#1  1st November 2011
scrummie02
Port Guard
Join Date: Nov 2011
Posts: 15

Help with PF NAT configuration

Hello all, I am replacing a Cisco ASA with an OpenBSD PF NAT box for a couple of reasons: I'm tired of paying Cisco money just to receive updates, tired of the license limits and the device is about six years old.

So I have an Atom server with three interfaces, one each for public/DMZ/internal.

The current config with the ASA is the following:

external (fxp1) ---> Firewall ---> DMZ (192.168.100.0/24) (fxp0) ---> Internal (192.168.200.0/24) (re0).

I don't really want to re-IP the nodes in the DMZ, so if possible I'd like to keep everything the same. I've purchased The Book of PF, version 2, but still need some assistance. Here is my pf.conf:
Code:
#MACROS
_int="re0"
lan="re0:network"

_dmz="fxp0"
dmz="192.168.100.0/24"

mailserver="192.168.100.2"
ftpwebserver="192.168.100.1"
RFC1918="{ 10/8 172.16/12 192.168/16 }"
 
#TABLES
 
#OPTIONS
set skip on lo
set block-policy drop
 
#NORMALIZE  TRAFFIC
match in all scrub ( no-df max-mss 1440 )
 
#NAT
match out on egress from $lan to any nat-to egress
match out on egress from $dmz to any nat-to egress
 
#REDIRECTIONS
match in on egress inet proto tcp from any to any port 25 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 110 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 587 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 465 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 25 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 995 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 443 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 110 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 80 \
    rdr-to $ftpwebserver
 
#BLOCK POLICY
block log all
 
#PROTECTION
antispoof for { lo0 re0 fxp0 fxp1 }
block in on egress from $RFC1918 to any
block out on egress from any to $RFC1918
 
#AUTHORIZE PINGS
pass inet proto icmp all icmp-type { echoreq, unreach }
 
#FORWARDING OUT
pass out on egress inet proto tcp from any to any 
pass out on egress inet proto udp from any to any 

#LAN SERVICES 
anchor "ftp-proxy/*"
pass in on $_int proto tcp from any to any port ftp \
    rdr-to 127.0.0.1 port 8021

#AUTHORIZED SERVICES 
pass in on $_int proto tcp from $lan to any port \
    { 80 22 3000 4567 443 53 69 } 
pass in quick on $_int proto udp from $lan to any port { domain 69 }

#CONSOLE ACCESS 
#pass in on egress proto tcp from any to egress port 22 

#DMZ SERVICES
pass in on egress proto tcp from any to $mailserver port \
    { 25 110 443 587 465 995 }
pass out on $_dmz proto tcp from any to $mailserver port \
    { 25 110 443 587 465 995 }
pass in on $_dmz proto tcp from $mailserver to any port \
    { 25 110 587 465 995 }

#ACCESS WEB SERVICES
pass in on egress inet proto tcp from any to $ftpwebserver port 80
pass out on $_int inet proto tcp from any to $ftpwebserver port 80

Basically, I want the internal network to be able to access the DMZ, but obviously not the other way around. I'm having some issues with that part.

Last edited by ocicat; 1st November 2011 at 05:05 PM. Reason: Please use [code] & [/code] tags when posting command output.
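As an added example (not part of scrummie02's post), here are the rules that give the internal network access to the DMZ while leaving DMZ hosts unable to open connections toward the LAN. It assumes the macros from the posted pf.conf ($_int, $_dmz, $lan, $dmz, $ftpwebserver) and is meant to sit after the existing "block log all" and "#PROTECTION" rules.

```pf
# Added example, not from the original post. Assumes the poster's macros:
#   _int="re0"  lan="re0:network"  _dmz="fxp0"  dmz="192.168.100.0/24"
#   ftpwebserver="192.168.100.1"
# and that "block log all" is already in place as the default policy.

# Why LAN -> DMZ fails in the posted config: the only "pass out" rules are
# on egress (and one on $_int), so a packet accepted in on re0 is still
# dropped by "block log all" when it tries to leave on fxp0.

#INTERNAL -> DMZ
# Accept the connection on the internal interface and let the same packet
# leave on the DMZ interface. PF keeps state, so the DMZ host's replies
# come back without a separate rule. No nat-to here: DMZ hosts see the
# real 192.168.200.0/24 source addresses, which keeps their logs useful.
pass in  on $_int proto { tcp udp icmp } from $lan to $dmz
pass out on $_dmz proto { tcp udp icmp } from $lan to $dmz

#DMZ -> INTERNAL (denied)
# "block log all" already drops this, but stating it with "quick" makes the
# policy explicit and guarantees no later pass rule can override it.
# Reply packets for LAN-initiated sessions are matched by state before
# any rule is evaluated, so they are unaffected by this block.
block in quick log on $_dmz from $dmz to $lan

#ACCESS WEB SERVICES (corrected)
# The posted "pass out" rule for $ftpwebserver names $_int, but that host
# lives behind $_dmz, so the outbound leg of the web redirect should be:
pass out on $_dmz inet proto tcp from any to $ftpwebserver port 80
```

Check the full file with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` for packets still hitting "block log all" to see which interface and direction is missing a pass rule.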