PF Help 4.6 to 4.7

Post #1, 9th October 2011
Scott7 (OpenBSD / XP; Join Date: Jan 2009; Posts: 7)

Hi there, I've been running my 4.6 firewall since release. I'm now going to do a fresh install.

I need a little bit of help replacing rdr with match rules etc.

Below is my edited 4.6 pf.conf for 4.9:

Code:
intIF = "rl0"
extIF = "vr0"


##### States Queues #####
synState="flags S/SA synproxy state"
tcpState="flags S/SA modulate state"
udpState="keep state"


##### Ports #####
# P2 #
p2ports = "{ 80, 20, 21, 49163:49173, 58939 }"
# ICMP #
icmpTypes = "echoreq unreach"
# PC #
pcports = "{ 58938 }"

##### LAN Info #####
# Local #
myNet = "192.168.1.0/24"
# P2 #
p2 = "192.168.1.3"
# PC #
pc = "192.168.1.2"

##### Banned #####
#fIP   = "{}"


##### Block Timeout #####
#set ruleset-optimization none
set debug urgent
set block-policy return
set optimization normal
set fingerprints "/etc/pf.os"
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }
set limit { states 100000, frags 100000, src-nodes 50000 }
set skip on lo0


##### Scrub #####
#scrub log on $extIF all random-id min-ttl 128 max-mss 1460 set-tos\
	throughput reassemble tcp fragment reassemble


##### NAT #####
#match out on $extIF inet from $xbox360 to any -> $extIF static-port
match out on $extIF from $myNet nat-to ($extIF)


##### Block #####
block log all
antispoof log quick for { $extIF, $intIF }


##### Ban's #####
#block in quick on $intIF from $fIP to any


##### PASS #####
# ICMP #
pass log inet proto icmp all icmp-type echoreq $udpState
pass log inet proto icmp all icmp-type unreach $udpState

# Allow P2 #
pass in log on $extIF inet proto tcp from any to any port $p2ports $synState
pass out log on $extIF inet proto tcp from any to any port $p2ports $synState

# Allow pc #
pass in log quick on $extIF inet proto tcp from any to $pc port $pcports
pass out log quick on $extIF inet proto tcp from $pc to port $pcports

# Allow outgoing #
pass out log on $extIF inet proto tcp all $tcpState
pass out log on $extIF inet proto { udp, icmp } all $udpState

# Allow LAN #
pass in log on $intIF from $intIF:network to any keep state
pass out log on $intIF from any to $intIF:network keep state

I'm pretty sure I'm missing some bits now, as I've removed the old rdr rules etc.

Just need some advice on what rules I need to add to my pf.conf.

Regards

Scott
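As an added example (not from the original post or from the OpenBSD project), this is how the removed 4.6 `rdr` rules become single `pass ... rdr-to` rules in 4.7+ syntax, reusing the macros from the pf.conf above; it also converts the commented-out `scrub` line, which would not parse under 4.7+ as written. It assumes the old rules forwarded `$p2ports` to `$p2` and `$pcports` to `$pc`.

```pf
# Added example, not from the original post: 4.7+ replacements for the
# removed rdr rules, reusing the macros defined in the posted pf.conf.
# Assumption: the old 4.6 rules looked like
#   rdr on $extIF proto tcp from any to ($extIF) port $p2ports -> $p2
#   rdr on $extIF proto tcp from any to ($extIF) port $pcports -> $pc

##### Scrub #####
# 4.7 replaced the standalone "scrub" directive with a match rule.
# "fragment reassemble" is gone: fragment reassembly is controlled by
# "set reassemble" and is on by default.
match in all scrub (random-id min-ttl 128 max-mss 1460 reassemble tcp)

##### NAT #####
match out on $extIF from $myNet nat-to ($extIF)

##### Block #####
block log all
antispoof log quick for { $extIF, $intIF }

##### Redirects (formerly rdr) #####
# In 4.7+ the redirect is an option on the filter rule itself, so one
# "pass in ... rdr-to" line replaces the old rdr + "pass in to $p2" pair;
# the plain "pass in ... port $p2ports" rule is no longer needed.
# Matching on ($extIF) limits the redirect to the firewall's own address
# instead of every destination that happens to use those ports.
pass in log on $extIF inet proto tcp from any to ($extIF) port $p2ports \
    rdr-to $p2 $synState
pass in log quick on $extIF inet proto tcp from any to ($extIF) port $pcports \
    rdr-to $pc

# Replies from $p2 and $pc are matched by the state created above, so no
# per-service "pass out on $intIF" rule is required; the LAN rules below
# still cover everything else. Note that if "match ... rdr-to" is used
# instead of "pass ... rdr-to", later rules see the translated address.

##### LAN #####
pass in log on $intIF from $intIF:network to any
pass out log on $intIF from any to $intIF:network
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; that parses the file without changing the running ruleset.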
Post #2, 17th October 2011
nocturnal (New User; Join Date: Oct 2011; Posts: 6)
I can't help you but I remembered ttp://serverfault.com/questions/175405/help-me-upgrade-my-pf-conf-for-openbsd-4-7 this thread and decided you'd be a valid recipient for it. Good luck.

However, I'm not allowed to post URLs so I've broken it. Please just copy and paste it.