Hi,
I have some suggestions below.
--- Chris Willis <[EMAIL PROTECTED]> wrote:
>
>
> -----Original Message-----
> From: Chris Willis
> Sent: Sunday, March 12, 2006 10:23 AM
> To: 'Melameth, Daniel D.'
> Subject: RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall
>
> This is what fwbuilder is creating.
>
>
> set limit { frags 5000, states 10000 }
> set timeout adaptive.start 8000
> set timeout adaptive.end 10000
> set optimization Normal
>
> #
> # Scrub rules
> #
> scrub in all fragment reassemble
> scrub out all random-id
>
> #
> # Rule 0 (NAT)
> # force mail server to NAT using same IP as incoming mail
> #
> nat on fxp0 proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227
Rule 0:
nat on fxp0 from 192.168.254.253 to any -> 64.62.37.22
> #
> # Rule 1 (NAT)
> # force outbound vpn traffic to source port 500
> #
> nat on fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226 port 500
> #
> # Rule 2 (NAT)
> # NAT all 1928 LAN clients to an IP address on the external NIC
> #
> nat on fxp0 proto {tcp udp icmp} from 192.168.0.0/16 to any -> 64.62.37.226
> #
Rule 2:
nat on fxp0 from 192.168.0.0/16 to any -> 64.62.37.22
That's enough for PPTP & NAT.
pass in quick on $int_if proto gre from any to any keep state
pass in quick on $int_if inet proto tcp from any to any port = 1723 flags S/SA keep state
pass out quick on $ext_if proto gre from any to any keep state
I'm using OpenBSD 3.8 and the above 3 rules are enough. By the way, 3.8 does not need to pass in/out the gre proto.
Also check: sysctl net.inet.gre.allow
The rules are very hard to read. Try pf.conf with a minimal ruleset. FWbuilder seems to me to have a bug.
Best regards,
Tihomir
> #
> # Rule 3 (NAT)
> # Port Forward services to DC1
> #
> rdr on fxp0 proto tcp from any to 64.62.37.226 port 3389 -> 192.168.254.254 port 3389
> rdr on fxp0 proto tcp from any to 64.62.37.226 port 1723 -> 192.168.254.254 port 1723
> rdr on fxp0 proto udp from any to 64.62.37.226 port 500 -> 192.168.254.254 port 500
> rdr on fxp0 proto 47 from any to 64.62.37.226 -> 192.168.254.254
> rdr on fxp0 proto 51 from any to 64.62.37.226 -> 192.168.254.254
> rdr on fxp0 proto 50 from any to 64.62.37.226 -> 192.168.254.254
> rdr on fxp0 proto tcp from any to 64.62.37.226 port 22 -> 192.168.254.254 port 22
> #
> # Rule 4 (NAT)
> # Port Forward Services to MAIL1
> #
> rdr on fxp0 proto tcp from any to 64.62.37.227 port 110 -> 192.168.254.253 port 110
> rdr on fxp0 proto tcp from any to 64.62.37.227 port 443 -> 192.168.254.253 port 443
> rdr on fxp0 proto tcp from any to 64.62.37.227 port 3389 -> 192.168.254.253 port 3389
> rdr on fxp0 proto tcp from any to 64.62.37.227 port 80 -> 192.168.254.253 port 80
> #
> # Rule 5 (NAT)
> # port forward to the store camera
> #
> rdr on fxp0 proto tcp from any to 64.62.37.228 port 80 -> 192.168.202.96 port 80
> #
> # Rule 6 (NAT)
> #
> rdr on fxp0 proto tcp from any to 64.62.37.226 port 23 -> 192.168.200.11 port 23
> #
> # Rule 7 (NAT)
> #
> rdr on fxp0 proto tcp from any to 64.62.37.229 port 11001 -> 192.168.200.38 port 11001
> rdr on fxp0 proto udp from any to 64.62.37.229 port 11001 -> 192.168.200.38 port 11001
> #
> # Rule 8 (NAT)
> #
> rdr on fxp0 proto tcp from any to 64.62.37.229 port 11002 -> 192.168.202.19 port 21
> #
> # Rule 9 (NAT)
> #
> rdr on fxp0 proto tcp from any to 64.62.37.230 port 3389 -> 192.168.254.255 port 3389
>
>
> # Tables: (3)
> table <id4411F6F4.1> { 224.0.0.0/4 , 169.254.0.0/16 , 127.0.0.0/8 , 10.0.0.0/8 , 192.168.0.0/12 , 192.0.2.0/24 , 0.0.0.0/8 }
> table <id4411F73B.2> { 64.62.37.226 , 64.62.37.227 , 64.62.37.228 , 64.62.37.229 , 64.62.37.230 , 192.168.200.89 , 192.168.200.40 }
> table <id4411FCBC.1> { 192.168.0.0/16 , 66.134.48.170 }
>
> #
> # Rule 0 (fxp0)
> # anti-spoof rule for external interfaces
> #
> block in log quick on fxp0 inet from <id4411F6F4.1> to any label "RULE 0 -- DROP "
> #
> # Rule 0 (lo0)
> # allow loopback to all - required to log onto box
> #
> pass in log quick on lo0 inet from any to any keep state label "RULE 0 -- ACCEPT "
> pass out log quick on lo0 inet from any to any keep state label "RULE 0 -- ACCEPT "
> #
> # Rule 0 (global)
> # deny bad combinations of TCP flags
> #
> block in log quick inet proto tcp from any to any flags U/UA label "RULE 0 -- DROP "
> block in log quick inet proto tcp from any to any flags RF/RF label "RULE 0 -- DROP "
> block in log quick inet proto tcp from any to any flags RS/RS label "RULE 0 -- DROP "
> block in log quick inet proto tcp from any to any flags SF/SF label "RULE 0 -- DROP "
> block in log quick inet proto tcp from any to any flags UAPRSF/UAPRSF label "RULE 0 -- DROP "
> block in log quick inet proto tcp from any to any flags /UAPRSF label "RULE 0 -- DROP "
> block in log quick inet proto tcp from any to any flags UPF/UAPRSF label "RULE 0 -- DROP "
> block in log quick inet proto tcp from any to any flags UPSF/UAPRSF label "RULE 0 -- DROP "
> block in log quick inet proto tcp from any to any flags UARSF/UAPRSF label "RULE 0 -- DROP "
> block out log quick inet proto tcp from any to any flags U/UA label "RULE 0 -- DROP "
> block out log quick inet proto tcp from any to any flags RF/RF label "RULE 0 -- DROP "
> block out log quick inet proto tcp from any to any flags RS/RS label "RULE 0 -- DROP "
> block out log quick inet proto tcp from any to any flags SF/SF label "RULE 0 -- DROP "
> block out log quick inet proto tcp from any to any flags UAPRSF/UAPRSF label "RULE 0 -- DROP "
> block out log quick inet proto tcp from any to any flags /UAPRSF label "RULE 0 -- DROP "
> block out log quick inet proto tcp from any to any flags UPF/UAPRSF label "RULE 0 -- DROP "
> block out log quick inet proto tcp from any to any flags UPSF/UAPRSF label "RULE 0 -- DROP "
> block out log quick inet proto tcp from any to any flags UARSF/UAPRSF label "RULE 0 -- DROP "
> #
> # Rule 1 (global)
> # email goes to postfix on firewall first
> #
> pass in quick inet proto tcp from any port >= 1024 to <id4411F73B.2> port 25 flags S/S modulate state label "RULE 1 -- ACCEPT "
> #
> # Rule 2 (global)
> # doug added ssh to dc1
> #
> pass in quick inet proto tcp from 64.241.74.206 to 192.168.254.254 port 22 modulate state label "RULE 2 -- ACCEPT "
> pass out quick inet proto tcp from 64.241.74.206 to 192.168.254.254 port 22 modulate state label "RULE 2 -- ACCEPT "
> #
> # Rule 3 (global)
> # allow remote admin & VPN traffic to DC1
> #
> pass in quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 3389 flags S/S modulate state label "RULE 3 -- ACCEPT "
> pass in quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 1723 modulate state label "RULE 3 -- ACCEPT "
> pass in quick inet proto udp from any to 192.168.254.254 port 500 keep state label "RULE 3 -- ACCEPT "
> pass in quick inet proto 47 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
> pass in quick inet proto 50 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
> pass in quick inet proto 51 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
> pass out quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 3389 flags S/S modulate state label "RULE 3 -- ACCEPT "
> pass out quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 1723 modulate state label "RULE 3 -- ACCEPT "
> pass out quick inet proto udp from any to 192.168.254.254 port 500 keep state label "RULE 3 -- ACCEPT "
> pass out quick inet proto 47 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
> pass out quick inet proto 50 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
> pass out quick inet proto 51 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
> #
> # Rule 4 (global)
> # allow mail, OWA and POP3 to MAIL1
> #
> pass in quick inet proto tcp from any port >= 1024 to 192.168.254.253 port 3389 flags S/S modulate state label "RULE 4 -- ACCEPT "
> pass in quick inet proto tcp from any to 192.168.254.253 port { 443, 110, 80, 25 } modulate state label "RULE 4 -- ACCEPT "
> pass out quick inet proto tcp from any port >= 1024 to 192.168.254.253 port 3389 flags S/S modulate state label "RULE 4 --
>
=== message truncated ===
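An added example, not part of the thread and not fwbuilder's or pf's own code: a small Python model of pf nat-rule matching that checks what the quoted fwbuilder NAT rules do to each leg of an outbound PPTP connection. The "proto {tcp udp icmp}" list on those rules is a whitelist, so the GRE leg (IP protocol 47) matches no nat rule and leaves fxp0 with its private source address, while the unrestricted rules from the reply translate it. The rule text is copied from the quoted fwbuilder output; the client and server addresses are constructed; and the check also covers the IPsec legs (udp/500 plus ESP), which the thread does not discuss but which fail in exactly the same way.

```python
"""Tiny model of pf 'nat' rule matching, enough to show why a NAT rule with
'proto {tcp udp icmp}' never translates the GRE leg of PPTP.  Not pf itself:
it models first-matching-rule-wins, the 'proto' whitelist, 'any'/CIDR
addresses and 'port' on the TCP/UDP leg, and nothing else."""
import ipaddress

# Protocol numbers pf accepts in place of names (GRE is IP protocol 47).
PROTO_BY_NUMBER = {"1": "icmp", "6": "tcp", "17": "udp", "47": "gre", "50": "esp", "51": "ah"}

# Sample input: the outbound NAT rules fwbuilder emitted in the thread.
FWBUILDER_NAT = """
nat on fxp0 proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227
nat on fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226 port 500
nat on fxp0 proto {tcp udp icmp} from 192.168.0.0/16 to any -> 64.62.37.226
"""

# The same two mappings without a 'proto' list, as the reply suggests
# (external addresses taken from the fwbuilder output, not from the reply).
SUGGESTED_NAT = """
nat on fxp0 from 192.168.254.253 to any -> 64.62.37.227
nat on fxp0 from 192.168.0.0/16 to any -> 64.62.37.226
"""


def _proto_name(p):
    return PROTO_BY_NUMBER.get(p, p)


def parse_nat_rule(line):
    """Parse 'nat on IF [inet] [proto P|{P ...}] from A [port N] to B [port N] -> C [port N]'."""
    toks = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    if not toks or toks[0] != "nat":
        raise ValueError("not a nat rule: %r" % line)
    rule = {"iface": None, "protos": None, "src": "any", "sport": None,
            "dst": "any", "dport": None, "target": None}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t == "on":
            rule["iface"], i = toks[i + 1], i + 2
        elif t in ("inet", "inet6"):
            i += 1
        elif t == "proto":  # whitelist: a rule with no 'proto' matches every protocol
            if toks[i + 1] == "{":
                j = toks.index("}", i + 2)
                rule["protos"], i = {_proto_name(p) for p in toks[i + 2:j]}, j + 1
            else:
                rule["protos"], i = {_proto_name(toks[i + 1])}, i + 2
        elif t in ("from", "to"):
            side, port_key = ("src", "sport") if t == "from" else ("dst", "dport")
            rule[side], i = toks[i + 1], i + 2
            if i < len(toks) and toks[i] == "port":
                rule[port_key], i = int(toks[i + 1]), i + 2
        elif t == "->":
            rule["target"], i = toks[i + 1], i + 2
            if i < len(toks) and toks[i] == "port":
                i += 2  # static translated port; does not affect matching
        else:
            raise ValueError("unsupported token %r in %r" % (t, line))
    if rule["target"] is None:
        raise ValueError("nat rule without '->' target: %r" % line)
    return rule


def parse_ruleset(text):
    return [parse_nat_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def nat_rule_matches(rule, pkt):
    """pkt: dict with proto, src, dst and, for TCP/UDP, sport/dport."""
    if rule["protos"] is not None and _proto_name(pkt["proto"]) not in rule["protos"]:
        return False
    if not (_addr_matches(rule["src"], pkt["src"]) and _addr_matches(rule["dst"], pkt["dst"])):
        return False
    return all(rule[k] is None or pkt.get(k) == rule[k] for k in ("sport", "dport"))


def translate(rules, pkt):
    """Source address the packet leaves with, or None if it goes out untranslated.
    pf applies the first matching translation rule, so rule order matters."""
    for rule in rules:
        if nat_rule_matches(rule, pkt):
            return rule["target"]
    return None


def vpn_nat_check(ruleset_text, client, server):
    """Both legs of PPTP (tcp/1723 + GRE) and of IPsec (udp/500 + ESP) from an
    internal client to an external VPN server.  A leg reported as None leaves
    with its private source address, so the remote end never answers it."""
    rules = parse_ruleset(ruleset_text)
    legs = {
        "pptp tcp/1723": {"proto": "tcp", "src": client, "dst": server, "dport": 1723},
        "pptp gre": {"proto": "gre", "src": client, "dst": server},
        "ipsec udp/500": {"proto": "udp", "src": client, "dst": server, "dport": 500},
        "ipsec esp": {"proto": "esp", "src": client, "dst": server},
    }
    return {name: translate(rules, pkt) for name, pkt in legs.items()}


if __name__ == "__main__":
    # Constructed packets: a LAN client to a VPN server at a documentation address.
    for name, text in (("fwbuilder", FWBUILDER_NAT), ("suggested", SUGGESTED_NAT)):
        print(name, vpn_nat_check(text, "192.168.1.50", "203.0.113.10"))
```

Only translation is modelled here; the filter side (the pass rules for tcp/1723 and proto gre on $int_if and $ext_if given in the reply) still has to admit the packets. One limit that no ruleset removes: GRE carries no port numbers and pf has no PPTP helper, so a PPTP state is keyed on source and destination address only, and two LAN clients behind the same external address cannot hold tunnels to the same PPTP server at the same time.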