DaemonForums > OpenBSD > OpenBSD Security

#1   22nd December 2008
maurobottone (Real Name: Mauro Bottone)
Join Date: May 2008
Location: Aversa, IT
Posts: 24

DMZ zone - I can't find a mistake...

Hello,
I must create a DMZ zone for my second local net: 192.168.1.0/16

This is my pf.conf:

----
Code:
### macros
int_if = "re0"
dmz_if = "re1"
ext_if = "pppoe0"

tcp_services = "{ 20, 21, 22, 25, 80, 110, 113 }"
udp_service = "{ 53, 5060 }"

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
dmz_net = "192.168.1.0/16"

bnd_upstream="512Kb"
bnd_downstream="7168Kb"

host_usr1="192.168.0.1"
host_usr4="192.168.0.4"
host_usr5="192.168.0.5"
host_usr6="192.168.0.6"
host_usr8="192.168.0.8"
host_usr9="192.168.0.9"
host_usr10="192.168.0.10"
host_usr11="192.168.0.11"
host_usr12="192.168.0.12"
host_usr13="192.168.1.13"
host_usr14="192.168.1.14"
host_usr15="192.168.0.15"
host_usr16="192.168.0.16"
host_usr17="192.168.0.17"
host_usr18="192.168.0.18"


### options
set optimization normal
set block-policy return
set loginterface $ext_if
set skip on lo0


### scrub
scrub in all
scrub out on $ext_if max-mss 1440


### altq
altq on $ext_if cbq bandwidth $bnd_upstream   queue { up_def }
altq on $int_if cbq bandwidth $bnd_downstream queue { dn_def }

queue up_def    bandwidth   100% cbq(default) { up_host1 up_host4 up_host5 up_host6 up_host8 up_host9 up_host10 up_host11 up_host12 up_host13 up_host14 up_host15 up_host16 up_host17 up_host18 }
        queue up_host1   bandwidth   13% cbq(borrow)
        queue up_host4   bandwidth    7% cbq(borrow)
        queue up_host5   bandwidth    7% cbq(borrow)
        queue up_host6   bandwidth    7% cbq(borrow)
        queue up_host8   bandwidth    6% cbq(borrow)
        queue up_host9   bandwidth    6% cbq(borrow)
        queue up_host10  bandwidth    6% cbq(borrow)
        queue up_host11  bandwidth    6% cbq(borrow)
        queue up_host12  bandwidth    6% cbq(borrow)
        queue up_host13  bandwidth    6% cbq(borrow)
        queue up_host14  bandwidth    6% cbq(borrow)
        queue up_host15  bandwidth    6% cbq(borrow)
        queue up_host16  bandwidth    6% cbq(borrow)
        queue up_host17  bandwidth    6% cbq(borrow)
        queue up_host18  bandwidth    6% cbq(borrow)

queue dn_def    bandwidth   100% cbq(default) { dn_host1 dn_host4 dn_host5 dn_host6 dn_host8 dn_host9 dn_host10 dn_host11 dn_host12 dn_host13 dn_host14 dn_host15 dn_host16 dn_host17 dn_host18}
        queue dn_host1   bandwidth   13% cbq(borrow)
        queue dn_host4   bandwidth    7% cbq(borrow)
        queue dn_host5   bandwidth    7% cbq(borrow)
        queue dn_host6   bandwidth    7% cbq(borrow)
        queue dn_host8   bandwidth    6% cbq(borrow)
        queue dn_host9   bandwidth    6% cbq(borrow)
        queue dn_host10  bandwidth    6% cbq(borrow)
        queue dn_host11  bandwidth    6% cbq(borrow)
        queue dn_host12  bandwidth    6% cbq(borrow)
        queue dn_host13  bandwidth    6% cbq(borrow)
        queue dn_host14  bandwidth    6% cbq(borrow)
        queue dn_host15  bandwidth    6% cbq(borrow)
        queue dn_host16  bandwidth    6% cbq(borrow)
        queue dn_host17  bandwidth    6% cbq(borrow)
        queue dn_host18  bandwidth    6% cbq(borrow)
### nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $dmz_if:network to any -> ($ext_if)
#redirect for nucleo, anima, xaser and enjoy
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {4001:4005, 1063:1083} -> $host_usr1
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1000:1020 -> $host_usr8
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {1021:1041, 3724, 6112 } -> $host_usr9
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1042:1062 -> $host_usr10


### filter rules
block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
block drop in quick on $ext_if from $dmz_net to any
block drop out quick on $ext_if from any to $dmz_net

pass in on $int_if proto { tcp udp } from $host_usr1  to any queue up_host1
pass in on $int_if proto { tcp udp } from $host_usr4  to any queue up_host4
pass in on $int_if proto { tcp udp } from $host_usr5  to any queue up_host5
pass in on $int_if proto { tcp udp } from $host_usr6  to any queue up_host6
pass in on $int_if proto { tcp udp } from $host_usr8  to any queue up_host8
pass in on $int_if proto { tcp udp } from $host_usr9  to any queue up_host9
pass in on $int_if proto { tcp udp } from $host_usr10 to any queue up_host10
pass in on $int_if proto { tcp udp } from $host_usr11 to any queue up_host11
pass in on $int_if proto { tcp udp } from $host_usr12 to any queue up_host12
pass in on $dmz_if proto { tcp udp } from $host_usr13 to any queue up_host13
pass in on $dmz_if proto { tcp udp } from $host_usr14 to any queue up_host14
pass in on $int_if proto { tcp udp } from $host_usr15 to any queue up_host15
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host16
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host17
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host18

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_service keep state
pass in on $ext_if inet proto { tcp udp } from any to ($dmz_if) keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any
pass in on $dmz_if all keep state


pass out on $int_if proto { tcp udp } from any to $host_usr1  queue dn_host1
pass out on $int_if proto { tcp udp } from any to $host_usr4  queue dn_host4
pass out on $int_if proto { tcp udp } from any to $host_usr5  queue dn_host5
pass out on $int_if proto { tcp udp } from any to $host_usr6  queue dn_host6
pass out on $int_if proto { tcp udp } from any to $host_usr8  queue dn_host8
pass out on $int_if proto { tcp udp } from any to $host_usr9  queue dn_host9
pass out on $int_if proto { tcp udp } from any to $host_usr10 queue dn_host10
pass out on $int_if proto { tcp udp } from any to $host_usr11 queue dn_host11
pass out on $int_if proto { tcp udp } from any to $host_usr12 queue dn_host12
pass out on $dmz_if proto { tcp udp } from any to $host_usr13 queue dn_host13
pass out on $dmz_if proto { tcp udp } from any to $host_usr14 queue dn_host14
pass out on $int_if proto { tcp udp } from any to $host_usr15 queue dn_host15
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host16
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host17
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host18

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $int_if:network
pass out on $dmz_if all keep state


###Deny spoofing
antispoof for $ext_if
antispoof for $dmz_if
antispoof for $int_if
------------------

I need to leave ALL TCP AND UDP ports open on the DMZ network, and this is not happening with this firewall...
And I can ping every IP of 192.168.1.0 from the server/router, but from a PC on the LAN (in 192.168.0.0) I can't ping a PC in the DMZ... where is the mistake?!
Thanks a lot.
__________________
"Non ex regula ius sumatur, sed ex iure quod est regula fiat."

Last edited by maurobottone; 22nd December 2008 at 08:21 PM.
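A sanity check over the network macros in the config above, added here as an example and not part of the original post (the excerpt embedded in the code is constructed from those macros). It parses the macro lines, reports a prefix whose written address has host bits set together with the network pf actually uses, flags overlap between dmz_net and priv_nets, and lists which host_* macros fall inside dmz_net.

```python
import ipaddress
import re

# Constructed excerpt of the macro section of the pf.conf posted above.
PF_MACROS = '''
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
dmz_net = "192.168.1.0/16"
host_usr12="192.168.0.12"
host_usr13="192.168.1.13"
'''

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.MULTILINE)


def parse_macros(text):
    """Return {name: [values]} for quoted string and { list } macros."""
    macros = {}
    for name, value in MACRO_RE.findall(text):
        items = value.strip().strip("{}").split(",")
        macros[name] = [i.strip() for i in items if i.strip()]
    return macros


def normalized_network(cidr):
    """Return (network as the mask actually defines it, host_bits_were_set)."""
    try:
        return ipaddress.ip_network(cidr, strict=True), False
    except ValueError:  # e.g. 192.168.1.0/16: the .1 is inside the host part
        return ipaddress.ip_network(cidr, strict=False), True


def hosts_inside(macros, net_macro):
    """Names of host_* macros whose address falls inside net_macro's prefix."""
    net, _ = normalized_network(macros[net_macro][0])
    return sorted(name for name, vals in macros.items()
                  if name.startswith("host_")
                  and ipaddress.ip_address(vals[0]) in net)


def lint(text):
    """Collect findings about dmz_net versus priv_nets and the host macros."""
    macros = parse_macros(text)
    findings = []
    for cidr in macros["dmz_net"]:
        net, sloppy = normalized_network(cidr)
        if sloppy:
            findings.append(f"dmz_net {cidr} has host bits set; the mask gives {net}")
        for other in macros["priv_nets"]:
            if net.overlaps(ipaddress.ip_network(other, strict=False)):
                findings.append(f"dmz_net {cidr} overlaps priv_nets {other}")
    findings.append("hosts inside dmz_net: " + ", ".join(hosts_inside(macros, "dmz_net")))
    return findings


if __name__ == "__main__":
    print("\n".join(lint(PF_MACROS)))
```

pfctl -nf /etc/pf.conf parses the file without loading it and catches syntax errors; this script is for mask and overlap mistakes that parse cleanly.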