Hello everyone,

                  INTERNET
                     ^
                     |
     x - - - - - [SWITCH] - - - - - - - - - - - - - x
[PF central firewall]        [Several public IPs for different services]
I am running a network with several public IP addresses that are used for different services, and I used PF with a dedicated box (see illustrated) to control incoming and outgoing packets onto and from these public IPs. I have not been able to notice until such time that they were exposed to different types of probes such as ping, use of port scanner, etc. from the Internet. Below are the rules I used to supposedly block incoming packets to my public IPs. Just for your info, I used the gateway address provided by my ISP, not the IP on my PF box.

----------------------------
# M A C R O S
ext_if="sis0"
int_if="xl0"
serversPUB="{ my.pub.lic.1, my.pub.lic.2, my.pub.lic.3, etc... }"
www_virt="my.pub.lic.1"

# O P T I O N S
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo0

# N O R M A L I Z A T I O N
scrub in all

# N A T / R D R
#xlation gateway

# F I L T E R
#protect public and local address [ incoming, outgoing ]
block all
pass quick on lo0 all
antispoof log quick for { $ext_if, $int_if } inet
block drop in on $ext_if inet from any to $serversPUB
pass in on $ext_if proto tcp from any to $www_virt port { www, https } flags S/SA \
    synproxy state
--------------------------------------

As you can see, only a few rules are put here above just to give you an idea how I did the blocking. The other rules with my services so far are continuously going well. I just don't want to permit incoming packets directly to my public IPs; that is why I have the PF as my firewall to centrally manage incoming and outgoing. On the above BLOCK rule, I supposed it blocks all incoming packets on $ext_if through $serversPUB. Unfortunately it doesn't. I have bought OpenBSD books including the Building firewall with OpenBSD pf by Jacek and read lots of articles about rules in pf but haven't found one that is similar to my setup; everything uses NAT / RDR to access services (e.g. webserver, etc.). Here, I didn't use rdr because it uses a public IP as stated in MACROS.
I appreciate your help so much.

Thanks,
-Sparc
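A check a practitioner would run before rewriting any rule, added here as an example that is not part of the original post: feed `pfctl -vsr` through a small filter and list the rules whose Evaluations counter is still 0. A block rule that PF has never evaluated means the probe traffic is not passing through the PF box at all (for instance because the box sits beside the switch rather than between the switch and the servers), which is a different problem from a rule that is evaluated but written wrongly. The sample output below is constructed in the layout pfctl prints; the interface name sis0 comes from the post, the counter values do not.

```sh
#!/bin/sh
# Added example, not from the original post. Filters `pfctl -vsr` output and
# prints every rule whose Evaluations counter is 0, i.e. a rule PF loaded but
# never tested a single packet against.

# Constructed sample in the layout pfctl -vsr prints (a rule line followed by
# its counter line). Real output shows resolved IPs instead of my.pub.lic.N.
SAMPLE_PFCTL_VSR='block drop all
  [ Evaluations: 4120      Packets: 87        Bytes: 6532        States: 0     ]
pass quick on lo0 all
  [ Evaluations: 4120      Packets: 4033      Bytes: 398210      States: 0     ]
block drop in on sis0 inet from any to my.pub.lic.1
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
block drop in on sis0 inet from any to my.pub.lic.2
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
pass in on sis0 inet proto tcp from any to my.pub.lic.1 port = www flags S/SA synproxy state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'

# Read pfctl -vsr text on stdin; print each rule whose Evaluations is 0.
never_evaluated() {
    awk '
        $1 != "[" { rule = $0; next }          # a rule line: remember it
        $1 == "[" {                            # the counter line that follows it
            for (i = 1; i <= NF; i++)
                if ($i == "Evaluations:" && $(i + 1) == 0)
                    print rule
        }
    '
}

# Count the rules present at all: an empty ruleset after `pfctl -f pf.conf`
# (e.g. a macro typo that aborted the load) would otherwise look like "nothing
# is wrong" to the filter above.
rule_count() {
    awk '$1 != "[" { n++ } END { print n + 0 }'
}

# On the live box:  pfctl -vsr | never_evaluated
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_PFCTL_VSR" | never_evaluated
```

If the block rule shows up in this list while `pfctl -si` counters and a `tcpdump -ni sis0` on the PF box are also quiet, the probes never touch the firewall and no rule change will stop them; if the rule is evaluated with a non-zero count, look at the rule itself and at the `quick` rules above it.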