On Thu, 2003-02-13 at 11:44, LaPane, Michael (NIH/NINDS) wrote:
> Without completely checking the rules - I would not do { tcp, udp } for
> ports that do not require it (i.e. don't do mail on udp/25) same for SSH.
> Also, didn't see a nat rule? did you do that separately?
>
> You might want to define a macro that shows your lan (it'll be easier to
> translate and to pass out only traffic that originates from your lan).
Macro for the LAN? I thought the last rule passed all that out... hmmm
> Remember the antispoof ('antispoof on $ex_if inet')and to pass traffic
> in/out of the loopback.
>
OK, here is the updated config, complete with NAT rules and removal of
udp/tcp where not needed.
What is antispoof? Is that the thing that rejects internal
addresses? We do use some internal addresses including 192.168, and the
172.19 ranges. Would antispoof only reject them if they hit the ext_if
interface?
######################
# INTERFACE SETTINGS #
######################
ext_if = "xl0"
int_if = "xl1"
dmz    = "xl2"

#############
# NAT Rules #
#############
# Translate everything leaving $ext_if to its (possibly dynamic) address.
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
# Forward VNC (5900/tcp) arriving on $ext_if to the internal host.  rdr only
# translates; the filter rules below still see the packet (now addressed to
# 192.168.0.50) and need a matching pass rule for it to get through.
rdr on $ext_if proto tcp from any to $ext_if port 5900 -> 192.168.0.50 port 5900

##################################
# Block everything IN by default #
##################################
block in log on $ext_if all

############################
# Unwanted list.           #
# Keep these people away!  #
############################
# Lines are continued with a trailing backslash.
blocklist = "{ 66.220.25.151, 216.127.82.63, 216.228.123.2, 138.9.200.8, \
  198.186.220.95, 65.243.141.125, 207.46.125.16, biz360.netmar.com, \
  server37.aitcom.net, rhea.hmdns.net, paris.webpipe.net, \
  evrtwa1-ar3-4-65-130-024.evrtwa1.dsl-verizon.net, dsl-52.psni.net, \
  sea-host134.inter-tel.com, blv-proxy-07.boeing.com, \
  ip-216-73-190-204.hqglobal.net }"
# 'quick' stops evaluation here, so no later pass rule can override the block.
block in log quick on $ext_if inet from $blocklist to any

##############
# ROUTE RULE #
##############
# 'route' is the RIP service (udp/520) from /etc/services.
pass in on { $ext_if, $int_if, $dmz } proto udp from any to any port route keep state

########################
# MAIL SERVER SETTINGS #
########################
emailport  = "{ smtp pop3 imap imaps pop3s 5309 }"
mailserver = "207.109.73.101"
pass in on $ext_if proto tcp from any to $mailserver port $emailport keep state
pass in log on $ext_if proto tcp from any to $mailserver port ssh keep state

#######################
# WEB SERVER SETTINGS #
#######################
webport    = "{ www https }"
webudpport = "{ ntp domain }"
webservers = "207.108.73.64/26"
pass in on $ext_if proto tcp from any to $webservers port $webport keep state
# ntp and domain are UDP services here, and the macro needs its '$'
# (without it pf looks 'webudpport' up as a service name and refuses to load).
pass in on $ext_if proto udp from any to $webservers port $webudpport keep state
pass in log on $ext_if proto tcp from any to $webservers port ssh keep state

###############################
# FTP PROXY SETTINGS (CHARON) #
###############################
charonport = "{ ftp-data ftp 1024 }"
charon     = "207.109.73.104"
pass in on { $ext_if, $dmz } proto tcp from any to $charon port $charonport keep state
pass in log on $ext_if proto tcp from any to $charon port ssh keep state

##################################
# MISCELLANEOUS SSH CONNECTIONS #
##################################
ghost   = "207.109.73.74"
veda    = "207.109.73.73"
lanfear = "207.109.73.93"
pass in on $ext_if proto tcp from any to { $ghost, $veda, $lanfear } port ssh keep state

##########################
# MISCELLANEOUS SETTINGS #
##########################
# Ports 8879 through 9001 inclusive.  Note that 'port 8879 <> 9001' would mean
# every port EXCEPT that range in pf ('<>' is the "except range" operator),
# which would pass almost all TCP ports to these hosts.
pass in on $ext_if proto tcp from any to { $ghost, $veda } port 8879:9001 keep state

#################################
# Pass everything out by default #
#################################
pass out on $ext_if all
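Two mistakes that are easy to make in a pf ruleset like the one above and hard to spot by eye: referencing a macro without its `$` (pf then looks the bare name up as a service) and writing `port A <> B`, which in pf means every port except A..B. As an added example, not from this thread, the following Python checker implements pf's port operators and scans a one-rule-per-line ruleset for both; the sample ruleset it runs on is constructed.

```python
import re
# pf.conf(5) port operators. Binary forms: a:b inclusive, a >< b strictly between,
# a <> b everything OUTSIDE a..b ("except range").
_BINARY = re.compile(r"(\d+)\s*(:|><|<>)\s*(\d+)")
_UNARY = re.compile(r"(=|!=|<=|>=|<|>)?\s*(\d+)")
_MACRO = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')

def port_matches(spec, port):
    """True if numeric `port` matches the pf port expression `spec`."""
    m = _BINARY.fullmatch(spec.strip())
    if m:
        a, op, b = int(m[1]), m[2], int(m[3])
        if op == ":":
            return a <= port <= b
        if op == "><":
            return a < port < b
        return port < a or port > b  # '<>' is "except range"
    m = _UNARY.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"unsupported port expression: {spec!r}")
    op, n = m[1] or "=", int(m[2])
    return {"=": port == n, "!=": port != n, "<": port < n,
            "<=": port <= n, ">": port > n, ">=": port >= n}[op]

def lint(conf):
    """Assuming one rule per line, flag a defined macro used without '$' and a
    pass rule using 'port X <> Y' (which passes every port outside X..Y)."""
    macros, findings = [], []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _MACRO.match(line)
        if m:
            macros.append(m[1])
            continue
        for name in macros:
            if re.search(rf"(?<![$\w]){name}(?!\w)", line):
                findings.append((lineno, f"macro '{name}' used without '$'"))
        m = re.search(r"\bport\s+(\d+)\s*<>\s*(\d+)", line)
        if m and line.startswith("pass"):
            findings.append((lineno, f"'port {m[1]} <> {m[2]}' passes every port "
                                     f"outside {m[1]}-{m[2]}; inclusive range is '{m[1]}:{m[2]}'"))
    return findings

# Constructed sample (TEST-NET addresses) reproducing the two mistakes.
SAMPLE = """\
webudpport = "{ ntp domain }"
webservers = "203.0.113.64/26"
pass in on xl0 proto tcp from any to $webservers port webudpport keep state
pass in on xl0 proto tcp from any to $webservers port 8879 <> 9001 keep state
"""
```

Running `lint(SAMPLE)` reports line 3 for the bare `webudpport` and line 4 for the `<>` range; `port_matches("8879 <> 9001", 22)` returns True, which is the whole problem with that operator.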