Hi peoples..
I was hoping that some people would take a look over this ruleset I've
written and offer any advice on optimisation. This is a pre-template for
more stuff which will be added later. Usually I'm quite comfortable at doing
this myself, but this is the first transparent bridge with 4 interfaces that I
have built using pf.
This makes the design just *slightly* trickier...
Just as a quick overview, there are 4 interfaces with 4 subsequent networks
they are protecting.
ext_if= internet interface
corp_if=trusted network interface
dmz_if=dmz network interface
dev_if=dmz #2 network interface
Before having a look, these are a couple of things I've learnt thus far.
Firstly, because the bridge has > 2 interfaces, it is not possible just to
pass traffic on one interface and filter on the other. Secondly, due to this
there are two keep state rules required per connection.
### Define Interface aliases
ext_if = "fxp0"
dmz_if = "dc0"
dev_if = "dc1"
corp_if = "fxp1"
### Define address aliases
corp_net = "{ 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24,
192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24, 192.168.8.0/26 }"
dev_net = "{ 192.168.77.128/25 }"
dmz_net = "{ 192.168.78.208/29, 192.168.191.64/26 }"
### default block stance
block in all
block out all
### corp_if rules ###
# allow corporate network anywhere
pass in on $corp_if proto tcp from $corp_net to any flags S keep state
pass in on $corp_if proto { udp, icmp } from $corp_net to any keep state
### dmz_if rules ###
# allow dmz network to internet
pass in on $dmz_if proto tcp from $dmz_net to any flags S keep state
pass in on $dmz_if proto { udp, icmp } from $dmz_net to any keep state
# block traffic from dmz network to corp and dev unless specified
block in on $dmz_if from $dmz_net to $corp_net
block in on $dmz_if from $dmz_net to $dev_net
# allow traffic from corporate network to DMZ
pass out on $dmz_if proto tcp from $corp_net to any flags S keep state
pass out on $dmz_if proto { udp, icmp } from $corp_net to any keep state
### dev_if rules ###
# allow dev network to internet
pass in on $dev_if proto tcp from $dev_net to any flags S keep state
pass in on $dev_if proto { udp, icmp } from $dev_net to any keep state
# block traffic from dev network to corp and dmz unless specified
block in on $dev_if from $dev_net to $corp_net
block in on $dev_if from $dev_net to $dmz_net
# allow traffic from corporate network to DEV
pass out on $dev_if proto tcp from $corp_net to any flags S keep state
pass out on $dev_if proto { udp, icmp } from $corp_net to any keep state
### ext_if rules ###
# allow traffic from corporate network to internet
pass out on $ext_if proto tcp from $corp_net to any flags S keep state
pass out on $ext_if proto { udp, icmp } from $corp_net to any keep state
# allow traffic from dmz network to internet
pass out on $ext_if proto tcp from $dmz_net to any flags S keep state
pass out on $ext_if proto { udp, icmp } from $dmz_net to any keep state
# allow traffic from dev network to internet
pass out on $ext_if proto tcp from $dev_net to any flags S keep state
pass out on $ext_if proto { udp, icmp } from $dev_net to any keep state
--ends--
Feel free to offer suggestions and comments! Daniel, any thoughts? Would
using 'quick' rules in certain places make rule parsing faster?
Cheers,
Adrian.
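As an added example (not Adrian's ruleset and not anything posted to the list), the following small Python model of pf's last-matching-rule evaluation, run over the dmz_if inbound rules above, shows why the block rules written after the pass rules still win, and what adding 'quick' to the pass rules would change. The sample packet addresses and the simplifications (no state table, no TCP flag checks) are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Address groups copied from the posted ruleset.
CORP_NET = ["192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24", "192.168.5.0/24",
            "192.168.6.0/24", "192.168.7.0/24", "192.168.8.0/26"]
DEV_NET = ["192.168.77.128/25"]
DMZ_NET = ["192.168.78.208/29", "192.168.191.64/26"]
ANY = ["any"]

@dataclass
class Rule:
    action: str        # "pass" or "block"
    direction: str     # "in" or "out"
    iface: str         # interface name, or "any"
    protos: tuple      # ("tcp",), ("udp", "icmp") or ("any",)
    src: list          # source prefixes, or ANY
    dst: list          # destination prefixes, or ANY
    quick: bool = False

def in_nets(addr, nets):
    return nets == ANY or any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)

def matches(r, pkt):
    return (r.direction == pkt["dir"] and r.iface in ("any", pkt["if"])
            and (r.protos == ("any",) or pkt["proto"] in r.protos)
            and in_nets(pkt["src"], r.src) and in_nets(pkt["dst"], r.dst))

def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule
    carries 'quick', which stops evaluation at that rule."""
    decision = ("pass", None)   # pf passes a packet that no rule matches
    for i, r in enumerate(rules):
        if matches(r, pkt):
            decision = (r.action, i)
            if r.quick:
                break
    return decision

# The dmz_if inbound rules from the post, in the order written.
DMZ_IN_RULES = [
    Rule("block", "in", "any", ("any",), ANY, ANY),            # block in all
    Rule("pass", "in", "dc0", ("tcp",), DMZ_NET, ANY),         # dmz -> anywhere
    Rule("pass", "in", "dc0", ("udp", "icmp"), DMZ_NET, ANY),
    Rule("block", "in", "dc0", ("any",), DMZ_NET, CORP_NET),   # except corp
    Rule("block", "in", "dc0", ("any",), DMZ_NET, DEV_NET),    # and dev
]

def with_quick_pass(rules):
    """Same ruleset with 'quick' added to every pass rule (the variant asked about)."""
    return [Rule(r.action, r.direction, r.iface, r.protos, r.src, r.dst, r.action == "pass") for r in rules]

# Constructed sample packets: a DMZ host talking to corp, and to the internet.
DMZ_TO_CORP = {"dir": "in", "if": "dc0", "proto": "tcp", "src": "192.168.78.210", "dst": "192.168.2.10"}
DMZ_TO_INET = {"dir": "in", "if": "dc0", "proto": "tcp", "src": "192.168.78.210", "dst": "198.51.100.7"}

if __name__ == "__main__":
    print(evaluate(DMZ_IN_RULES, DMZ_TO_CORP))                   # ('block', 3): later block wins
    print(evaluate(DMZ_IN_RULES, DMZ_TO_INET))                   # ('pass', 1)
    print(evaluate(with_quick_pass(DMZ_IN_RULES), DMZ_TO_CORP))  # ('pass', 1): quick skips the block
```

The last line is the caveat for the 'quick' question: a quick pass rule ends evaluation immediately, so the block rules for corp and dev would have to be moved ahead of it (and could themselves be quick) to keep the intended behaviour.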