Hi,

On Tue Nov 6 2012 10:49, Wesley wrote:
> I just built a small firewall using OpenBSD 5.2
> Advice is welcome... ;-)
>
> Thank you very much.
>
> So, 2 interfaces, with the following rules :
>
> -Traffic only IPv4
> -Allow pings in/out
> -Allow our lan to only have ftp/http and https
> -Allow an access from anywhere to our RDP server
> -Prioritizing Acks
>
> *************************************************
> lan=rl0
> allow="{www,ftp,https}"
  ^^^^^^^^^^^^^^^^^^^^^^^

I'd change the last line to:

allowed_tcp = "{ ftp, www, https, domain }"
allowed_udp = "{ domain }"

> rdphost="10.0.0.10"
>
> set skip on lo
> set block-policy return
>
> match in all scrub (no-df max-mss 1440)
> match out on egress inet from $lan:network to any nat-to egress
>
> block log all
>
> anchor "ftp-proxy/*"
> pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

Really? You want this rule to apply on egress, too?

> pass out on egress inet proto tcp set prio (1,7)
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I'd convert this to a "match" rule, which affects traffic in both
directions, and is decision-agnostic:

match on egress inet proto tcp set prio (1, 7)

> pass out on egress inet proto udp
> pass out on $lan inet

This could be crammed into one line:

pass out inet all

> pass in on $lan proto udp from $lan:network to port domain
> pass in on $lan proto tcp from $lan:network to port $allow

Is it on purpose you don't want TCP DNS to pass? If not, you'd change
these lines to:

pass in on $lan inet proto udp from $lan:network to port $allowed_udp
pass in on $lan inet proto tcp from $lan:network to port $allowed_tcp

> pass inet proto icmp all icmp-type echoreq

Are you missing unreach?

> pass in on egress inet proto tcp from any to any port 3389 \
>     rdr-to $rdphost tag rdp set prio (1,7)

No need to set priority here anymore.

> pass out on $lan tagged rdp

Superfluous.
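For reference, here is what Wesley's pf.conf looks like once every suggestion in the reply above is applied. This is an added example, not a file posted by either participant: it keeps the quoted interface name, RDP host and ftp-proxy port, and it makes one assumption the reply only hints at by restricting the ftp divert rule to traffic arriving on $lan from the LAN network.

```pf
# OpenBSD 5.2 pf.conf, reconstructed from the thread (added example).
# Assumptions: rl0 is the LAN side, "egress" resolves to the uplink,
# ftp-proxy(8) listens on 127.0.0.1:8021 (ftpproxy_flags in rc.conf.local).

lan = "rl0"
allowed_tcp = "{ ftp, www, https, domain }"   # TCP DNS included, as suggested
allowed_udp = "{ domain }"
rdphost = "10.0.0.10"

set skip on lo
set block-policy return

# Normalisation and NAT: match rules leave the pass/block decision to later rules.
match in all scrub (no-df max-mss 1440)
match out on egress inet from $lan:network to any nat-to egress

# ACK prioritisation as a match rule: applies in both directions on egress,
# so the RDP rule below no longer needs its own "set prio".
match on egress inet proto tcp set prio (1, 7)

block log all

# Active FTP from the LAN only: restricting the divert to $lan (assumption)
# keeps inbound FTP on egress from being handed to the proxy.
anchor "ftp-proxy/*"
pass in quick on $lan inet proto tcp from $lan:network to any port ftp \
    divert-to 127.0.0.1 port 8021

# One outbound rule replaces the two per-interface pass out rules.
pass out inet all

# LAN clients: only the listed services.
pass in on $lan inet proto udp from $lan:network to port $allowed_udp
pass in on $lan inet proto tcp from $lan:network to port $allowed_tcp

# Ping plus unreachables (for PMTU discovery and traceroute replies).
pass inet proto icmp all icmp-type { echoreq, unreach }

# RDP forward: the state created here is floating by default, so the
# translated packet leaves on $lan without a separate "pass out ... tagged" rule.
pass in on egress inet proto tcp from any to any port 3389 rdr-to $rdphost
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -f /etc/pf.conf` to load and `pfctl -sr` to see the rules as pf expanded them. Two caveats worth knowing when reading this: pf already associates ICMP error packets with the TCP or UDP state they refer to, so the explicit `unreach` entry mainly matters for errors that match no existing state; and the `quick` on the ftp divert rule means nothing after it is evaluated for that traffic, which is the intent, since ftp-proxy installs its own rules under the anchor.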