Hi everybody,
I hope my problem/question isn't too stupid as this is my first rather
complicated ruleset compared to the trivial setups I have tried before.
The scenario:
a firewall machine with three network interfaces, one facing the Internet with
a public IP (RED interface, in this example 123.245.123.245 for the sake of
anonymity), the second (ORANGE interface, 192.168.0.1) pointing towards a DMZ
and the third (GREEN, 192.168.1.1) pointing to an internal network.
The RED interface is also addressed by two alias IP addresses:
123.245.123.246, 123.245.123.247.
In the DMZ there are two machines, ALPHA (192.168.0.10) and BETA
(192.168.0.11).
I want to do bidirectional NAT for the two alias IP addresses.
I wrote a ruleset like this (not doing anything with the GREEN network at this
point):
##############################################
#/etc/pf.conf
## Macros
SYN_ONLY="S/FSRA"
RED_NIC="xl0"
ORANGE_NIC="xl1"
GREEN_NIC="xl2"
# External IP address
RED_IP="123.245.123.245"
# DMZ network IP
ORANGE_IP="192.168.0.1"
# Internal network IP
GREEN_IP="192.168.1.1"
# Define which machines live behind the firewall and get their own outside
alias
# webserver
ALPHA_EXT_IP="123.245.123.246"
ALPHA_IP="192.168.0.10"
# mailserver
BETA_EXT_IP="123.245.123.247"
BETA_IP="192.168.0.11"
# Define some common ports for later use
emailports = "{ smtp, pop3, imap, imap3, imaps, pop3s }"
webports = "{ http, https }"
# Define which ports are allowed by each of the inside clients
alpha_out = "{ ftp-data, ftp, ssh, domain, nntp, http, https, cvspserver,
smtp }"
alpha_in = "{ http, https, ssh }"
beta_out = "{ ftp-data, ftp, ssh, domain, nntp, http, https, cvspserver, smtp,
pop3, imap, imap3, imaps, pop3s }"
beta_in = "{ smtp, pop3, imap, imap3, imaps, pop3s, ssh }"
## TABLES
table <block_hosts> persist
table <private> const { 10/8, 172.16/12, 192.168/16, 224/8 }
table <clients> persist { ALPHA_IP, BETA_IP }
## GLOBAL OPTIONS
set loginterface $RED_NIC
set block-policy return
antispoof for $RED_NIC
antispoof for $ORANGE_NIC
antispoof for $GREEN_NIC
## TRAFFIC NORMALIZATION
scrub in on $RED_NIC all fragment reassemble
scrub out on $RED_NIC all fragment reassemble random-id no-df
## TRANSLATION RULES (NAT)
# exclude from NAT what's not explicitly defined later
no nat on $RED_NIC from !<clients> to any
binat on $RED_NIC from $ALPHA_IP to any -> $ALPHA_EXT_IP
binat on $RED_NIC from $BETA_IP to any -> $BETA_EXT_IP
rdr on $RED_NIC proto TCP from any to $ALPHA_EXT_IP port $alpha_in ->
$ALPHA_IP
rdr on $RED_NIC proto TCP from any to $BETA_EXT_IP port $beta_in -> $BETA_IP
# Redirect all FTP traffic to local ftp-proxy
rdr on $ORANGE_NIC proto tcp from any to any port ftp -> 127.0.0.1 port 8021
## FILTER RULES
# Block everything (inbound AND outbound on ALL interfaces) by default
(catch-all)
block all
# Simply drop what's coming from MS Windows machines on the inside, after all
we're the UnixAG...
# block drop in log quick on $ORANGE_NIC from any os "Windows" to any
# Global filter stuff
block drop in log quick on $RED_NIC from <block_hosts> to any
block drop in log quick on $RED_NIC from <private> to any
block drop out log quick on $RED_NIC from any to <private>
# Default TCP policy
block return-rst in log on $RED_NIC proto TCP all
pass in log quick on $RED_NIC proto TCP from any to $RED_IP port 22 flags
$SYN_ONLY keep state
pass in log quick on $RED_NIC proto TCP from any to $RED_IP port 113 flags
$SYN_ONLY keep state
# Default UDP policy
block in log on $RED_NIC proto udp all
# Default ICMP policy
block in log on $RED_NIC proto icmp all
pass in log quick on $RED_NIC proto icmp from any to $RED_IP echoreq keep
state
block out log on $RED_NIC all
# firewall is allowed to make connections to the outside at will
pass out log quick on $RED_NIC from $RED_IP to any keep state
# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
# Allow connections from the firewall into the internal network
pass out log on $ORANGE_NIC from any to $ORANGE_NIC:network keep state
# Allow FTP traffic to pass local ftp-proxy
pass in log on $RED_NIC inet proto tcp from port ftp-data to $RED_NIC user
proxy flags S/SA keep state
# client filter rules inbound
pass in log on $RED_NIC proto tcp from any to $ALPHA_IP port $alpha_in flags
S/SA synproxy state
pass in log on $RED_NIC proto tcp from any to $BETA_IP port $beta_in flags
S/SA synproxy state
# client filter rules outbound
pass in log on $ORANGE_NIC proto tcp from $ALPHA_IP to any port $alpha_out
keep state
pass in log on $ORANGE_NIC proto tcp from $BETA_IP to any port $beta_out keep
state
##############################################
It doesn't load however as there seems to be a problem with the order of the
rules. pfctl complains that the order has to be like this: "options,
normalisation, queueing, translation, filtering" and points to the lines
starting where I defined the tables.
I'm not that good at these things, I can't see where I made the mistake as the
rules seem to be in that order.
Any hints, suggestions? If this ruleset is stupid anyway I'd be thankful for
working examples.
thanks in advance,
Tobias
