Evening everyone.
Well, I won't beat around the bush. I'll get right to the point.
I'm pretty new to OpenBSD and PF, but I'm having a blast learning it all. It's a lot of fun, but I have much to learn. I've read as much documentation as I can find on both PF and IPF. I've gone through the How-To as well as the archives and man pages.
I feel like it's slowly sinking in, but I still have some questions. I wanted to post my rules here and have some people take a look at them, tell me what I'm missing, what I need/don't need, and give some good all-around advice. I just want to make sure I'm understanding the concept. So if someone could give me some tips, I'd be very grateful.
So here goes:
My network:
Cable modem that issues a dynamic IP
OpenBSD 3.1 firewall/gateway, running PF and NAT.
Internal LAN has 4 boxes, running private IP addresses of 192.168.1.0/16
No internal webservers, email servers or DNS servers.
I want no internet/outside world access to my firewall or my internal LAN.
Want the internal LAN to have access to the internet, FTP and ISP's mail server.
The rules:
#Declare interfaces and the works
ExtIf = "dc0" #Untrusted (from cable modem) side
IntIf = "dc1" #Trusted (to switch) side
Loop = "lo0"

#Scrub/Normalize packets (reassemble fragments, drop malformed packets)
scrub out all
scrub in all

#BLOCK SPOOFED/PRIVATE IP ADDRESSES:
#default deny for anything arriving on any interface; last matching rule wins
#unless a rule says "quick", which stops evaluation at that rule
block in all
block in quick on $ExtIf from 192.168.0.0/16 to any
block in quick on $ExtIf from 172.16.0.0/12 to any
block in quick on $ExtIf from 10.0.0.0/8 to any
block in quick on $ExtIf from 0.0.0.0/8 to any
block in quick on $ExtIf from 169.254.0.0/16 to any
block in quick on $ExtIf from 192.0.2.0/24 to any
block in quick on $ExtIf from 224.0.0.0/3 to any
block in log quick on $ExtIf from 20.20.20.0/24 to any
block in log quick on $ExtIf from any to 20.20.20.0/32
block in log quick on $ExtIf from any to 20.20.20.255/32
#brace list expands to one rule per protocol; "keep state" lets the replies back in
pass out quick on $ExtIf proto { tcp, udp } from 192.168.1.0/16 to any keep state
pass out quick on $ExtIf proto icmp from 192.168.1.0/16 to any keep state

#silently drop broadcasts (cable modem noise)
block in quick on $ExtIf from any to 255.255.255.255

#TO BLOCK SPOOFED TRAFFIC FROM LAN!!
block out log quick on $ExtIf from any to 192.0.2.0/24
block out log quick on $ExtIf from any to 172.16.0.0/12
block out log quick on $ExtIf from any to 169.254.0.0/16
block out log quick on $ExtIf from any to 0.0.0.0/8
block out log quick on $ExtIf from any to 204.152.64.0/23
block out log quick on $ExtIf from any to 224.0.0.0/3
#ICMP type 8 is echo request; the state entry admits the matching echo reply
pass out quick on $ExtIf proto icmp from 192.168.1.0/16 to any icmp-type 8 keep state
#everything else leaving the external interface is dropped and logged
block out log quick on $ExtIf from any to any
I'm pretty sure I left out a lot. But that's why I'm asking. Seeking help to fine-tune my rules and get a better grasp.
Also, I would like my internal LAN to be able to ping, dig, nslookup, etc. on the outside world.
I appreciate everyone's help. Looking forward to seeing how my work is so far.
Thanks everyone.
Jason
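An added pf.conf fragment, not part of Jason's post, showing the pieces the ruleset above is missing before the LAN can reach the outside world: with "block in all" and no "pass in" on $IntIf, LAN packets are dropped on dc1 before NAT ever sees them, and because NAT rewrites the source address before the outbound filter on $ExtIf runs, "pass out" rules matching "from 192.168.1.0/16" never match translated traffic. It keeps the ExtIf/IntIf macros from the post and assumes a LAN macro of 192.168.1.0/24 (the post says /16; adjust to the real mask), with NAT configured wherever it already is.

```pf
# Added example, not part of the original post. Assumes the interface
# macros from the post and a LAN of 192.168.1.0/24 (assumption; the post
# says /16, adjust to the real mask). NAT itself is configured elsewhere.
ExtIf = "dc0"
IntIf = "dc1"
LAN   = "192.168.1.0/24"

scrub in all
scrub out all

# Default deny in both directions; every rule below must opt traffic in.
block in all
block out all

# Loopback traffic never comes from the outside; let it through.
pass quick on lo0 all

# Trusted side: accept what the LAN sends to dc1 and let replies back out.
# "keep state" makes the reply packets match without an extra rule.
pass in  quick on $IntIf from $LAN to any keep state
pass out quick on $IntIf from any to $LAN keep state

# The "block in quick" / "block out log quick" anti-spoof rules from the
# post go here: "quick" means first match wins, so they must come before
# the pass rules below or they never fire for LAN-originated packets.

# Untrusted side, outbound only. No "from $LAN" here: NAT has already
# rewritten the source to the cable-modem address by the time the
# outbound filter on dc0 sees the packet, so "from 192.168.1.0/..."
# would never match translated traffic.
# TCP (web, FTP control channel, ISP mail): only a SYN may create state.
pass out quick on $ExtIf proto tcp all flags S/SA keep state
# UDP: DNS lookups (dig, nslookup) and any other UDP client.
pass out quick on $ExtIf proto udp all keep state
# ICMP echo request only, so ping works and the echo reply is admitted by state.
pass out quick on $ExtIf proto icmp all icmp-type 8 code 0 keep state

# Nothing is passed in on dc0: the initial "block in all" drops it, while
# replies to the stateful rules above are matched against the state table
# before the ruleset is consulted, so no "pass in on $ExtIf" is needed.
```

Check the result with "pfctl -nf /etc/pf.conf" (parse only) before loading it, and watch "pfctl -ss" while a LAN box runs ping and dig to confirm the state entries appear on dc0.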
