DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 30th October 2011
mfaridi's Avatar
mfaridi mfaridi is offline
Spam Deminer
 
Join Date: May 2008
Location: Afghanistan
Posts: 282
Thanked 5 Times in 5 Posts
Default help to make best PF rules and high performance

after long time I find new job , and they want me I make NAT server for internet sharing . so I want use FreeBSD with PF,
they want me only make NAT and do not block ports , they want all ports must be open , and they want only NAT , and do not want block by PF , can I use these rules for make NAT only or no
please help me to improve this rule
Code:
ns# cat  /usr/local/pf/pf.conf
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
# Edited by: mfaridi

################################ MACROS ############################################################

ext_if          = "sk0"
int_if          = "re0"
External_net    = "10.10.10.192/27"
Local_net       = "192.168.0.0/24"
Local_Web       = "192.168.0.10"
Local_Srv       = "192.168.0.1"
Prtcol          = "{ tcp, udp }"
Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"

#Define ports for common internet services
#TCP_SRV         = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
#UDP_SRV         = "{ 53 }"
TCP_SRV         = "{ 80, 443 }"
UDP_SRV         = "{ }"
Samba_TCP       = "{ 139, 445 }"
Samba_UDP       = "{ 137, 138 }"


SERVER          = "10.10.10.200"
NAT1            = "10.10.10.194"
NAT2            = "10.10.10.195"
NAT3            = "10.10.10.196"
NAT4            = "10.10.10.197"
NAT5            = "10.10.10.198"
NAT6            = "10.10.10.199"
NAT7            = "10.10.10.201"
NAT8            = "10.10.10.202"
NAT9            = "10.10.10.203"
NAT10           = "10.10.10.204"
NAT11           = "10.10.10.205"
NAT12           = "10.10.10.206"
NAT13           = "10.10.10.207"
NAT14           = "10.10.10.208"
NAT15           = "10.10.10.209"
NAT16           = "10.10.10.210"
NAT17           = "10.10.10.211"
NAT18           = "10.10.10.212"
NAT19           = "10.10.10.213"
NAT20           = "10.10.10.214"
NAT21           = "10.10.10.215"
NAT22           = "10.10.10.216"
NAT23           = "10.10.10.217"
NAT24           = "10.10.10.218"
NAT25           = "10.10.10.219"

#### All IP of Groups which can be connect to Internet
paltalk1        = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2        = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3        = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28, 192.168.0.29 }"
webdsgn1        = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2        = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3        = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4        = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5        = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6        = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7        = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8        = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53, 192.168.0.54 }"
rased1          = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2          = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3          = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4          = "{ 192.168.0.69, 192.168.0.70 }"
rased5          = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202, 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6          = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208, 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7          = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214, 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8          = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220, 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225  }"
admin1          = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2          = "{ 192.168.0.58, 192.168.0.59 }"

############################### TABLES ############################################################

#Define privileged network address sets
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12, 10.0.0.0/8, 0.0.0.0/8, \
                          14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23, 224.0.0.0/3 }
table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
table <hackers> persist file "/usr/local/pf/Network/hackers.lst"

#Define Favoured client hosts
table <Admin>   persist file "/usr/local/pf/Network/Admin.lst"
table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
table <Rased>   persist file "/usr/local/pf/Network/Rased.lst"
table <LocalHost> const { self }

############################### OPTIONS ############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound


############################### TRAFFIC NORMALIZATION ##############################################
#Filter traffic for unusual packets
scrub in all


############################### TRANSLATION ######################################################

#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER

nat pass on $ext_if from $paltalk1 to any -> $NAT1
nat pass on $ext_if from $paltalk2 to any -> $NAT2
nat pass on $ext_if from $paltalk3 to any -> $NAT3
nat pass on $ext_if from $webdsgn1 to any -> $NAT4
nat pass on $ext_if from $webdsgn2 to any -> $NAT5
nat pass on $ext_if from $webdsgn3 to any -> $NAT6
nat pass on $ext_if from $webdsgn4 to any -> $NAT7
nat pass on $ext_if from $webdsgn5 to any -> $NAT8
nat pass on $ext_if from $webdsgn6 to any -> $NAT9
nat pass on $ext_if from $webdsgn7 to any -> $NAT10
nat pass on $ext_if from $webdsgn8 to any -> $NAT11
nat pass on $ext_if from $rased1   to any -> $NAT12
nat pass on $ext_if from $rased2   to any -> $NAT13
nat pass on $ext_if from $rased3   to any -> $NAT14
nat pass on $ext_if from $rased4   to any -> $NAT15
nat pass on $ext_if from $rased5   to any -> $NAT16
nat pass on $ext_if from $rased6   to any -> $NAT17
nat pass on $ext_if from $rased7   to any -> $NAT18
nat pass on $ext_if from $rased8   to any -> $NAT19
nat pass on $ext_if from $admin1   to any -> $NAT20
nat pass on $ext_if from $admin2   to any -> $NAT21


#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 -> 192.168.0.100 port 5900
#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 -> 192.168.0.50 port 22

############################### PACKET FILTERING #################################################

# Default Rule
pass quick on { $ext_if, $int_if } all keep state




# End of File: pf.conf
can I use this rule for NAT ?
I want only NAT and I do not want another thing like block torrent ports or something else

I would be grateful if you can help my to modify this rule , I think this rule has a lot of problems
do you think I need add some rules to this rules or no ?
for has better NAT with high performance , what I must do ?
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.
Reply With Quote
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
High Definition Audio classicmanpro NetBSD General 0 12th April 2011 07:03 PM
high cpu usage by system process badkuk OpenBSD General 7 19th October 2010 03:17 AM
Bad ftp performance Randux NetBSD Package System (pkgsrc) 2 4th January 2009 09:17 PM
resolution too high!!! =| ? what? seadog109 Other BSD and UNIX/UNIX-like 19 18th October 2008 04:25 AM
Bill Joy's high school matt Off-Topic 9 27th May 2008 06:01 PM


All times are GMT. The time now is 09:36 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick