DaemonForums > OpenBSD > OpenBSD Security

#1
21st January 2010
wesley
improve ruleset

Hello,

I'm using OpenBSD 4.6 and I have this ruleset in production.
Is there someone who can help me improve it?
Thanks

Code:
# MACROS AND TABLES
wifi="vr0"
lan="fxp0"
dmz="rl0"
wan="vr1"
gwftp="192.168.0.46"
server="172.17.2.100"
dhcpwifi="{ 10.10.10.10 - 10.10.10.15 }"
table <publicts> persist
table <publicftp> persist

# NO FILTERING ON LOOPBACK
set skip on lo

# BLOCK POLICY
set block-policy drop

# TRAFFIC NORMALIZATION
match in all scrub (no-df max-mss 1440)

# NAT
nat on egress -> egress

# TRANSLATIONS
# ANCHORS FOR THE ftp-proxy(8) RULES THAT PROTECT OUR FTP SERVER
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# LAN TO FTP SERVER
rdr on $lan proto tcp from $lan:network to \
	$server port 21 -> $gwftp \
	port 21

# FTP ACCESS FROM SPECIFIC IP ADDRESSES (table <publicftp>)
rdr on egress proto tcp from <publicftp> to any port 21 -> $gwftp port 21

# TS ACCESS FROM SPECIFIC IP ADDRESSES (table <publicts>)
rdr on egress proto tcp from <publicts> to any \
	port 3389 -> $server port 3389

# FILTERING
# BLOCK EVERYTHING BY DEFAULT AND LOG IT
block log all

# PROTECTION
antispoof for { $dmz, $lan, $wifi, egress }

# ALLOW PINGS FROM LAN
pass inet proto icmp from $lan:network \
	to any icmp-type { echoreq, unreach }

# FW OUT
pass out quick on egress proto tcp from egress
pass out quick on egress proto udp from egress

# WIFI PORTS OUT: https, smtp and pop3
# The original rule used "on { !$lan, !$dmz }". A list expands into one
# rule per element, and "on !fxp0" matches every interface except fxp0,
# so the two resulting rules together matched every interface. Naming
# the wifi interface restricts the rule to it.
pass in quick on $wifi proto tcp from $dhcpwifi \
	to any port { https, smtp, pop3 }

# WIFI DNS OUT (same fix; the original had "{ !$lan, $dmz }")
pass in quick on $wifi proto udp from $dhcpwifi \
	to any port domain

# ALLOW LAN TO ANYTHING
# Same fix; the original also had "!dmz" without the "$".
pass in quick on $lan proto tcp from $lan:network
pass in quick on $lan proto udp from $lan:network

# DMZ TS ACCESS FROM LAN AND WAN
pass out on $dmz proto tcp from $lan:network to $server port 3389
pass out on $dmz proto tcp from <publicts> to $server port 3389
pass in on egress proto tcp from <publicts> to $server port 3389

# DMZ FTP ACCESS
pass in on egress inet proto tcp from <publicftp> to $gwftp port 21 \
	flags S/SA keep state
pass out on $dmz inet proto tcp to $server port 21 \
	user proxy flags S/SA keep state
anchor "ftp-proxy/*"

Last edited by Carpetsmoker; 22nd January 2010 at 12:23 AM. Reason: Added [code] tags
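As an added illustration (not part of the original post), here is a small Python expander that mimics pfctl's macro substitution and `{ }` list expansion and then reports which interfaces the expanded rules actually apply to, using the macro and interface names from the ruleset above; it does not claim to reproduce pfctl's exact output order.

```python
import re
from itertools import product

# Macros and interface names taken from the ruleset above.
MACROS = {
    "wifi": "vr0", "lan": "fxp0", "dmz": "rl0", "wan": "vr1",
    "dhcpwifi": "{ 10.10.10.10 - 10.10.10.15 }",
}
IFACES = {"vr0", "fxp0", "rl0", "vr1"}
# The wifi rule as posted, and the same rule naming the interface directly.
WIFI_RULE = ("pass in quick on { !$lan, !$dmz } proto tcp from $dhcpwifi "
             "to any port { https, smtp, pop3 }")
FIXED_RULE = ("pass in quick on $wifi proto tcp from $dhcpwifi "
              "to any port { https, smtp, pop3 }")
LIST_RE = re.compile(r"\{([^{}]*)\}")

def substitute_macros(rule, macros):
    """Replace $name with its value, as pfctl does before expanding lists."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), rule)

def expand_lists(rule):
    """Expand every { a, b } list into one rule per combination (cartesian product)."""
    lists = [[x.strip() for x in m.group(1).split(",") if x.strip()]
             for m in LIST_RE.finditer(rule)]
    template = LIST_RE.sub(lambda m: "\x00", rule)   # one placeholder per list
    rules = []
    for combo in product(*lists):
        r = template
        for item in combo:
            r = r.replace("\x00", item, 1)
        rules.append(re.sub(r"\s+", " ", r).strip())
    return rules

def matched_interfaces(rule, ifaces):
    """Interfaces one expanded rule's 'on' clause applies to ('on !x' = all but x)."""
    m = re.search(r"\bon\s+(!?)\s*(\S+)", rule)
    if not m:
        return set(ifaces)        # no 'on' clause: the rule applies on every interface
    neg, name = m.groups()
    return set(ifaces) - {name} if neg else {name} & set(ifaces)

def interfaces_covered(rule, macros, ifaces):
    """Union over all expanded rules: the interfaces the rule really passes traffic on."""
    covered = set()
    for r in expand_lists(substitute_macros(rule, macros)):
        covered |= matched_interfaces(r, ifaces)
    return covered
```

Run on the wifi rule as posted, `on { !$lan, !$dmz }` expands to `on !fxp0` and `on !rl0`, whose union covers all four interfaces, while `on $wifi` covers only vr0.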