# Packet Filter - example for two interfaces

#       $FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
#       $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last
# match (unless "quick" is used, which stops evaluation at that rule).

##################################################
# MACROS #
##################################################
# Macros: define common values, so they can be referenced and changed
# easily. (A continuation line without a leading "#" is a syntax error.)

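# Interfaces and addresses. "a.b.34.148" is a redacted/placeholder public
# address; the real value must be the address configured on $ext_if, otherwise
# every "to $ext_ip" pass rule in the filtering section matches nothing.
localhost_if="lo0"

ext_if="rl0"
ext_ip="a.b.34.148"
# Negated form of $ext_ip, for rules matching traffic NOT addressed to us.
not_ext_ip="!a.b.34.148"

int_if="rl1"
int_ip="10.11.1.1"

local_network="10.11.1.0/24"
not_local_network="!10.11.1.0/24"

# Default route next hop (informational; no active rule references it).
gateway="a.b.34.129"

# NetBIOS / SMB and related ports (MS Windows sharing services):
# 137=netbios-ns, 138=netbios-dgm, 139=netbios-ssn, 445=microsoft-ds,
# 81=hosts2-ns (MS Windows hosts2 name server), 199=SMUX (used locally by SNMP).
# Inbound TCP is denied by default in the filtering section, so this list is
# documentation of what must never be added to $permit_in_tcp_ports.
block_in_tcp_ports="{ 137, 138, 139, 81, 445, 199 }"

# TCP ports reachable on $ext_ip from the Internet:
# 22=SSH 25=SMTP 53=DNS (zone transfers / truncated answers) 80=HTTP
# 110=POP3 143=IMAP 783=SpamAssassin spamd 953=rndc (BIND control) 993=IMAPS
# NOTE(review): the previous comment also listed 443 (HTTPS), 21 and 20 (FTP),
# which are NOT in the list; add them here only if those services must be
# reachable from outside.
# NOTE(review): 783 (spamd, no authentication) and 953 (rndc, shared-key only)
# are backend/management services; confirm they really need to accept
# connections from "any" rather than only from localhost or $local_network.
# SSH (22) is likewise open to the whole Internet; the commented $permit_in_ip
# rule in the filtering section shows how to restrict it to known sources.
permit_in_tcp_ports="{ 22, 25, 53, 110, 143, 783, 993, 953, 80 }"

# UDP ports reachable on $ext_ip from the Internet: 53=DNS, 953=rndc.
# rndc speaks TCP, so 953/udp is most likely unnecessary - confirm before keeping.
# This macro must be referenced by a "pass in ... proto udp" rule on $ext_if;
# if no such rule exists, every inbound UDP datagram (including DNS queries to
# the name server) is rejected by the catch-all UDP block rule.
# openvpn v1.5 ports, if that service is enabled:
#permit_in_udp_ports="{ 5003, 5004, 5005, 5006 }"
permit_in_udp_ports="{ 53, 953 }"

# Non-routable / reserved address space that must never be seen on $ext_if:
#192.168.0.0/16   RFC 1918 private
#172.16.0.0/12    RFC 1918 private
#10.0.0.0/8       RFC 1918 private (covers $local_network, so packets arriving
#                 on $ext_if with a spoofed LAN source are dropped too)
#127.0.0.0/8      loopback
#0.0.0.0/8        "this" network (RFC 1122); note this also blocks DHCP
#                 discovery if $ext_if is ever switched to DHCP
#169.254.0.0/16   link-local / DHCP auto-config
#224.0.0.0/3      multicast (Class D) and reserved (Class E)
#204.152.64.0/23  Sun cluster interconnect
#192.0.2.0/24     TEST-NET, reserved for documentation
# Kept on one line: a macro value is a quoted string and must not be split
# across lines (the previous two-line form does not load; if a break is
# needed, end the first line with a backslash).
reserved_networks="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 224.0.0.0/3, 204.152.64.0/23, 192.0.2.0/24 }"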

##################################################
# TABLES #
##################################################
# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
# (table names are written in angle brackets; the name was lost in the paste)

##################################################
# OPTIONS #
##################################################

# Options: tune the behavior of pf, default values are given.
# Options: tune the behaviour of pf. Per the original author's note these are
# the default values, spelled out so that any change is deliberate.
set timeout interval 10
set timeout frag 30
set timeout tcp.first 120
set timeout tcp.opening 30
set timeout tcp.established 86400
set timeout tcp.closing 900
set timeout tcp.finwait 45
set timeout tcp.closed 90
set timeout udp.first 60
set timeout udp.single 30
set timeout udp.multiple 60
set timeout icmp.first 20
set timeout icmp.error 10
set timeout other.first 60
set timeout other.single 30
set timeout other.multiple 60
# adaptive timeouts are disabled (both thresholds 0)
set timeout adaptive.start 0
set timeout adaptive.end 0
set limit states 10000
set limit frags 5000
# no interface is counted in "pfctl -s info"; set this to $ext_if while
# debugging "block log" rules with tcpdump -i pflog0
set loginterface none
set optimization normal
# blocked packets are silently dropped unless a rule says return-rst / return-icmp
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

##################################################
# PACKET NORMALIZATION #
##################################################
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities
# before any filter rule sees the packet.
scrub in all

##################################################
# PACKET QUEUEING - ALTQ #
##################################################
# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%
#############
#altq on $local_if cbq bandwidth 256Kb qlimit 10000 queue { std, http, mail, ftp, ssh }
# (note: $local_if is not defined in the MACROS section; use $int_if if enabling)
#queue std bandwidth 10% cbq(default)
#queue ftp bandwidth 100% cbq(borrow) priority 0
#queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
#queue ssh_interactive bandwidth 100% priority 7
#queue ssh_bulk bandwidth 100% priority 0

##################################################
# TRANSLATION #
##################################################
# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $local_network
# will get translated as coming from $ext_ip, a state is created for such
# packets, and incoming reply packets will be redirected to the internal
# address.

nat on $ext_if from $local_network to any -> $ext_ip

# rdr: packets coming in on $ext_if with destination $external_addr:1234
# will be redirected to 10.1.1.1:5678. A state is created for such packets,
# and outgoing packets will be translated as coming from the external address.
# ($external_addr is the template's name for what this file calls $ext_ip.)
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

##################################################
# PACKET FILTERING #
##################################################
# localhost interface - lo0 - pass everything
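# localhost interface - lo0 - pass everything
pass out quick on $localhost_if
pass in  quick on $localhost_if

# local network interface - rl1 - pass everything
# NOTE(review): nothing here stops a LAN host from sourcing packets with an
# address outside $local_network (e.g. spoofing $ext_ip). If that matters,
# use the commented subnet-restricted pair instead of the pass-everything
# rule, or add "antispoof for $int_if".
pass out quick on $int_if
#pass in quick on $int_if from 10.11.1.0/26 to $int_ip
#block in quick on $int_if from 10.11.1.0/26 to any
pass in  quick on $int_if

# anti-scan: drop and log TCP segments with impossible flag combinations
# (FIN+URG+PSH "xmas", SYN+FIN, and no SYN/FIN/RST/ACK at all - "null")
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA

# Block all inbound/outbound traffic from/to non-routable or reserved address
# space on $ext_if ($reserved_networks includes 10.0.0.0/8, so spoofed LAN
# sources arriving from outside are dropped here).
block in  log quick on $ext_if from $reserved_networks to any
block out log quick on $ext_if from any to $reserved_networks

# Anything arriving on $ext_if that is not addressed to our own IP is dropped
# WITHOUT logging. This must sit before the logging catch-all blocks below;
# in the previous order those rules matched first and logged everything,
# so the "don't log packets not to my IP" intent never took effect.
block in quick on $ext_if from any to $not_ext_ip

# general rules for in
# ICMP echo request only (ping); other ICMP types fall through to the block.
pass in quick on $ext_if inet proto icmp from any to $ext_ip icmp-type 8 code 0
# Public TCP services: new connections only (SYN without ACK), stateful.
pass in quick on $ext_if inet proto tcp from any to $ext_ip port $permit_in_tcp_ports flags S/SA keep state
# Public UDP services (DNS). This rule was missing: $permit_in_udp_ports was
# defined but never used, so every inbound UDP datagram - including DNS
# queries from outside - was rejected by the return-icmp block below.
pass in quick on $ext_if inet proto udp from any to $ext_ip port $permit_in_udp_ports keep state
# To restrict SSH to known source addresses: define $permit_in_ip, enable this
# rule and remove 22 from $permit_in_tcp_ports.
#pass in quick on $ext_if inet proto tcp from $permit_in_ip to $ext_ip port 22 flags S/SA keep state

# Catch-all inbound blocks (logged). TCP is answered with a RST and UDP with an
# ICMP unreachable instead of the silent default drop, so clients fail fast.
# Any OpenVPN UDP port that must be reachable has to be passed ABOVE this line.
block return-rst  in log quick inet proto tcp all
block return-icmp in log quick inet proto udp all
block in quick log all

# general rules for out
# All outbound traffic (including NAT'd LAN traffic) is allowed and tracked
# statefully; TCP is matched on the initial SYN only.
pass out quick on $ext_if all flags S/SA keep state
block out quick log all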

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing 






-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Florin Iamandi
Sent: Monday, December 11, 2006 8:22 PM
To: Romanian Linux Users Group
Subject: Re: [rlug] DNS FreeBSD

Sergiu Icobescu dixit (2006-12-11, 19:06:02):

> Eu cred ca e o problema de firewall, dar nu stiu unde sa mai caut

`pfctl -vvsr' te-ar ajuta sa vezi ce reguli ai in PF in timp ce pe noi ne-ar
ajuta daca ai posta pf.conf-ul tau mai mult decat ne ajuta lista
port-urilor. 
Daca nu vrei sa ne arati pf.conf-ul atunci pune "log" in toate regulile
"block" si `set loginterface $interfata_exterioara' in pf.conf si fa un
`tcpdump -e -n -i pflog0' sa vezi daca o regula iti blocheaza traficul.

NB: faza cu tcpdump merge in OpenBSD; in FreeBSD (5.3+, unde pf si pflog(4)
fac parte din sistemul de baza) tcpdump-ul din baza ar trebui sa citeasca la
fel interfata pflog0, cu conditia ca pflog sa fie pornit (pflog_enable="YES"
in rc.conf).

--
Digitally yours,
Florin Iamandi (Slippery)
Reason is the first victim of emotion. -- Scytale, Dune Messiah





