Here is what I have: I have an OpenBSD mail gateway on my DMZ. I want to only allow SMTP connections coming from my firewall, but allow SSH connections coming from my intranet.
My subnets:
DMZ = 10.0.1.1/24
Private = 192.168.1.0/24
RULES:
# Define useful variables
ext_if = "fxp0"        # External interface
int_if = "fxp1"        # Internal interface
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"
# Note: 10.0.0.0/8 also contains the DMZ (10.0.1.0/24). If $ext_if sits on
# the DMZ, this table drops the firewall's own traffic; exclude the DMZ from
# the table (e.g. add "!10.0.1.0/24" after the /8 entry) or leave the /8 out.
table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }

# Clean up fragmented and abnormal packets
scrub in all

# Default deny all (this blocks outbound as well as inbound)
block log all

# Loopback rules: "block log all" above also covers outbound, so pass both ways
pass in quick on lo0 all
pass out quick on lo0 all

# Don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

# Block NMAP stuff (Xmas, SYN+FIN, null, FIN-only and URG-only scans)
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all

# Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

# Passing in SSH from intranet
# A "port" given right after "from" restricts the *source* port, so the
# original form ("from $int_if:network port 22") never matched a client,
# whose source port is ephemeral. The destination and its port belong after "to".
# $int_if:network is the subnet directly attached to $int_if; if the intranet
# (192.168.1.0/24) is reached through a router instead, name it explicitly.
pass in on $int_if inet proto tcp from $int_if:network to ($int_if) port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state

# And let outgoing traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

I'm reading over the PF FAQ right now, trying to see where I've gone wrong.
I'm wondering if I need to add something like this:
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
Like I said, I want to be able to SSH to the box on the DMZ.
Any recommendations?
Thanks.
jason
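The following is an added example, not code from the post above, that checks the posted policy against a few constructed connections using a toy model of how pf(4) evaluates a rule list: the last matching rule wins, except that a matching "quick" rule ends evaluation at once. It models only pass/block, direction, interface, protocol, source and destination networks, ports and "quick"; there is no state, scrub or TCP-flag handling and it does not parse pf.conf syntax. The host addresses are assumptions: the firewall's DMZ address is taken as 10.0.1.1, the mail gateway as 10.0.1.25 on fxp0 and 192.168.1.25 on fxp1, and the stranger's address 198.51.100.7 is made up. Two things it makes visible: a "port" placed after "from" binds to the source port, so the posted SSH rule never matches a client's SYN; and the posted <NoRouteIPs> table contains 10.0.0.0/8, which covers the DMZ subnet given in the post, so SMTP from a 10.0.1.x firewall arriving on $ext_if is dropped by the quick anti-spoof rule before the SMTP pass rule is reached.

```python
# Added example (not from the original post): toy model of PF rule evaluation
# (last match wins unless a matching rule is "quick") applied to the posted
# ruleset. Addresses marked "assumed" are not in the post.
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXT_IF, INT_IF = "fxp0", "fxp1"
FIREWALL = "10.0.1.1"            # assumed: firewall's DMZ address
MAILGW_EXT = "10.0.1.25"         # assumed: gateway address on fxp0
MAILGW_INT = "192.168.1.25"      # assumed: gateway address on fxp1
INT_NET = "192.168.1.0/24"       # "Private" subnet from the post
NO_ROUTE = ["127.0.0.0/8", "172.16.0.0/12", "10.0.0.0/8"]   # <NoRouteIPs> as posted


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in" or "out"
    iface: Optional[str] = None     # None: any interface
    proto: Optional[str] = None     # None: any protocol
    src: str = "any"                # CIDR, host, or "any"
    dst: str = "any"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    quick: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    src_port: int
    dst_port: int


def _in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and _in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst)
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_port in (None, pkt.dst_port))


def evaluate(rules, pkt):
    """Walk the list like pf(4): the last matching rule decides, except that a
    matching "quick" rule stops evaluation immediately. With no match at all PF
    passes the packet, which is why the posted set starts with "block all"."""
    decision = "pass"
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


def posted_rules():
    """Inbound part of the posted ruleset, transcribed as written."""
    rules = [Rule("block", "in"), Rule("block", "out")]
    rules += [Rule("block", "in", iface=EXT_IF, src=n, quick=True) for n in NO_ROUTE]
    rules += [
        # "from any ... port 25": SMTP accepted from every source, not only the firewall
        Rule("pass", "in", iface=EXT_IF, proto="tcp", dst=MAILGW_EXT, dst_port=25),
        # "from $int_if:network port 22": the port binds to the *source* address
        Rule("pass", "in", iface=INT_IF, proto="tcp", src=INT_NET, src_port=22),
    ]
    return rules


def corrected_rules():
    """Same policy, with the two rules saying what the post says it wants."""
    no_route = ["127.0.0.0/8", "172.16.0.0/12"]   # 10.0.0.0/8 dropped: it covers the DMZ
    rules = [Rule("block", "in"), Rule("block", "out")]
    rules += [Rule("block", "in", iface=EXT_IF, src=n, quick=True) for n in no_route]
    rules += [
        Rule("pass", "in", iface=EXT_IF, proto="tcp", src=FIREWALL, dst=MAILGW_EXT, dst_port=25),
        Rule("pass", "in", iface=INT_IF, proto="tcp", src=INT_NET, dst=MAILGW_INT, dst_port=22),
    ]
    return rules


# Constructed connections: a client SYN always carries an ephemeral source port.
SSH_FROM_INTRANET = Packet("in", INT_IF, "tcp", "192.168.1.10", MAILGW_INT, 51234, 22)
SMTP_FROM_FIREWALL = Packet("in", EXT_IF, "tcp", FIREWALL, MAILGW_EXT, 40001, 25)
SMTP_FROM_STRANGER = Packet("in", EXT_IF, "tcp", "198.51.100.7", MAILGW_EXT, 40002, 25)


def report(rules):
    cases = [("ssh_intranet", SSH_FROM_INTRANET),
             ("smtp_firewall", SMTP_FROM_FIREWALL),
             ("smtp_stranger", SMTP_FROM_STRANGER)]
    return {name: evaluate(rules, pkt) for name, pkt in cases}


if __name__ == "__main__":
    print("posted:   ", report(posted_rules()))
    print("corrected:", report(corrected_rules()))
```

Under the posted rules the model reports the intranet SSH connection and the firewall's SMTP as blocked and the stranger's SMTP as passed; under the corrected rules the outcomes invert. On a real box the equivalent check is `pfctl -nf /etc/pf.conf` for syntax and then watching `tcpdump -n -e -ttt -i pflog0` while making the connection, since the posted block rules all carry "log".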
