Figured it out! Woot! Feels good when you put your nose to the grind and hammer it out.
Did some mixing around, but this is the end result:
# Define useful variables
ext_if="fxp0" # External Interface
int_if="fxp1"
int_net="192.168.1.0/24"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"

# Tables
table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, !192.168.0.0/24 }
table <trusted> persist file "/etc/tables/trusted"

# Clean up fragmented and abnormal packets
scrub in all

# default Deny all
block in log on $ext_if all

# loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

# Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from <trusted> to $int_if port 22 keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

pfctl -s rules output:
scrub in all fragment reassemble
block drop in log on fxp0 all
pass in quick on lo0 all
block drop in log quick on fxp0 from <NoRouteIPs> to any
block drop out log quick on fxp0 from any to <NoRouteIPs>
pass in on fxp0 inet proto tcp from any to (fxp0) port = smtp flags S/FSRA keep state
pass in log quick on fxp1 inet proto tcp from <trusted> to 10.0.1.100 port = ssh keep state
pass out on fxp1 inet from any to 10.0.1.0/24 keep state
pass out on fxp0 proto tcp all flags S/FSRA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state
I can telnet to port 25 on it and it works. Denied on all other ports so far. I can SSH from my intranet...
I'm happy. :)
Anyone care to make any comments or suggestions?
Thanks.
Jason
At 03:22 PM 9/30/2003 -0700, you wrote:
I keep locking myself out the box. heheheh
Here is what I have: I have an OpenBSD mail gateway on my DMZ. I want to only allow SMTP connections coming from my firewall, but allow SSH connections coming from my intranet.
My subnets:
DMZ = 10.0.1.1/24
Private = 192.168.1.0/24
RULES:
# Define useful variables
ext_if="fxp0" # External Interface
int_if="fxp1"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"

table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }

# Clean up fragmented and abnormal packets
scrub in all

# default Deny all
block log all

# loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state
#Passing in SSH from intranet
pass in on $int_if inet proto tcp from $int_if:network port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state
# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
I'm reading over the PF FAQ right now, trying to see where I've gone wrong.
I'm wondering if I need to add something like this:
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
Like I said, I want to be able to SSH to the box on the DMZ.
Any recommendations?
Thanks.
jason
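The rule set above is easiest to reason about once you remember two pf evaluation rules: rules are read top to bottom, the last matching rule wins, and a matching rule marked "quick" stops evaluation; when nothing matches at all, pf's default is to pass. Table entries work by longest prefix, so the "!192.168.0.0/24" entry carves a hole out of "192.168.0.0/16". The following Python model is an added example written for this thread, not code from the original mail or from the OpenBSD project: it encodes Jason's final rule set as pfctl printed it and runs a few packets through that logic. It ignores scrub, state tracking, flag matching, logging and modulate state. The fxp0 address (203.0.113.10), the sample source addresses and the contents of the <trusted> table (loaded from a file in the original) are constructed placeholders; the fxp1 address 10.0.1.100 and the 10.0.1.0/24 network come from the pfctl -s rules output.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed for the illustration: the thread never gives fxp0's address,
# so 203.0.113.10 is a placeholder; fxp1 is 10.0.1.100 per pfctl -s rules.
EXT_IF, INT_IF = "fxp0", "fxp1"
EXT_ADDR, INT_ADDR, INT_NET = "203.0.113.10", "10.0.1.100", "10.0.1.0/24"

# <NoRouteIPs> is taken from the posted rule set (127.0.0.1/8 is normalized
# to 127.0.0.0/8 the way pfctl does); <trusted> is loaded from a file in the
# original, so its contents here are constructed.
TABLES = {
    "NoRouteIPs": ["127.0.0.1/8", "172.16.0.0/12", "10.0.0.0/8",
                   "192.168.0.0/16", "!192.168.0.0/24"],
    "trusted": ["192.168.1.0/24"],
}


def in_table(addr: str, entries) -> bool:
    """pf table membership: the longest-prefix entry decides, and a
    negated ('!') entry excludes its prefix from a broader entry."""
    a = ip_address(addr)
    best = None  # (prefixlen, negated) of the longest matching entry
    for e in entries:
        negated = e.startswith("!")
        net = ip_network(e.lstrip("!"), strict=False)
        if a in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, negated)
    return best is not None and not best[1]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: str
    quick: bool = False
    proto: Optional[set] = None  # None = any protocol
    src: Optional[str] = None    # "<table>", a CIDR/address, or None for any
    dst: Optional[str] = None
    dport: Optional[set] = None  # None = any destination port


@dataclass
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def addr_match(spec: Optional[str], addr: str) -> bool:
    if spec is None:
        return True
    if spec.startswith("<"):
        return in_table(addr, TABLES[spec.strip("<>")])
    return ip_address(addr) in ip_network(spec, strict=False)


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction and r.iface == p.iface
            and (r.proto is None or p.proto in r.proto)
            and addr_match(r.src, p.src) and addr_match(r.dst, p.dst)
            and (r.dport is None or p.dport in r.dport))


def evaluate(rules, p: Packet) -> str:
    """Top to bottom; the LAST matching rule wins unless a matching rule is
    'quick', which ends evaluation. No match at all means pf's default: pass."""
    verdict = "pass"
    for r in rules:
        if matches(r, p):
            verdict = r.action
            if r.quick:
                break
    return verdict


# The final rule set as printed by pfctl -s rules, minus scrub/state/flags/log.
RULES = [
    Rule("block", "in", EXT_IF),
    Rule("pass", "in", "lo0", quick=True),
    Rule("block", "in", EXT_IF, quick=True, src="<NoRouteIPs>"),
    Rule("block", "out", EXT_IF, quick=True, dst="<NoRouteIPs>"),
    Rule("pass", "in", EXT_IF, proto={"tcp"}, dst=EXT_ADDR, dport={25}),
    Rule("pass", "in", INT_IF, quick=True, proto={"tcp"}, src="<trusted>",
         dst=INT_ADDR, dport={22}),
    Rule("pass", "out", INT_IF, dst=INT_NET),
    Rule("pass", "out", EXT_IF, proto={"tcp"}),
    Rule("pass", "out", EXT_IF, proto={"udp", "icmp"}),
]


def check(iface, direction, proto, src, dst, dport=None) -> str:
    return evaluate(RULES, Packet(iface, direction, proto, src, dst, dport))


if __name__ == "__main__":
    # Constructed sample packets; 198.51.100.7 stands in for an Internet host.
    for args in [("fxp0", "in", "tcp", "198.51.100.7", EXT_ADDR, 25),
                 ("fxp0", "in", "tcp", "198.51.100.7", EXT_ADDR, 22),
                 ("fxp0", "in", "tcp", "10.9.8.7", EXT_ADDR, 25),
                 ("fxp1", "in", "tcp", "192.168.1.5", INT_ADDR, 22),
                 ("fxp1", "in", "tcp", "192.168.1.5", INT_ADDR, 23)]:
        print(args, "->", check(*args))
```

Two things the model surfaces that are worth checking on the real box: the only catch-all block rule is "block in log on $ext_if all", so an inbound packet on fxp1 that the <trusted> SSH rule does not match (another port, or a source outside the table) falls through to pf's default pass; and the "!192.168.0.0/24" entry excludes exactly that /24 from <NoRouteIPs>, while 192.168.1.0/24 stays in the table. "pfctl -nf /etc/pf.conf" parses a rule set without loading it, and "pfctl -t trusted -T show" prints what the table actually holds.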
