Hello everyone. I wanted to send out my updated PF rules and get some feed back and critique on them to better them and lock everything down. I want to thank everyone who has helped me and I value their input. (A lot of whats in here is from the example from the pf.conf man page) Here goes:
Network info:
ISP = cable modem with dynamic IP, DHCP
OpenBSD 3.1 as the Router/Gateway---->running PF and NAT
4 Computers inside internal LAN--->1 Win2k box, 2 Linux and one BSD.
Not running any mail server, email or DNS server on my LAN.
LAN IP range is: 192.168.1.0/24
So here are my rules:
-----Nat.conf-----
#NAT info
nat on $ext_int from 192.168.1.0/24 to any -> $ext_int
#Hostname Files
/etc/hostname.dc0
dhcp NONE NONE NONE
Internal Lan
/etc/hostname.dc1
inet 192.168.1.1 255.255.255.0 NONE media autoselect
----------------------Pf.conf-------------------------------
#Declare interfaces
ext_if = "dc0"
in_int = "dc1"
#Scrub on incoming packets
scrub in on $ext_if all
# block and log everything by default
block out log on $ext_if all
block in log on $ext_if all
block return-rst out log on $ext_if proto tcp all
block return-rst in log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in log on $ext_if proto udp all
# block anything coming form source we have no back routes for
block in from no-route to any
# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16, 255.255.255.255/32 } to any (any other suggestions for
additions here?)
# ICMP
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
# UDP
pass out log on $ext_if proto udp all keep state
pass in on $ext_if proto udp from any to $ext_if keep state
pass in on $ext_if proto udp from any to any keep state
# TCP
pass out on $ext_if proto tcp all modulate state
pass in log on $ext_if proto tcp from any to any port { www, ftp, smtp, }
keep state
pass out log on $ext_if proto tcp from any to any port { www, ftp, ssh,
smtp, pop3, 110, 143, 147 } keep state
pass in log on $ext_if proto tcp from any to $ext_if
pass in log on $ext_if proto tcp from any to $ext_if keep state
Basically, I just want to allow my internal LAN desktops access to the
internet and the basic services: ftp, http, https, nntp, pop, smtp. Also,
i'd like to allow actions like nslookup, dig, whois etc.
Thanks for everyones help. I want to thank David for helping me out and
answering my numerous questions regarding PF and sorts.
I wanted to get started here as quickly as possible so I can get my LAN and
continue to learn as much as I can.
Thanks everyone. Your comments and suggestions are greatly appreciated.
Jason
<<attachment: winmail.dat>>
