Firewalls
firewall configuration framework May 20 2008 08:44PM
Gustavo V G C Rios (vieira rios gmail com)
Dear friends,

in order to save some time setting up network firewalls I wrote a
framework I would like your comments on. Of course, I did not mean to give
the idea of being a lazy professional, but there are settings that are the
same everywhere. For instance, a rule to prevent incoming packets with a
source address different from that of the interface's network (IP
spoofing attack).

I am using OpenBSD, so for filter rules the last match wins, and for
packet rewriting (nat/rdr) the first match wins. Do you have any
suggestions on what I could improve? I am working on OpenBSD 4.3 and
here you have my /etc/pf.conf. Any other rules are loaded externally,
from a file.
I am providing the /etc/pf.conf file and two others to be loaded with a
load firewall directive; they are /etc/pf/feif and /etc/pf/fiif_0.

Any comments and suggestions are highly appreciated.

# /etc/pf.conf
#
# Macros
#
########

EIF = ""
IIF_0 = ""
IIF_1 = ""
IIF_2 = ""

########
#
# Tables
#
########

table <rfc1918> persist const { 10/8 172.16/12 192.168/16 }
table <net> persist { $IIF_0:network $IIF_1:network $IIF_2:network }
table <badhosts> persist

#########
#
# Options
#
#########

set loginterface $EIF
set skip on lo0
set debug misc
set state-policy if-bound
set block-policy return

#######################
#
# Traffic Normalization
#
#######################

scrub out on $EIF max-mss 1452

##########
#
# Queueing
#
##########

#############
#
# Translation (first match wins). Only applicable if $EIF is a public address.
#
#############

nat-anchor "ftp-proxy/*"

nat-anchor neif on $EIF
nat-anchor niif_0 on $IIF_0
nat-anchor niif_1 on $IIF_1
nat-anchor niif_2 on $IIF_2

rdr-anchor "ftp-proxy/*"

rdr-anchor reif on $EIF
rdr-anchor riif_0 on $IIF_0

rdr-anchor riif_1 on $IIF_1
rdr-anchor riif_2 on $IIF_2

##################
#
# Packet Filtering (last match wins)
#
##################

# let's block everything by default
block log all

anchor "ftp-proxy/*"

anchor feif on $EIF
anchor fiif_0 on $IIF_0
anchor fiif_1 on $IIF_1
anchor fiif_2 on $IIF_2

# default on loopback interface
block in log on !lo0 from (lo0:network)

# default on each internal interface (private address)
block in log on $IIF_0 from ($IIF_0:broadcast)
block in log on !$IIF_0 from ($IIF_0:network)
block in log on !$IIF_0 to ($IIF_0:broadcast)
block in log on $IIF_0 to 127/8 ! tagged RDR_0

block in log on $IIF_1 from ($IIF_1:broadcast)
block in log on !$IIF_1 from ($IIF_1:network)
block in log on !$IIF_1 to ($IIF_1:broadcast)
block in log on $IIF_1 to 127/8 ! tagged RDR_1

block in log on $IIF_2 from ($IIF_2:broadcast)
block in log on !$IIF_2 from ($IIF_2:network)
block in log on !$IIF_2 to ($IIF_2:broadcast)
block in log on $IIF_2 to 127/8 ! tagged RDR_2

# default on external interface (public address)
block in log on !$EIF from ($EIF)
block in log on $EIF to 127/8 ! tagged RDR

# default general rules
block in log from 255.255.255.255
block in log to 0/8

# /etc/pf/feif
#
# Macros
#
########

EIF = ""

# this host itself
pass in log to ($EIF) ! tagged RDR
pass out log from ($EIF) ! tagged NAT

pass out log proto tcp from ($EIF) to any port { www https } tagged NAT

# /etc/pf/fiif_0
#
# Macros
#
########

IIF_0 = ""

# this host itself
pass in log from ($IIF_0:network) to { ($IIF_0) ($IIF_0:broadcast) }
pass out log from ($IIF_0) to ($IIF_0:network)

pass in log proto tcp from ($IIF_0:network) to !($IIF_0) port { www https }
pass in log proto tcp from ($IIF_0:network) to (lo0:0) port 8021 tagged RDR_0

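As an added example, not part of the original post: a small Python model of the ruleset's last-match-wins evaluation, showing why the anti-spoofing blocks placed after the anchors override a pass granted in /etc/pf/feif. The interface names em0/em1 and all addresses are constructed, since the post leaves the $EIF and $IIF_0 macros empty.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed lab addressing for two of the post's macros (assumption).
NET = {"em0": ipaddress.ip_network("203.0.113.0/24"),   # $EIF, external
       "em1": ipaddress.ip_network("192.168.1.0/24")}   # $IIF_0, internal
HOST = {n: ipaddress.ip_network(f"{net[1]}/32") for n, net in NET.items()}  # ($IF)

# Simplified rules (action, direction, interface or "!interface", src, dst)
# in the order of the post's /etc/pf.conf with its anchors expanded inline.
RULES = [
    ("block", None, None, ANY, ANY),                 # block log all
    ("pass", "in", "em0", ANY, HOST["em0"]),         # feif: pass in log to ($EIF)
    ("pass", "in", "em1", NET["em1"], HOST["em1"]),  # fiif_0: pass in from ($IIF_0:network)
    ("block", "in", "!em1", NET["em1"], ANY),        # block in log on !$IIF_0 from ($IIF_0:network)
    ("block", "in", "!em0", HOST["em0"], ANY),       # block in log on !$EIF from ($EIF)
]

def packet(direction, iface, src, dst):
    return {"dir": direction, "if": iface,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}

def matches(rule, pkt):
    """A rule matches when direction, interface (with '!' negation) and addresses fit."""
    _, direction, iface, src, dst = rule
    if direction and direction != pkt["dir"]:
        return False
    if iface:
        negate, name = iface.startswith("!"), iface.lstrip("!")
        if (pkt["if"] == name) == negate:   # 'on !em1' excludes em1; 'on em1' requires it
            return False
    return pkt["src"] in src and pkt["dst"] in dst

def decide(ruleset, pkt):
    """pf without 'quick': every rule is checked and the last match decides."""
    verdict = "pass"                        # pf's default when nothing matches;
    for rule in ruleset:                    # 'block log all' makes it block in practice
        if matches(rule, pkt):
            verdict = rule[0]
    return verdict

def demo():
    pkts = {"legit_lan": packet("in", "em1", "192.168.1.50", "192.168.1.1"),
            "legit_ext": packet("in", "em0", "198.51.100.7", "203.0.113.1"),
            "spoofed": packet("in", "em0", "192.168.1.50", "203.0.113.1")}  # LAN source on WAN side
    return {name: decide(RULES, p) for name, p in pkts.items()}
```

The spoofed packet is matched by the feif pass rule first, but the later `block in on !$IIF_0 from ($IIF_0:network)` rule wins, which is exactly why these blocks sit after the anchors in the post's /etc/pf.conf.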
Copyright 2010, SecurityFocus