improve ruleset
Hello,
I'm using OpenBSD 4.6, I have this ruleset in production. Is there someone who can help me improve it? Thanks Code:
# MACROS AND TABLES
wifi="vr0"
lan="fxp0"
dmz="rl0"
wan="vr1"
gwftp="192.168.0.46"
server="172.17.2.100"
dhcpwifi="{ 10.10.10.10 - 10.10.10.15 }"
table <publicts> persist
table <publicftp> persist

# NO FILTERING LOOPBACK
set skip on lo

# BLOCK POLICY
set block-policy drop

# TRAFFIC STANDARDIZATION
match in all scrub (no-df max-mss 1440)

# NAT
nat on egress -> egress

# TRANSLATIONS
# ANCHOR TO PROTECT OUR FTP SERVER
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# LAN TO FTP SERVER
rdr on $lan proto tcp from $lan:network to \
    $server port 21 -> $gwftp \
    port 21

# FTP ACCESS FROM A SPECIFIC IP ADDRESS
rdr on egress proto tcp from <publicftp> to any port 21 -> $gwftp port 21

# TS ACCESS FROM A SPECIFIC IP ADDRESS
rdr on egress proto tcp from <publicts> to any \
    port 3389 -> $server port 3389

# FILTERING
# BLOCK ALL AND LOG !
block log all

# PROTECTION
antispoof for { $dmz, $lan, $wifi, egress }

# ALLOW PINGS FROM LAN
pass inet proto icmp from $lan:network \
    to any icmp-type { echoreq, unreach }

# FW OUT
pass out quick on egress proto tcp from egress
pass out quick on egress proto udp from egress

# WIFI PORTS OUT https, smtp, and pop3
pass in quick on { !$lan, !$dmz } proto tcp from $dhcpwifi \
    to any port { https, smtp, pop3 }

# WIFI DOMAIN PORT OUT
pass in quick on { !$lan, $dmz } proto udp from $dhcpwifi \
    to any port domain

# ALLOW LAN TO ANYTHING
pass in quick on { !$wifi, !$dmz } proto tcp from $lan:network
pass in quick on { !$wifi, $dmz } proto udp from $lan:network

# DMZ TS ACCESS FROM LAN AND WAN
pass out on $dmz proto tcp from $lan:network to $server port 3389
pass out on $dmz proto tcp from <publicts> to $server port 3389
pass in on egress proto tcp from <publicts> to $server port 3389

# DMZ FTP ACCESS
pass in on egress inet proto tcp from <publicftp> to $gwftp port 21 \
    flags S/SA keep state
pass out on $dmz inet proto tcp to $server port 21 \
    user proxy flags S/SA keep state
anchor "ftp-proxy/*"
Last edited by Carpetsmoker; 22nd January 2010 at 12:23 AM. Reason: Added [code] tags
Some of your rules still could use quick.
If you do not use IPv6, you could use inet proto tcp in all rules. In some rules you already use it, so why not be consistent? You still use S/SA keep state in some tcp rules. This has been the default for quite some time. Do a verbose listing of your rules to see this Code:
# pfctl -vvnf /etc/pf.conf
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
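As an added example, not code from this thread or from OpenBSD, here is a small Python checker that applies the three points in the reply above to the `pass` rules of a pf.conf: it flags rules without `quick`, rules with `proto` but no address family, and rules that still spell out `flags S/SA keep state`, and it prints a rewritten rule for each. The keyword order it assumes (`pass [in|out] [log] [quick] [on iface] [af] proto ...`) follows pf.conf(5); the sample rules are a constructed excerpt of the ruleset posted above. Adding `quick` changes evaluation order (the rule stops further matching), so the rewritten output is a suggestion to review and check with `pfctl -nf`, not something to load blindly.

```python
"""Heuristic lint for pf.conf pass rules (added example, not part of the thread).

Finding tags:
  missing-quick    no "quick": a later matching rule can still override this one
  missing-af       "proto" without "inet"/"inet6": the rule also matches IPv6
  redundant-state  "flags S/SA" / "keep state": already the tcp default on OpenBSD 4.6
"""
import re

# Constructed sample: a few rules taken from the ruleset posted above.
SAMPLE_PF_CONF = """\
# constructed sample: a few rules from the ruleset above
block log all
pass inet proto icmp from $lan:network \\
    to any icmp-type { echoreq, unreach }
pass out quick on egress proto tcp from egress
pass out on $dmz proto tcp from $lan:network to $server port 3389
pass in on egress inet proto tcp from <publicftp> to $gwftp port 21 \\
    flags S/SA keep state
pass out on $dmz inet proto tcp to $server port 21 \\
    user proxy flags S/SA keep state
"""


def join_continuations(text):
    """Fold backslash-newline continuations so each rule is a single line."""
    return re.sub(r"\s*\\\n\s*", " ", text)


def lint_rule(rule):
    """Return the finding tags that apply to one (already joined) rule."""
    tokens = rule.split()
    findings = []
    if not tokens or tokens[0] != "pass":
        return findings  # block, set, rdr, nat, anchor ... are out of scope here
    if "quick" not in tokens:
        findings.append("missing-quick")
    if "proto" in tokens and not {"inet", "inet6"} & set(tokens):
        findings.append("missing-af")
    # "keep state (options)" is not redundant, so only bare "keep state" is flagged
    if re.search(r"\bflags S/SA\b|\bkeep state\b(?!\s*\()", rule):
        findings.append("redundant-state")
    return findings


def normalize_rule(rule):
    """Rewrite a pass rule with the three suggestions applied (review before loading)."""
    rule = re.sub(r"\s+flags S/SA\b", "", rule)
    rule = re.sub(r"\s+keep state\b(?!\s*\()", "", rule)
    tokens = rule.split()
    if not tokens or tokens[0] != "pass":
        return rule
    if "quick" not in tokens:
        # quick belongs after the optional direction and log keywords, before "on"
        pos = 1
        while pos < len(tokens) and tokens[pos] in ("in", "out", "log"):
            pos += 1
        tokens.insert(pos, "quick")
    if "proto" in tokens and not {"inet", "inet6"} & set(tokens):
        tokens.insert(tokens.index("proto"), "inet")
    return " ".join(tokens)


def lint_conf(text):
    """Map every flagged rule to its finding tags; comments and blank lines are skipped."""
    report = {}
    for line in join_continuations(text).splitlines():
        rule = line.split("#", 1)[0].strip()
        if rule:
            findings = lint_rule(rule)
            if findings:
                report[rule] = findings
    return report


if __name__ == "__main__":
    for rule, findings in lint_conf(SAMPLE_PF_CONF).items():
        print(f"{', '.join(findings)}:\n  {rule}\n  -> {normalize_rule(rule)}")
```

Run it against a copy of your pf.conf (`python3 pflint.py < /etc/pf.conf` after swapping the sample for `sys.stdin.read()`), then feed the rewritten rules through `pfctl -vvnf` as the reply suggests; the verbose listing shows the defaults pf fills in, which is the quickest way to confirm that dropping `flags S/SA keep state` changed nothing.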