improve ruleset
Hello,
I'm using OpenBSD 4.6, I have this ruleset in production. Is there someone that can help me to improve it? Thanks. Code:
# MACROS AND TABLES
wifi="vr0"
lan="fxp0"
dmz="rl0"
wan="vr1"
gwftp="192.168.0.46"
server="172.17.2.100"
dhcpwifi="{ 10.10.10.10 - 10.10.10.15 }"
table <publicts> persist
table <publicftp> persist

# NO FILTERING ON LOOPBACK
set skip on lo

# BLOCK POLICY
set block-policy drop

# TRAFFIC STANDARDIZATION
match in all scrub (no-df max-mss 1440)

# NAT
nat on egress -> egress

# TRANSLATIONS
# ANCHOR TO PROTECT OUR FTP SERVER
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# LAN TO FTP SERVER
rdr on $lan proto tcp from $lan:network to $server port 21 -> $gwftp port 21

# FTP ACCESS FROM A SPECIFIC IP ADDRESS
rdr on egress proto tcp from <publicftp> to any port 21 -> $gwftp port 21

# TS ACCESS FROM A SPECIFIC IP ADDRESS
rdr on egress proto tcp from <publicts> to any port 3389 -> $server port 3389

# FILTERING
# BLOCK ALL AND LOG!
block log all

# PROTECTION
antispoof for { $dmz, $lan, $wifi, egress }

# ALLOW PINGS FROM LAN
pass inet proto icmp from $lan:network to any icmp-type { echoreq, unreach }

# FW OUT
pass out quick on egress proto tcp from egress
pass out quick on egress proto udp from egress

# WIFI PORTS OUT: https, smtp and pop3
# (negated interface list: every entry must reference the macro with $)
pass in quick on { !$lan, !$dmz } proto tcp from $dhcpwifi to any port { https, smtp, pop3 }

# WIFI DOMAIN PORT OUT
pass in quick on { !$lan, !$dmz } proto udp from $dhcpwifi to any port domain

# ALLOW LAN TO ANYTHING
pass in quick on { !$wifi, !$dmz } proto tcp from $lan:network
pass in quick on { !$wifi, !$dmz } proto udp from $lan:network

# DMZ TS ACCESS FROM LAN AND WAN
pass out on $dmz proto tcp from $lan:network to $server port 3389
pass out on $dmz proto tcp from <publicts> to $server port 3389
pass in on egress proto tcp from <publicts> to $server port 3389

# DMZ FTP ACCESS
pass in on egress inet proto tcp from <publicftp> to $gwftp port 21 flags S/SA keep state
pass out on $dmz inet proto tcp to $server port 21 user proxy flags S/SA keep state
anchor "ftp-proxy/*"

Last edited by Carpetsmoker; 22nd January 2010 at 12:23 AM. Reason: Added [code] tags
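As an added example (not part of the post above), a small Python check for the kind of reference slip a hand-edited pf ruleset like this one can carry: a negated interface written without the leading `$`, or a table used before it is defined. The `RULESET` excerpt is constructed from the rules posted above with the `!dmz` slip kept on purpose, and `check_ruleset` is an assumed name, not a pf tool.

```python
import re

# Constructed excerpt of the posted ruleset. It deliberately keeps the
# `!dmz` slip (macro referenced without `$`) and uses <publicftp> without
# defining it, so the check has something to report.
RULESET = """\
wifi="vr0"
lan="fxp0"
dmz="rl0"
gwftp="192.168.0.46"
server="172.17.2.100"
table <publicts> persist
rdr on egress proto tcp from <publicftp> to any port 21 -> $gwftp port 21
rdr on egress proto tcp from <publicts> to any port 3389 -> $server port 3389
pass in quick on { !$wifi, !dmz } proto tcp from $lan:network
pass in quick on { !$wifi, !$dmz } proto udp from $lan:network
"""

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=')        # name="value"
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')            # $name or $name:network
TABLE_DEF = re.compile(r'^table\s+<(\w+)>')            # table <name> ...
TABLE_REF = re.compile(r'<(\w+)>')                     # <name> inside a rule
BARE_NEG = re.compile(r'!(?!\$)([A-Za-z_]\w*)')        # !name written without $

def check_ruleset(text):
    """Return a list of (line number, message) for reference problems."""
    macros, tables, findings = set(), set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()            # ignore comments
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:                                          # macro definition
            macros.add(m.group(1))
            continue
        t = TABLE_DEF.match(line)
        if t:                                          # table definition
            tables.add(t.group(1))
            continue
        for name in MACRO_REF.findall(line):
            if name not in macros:
                findings.append((lineno, f"undefined macro ${name}"))
        for name in TABLE_REF.findall(line):
            if name not in tables:
                findings.append((lineno, f"undefined table <{name}>"))
        for name in BARE_NEG.findall(line):
            if name in macros:                         # looks like a forgotten $
                findings.append((lineno, f"'!{name}' matches macro {name}; use !${name}"))
    return findings
```

The real authority on syntax remains `pfctl -nf /etc/pf.conf`; this check only adds the macro-versus-interface-name hint that a parse-only run does not give you.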