OpenBSD Firewall / PF

From Hackerspace ACKspace
Jump to: navigation, search
Project: OpenBSD Firewall / PF
Featured:
State Completed
Members Vicarious, PsychiC
GitHub No GitHub project defined. Add your project here.
Description building a gateway on openbsd
Picture
No project picture! Fill in form Picture or Upload a jpeg here

I have dumped the entire config so others can use this as template for their own PF setup or to shout OMGWTFBBQ u freakin' n00b you should do it like XYZ.

In the latter case either drop me an e-mail (psychic [monkeytailthingie] ackspace [lowerroundthingie] nl , join ACKspace and help out or simply STFU =D


MEUK

Meer devices maken anders breekt DHCP enzo.... gewoon genoeg aanmaken, hier worden er 20 extra bijgemaakt.

`cd /dev;for i in {10..30}; do ./MAKEDEV bpf$i ; done`


Pad toevoegen om packages te downen

export PKG_PATH=http://ftp.bit.nl/mirror/OpenBSD/5.0/packages/i386/

zet in ~/.profile


/etc/mygate is default gateway



RULESDUMP 26-November-2102 Namen etc verwijderd :)

GW2 (GW1 = RIP)

# PF Rules ACKspace gateway 2


############################
### Macros / Definitions ###
############################

## Interfaces ##

# WAN interface
ext_if = "fxp0"

# LAN interface
int_if = "fxp1"

# VLAN interfaces (VLAN30 + VLAN33 Excluded)
vlan_if = "{ \
vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 \
vlan20 vlan21 vlan22 vlan23 vlan24 vlan25 vlan26 vlan27 vlan28 vlan29 \
vlan31 vlan32 vlan34 vlan35 vlan36 vlan37 vlan38 vlan39 \
vlan40 vlan41 vlan42 vlan43 vlan44 vlan45 vlan46 vlan47 vlan48 vlan49 \
vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan56 vlan57}"


## IP adresses ##

# WAN adress
gw2_ext = "213.125.94.212"

# Local adress ranges
private_networks = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 127.0.0.0/8 }"


########################
### Default Policies ###
########################

# Skip any filtering if it is on interface localhost
set skip on lo

# Provide nice blocked messages
set block-policy return

# Block all unless a allow rule exists
block all


#######################
### Cleanup Packets ###
#######################

# Reassemble packets
set reassemble yes

# Scrub packets
match in all scrub (max-mss 1472)
match out all scrub (random-id)

# Antispoof
antispoof quick for { $ext_if } inet

# Block bogus packets
block in quick on $ext_if from no-route to any
block in quick on $ext_if from any to 255.255.255.255
block in quick on $ext_if from any to $private_networks
block in quick on $ext_if from $private_networks to any
block return out quick on $ext_if from any to $private_networks


############
### NAT ####
############

# NAT all interfaces to WAN
match out on $ext_if from any to any nat-to $gw2_ext


#####################
### SPECIAL rules ###
#####################

# Help with Active and Passive FTP
anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021


######################
### Pass IN rules  ###
######################

# Allow incoming GRE (VPN) protocal on WAN interface
pass in on $ext_if proto gre all keep state

# Allow incoming SSH and ICMP on WAN interface
pass in on $ext_if inet proto tcp from any to $gw2_ext port 22
pass in on $ext_if inet proto icmp from any to $gw2_ext icmp-type echoreq

# Allow incoming ALL on LAN interfaces
pass in on $int_if

# Allow incoming ALL on VLAN Interfaces
pass in on $vlan_if


######################
### Redirect rules ###
######################


### VPN ###

# Redirect port 1723 to 10.0.10.101

pass in on $ext_if inet proto tcp from any to $gw2_ext port 1723 rdr-to 10.0.10.101
pass in on $ext_if inet proto udp from any to $gw2_ext port 500 rdr-to 10.0.10.101
pass in on $ext_if inet proto udp from any to $gw2_ext port 5500 rdr-to 10.0.10.101
pass in on $ext_if inet proto udp from any to $gw2_ext port 1701 rdr-to 10.0.10.101

######################
### Pass OUT rules ###
######################

# Allow outgoing traffic on WAN from any
# pass out on $ext_if from any
pass out on $ext_if proto { tcp udp icmp esp gre } from any modulate state


# Allow outgoing traffic on LAN from LAN
pass out on $int_if from $int_if

# Allow outgoing traffic to VLAN50 and VLAN57 from non-private range 10.0.0.0/8
# Somehow it doesnt work with variables. Don't use any to prevent other vlans from entering.
pass out on vlan10 from ! 10.0.0.0/8
pass out on vlan50 from ! 10.0.0.0/8
pass out on vlan57 from ! 10.0.0.0/8


# Allow outgoing traffic on VLAN from same VLAN (Block InterVLAN)
pass out on vlan10 from vlan10:network
pass out on vlan11 from vlan11:network
pass out on vlan12 from vlan12:network
pass out on vlan13 from vlan13:network
pass out on vlan14 from vlan14:network
pass out on vlan15 from vlan15:network
pass out on vlan16 from vlan16:network
pass out on vlan17 from vlan17:network
pass out on vlan18 from vlan18:network
pass out on vlan19 from vlan19:network
pass out on vlan20 from vlan20:network
pass out on vlan21 from vlan21:network
pass out on vlan22 from vlan22:network
pass out on vlan23 from vlan23:network
pass out on vlan24 from vlan24:network
pass out on vlan25 from vlan25:network
pass out on vlan26 from vlan26:network
pass out on vlan27 from vlan27:network
pass out on vlan28 from vlan28:network
pass out on vlan29 from vlan29:network
# pass out on vlan30 from vlan30:network ()
pass out on vlan31 from vlan31:network
pass out on vlan32 from vlan32:network
# pass out on vlan33 from vlan33:network ()
pass out on vlan34 from vlan34:network
pass out on vlan35 from vlan35:network
pass out on vlan36 from vlan36:network
pass out on vlan37 from vlan37:network
pass out on vlan38 from vlan38:network
pass out on vlan39 from vlan39:network
pass out on vlan40 from vlan40:network
pass out on vlan41 from vlan41:network
pass out on vlan42 from vlan42:network
pass out on vlan43 from vlan43:network
pass out on vlan44 from vlan44:network
pass out on vlan45 from vlan45:network
pass out on vlan46 from vlan46:network
pass out on vlan47 from vlan47:network
pass out on vlan48 from vlan48:network
pass out on vlan49 from vlan49:network
pass out on vlan50 from vlan50:network
pass out on vlan51 from vlan51:network
pass out on vlan52 from vlan52:network
pass out on vlan53 from vlan53:network
pass out on vlan54 from vlan54:network
pass out on vlan55 from vlan55:network
pass out on vlan56 from vlan56:network
pass out on vlan57 from vlan57:network

# Allow outgoing traffic from/to VLANS 50-55, VLAN 57

intervlan_interfaces = "{vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan57}"
intervlan_network = "{vlan50:network vlan51:network vlan52:network vlan53:network vlan54:network vlan55:network vlan56:network vlan57:network}"

pass out on $intervlan_interfaces from $intervlan_network


# VPN TEST
pass in on $ext_if proto gre all keep state
pass out on $ext_if proto gre all keep state


PUTGRAAF


# PF Rules ACKspace gateway Putgraaf


############################
### Macros / Definitions ###
############################

## Interfaces ##

# WAN interface
ext_if = "em0"

# LAN interface
int_if = "em1"

# VLAN interfaces
vlan_if = "{ vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 vlan20 }"


## IP adresses ##

# WAN adress
gw_ext = $ext_if:0

# Local address ranges
private_networks = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 127.0.0.0/8 }"



####
# IPV6
####


# Allow incoming IPv6 traffic
pass in quick on $ext_if inet proto ipv6 keep state
pass in quick on gif0 inet6 all

# Allow outgoing IPv6 traffic
pass out quick on $ext_if inet proto ipv6 keep state
pass out quick on gif0 inet6 all keep state
pass out quick on vlan20 inet6 all keep state
pass out quick on vlan10 inet6 all keep state



########################
### Priority         ###
########################

altq on $ext_if priq bandwidth 10000Kb queue { q_ack, q_dns, q_ssh, q_web, q_normal, q_bittorrent }
queue q_ack priority 7
queue q_dns priority 6
queue q_ssh priority 5
queue q_web priority 4
queue q_normal priority 1 priq(default)
queue q_bittorrent priority 0


########################
### Default Policies ###
########################

# Skip any filtering if it is on interface localhost
set skip on lo

# Provide nice blocked messages
set block-policy return

# Block all unless a allow rule exists
block all


#######################
### Cleanup Packets ###
#######################

# Reassemble packets
set reassemble yes

# Scrub packets
match in all scrub (max-mss 1472)
match out all scrub (random-id)

# Antispoof
antispoof quick for { $ext_if } inet

# Block bogus packets
block in quick on $ext_if from no-route to any
block in quick on $ext_if from any to 255.255.255.255
block in quick on $ext_if from any to $private_networks
block in quick on $ext_if from $private_networks to any
block return out quick on $ext_if from any to $private_networks


############
### NAT ####
############

# NAT all interfaces to WAN
match out on $ext_if inet from !($ext_if:network) to any nat-to $gw_ext


#####################
### SPECIAL rules ###
#####################

# Help with Active and Passive FTP
anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021


######################
### Pass IN rules  ###
######################

# Allow incoming SSH and ICMP on WAN interface
pass in on $ext_if inet proto tcp from any to $gw_ext port 22
pass in on $ext_if inet proto icmp from any to $gw_ext icmp-type echoreq

# Prioritize ACK states
pass in on $ext_if inet proto tcp from any to $ext_if flags S/SA modulate state queue (q_normal, q_ack)


# Allow incoming ALL on LAN interfaces
pass in on $int_if

# Allow incoming ALL on VLAN Interfaces
pass in on $vlan_if


######################
### Redirect rules ###
######################




## ACKspace CAM /  10.1.10.253
#
# TCP port 25380 to port 80 (HTTP)
 pass in on $ext_if proto tcp from any to $gw_ext port 25380 rdr-to 10.1.10.253 port 80
##

## ACKspace CAM2 / 10.1.10.252
#
# TCP port 25280 to port 80 (HTTP)
 pass in on $ext_if proto tcp from any to $gw_ext port 25280 rdr-to 10.1.10.252 port 80
##

## ACKspace ZoneMinder / 10.1.10.119
#
# TCP port 11980 to port 80 (HTTP)
 pass in on $ext_if proto tcp from any to $gw_ext port 11980 rdr-to 10.1.10.119 port 80
##

## VM Debian OpenVPN / 10.1.20.13
#
# TCP port 13022 to port 22 (SSH)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 13022 rdr-to 10.1.20.13 port 22
# TCP port 13443 to port 443(VPN TUNNEL TCP)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 13443 rdr-to 10.1.20.13 port 443
# TCP port 443 (HTTPS / VPN TUNNEL TCP)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 443 rdr-to 10.1.20.13
# UDP port 1194 (OpenVPN / VPN TUNNEL UDP)
  pass in on $ext_if inet proto udp from any to $gw_ext port 1194 rdr-to 10.1.20.13
##

## Mailman / 10.1.20.19
#
# TCP port 25 to port 25 (SMTP)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 25 rdr-to 10.1.20.19 port 25
# TCP port 19080 to port 80 (HTTP)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 19080 rdr-to 10.1.20.19 port 80


## Gforge / 10.1.20.20
#
# TCP port 20080 to port 20080 (HTTP)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 20080 rdr-to 10.1.20.20 port 20080

pass in on $ext_if inet6 proto udp from any to  any
pass in on gif0 inet6 proto udp from any to any



## VM Debian / 10.1.20.22
#
# TCP port 22022 to port 22 (SSH)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 22022 rdr-to 10.1.20.22 port 22


## Playstation / 10.1.10.230
#

# match out log on $ext_if from !10.1.10.230 to any received-on $int_if tag EGRESS nat-to ($ext_if:0)
# match out log on $ext_if from 10.1.10.230 to any received-on $int_if tag EGRESS nat-to ($ext_if:0) static-port
# pass out quick on $ext_if from 10.1.10.230
# pass in quick on $ext_if inet proto { tcp udp } from 198.107.156.152 to $gw_ext rdr-to 10.1.10.230

#pass in quick on $ext_if inet proto tcp from any to $gw_ext port 1723 rdr-to 10.1.11.103 port 1723

# TCP + UDP port 3478,3479,3658,5223,9293
#pass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3074 rdr-to 10.1.10.126 port 3074
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3478 rdr-to 10.1.10.126 port 3478
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3479 rdr-to 10.1.10.126 port 3479
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3658 rdr-to 10.1.10.126 port 3658
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 5223 rdr-to 10.1.10.126 port 5223
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 9293 rdr-to 10.1.10.126 port 9293

##  Xbox 360 / 10.1.15.1
#
# TCP + §UDP ports 3074, UDP ports 88
pass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3074 rdr-to 10.1.15.1 port 3074
pass in quick on $ext_if inet proto udp from any to $gw_ext port 88 rdr-to 10.1.15.1 port 88

######################
### Pass OUT rules ###
######################

# Allow outgoing traffic on WAN from any
pass out on $ext_if proto { tcp udp icmp esp gre } from any modulate state

# Prioritize
pass out on $ext_if proto tcp from $ext_if to any flags S/SA modulate state queue (q_nomal, q_ack)
pass out on $ext_if proto tcp from $ext_if to any port { 80, 443 } flags S/SA modulate state queue (q_web, q_ack)

# Allow outgoing traffic on LAN from LAN
pass out on $int_if from $int_if

# Allow outgoing traffic to VLANxx from non-private range 10.1.0.0/8
# Somehow it doesnt work with variables
pass out on vlan10 from ! 10.1.0.0/8
pass out on vlan20 from ! 10.1.0.0/8

# Allow outgoing traffic on VLAN from same VLAN (Block InterVLAN)
pass out on vlan10 from vlan10:network
pass out on vlan11 from vlan11:network
pass out on vlan12 from vlan12:network
pass out on vlan13 from vlan13:network
pass out on vlan14 from vlan14:network
pass out on vlan15 from vlan15:network
pass out on vlan16 from vlan16:network
pass out on vlan17 from vlan17:network
pass out on vlan18 from vlan18:network
pass out on vlan19 from vlan19:network
pass out on vlan20 from vlan20:network

# Allow outgoing traffic from/to VLAN 10, VLAN20

intervlan_interfaces = "{vlan10 vlan20}"
intervlan_network = "{vlan10:network vlan20:network}"

pass out on $intervlan_interfaces from $intervlan_network

pass out on $int_if from vlan20:network
pass out on vlan20 from $int_if:network