Hi all,

Just wanted some comments on this pf.conf design.  Mostly,
I am hoping a second pair of eyes will spot any major oversight
on my part.  I've not tested this set-up yet!  Just some
scratch-pad design/brain-storming.

Thanks :-)
--patrick



# Pseudo PF design:
#
# I'm preparing to replace a current firewall with a PF firewall.
# I've been reading through PF User's Guide again to refresh
# my memory of what can and cannot be done with PF.  The PF
# firewall will have 4 interfaces in bridge mode.  One connects
# to the DSL router. One to the DMZ. One to the LAN and the
# last to the Wireless router (not yet in place -- planned for
# near future).  The last interface will probably need an
# IP since I plan to use IPsec over the wireless (I don't yet
# know much about this process and skipping it in this discussion).
# Potentially using the PF firewall as the access point (have to
# research this further as well).
#
# I just wanted to present what I'm thinking of doing in semi-
# pseudo PF code, and get your feedback on whether I'm thinking
# through this straight or whether I need to adjust my thinking.
#
# Static IP Subnet:
#     x.x.x.0/28
#     Divided into 4 "sections"
#         a) DSL router
#         b) Wifi router (planned for near future with IPsec)
#         c) LAN section (workstations, laptops)
#         d) "DMZ" section: servers (www, dns, mail)
#
# DSL Router:
#     has a WAN side IP
#     has a LAN side IP (x.x.x.1)
#
# PF server:
#     has 4 interfaces: a, b, c and d
#     1 static IP on interface b: x.x.x.6 (for IPsec and possibly hostap)
#
# __DMZ__:
#     4 static IPs x.x.x.2-.5
#
# __WIFI__:
#     4 static IPs x.x.x.7-.10
#
# __LAN__:
#     4 static IPs x.x.x.11-.14
#
#
#                   /Internet/
#                       |
#                  [DSL Router]
#                   .1  |
#                       |
#   __WIFI__           (a)             ___DMZ___
#      .7          +----+----+         .2  dns1 / mail1
#      .8  -----(b)|   PF    |(d)----- .3  dns2 / mail2
#      .9       .6 +----+----+         .4  www1
#     .10              (c)             .5  www2
#                       |
#                       |
#                    __LAN__
#                .11 .12 .13 .14


dsl_if = "de0"
dmz_if = ...
lan_if = ...
wifi_if = "ath0" # maybe...
                 # but maybe "xl0" connecting to a port on a wifi router

# Local network
locnet = "x.x.x.0/28"

# DSL Router
dsl_router = "x.x.x.1"

# VPN interface for IPsec path for Wifi users (or even as the access-point
# interface)
vpn = "x.x.x.6"

# DMZ servers
dns1  = "x.x.x.2"
mail1 = "x.x.x.2"
dns2  = "x.x.x.3"
mail2 = "x.x.x.3"
www1  = "x.x.x.4"
www2  = "x.x.x.5"
dmz_grp = "{" $dns1 $dns2 $www1 $www2 "}"

# Wifi users
mobile1 = "x.x.x.7"
mobile2 = "x.x.x.8"
mobile3 = "x.x.x.9"
mobile4 = "x.x.x.10"
wifi_grp = "{" $mobile1 $mobile2 $mobile3 $mobile4 "}"

# LAN clients
desk1 = "x.x.x.11"
desk2 = "x.x.x.12"
desk3 = "x.x.x.13"
desk4 = "x.x.x.14"
lan_grp = "{" $desk1 $desk2 $desk3 $desk4 "}"

wifi2net_ports = "{ 80 443 5190 }"
wifi2dmz_ports = "{ 53 80 }"
ping = "echoreq"

# Shorthand
dns  = "{" $dns1 $dns2 "} port 53"
mail = "{" $mail1 $mail2 "} port 25 flags S/SA"
www  = "{" $www1 $www2 "} port {80 443} flags S/SA"
keep_sane = "keep state (max-src-conn 50, max-src-conn-rate 15/5, " \
    "overload <abusers> flush global)"

table <abusers> persist

table <spamd> persist
table <spamd-white> persist


set skip on { lo }
set block-policy return

scrub in

rdr pass on $lan_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $dsl_if proto tcp from <spamd> to port smtp \
        -> 127.0.0.1 port spamd
rdr pass on $dsl_if proto tcp from !<spamd-white> to port smtp \
        -> 127.0.0.1 port spamd

block in quick from <abusers>
block all

antispoof quick for { lo }

#----------------------
# Interface a / $dsl_if
# - LAN workstations are trusted more than those on WIFI
pass out on $dsl_if proto {tcp udp} from $lan_grp to any keep state
pass out on $dsl_if proto tcp from $wifi_grp to \
        any port $wifi2net_ports keep state
#
# Any traffic coming in on $dsl_if should be destined for "DMZ" only!
pass in on $dsl_if proto tcp from any to $mail $keep_sane
pass in on $dsl_if proto tcp from any to $www $keep_sane
pass in on $dsl_if proto udp from any to $dns $keep_sane
# Allow pings to "DMZ"
pass in on $dsl_if proto icmp from any to $dmz_grp icmp-type $ping $keep_sane

#-----------------------
# Interface b / $wifi_if
# - Nothing should be connecting to wifi clients
#   (default block all)
# - WIFI group only gets to use "DMZ" DNS and Web servers (no mail!)
pass in on $wifi_if proto tcp from $wifi_grp to $www keep state
pass in on $wifi_if proto udp from $wifi_grp to $dns keep state
# This should cover any out-bound traffic (to the net)
pass in on $wifi_if from $wifi_grp to !$locnet

#-----------------------
# Interface c / $lan_if
# - Nothing should be connecting to lan workstations
#   (default block all)
# LAN workstations should be able to connect to all "DMZ" servers
pass in on $lan_if from $lan_grp to $dmz_grp keep state
# Covers out-bound traffic (to the net)
pass in on $lan_if from $lan_grp to !$locnet

#-----------------------
# Interface d / $dmz_if
# We are filtering what is destined for DMZ on $dsl_if, $wifi_if and $lan_if
# and establish states for them. Therefore, the default "block all" rule,
# should be the desired behavior.
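Added here as an illustration, not code from the original post: a small model of pf's rule evaluation (last matching rule wins unless a rule is `quick`, floating state from a `keep state` rule covering the other bridge hop) applied to a transcription of the draft's filter rules, so the intended policy can be checked on paper before loading it. It assumes 192.0.2.0/28 in place of x.x.x.0/28, interface names `dsl`/`wifi`/`lan`/`dmz`, and one constructed `<abusers>` entry.

```python
# Added example, not the original post's code: 192.0.2.0/28 (documentation
# space) stands in for x.x.x.0/28, and <abusers> holds one constructed entry.
import ipaddress
LOCNET = ipaddress.ip_network("192.0.2.0/28")

def hosts(*n):
    return {f"192.0.2.{i}" for i in n}

DMZ, WIFI, LAN = hosts(2, 3, 4, 5), hosts(7, 8, 9, 10), hosts(11, 12, 13, 14)
MAIL = DNS = hosts(2, 3)  # dns1/mail1 and dns2/mail2 share hosts in the draft
WWW = hosts(4, 5)
# Transcription of the draft's filter rules, in order. Omitted keys are
# wildcards as in pf; dst_outside is "to !$locnet"; state marks "keep state".
RULES = [
    dict(action="block", quick=True, dir="in", src={"198.51.100.9"}),  # <abusers>
    dict(action="block"),
    dict(action="pass", dir="out", iface="dsl", proto={"tcp", "udp"}, src=LAN, state=True),
    dict(action="pass", dir="out", iface="dsl", proto={"tcp"}, src=WIFI, dport={80, 443, 5190}, state=True),
    dict(action="pass", dir="in", iface="dsl", proto={"tcp"}, dst=MAIL, dport={25}, state=True),
    dict(action="pass", dir="in", iface="dsl", proto={"tcp"}, dst=WWW, dport={80, 443}, state=True),
    dict(action="pass", dir="in", iface="dsl", proto={"udp"}, dst=DNS, dport={53}, state=True),
    dict(action="pass", dir="in", iface="wifi", proto={"tcp"}, src=WIFI, dst=WWW, dport={80, 443}, state=True),
    dict(action="pass", dir="in", iface="wifi", proto={"udp"}, src=WIFI, dst=DNS, dport={53}, state=True),
    dict(action="pass", dir="in", iface="wifi", src=WIFI, dst_outside=True),
    dict(action="pass", dir="in", iface="lan", src=LAN, dst=DMZ, state=True),
    dict(action="pass", dir="in", iface="lan", src=LAN, dst_outside=True),
]

def matches(rule, pkt):
    def ok(key, want):
        if key == "dst_outside":
            return ipaddress.ip_address(pkt["dst"]) not in LOCNET
        return pkt.get(key) in want if isinstance(want, set) else pkt.get(key) == want
    return all(ok(k, w) for k, w in rule.items() if k not in ("action", "quick", "state"))

def evaluate(pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is quick."""
    winner = {"action": "block"}
    for r in RULES:
        if matches(r, pkt):
            winner = r
            if r.get("quick"):
                break
    return winner

def bridged(pkt, in_if, out_if):
    """First packet of a flow crossing the bridge: a keep-state rule on the in hop
    creates a floating state that also passes the out hop (the draft's $dmz_if reasoning)."""
    first = evaluate(dict(pkt, dir="in", iface=in_if))
    if first["action"] != "pass":
        return False
    return bool(first.get("state")) or evaluate(dict(pkt, dir="out", iface=out_if))["action"] == "pass"
```

Running `bridged(dict(proto="tcp", src="192.0.2.7", dst="203.0.113.5", dport=22), "wifi", "dsl")` shows the stateless `pass in on $wifi_if ... to !$locnet` hop admitting the packet and the `pass out on $dsl_if` rule then dropping it, since port 22 is not in `$wifi2net_ports`.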