Hello,
I'm using OpenBSD 4.6, i have this ruleset in production.
Is there someone that can help me to improve it ?
Thank's
Code:
# MACROS AND TABLES
wifi="vr0"
lan="fxp0"
dmz="rl0"
wan="vr1"
gwftp="192.168.0.46"
server="172.17.2.100"
dhcpwifi="{ 10.10.10.10 - 10.10.10.15 }"
table <publicts> persist
table <publicftp> persist
#NO FILTERING LOOPBACK
set skip on lo
#BLOCK POLICY
set block-policy drop
#TRAFFIC STANDARDIZATION
match in all scrub (no-df max-mss 1440)
#NAT
nat on egress -> egress
#TRANSLATIONS
# ANCHOR TO PROTECT OUR FTP SERVER
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
#LAN TO FTP SERVER
rdr on $lan proto tcp from $lan:network to \
$server port 21 -> $gwftp \
port 21
#FTP ACCESS FROM A SPECIFIC IP ADDRESS
rdr on egress proto tcp from <publicftp> to any port 21 -> $gwftp port 21
#TS ACCESS FROM A SPECIFIC IP ADDRESS
rdr on egress proto tcp from <publicts> to any \
port 3389 -> $server port 3389
#FILTERING
# BLOCK ALL AND LOG !
block log all
#PROTECTION
antispoof for { $dmz, $lan, $wifi, egress }
#ALLOW PINGS FROM LAN
pass inet proto icmp from $lan:network \
to any icmp-type { echoreq, unreach }
#FW OUT
pass out quick on egress proto tcp from egress
pass out quick on egress proto udp from egress
# WIFI PORTS OUT https, smtp, et pop3
pass in quick on { !$lan, !$dmz } proto tcp from $dhcpwifi \
to any port { https, smtp, pop3 }
# WIFI DOMAIN PORT OUT
pass in quick on { !$lan, $dmz } proto udp from $dhcpwifi \
to any port domain
# ALLOW LAN TO ANYTHING
pass in quick on { !$wifi, !dmz } proto tcp from $lan:network
pass in quick on { !$wifi, $dmz } proto udp from $lan:network
#DMZ TS ACCESS FROM LAN AND WAN
pass out on $dmz proto tcp from $lan:network to $server port 3389
pass out on $dmz proto tcp from <publicts> to $server port 3389
pass in on egress proto tcp from <publicts> to $server port 3389
#DMZ FTP ACCESS
pass in on egress inet proto tcp from <publicftp> to $gwftp port 21 \
flags S/SA keep state
pass out on $dmz inet proto tcp to $server port 21 \
user proxy flags S/SA keep state
anchor "ftp-proxy/*"