DaemonForums  

OpenBSD Security Functionally paranoid!

#1
Old 4th June 2017
bsdsource
Port Guard
Join Date: Apr 2014
Posts: 34

block specific LAN IP from internet

I would like to block a specific IP address (10.200.200.109) on my LAN from inbound and outbound traffic to the internet. All my LAN computers still need to be able to access that computer and vice versa since it's my NAS. Here is my current pf.conf:

Code:
#*************************
# macros
#*************************
wan="em0"
lan="em1"
nas="10.200.200.109"
ps4="10.200.200.110"
xbox="10.200.200.114"

#*************************
# table
#*************************
table <private_ips> const { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 }

#*************************
# options
#*************************
set reassemble yes
set optimization normal
set limit states 395000
set limit src-nodes 395000
set block-policy drop
set loginterface $wan
set skip on lo0

#********************************************
# traffic normalization
#********************************************
match in all scrub (no-df random-id max-mss 1440)

#****************************
# network address translation
#****************************
match out on $wan inet from $ps4 to any nat-to ($wan:0) static-port
match out on $wan inet from $xbox to any nat-to ($wan:0) static-port
match out on $wan inet from $lan:network to any nat-to ($wan:0) port 1024:65535

#*****************************
# block spoofed or forged IP's
#*****************************
antispoof quick for ($wan)

#*****************************
# block non-routable addresses
#*****************************
block in quick on $wan from no-route to any
block out quick on $wan from any to no-route

#**************************************
# check unicast reverse path forwarding
#**************************************
block in quick on $wan from urpf-failed to any

#*********************************************
# block private address blocks outside network
#*********************************************
block in quick on $wan from <private_ips> to any

#********************
# block IPv6 traffic
#********************
block quick inet6 all

#********************
# block everything
#********************
block inet all

#**********************************
# allow traffic out to the Internet
#**********************************
pass out inet allow-opts

#*****************************************
# port forward xbox one ports for open nat
#*****************************************
pass in quick on $wan proto udp from any port 3544 to ($wan) port 3074 rdr-to $xbox port 3074
pass in quick on $wan proto {tcp,udp} from any port 3075 to ($wan) port 3075 rdr-to $xbox port 3075

#*****************************************
# port forward ps4 ports for open nat
#*****************************************
pass in quick on $wan proto {tcp,udp} from any port 3478 to ($wan) port 3478 rdr-to $ps4
pass in quick on $wan proto {tcp,udp} from any port 3479 to ($wan) port 3479 rdr-to $ps4
pass in quick on $wan proto tcp from any port 3480 to ($wan) port 3480 rdr-to $ps4

#*****************************************
# allow ping (for console purposes)
#*****************************************
pass in quick inet proto icmp all icmp-type echoreq

#***************************************
# allow all internal lan traffic to pass
#***************************************
pass in on $lan inet
#2
Old 4th June 2017
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

You have a blend of rules with the "quick" option, and rules without it. Because of this complication, I recommend adding new "quick" rules relatively early in your rule set, perhaps before any other quick rules, as your redirects are less specific than this example below.

Keep in mind that you can get tangled up with "in", "out" and "on" when trying to match traffic, or ... trying NOT to match traffic. And as well, the blend of quick and standard rules can sometimes be difficult to manage.

Code:
block quick on $wan from any to 10.200.200.109
block quick on $wan from 10.200.200.109 to any
#3
Old 5th June 2017
bsdsource
Port Guard
Join Date: Apr 2014
Posts: 34

Thanks jggimi. I had to put the rules you provided before my match out rules, otherwise it wouldn't work. Internet is restricted but LAN traffic works as intended.
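Reply #2's rules placed where reply #3 found they must go, as an added example that is not the thread's own configuration: it reuses the original post's macros, adds "log" so the drops can be watched on pflog0, and the ordering comment is an assumption consistent with what reply #3 observed.

```pf
# Added example (not the thread's own pf.conf): isolate $nas from the
# Internet while leaving LAN-to-LAN traffic untouched. Macros as in post #1.
wan="em0"
lan="em1"
nas="10.200.200.109"

set block-policy drop
set loginterface $wan
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

# 1. Isolate the NAS BEFORE any nat-to rule. "quick" ends evaluation for a
#    matching packet. Ordering matters here (assumption based on reply #3):
#    once a "match out ... nat-to" rule hits, later rules see the translated
#    WAN source address, so a block on $nas placed after it never matches
#    outbound. "log" records each drop on pflog0 for verification.
block log quick on $wan from $nas to any
block log quick on $wan from any to $nas

# 2. Only now translate the rest of the LAN ($nas is already dropped above).
match out on $wan inet from $lan:network to any nat-to ($wan:0) port 1024:65535

# 3. Default deny, then the original allows. Traffic between LAN hosts and
#    $nas never crosses $wan, so it is unaffected by the block rules.
block inet all
pass out inet allow-opts
pass in on $lan inet
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm the two block rules are actually the ones counting hits with `pfctl -vvsr` and watch the logged drops with `tcpdump -n -e -ttt -i pflog0 host 10.200.200.109`.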