Hi all,

Just wanted some comments on this pf.conf design. Mostly, I am hoping a second pair of eyes can spot any major oversight on my part. I've not tested this setup yet! Just some scratch-pad design/brainstorming.
Thanks :-) --patrick

# Pseudo PF design:
#
# I'm preparing to replace a current firewall with a PF firewall.
# I've been reading through the PF User's Guide again to refresh
# my memory of what can and cannot be done with PF. The PF
# firewall will have 4 interfaces in bridge mode. One connects
# to the DSL router. One to the DMZ. One to the LAN and the
# last to the Wireless router (not yet in place -- planned for
# the near future). The last interface will probably need an
# IP since I plan to use IPsec over the wireless (I don't yet
# know much about this process and am skipping it in this discussion).
# Potentially using the PF firewall as the access point (have to
# research this further as well).
#
# I just wanted to present what I'm thinking of doing in semi-
# pseudo PF code, and get your feedback on whether I'm thinking
# through this straight or whether I need to adjust my thinking.
#
# Static IP Subnet:
#   x.x.x.0/28
#   Divided into 4 "sections"
#     a) DSL router
#     b) Wifi router (planned for near future with IPsec)
#     c) LAN section (workstations, laptops)
#     d) "DMZ" section: servers (www, dns, mail)
#
# DSL Router:
#   has a WAN side IP
#   has a LAN side IP (x.x.x.1)
#
# PF server:
#   has 4 interfaces: a, b, c and d
#   1 static IP on interface b: x.x.x.6 (for IPsec and possibly hostap)
#
# __DMZ__:
#   4 static IPs x.x.x.2-.5
#
# __WIFI__:
#   4 static IPs x.x.x.7-.10
#
# __LAN__:
#   4 static IPs x.x.x.11-.14
#
#
#                      /Internet/
#                          |
#                     [DSL Router]
#                       .1 |
#                          |
#   __WIFI__              (a)              ___DMZ___
#   .7               +----+----+           .2 dns1 / mail1
#   .8    -----(b)   |    PF   |   (d)----- .3 dns2 / mail2
#   .9          .6   +----+----+           .4 www1
#   .10                   (c)              .5 www2
#                          |
#                          |
#                       __LAN__
#                  .11 .12 .13 .14

dsl_if  = "de0"
dmz_if  = ...
lan_if  = ...
wifi_if = "ath0"   # maybe...
                   # but maybe "xl0" connecting to a port on a wifi router

# Local network
locnet = "x.x.x.0/28"

# DSL Router
dsl_router = "x.x.x.1"

# VPN interface for IPsec path for Wifi users (or even as the access-point
# interface)
vpn = "x.x.x.6"

# DMZ servers
dns1  = "x.x.x.2"
mail1 = "x.x.x.2"
dns2  = "x.x.x.3"
mail2 = "x.x.x.3"
www1  = "x.x.x.4"
www2  = "x.x.x.5"
dmz_grp = "{" $dns1 $dns2 $www1 $www2 "}"

# Wifi users
mobile1 = "x.x.x.7"
mobile2 = "x.x.x.8"
mobile3 = "x.x.x.9"
mobile4 = "x.x.x.10"
wifi_grp = "{" $mobile1 $mobile2 $mobile3 $mobile4 "}"

# LAN clients
desk1 = "x.x.x.11"
desk2 = "x.x.x.12"
desk3 = "x.x.x.13"
desk4 = "x.x.x.14"
lan_grp = "{" $desk1 $desk2 $desk3 $desk4 "}"

wifi2net_ports = "{ 80 443 5190 }"
wifi2dmz_ports = "{ 53 80 }"   # currently unused; the wifi rules below use $www/$dns
ping = "echoreq"

# Shorthand
dns  = "{" $dns1 $dns2 "} port 53"
mail = "{" $mail1 $mail2 "} port 25 flags S/SA"
www  = "{" $www1 $www2 "} port {80 443} flags S/SA"
# editor's note: max-src-conn / max-src-conn-rate only take effect for TCP
# (they are counted when the 3-way handshake completes), so this macro is
# used on the TCP rules only below.
keep_sane = "keep state (max-src-conn 50, max-src-conn-rate 15/5, " \
            "overload <abusers> flush global)"

table <abusers> persist
table <spamd> persist
table <spamd-white> persist

set skip on { lo }
set block-policy return

scrub in

# editor's note: these redirects send packets to the firewall's own 127.0.0.1,
# but $lan_if and $dsl_if are unnumbered bridge members here; check the
# bridging section of the PF FAQ before relying on rdr/ftp-proxy/spamd on them.
rdr pass on $lan_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $dsl_if proto tcp from <spamd> to port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $dsl_if proto tcp from !<spamd-white> to port smtp \
    -> 127.0.0.1 port spamd

block in quick from <abusers>
block all
antispoof quick for { lo }

#----------------------
# Interface a / $dsl_if
# - LAN workstations are trusted more than those on WIFI
pass out on $dsl_if proto {tcp udp} from $lan_grp to any keep state
pass out on $dsl_if proto tcp from $wifi_grp to \
    any port $wifi2net_ports keep state
#
# Any traffic coming in on $dsl_if should be destined for "DMZ" only!
pass in on $dsl_if proto tcp from any to $mail $keep_sane
pass in on $dsl_if proto tcp from any to $www $keep_sane
pass in on $dsl_if proto udp from any to $dns keep state
# Allow pings to "DMZ"
pass in on $dsl_if proto icmp from any to $dmz_grp icmp-type $ping keep state

#-----------------------
# Interface b / $wifi_if
# - Nothing should be connecting to wifi clients
#   (default block all)
# - WIFI group only gets to use "DMZ" DNS and Web servers (no mail!)
pass in on $wifi_if proto tcp from $wifi_grp to $www keep state
pass in on $wifi_if proto udp from $wifi_grp to $dns keep state
# This should cover any out-bound traffic (to the net)
pass in on $wifi_if from $wifi_grp to !$locnet

#-----------------------
# Interface c / $lan_if
# - Nothing should be connecting to lan workstations
#   (default block all)
# LAN workstations should be able to connect to all "DMZ" servers
pass in on $lan_if from $lan_grp to $dmz_grp keep state
# Covers out-bound traffic (to the net)
pass in on $lan_if from $lan_grp to !$locnet

#-----------------------
# Interface d / $dmz_if
# We are filtering what is destined for DMZ on $dsl_if, $wifi_if and $lan_if
# and establish states for them. Therefore, the default "block all" rule
# should be the desired behavior.
# editor's note: "block all" also drops connections the DMZ hosts start
# themselves (outbound SMTP delivery from mail1/mail2, recursive lookups from
# dns1/dns2); those need explicit pass rules on $dmz_if.
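The two changes a reviewer would ask for before this ruleset is loaded, written out as an added example (this is not part of Patrick's post; it reuses his macro and table names, and the list of what each DMZ server is allowed to start is an assumption about the server roles, not something the post states):

```pf
# Added example, not from the original post. Assumes the macros and tables
# defined in the posted design ($dsl_if, $dmz_if, $locnet, $dns, $mail,
# $dmz_grp, $ping, <abusers>, ...). Replaces the corresponding rules there.

# 1. max-src-conn / max-src-conn-rate only fire for TCP (they are evaluated
#    when the 3-way handshake completes), so the overload macro belongs on TCP
#    rules only. UDP can still be capped per source with max-src-states,
#    which limits state entries but does not feed the overload table.
keep_sane_tcp = "keep state (max-src-conn 50, max-src-conn-rate 15/5, " \
                "overload <abusers> flush global)"
keep_sane_udp = "keep state (max-src-states 50)"

pass in on $dsl_if proto tcp  from any to $mail $keep_sane_tcp
pass in on $dsl_if proto tcp  from any to $www  $keep_sane_tcp
pass in on $dsl_if proto udp  from any to $dns  $keep_sane_udp
pass in on $dsl_if proto icmp from any to $dmz_grp icmp-type $ping keep state

# 2. The posted design has no pass rule for traffic the DMZ servers start
#    themselves, so "block all" silently drops outbound mail delivery and
#    recursive DNS. Allow exactly what each role needs, to the Internet only
#    (assumed roles: mail1/mail2 deliver mail, dns1/dns2 resolve recursively,
#    every server fetches updates over HTTP/HTTPS).
pass in on $dmz_if proto tcp from { $mail1 $mail2 } to !$locnet port smtp   keep state
pass in on $dmz_if proto udp from { $dns1 $dns2 }   to !$locnet port domain keep state
pass in on $dmz_if proto tcp from { $dns1 $dns2 }   to !$locnet port domain keep state
pass in on $dmz_if proto tcp from $dmz_grp          to !$locnet port { 80 443 } keep state

# Replies ride the floating states created above, so no matching "pass out"
# on $dsl_if is needed. Anything else a DMZ host tries to start, in particular
# toward the LAN or WIFI segments, still hits "block all", which is what keeps
# a compromised DMZ server from pivoting inward.
```

Load it with `pfctl -nf /etc/pf.conf` first: `-n` parses without installing, so macro expansion and option placement (for example, the `flags S/SA` that `$mail` and `$www` carry in front of `keep state`) get checked before anything changes on the bridge.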