-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joco Salvatti wrote:
> Hi all,
> 
> I have an OpenBSD 3.9 machine acting as a firewall. It has two network
> interface cards, one connected to my local network and the other one
> connected to the Internet. My default policy is blocking all traffic using
> 
> block all
> 
> I don't want anyone from my local network to connect to MSN and P2P
> programs, so I haven't created any rule to permit those kinds of
> packet traffic. But I'm facing a lot of problems due to this, because
> I have to specify packets that should pass through my internal and external
> interfaces. I'd like any ideas or tips from PF gurus about how to
> improve my firewall policies. I have an idea: allow everything at my
> internal NIC and block all at my external NIC, so all I would have to do is
> specify allowed incoming and outgoing traffic only at my external
> NIC. But I'll be waiting for (better) proposals.
> 
> By now, thanks for the time spent reading this e-mail.
> 

You can approach this several different ways.

If going the route where you plan to pass all traffic on the internal
interface, use the 'skip' option:

set skip on $if_int


If you want to allow access out for certain ports, create a macro to
store the list of ports you want to allow, then use that macro in your
filters.  This makes maintenance easy because you can add/remove tcp/udp
ports as needed.  If you need to restrict access on a per host/port
basis, you will need separate rules for each designated host.

# MACROS
if_ext  = "PLACEHOLDER_EXT_IF"   # placeholder: name of the external NIC
net_int = "PLACEHOLDER_LAN_NET"  # placeholder: your LAN prefix, e.g. 192.168.1.0/24
lan_tcp_out = "{ 22, 25, 80, 443 }"
lan_udp_out = "{ 53, 123 }"

# TABLES
table <bogon> const { 2/8, 5/8, 7/8, ... }

# FILTERS
# Only the listed destination ports may leave via the external NIC, and
# never towards a bogon net. 'modulate state' randomizes TCP initial
# sequence numbers; 'flags S/SA' lets only the initial SYN create state.
pass out on $if_ext inet proto tcp from $net_int to !<bogon> \
     port $lan_tcp_out modulate state flags S/SA
pass out on $if_ext inet proto udp from $net_int to !<bogon> \
     port $lan_udp_out keep state



In the snippets above, I use the <reserved> table to store certain bogon
nets.  See http://www.completewhois.com/bogons/ for a list of current
bogon nets.  Instructions on automating the load of this data are
available at http://www.completewhois.com/bogons/bogons_usage.htm.


If you don't want to allow all traffic from the internal network, you can
extend the above snippet to handle the traffic from your LAN to your router:

# MACROS
if_int  = "PLACEHOLDER_INT_IF"   # placeholder: name of the internal NIC
if_ext  = "PLACEHOLDER_EXT_IF"   # placeholder: name of the external NIC
net_int = "PLACEHOLDER_LAN_NET"  # placeholder: your LAN prefix, e.g. 192.168.1.0/24
lan_tcp_out = "{ 22, 25, 80, 443 }"
lan_udp_out = "{ 53, 123 }"

# TABLES
# <bogon> is left non-const on purpose so it can be refreshed at runtime
# with 'pfctl -t bogon -T replace -f <file>'; <reserved> never changes and
# is marked const.
table <bogon> persist { 0/8, 10/8, 20.20.20.0/24, 127/8, \
    169.254/16, 172.16/12, 192.0.2/24, 192.168/16, 224/3, \
    255.255.255.255/32 }
table <reserved> const { 0/8, 10/8, 20.20.20.0/24, 127/8, \
    169.254/16, 172.16/12, 192.0.2/24, 192.168/16, 224/3, \
    255.255.255.255/32 }

# FILTERS
# pf cannot define one table in terms of other tables, so there is no
# <net_ext> table; instead, traffic to a reserved or bogon destination is
# dropped by the 'quick' rules and the pass rules below match the rest.
block in  quick on $if_int from $net_int to { <reserved>, <bogon> }
block out quick on $if_ext from $net_int to { <reserved>, <bogon> }

pass in  on $if_int inet proto tcp from $net_int to any \
     port $lan_tcp_out keep state
pass out on $if_ext inet proto tcp from $net_int to any \
     port $lan_tcp_out modulate state flags S/SA

pass in  on $if_int inet proto udp from $net_int to any \
     port $lan_udp_out keep state
pass out on $if_ext inet proto udp from $net_int to any \
     port $lan_udp_out keep state


I just typed those up, so there may be inaccuracies.  Hopefully you get
the idea behind the structure.

Axton Grams
iD8DBQFEjHZG2VxhVxhm8jIRAgT/AJ9DeGvQ56qK4H2coasV4X3zMzJ/2gCgqUni
5PowDKgZC+VscKI4R5RHFmE=
=hwvS
-----END PGP SIGNATURE-----
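The automated table refresh that the reply points to, written out as an added example (this is not Axton's code and not the script from completewhois.com): a POSIX sh script, assumed to run as root on OpenBSD, with the table name <bogon> taken from the second snippet and BOGON_URL as a placeholder for the list location. It validates every downloaded line as an IPv4 CIDR and refuses to replace the table on an empty or malformed list, because with the pass rules above an empty <bogon> table would quietly disable the bogon check.

```shell
#!/bin/sh
# Added example for the "automating the load" step in the reply above; not
# Axton's script and not from completewhois.com. Refreshes the non-const
# <bogon> table with pfctl(8), but leaves the table untouched whenever the
# download is empty or contains anything that is not a plain IPv4 CIDR, so a
# truncated or tampered list cannot silently empty the table.
# Assumptions (placeholders): the table is named <bogon>, BOGON_URL points at
# a plain-text CIDR list, and the script runs as root on OpenBSD.

# Keep only lines of the form a.b.c.d/n (octets 0-255, prefix 0-32). Comments
# and blank lines are dropped; any other line makes awk exit non-zero, and
# awk's status is the status of the whole pipeline.
sanitize_bogons() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk -F'[./]' '
        NF == 0 { next }                      # blank after comment stripping
        NF != 5 { exit 1 }                    # not four octets plus a prefix
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
            print
        }'
}

# Download, sanitize, and atomically replace the table. Returns non-zero and
# keeps the current table on any failure.
refresh_bogon_table() {
    url=${1:?usage: refresh_bogon_table URL}
    tmp=$(mktemp /tmp/bogons.XXXXXXXX) || return 1
    # ftp(1) is OpenBSD's HTTP fetcher; substitute curl or fetch elsewhere.
    if ! ftp -o - "$url" | sanitize_bogons > "$tmp"; then
        echo "bogon list rejected: malformed entry, keeping current table" >&2
        rm -f "$tmp"; return 1
    fi
    if [ ! -s "$tmp" ]; then
        echo "bogon list rejected: empty result (download failed?)" >&2
        rm -f "$tmp"; return 1
    fi
    # -T replace swaps the table contents in one step; this only works
    # because <bogon> is not declared const in pf.conf.
    pfctl -t bogon -T replace -f "$tmp"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && pfctl -t bogon -T show | wc -l
    return "$rc"
}

# Run from cron, e.g.:  BOGON_URL=<list url> sh refresh-bogons.sh run
if [ "${1:-}" = "run" ]; then
    refresh_bogon_table "${BOGON_URL:?set BOGON_URL to the list location}"
fi
```

The const keyword therefore belongs on <reserved>, which never changes, and not on the table you intend to update: pfctl refuses to replace a const table, which is exactly what you want for the fixed list and exactly what would break the cron job for the bogon list.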
