DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 4th November 2011
mfaridi's Avatar
mfaridi mfaridi is offline
Spam Deminer
 
Join Date: May 2008
Location: Afghanistan
Posts: 320
Default help to make best PF rules and high performance

Thanks
after long time I want use OpenBSD and do not use FreeBSD . so I download last OpenBSD tonight and I will start use it
can I use my first rule in this post in OpenBSD 5 or no ?
which part I must change ?


REMARK from Administrator:

Because mfaridi decided see whether a change to OpenBSD will solve the "hangs" of ruleset on FreeBSD, this thread actually is a continuation of the following topic in the FreeBSD section: http://www.daemonforums.org/showthre...6479#post41206
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.

Last edited by J65nko; 13th November 2011 at 02:58 AM. Reason: Explaining the rationale of the edit
Reply With Quote
  #2   (View Single Post)  
Old 4th November 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

From http://www.openbsd.org/faq/pf/nat.html#config

Quote:
NAT is specified as an optional nat-to parameter to an outbound pass rule. Often, rather than being set directly on the pass rule, a match rule is used. When a packet is selected by a match rule, parameters (e.g. nat-to) in that rule are remembered and are applied to the packet when a pass rule matching the packet is reached. This permits a whole class of packets to be handled by a single match rule and then specific decisions on whether to allow the traffic can be made with block and pass rules.

The general format in pf.conf looks something like this:

Code:
    match out on interface [af] \
       from src_addr to dst_addr \
       nat-to ext_addr [pool_type] [static-port]
    ...
    pass out [log] on interface [af] [proto protocol] \
       from ext_addr [port src_port] \
       to dst_addr [port dst_port]
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 12th November 2011
mfaridi's Avatar
mfaridi mfaridi is offline
Spam Deminer
 
Join Date: May 2008
Location: Afghanistan
Posts: 320
Default

after I read openbsd site documents about NAT in PF , I understand , if I want my pf.conf work good in OpenBSD 5 . I must change it and I make this new pf.conf
Code:
############################### MACROS ############################################################

ext_if          = "sk0"
int_if          = "re0"
External_net    = "10.10.10.192/27"
Local_net       = "192.168.0.0/24"
Local_Web       = "192.168.0.10"
Local_Srv       = "192.168.0.1"
Prtcol          = "{ tcp, udp }"
Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"

#Define ports for common internet services
#TCP_SRV         = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
#UDP_SRV         = "{ 53 }"
TCP_SRV         = "{ 80, 443 }"
UDP_SRV         = "{ }"
Samba_TCP       = "{ 139, 445 }"
Samba_UDP       = "{ 137, 138 }"


SERVER          = "10.10.10.200"
NAT1            = "10.10.10.194"
NAT2            = "10.10.10.195"
NAT3            = "10.10.10.196"
NAT4            = "10.10.10.197"
NAT5            = "10.10.10.198"
NAT6            = "10.10.10.199"
NAT7            = "10.10.10.201"
NAT8            = "10.10.10.202"
NAT9            = "10.10.10.203"
NAT10           = "10.10.10.204"
NAT11           = "10.10.10.205"
NAT12           = "10.10.10.206"
NAT13           = "10.10.10.207"
NAT14           = "10.10.10.208"
NAT15           = "10.10.10.209"
NAT16           = "10.10.10.210"
NAT17           = "10.10.10.211"
NAT18           = "10.10.10.212"
NAT19           = "10.10.10.213"
NAT20           = "10.10.10.214"
NAT21           = "10.10.10.215"
NAT22           = "10.10.10.216"
NAT23           = "10.10.10.217"
NAT24           = "10.10.10.218"
NAT25           = "10.10.10.219"

#### All IP of Groups which can be connect to Internet
paltalk1        = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2        = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3        = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28, 192.168.0.29 }"
webdsgn1        = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2        = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3        = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4        = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5        = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6        = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7        = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8        = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53, 192.168.0.54 }"
rased1          = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2          = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3          = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4          = "{ 192.168.0.69, 192.168.0.70 }"
rased5          = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202, 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6          = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208, 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7          = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214, 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8          = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220, 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225  }"
admin1          = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2          = "{ 192.168.0.58, 192.168.0.59 }"

############################### TABLES ############################################################

#Define privileged network address sets
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12, 10.0.0.0/8, 0.0.0.0/8, \
                          14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23, 224.0.0.0/3 }
table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
table <hackers> persist file "/usr/local/pf/Network/hackers.lst"

#Define Favoured client hosts
table <Admin>   persist file "/usr/local/pf/Network/Admin.lst"
table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
table <Rased>   persist file "/usr/local/pf/Network/Rased.lst"
table <LocalHost> const { self }

############################### OPTIONS ############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound


############################### TRAFFIC NORMALIZATION ##############################################
#Filter traffic for unusual packets
scrub in all


############################### TRANSLATION ######################################################

#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER


match out on egress inet from !(paltalk1) to any nat-to (NAT1)

match out on egress inet from !(paltalk2) to any nat-to (NAT2)

match out on egress inet from !(paltalk3) to any nat-to (NAT3)

match out on egress inet from !(webdsgn1) to any nat-to (NAT4)

match out on egress inet from !(webdsgn2) to any nat-to (NAT5)

match out on egress inet from !(webdsgn3) to any nat-to (NAT6)

match out on egress inet from !(webdsgn4) to any nat-to (NAT7)

match out on egress inet from !(webdsgn5) to any nat-to (NAT8)

match out on egress inet from !(webdsgn6) to any nat-to (NAT9)

match out on egress inet from !(webdsgn7) to any nat-to (NAT10)

match out on egress inet from !(webdsgn8) to any nat-to (NAT11)

match out on egress inet from !(rased1) to any nat-to (NAT12:0)

match out on egress inet from !(rased2) to any nat-to (NAT13)

match out on egress inet from !(rased3) to any nat-to (NAT14)

match out on egress inet from !(rased4) to any nat-to (NAT15)

match out on egress inet from !(rased5) to any nat-to (NAT16)

match out on egress inet from !(rased6) to any nat-to (NAT17)

match out on egress inet from !(rased7) to any nat-to (NAT18)

match out on egress inet from !(rased8) to any nat-to (NAT19)

match out on egress inet from !(admin1) to any nat-to (NAT20)

match out on egress inet from !(admin2) to any nat-to (NAT21)



############################### PACKET FILTERING #################################################

# Default Rule
pass quick on { $ext_if, $int_if } all keep state
please help me to find mistake in this new pf.conf .
I have 27 valid or static IPs and I want each Static IPs or valid IPs work with 3 invalid IPs.

please help me id I have mistake in this pf.conf . solve it .
thanks in advance
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
help to make best PF rules and high performance mfaridi FreeBSD Security 12 13th November 2011 02:51 AM
High Definition Audio classicmanpro NetBSD General 0 12th April 2011 07:03 PM
Bad ftp performance Randux NetBSD Package System (pkgsrc) 2 4th January 2009 09:17 PM
resolution too high!!! =| ? what? seadog109 Other BSD and UNIX/UNIX-like 19 18th October 2008 04:25 AM
Bill Joy's high school matt Off-Topic 9 27th May 2008 06:01 PM


All times are GMT. The time now is 04:43 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick