXTIF001 from any to 255.255.255.255
block return in quick on $INTIF from any to <BLACKLIST>
block return in quick on $INTIF from any to 224.0.0.1
block in log on $EXTIF001 inet from any to $ROUTERSINTIFACES
pass in quick log on $EXTIF001 inet proto icmp from any to $EXTIF001 icmp-type 8 code 0 $UDPSTATE
pass in log quick on $EXTIF001 inet proto icmp from any to $ROUTERSINTIFACES icmp-type 8 code 0 $UDPSTATE
pass out log quick on $INTIF inet proto icmp from any to $DECLAREDHOSTS icmp-type 8 code 0 $UDPSTATE
pass in log quick inet proto udp from any to $EXTIF001 port 33433 >< 33626 keep state
pass in log quick on $EXTIF001 inet proto udp from any to $ROUTERSINTIFACES port 33433 >< 33626 keep state
pass out log quick on $INTIF inet proto udp from any to $DECLAREDHOSTS port 33433 >< 33626 keep state
pass in log quick inet proto {tcp, udp} from $EBGPALLOW to $EXTIF001 port bgp
pass in quick log on $EXTIF001 inet proto tcp from $SSHALLOW to $EXTIF001 port ssh $SYNSTATE $SSHSTO queue (ssh_bulk, ssh_login) tag OPENSSH
pass in quick log on $EXTIF001 inet proto tcp from $SSHALLOW to $ROUTERSINTIFACES port ssh $SYNSTATE $SSHSTO queue (ssh_bulk, ssh_login) tag OPENSSH
pass out quick log on $INTIF inet proto tcp from $SSHALLOW to $DECLAREDHOSTS port ssh $SYNSTATE $SSHSTO queue (ssh_bulk, ssh_login) tag OPENSSH
pass in log quick on $EXTIF001 from any to $DECLAREDHOSTS
pass out log quick on $INTIF from any to $DECLAREDHOSTS
# BGP is TCP-only; $TCPSTATE sets "flags", which pfctl rejects on the udp copy of a {tcp,udp} rule
pass in log on $INTIF proto tcp from $IBGPALLOW to $INTIF port bgp $TCPSTATE $INTIFSTO
pass in log on $INTIF inet proto tcp from $DECLAREDHOSTS to $INTIF port ssh $TCPSTATE $INTIFSTO
pass in log on $INTIF proto icmp from $DECLAREDHOSTS to $INTIF
pass in log on $INTIF inet proto icmp from $DECLAREDHOSTS to $INTIF icmp-type 8 code 0 $UDPSTATE $INTIFSTO
pass out log on $EXTIF001 proto {tcp, udp} from $DECLAREDHOSTS to any port $ROUTER_ALLOW_OUT
pass out log on $EXTIF001 proto icmp from {$ROUTERSINTIFACES,$IBGPALLOW,$DECLAREDHOSTS} to any
pass out log on $EXTIF001 proto {tcp, udp} from {$ROUTERSINTIFACES,$IBGPALLOW} to any port $ROUTER_ALLOW_OUT
# IPv6 config not yet completed, will do once v4 fully done
pass quick inet6
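As an added example (not part of the original post and not pf's own tooling), a small Python linter that expands pf.conf macros the way pfctl does and reports the rule-level mistakes a review of a ruleset like the one above turns up: TCP-only state options (`flags`, `modulate state`, `synproxy state`) on a non-TCP rule, tables that are used but never declared, and undefined macros. The `PF_CONF` excerpt is constructed from the ruleset above; `$EXTIF001` is deliberately left undefined in it to exercise the macro check.

```python
import re

# Constructed excerpt of the ruleset above (placeholders kept as posted);
# $EXTIF001 is deliberately left undefined to exercise the macro check.
PF_CONF = """INTIF="em1"
IBGPALLOW="{Internal BGP sessions}"
DECLAREDHOSTS="{Active hosts on the internal interface}"
TCPSTATE="flags S/SAFR modulate state"
UDPSTATE="keep state"
INTIFSTO="(max 250, source-track rule, max-src-conn 100, max-src-nodes 254)"
table <BLACKLIST> persist file "/etc/blacklist"
block return in quick on $INTIF from any to <BLACKLIST>
pass in log on $INTIF proto {tcp,udp} from $IBGPALLOW to $INTIF port bgp $TCPSTATE $INTIFSTO
pass in log on $INTIF inet proto icmp from $DECLAREDHOSTS to $INTIF icmp-type 8 code 0 $UDPSTATE
block in quick on $INTIF from <OVERLOAD_SSH> to any
pass in log quick on $EXTIF001 from any to $DECLAREDHOSTS
"""
MACRO_RE = re.compile(r'^([A-Za-z_]\w*)="(.*)"$')
TABLE_RE = re.compile(r'^table\s+<([^>]+)>')
PROTO_RE = re.compile(r'\bproto\s+(\{[^}]*\}|\S+)')
TCP_ONLY_RE = re.compile(r'\bflags\b|\bmodulate state\b|\bsynproxy state\b')

def lint_pf(text):
    """Return [(line_no, message)] for constructs pfctl would refuse to load."""
    macros, tables, problems = {}, set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if m := MACRO_RE.match(line):
            macros[m.group(1)] = m.group(2)
            continue
        if t := TABLE_RE.match(line):
            tables.add(t.group(1))
            continue
        # Expand $MACRO textually (as pfctl does) so state macros such as $TCPSTATE are visible below.
        def expand(mo):
            if mo.group(1) not in macros:
                problems.append((n, f"macro ${mo.group(1)} is not defined"))
                return mo.group(0)
            return macros[mo.group(1)]
        line = re.sub(r'\$([A-Za-z_]\w*)', expand, line)
        for tab in re.findall(r'<([^>]+)>', line):
            if tab not in tables:
                problems.append((n, f"table <{tab}> is used but never declared"))
        # pfctl expands {tcp,udp} into one rule per protocol and rejects flags/modulate/synproxy on every non-TCP copy.
        pm = PROTO_RE.search(line)
        protos = re.findall(r'[a-z0-9]+', pm.group(1)) if pm else ['any']
        if TCP_ONLY_RE.search(line):
            problems += [(n, f"TCP-only state option used with proto {p}") for p in protos if p != 'tcp']
    return problems
```

Run `lint_pf(PF_CONF)` to get the three findings; a `pfctl -nf pf.conf` dry run on the real box remains the authoritative check, since this only covers the handful of mistakes discussed here.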