Hi the rule set is this:
Code:
#macros
int_if="hme1"
ext_if="tun0"
tcp_services="{ 22,23 }"
icmp_types="echoreq"
#Port Macros
<port definitions - no SSH port here>
#Server Macros
<server IP's>
#Network Macros
<Network Ranges>
#Queueing
# The downstream is 8000kb, Voice services get 600Kb regardless,
# and can get more when nobody else wants theirs.
<inbound queues for tun0>
# The upstream is 900kb, Voice services get 600Kb regardless,
# and can get more when nobody else wants theirs.
<outbound queues for tun0>
#options
set block-policy return
set loginterface tun0
set skip on "{ lo }"
# scrub incoming packets
match in all scrub (no-df)
# Proxy rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
divert-to 127.0.0.1 port 8021
#match rules
match out on tun0 from $int_net to any nat-to ($ext_if)
#filter rules
block in log
block out log
# activate spoofing protection for all interfaces
block in quick from urpf-failed
block in quick on $ext_if proto tcp to port $tcp_services
block out quick on $int_if proto tcp to port $tcp_services
pass out quick log
pass out quick on $ext_if from $int_net to any nat-to ($ext_if)
antispoof quick for { lo, hme1 }
pass in quick on $int_if inet proto tcp from $int_net to port $tcp_services queue ssh_in
pass in quick on $ext_if inet proto tcp to port $dns_ports rdr-to $<dns-server> synproxy state queue dns_in
pass in quick on $ext_if inet proto udp to port $dns_ports rdr-to $<dns-server> synproxy state queue dns_in
....
<more inbound port definitions for other services>
block in on egress inet proto icmp all icmp-type $icmp_types
pass in quick on $int_if
Minus the few posting adjustments I made that's the ruleset.
I have checked the rules over with the pfctl -s(x) command to see which ones are being used and what's happening, but still I'm not quite sure.
Also, the QoS services haven't been activated 100% either, as I really needed them for the VoIP system; however, on an 8Mb DSL line it's really not going to make much difference as my bandwidth is always fully in use.
After the event and posting here I decided to add the rule:
Code:
block out quick on $int_if proto tcp to port $tcp_services
to ensure that anything SSH or telnet coming from the OBSD box is blocked and so far seems to work.
I'm just worried that this could have been something like a trojan horse or some other form of packet manipulation-style attack?
I am even considering using Snort as an IDS/IPS solution, however I'm not sure if 400MHz + 360MB RAM would be able to cope with MySQL/Apache/Snort et al. Things like Jnettop and Nload already slow the internet speeds down to a halt, I found out.
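As an added example (not code from the original post), a small Python parser for `pfctl -vs rules` output that pairs each rule with its counters, lists rules that were never evaluated (a rule placed after an earlier `quick` rule that already matches everything it would is unreachable), and reports the packet counts on the rules covering the SSH/telnet ports. The sample output is constructed, and the interface names and network range in it are assumptions.

```python
import re

# Constructed sample of `pfctl -vs rules` output (not a real capture): pf prints
# each rule, then an indented counter line and an "[ Inserted: ... ]" line.
SAMPLE = """\
block drop in log all
  [ Evaluations: 15842     Packets: 97        Bytes: 6210        States: 0     ]
  [ Inserted: uid 0 pid 8123 State Creations: 0     ]
block drop out quick on hme1 proto tcp from any to any port = ssh
  [ Evaluations: 9120      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 8123 State Creations: 0     ]
pass out quick log all flags S/SA
  [ Evaluations: 9120      Packets: 61202     Bytes: 8120944     States: 14    ]
  [ Inserted: uid 0 pid 8123 State Creations: 210   ]
pass out quick on tun0 inet from 192.168.1.0/24 to any flags S/SA nat-to (tun0)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 8123 State Creations: 0     ]
"""

COUNTER_RE = re.compile(r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)"
                        r"\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]")
PORT_RE = re.compile(r"\bport\s*=\s*(\S+)")

def parse_pfctl_rules(text):
    """Turn `pfctl -vs rules` output into one dict per rule with its counters."""
    rules = []
    for line in filter(str.strip, text.splitlines()):   # drop blank lines
        if not line[0].isspace():                        # unindented: a new rule
            rules.append({"rule": line.strip(), "evaluations": 0,
                          "packets": 0, "bytes": 0, "states": 0})
            continue
        m = COUNTER_RE.search(line)      # the "[ Inserted: ... ]" line has no counters
        if m and rules:
            rules[-1].update(zip(("evaluations", "packets", "bytes", "states"),
                                 map(int, m.groups())))
    return rules

def never_evaluated(rules):
    """Rules with zero evaluations are unreachable, usually shadowed by an earlier quick rule."""
    return [r["rule"] for r in rules if r["evaluations"] == 0]

def port_rule_hits(rules, ports):
    """(rule, packets) for rules whose destination port is in `ports` (names or numbers)."""
    return [(r["rule"], r["packets"]) for r in rules
            if (m := PORT_RE.search(r["rule"])) and m.group(1) in ports]
```

Run it against real output with `parse_pfctl_rules(open("rules.txt").read())` after saving `pfctl -vs rules` to a file; a non-zero packet count on the port 22/23 block rule is what would confirm something on the box actually tried to open those connections.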