Re: RES: Migration from IPTABLES to PF

2009-05-06 Thread William Chivers
Tomáš,

thanks for the tip
Bill

-
William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259
Australia
CRICOS Provider Number: 00109J 

phone:   +61 2 4349 4473
fax: +61 2 4349 4565
email:  william.chiv...@newcastle.edu.au
-
>>> Tomáš Bodžár tomas.bod...@gmail.com 05/06/09 3:41 PM >>>
> I think that in the case of pf a good starting point is this site
> http://home.nuug.no/~peter/pf/ and then the FAQ parts

Re: RES: Migration from IPTABLES to PF

2009-05-06 Thread Nenhum_de_Nos
On Wed, May 6, 2009 02:41, Tomáš Bodžár wrote:
> I think that in the case of pf a good starting point is this site
> http://home.nuug.no/~peter/pf/ and then the FAQ parts

it always helps me to read https://calomel.org/ when in doubt. :)

(the new photo looks cool also =] )

matheus


RES: Migration from IPTABLES to PF

2009-05-05 Thread Ricardo Augusto de Souza
Thanks for this 'polite' reply.
As I said, I spent some years away from the Unix/Linux world;
I worked with business intelligence in those years.
Now I am back to network administration and I got this project to do.
I used OpenBSD before version 3. I do like it.

This is my current scenario.
- 2 firewalls with 2 CARP+pfsync that will handle 2 internet connections, 1
MPLS connection, 1 LAN to handle around 60 bus companies that transport 2
million users per day; each user has his own myfair card. Each bus has a
system that stores this data in a file. These files will be imported to Oracle
later. After this import, there are a lot of specific applications that use
this information.
- behind these 2 firewalls we have around 30 servers (most Windows): IIS,
file transfer servers, WS, and some other servers like some Red Hat Enterprise
running Oracle 10g.
- at the beginning the firewalls will do NAT + filter + gateway + mpd5 + squid
(the fucking operators who need access to the Windows servers were surfing the
web from there.)
- our applications have around 5,000 users per day, but we have a lot of web
services and some ETL processes (I don't have statistics about volume yet).

So that is it.

-Original message-
From: William Chivers [mailto:william.chiv...@newcastle.edu.au]
Sent: Monday, 4 May 2009 22:46
To: Ricardo Augusto de Souza; misc@openbsd.org
Subject: Re: Migration from IPTABLES to PF

This is a great advertisement for OpenBSD, PF, and keeping things simple in
general, mind if I use it Ricardo?

As for your original question, I wouldn't even try to convert your iptables,
especially using some magic tool to do it. Decide what you want your firewall
to do and start from scratch with PF. That way you will know it is working and
you will be able to maintain it reliably.

Cheers, Bill



Re: RES: Migration from IPTABLES to PF

2009-05-05 Thread William Chivers
Hello Ricardo,

This is not a beginners' mailing list; people here expect questions to
1. be very specific, and
2. demonstrate that you have spent a lot of time trying to solve the problem
yourself, reading the documentation etc.

Start with http://www.openbsd.org/faq/pf/index.html
If you still need help, there are several books on pf, for example The Book of 
PF (http://nostarch.com/pf.htm).

Look back through the misc mailing list to see how specific questions about pf 
are. When you have a specific question, the best help available is right here.

Bill


Re: RES: Migration from IPTABLES to PF

2009-05-05 Thread Tomáš Bodžár
I think that in the case of pf a good starting point is this site
http://home.nuug.no/~peter/pf/ and then the FAQ parts

Migration from IPTABLES to PF

2009-05-04 Thread Ricardo Augusto de Souza
Hi,

I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy
who installed it left our company some months ago.
I spent some years far from iptables; now I have to migrate this firewall to
PF.
There are some 'special' features on this firewall; I need some documentation
or help about implementing these features on the new firewall (PF).

This is the iptables script:

#!/bin/bash
FW=/sbin/iptables
LOAD=/sbin/modprobe
#__

# Loading the IPTABLES modules
. /etc/rc.d/init.d/prodata/fw_modulos

# Loading variables: fw_variaveis (not posted) sets KERNEL, LOGS and IPSEC,
# each to "sim" (yes) or not
. /etc/rc.d/init.d/prodata/fw_variaveis

if [ "$KERNEL" = sim ]
   then . /etc/rc.d/init.d/prodata/fw_kernel
fi

#___
# Create the LOG policies
#___

if [ "$LOGS" = sim ]
   then . /etc/rc.d/init.d/prodata/fw_politicas
fi

# Normal rules here
# EOF



/etc/rc.d/init.d/prodata/fw_modulos
# Netfilter modules; the commented-out lines are helpers that are not loaded
#$LOAD nfnetlink

$LOAD ip_conntrack
$LOAD ip_conntrack_ftp
#$LOAD ip_conntrack_pptp ##
#$LOAD ip_conntrack_netlink ##
#$LOAD ip_conntrack_tftp ##

#$LOAD ip_nat
$LOAD ip_nat_ftp
$LOAD ip_gre
#$LOAD ip_nat_pptp ##
#$LOAD ip_nat_tftp ##
$LOAD ip_queue ##
$LOAD ip_tables

$LOAD iptable_filter
$LOAD iptable_nat
$LOAD iptable_mangle

$LOAD ipt_helper
$LOAD ipt_LOG
$LOAD ipt_limit
$LOAD ipt_state
#$LOAD ipt_layer7 ##
$LOAD ipt_MASQUERADE
$LOAD ipt_multiport
#$LOAD ipt_string
$LOAD ipt_tcpmss
$LOAD ipt_TCPMSS
# EOF


/etc/rc.d/init.d/prodata/fw_kernel
#___
# KERNEL protection
#___
# Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Disabling IP spoofing attacks (reverse-path filter; switched off when IPSEC=sim)
if [ "$IPSEC" = sim ]
   then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"
   done
else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > "$f"
   done
fi

# Don't respond to broadcast pings (Smurf amplifier protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Block source routing (0 = do not accept source-routed packets)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# Enable SYN cookies (left disabled in the original)
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Kill redirects (0 = do not accept ICMP redirects)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Set our local port range
echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range

# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
### EOF



/etc/rc.d/init.d/prodata/fw_politicas
#___
# LOG - Frame denial policy
#___

LOGLIMIT=2/s
LOGLIMITBURST=10
# Overall limit for TCP-SYN-flood detection
TCPSYNLIMIT=5/s
# Burst limit for TCP-SYN-flood detection
TCPSYNLIMITBURST=10
# Overall limit for ping-flood detection
PINGLIMIT=5/s
# Burst limit for ping-flood detection
PINGLIMITBURST=1

# LOG_DROP: log (rate-limited, tagged by protocol) and then drop.
# -p 47 is GRE (the PPTP tunnels); -f matches second and later fragments.
$FW -N LOG_DROP
$FW -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-prefix "fp=TCP:1 a=DROP "
$FW -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-prefix "fp=UDP:2 a=DROP "
$FW -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-prefix "fp=ICMP:3 a=DROP "
$FW -A LOG_DROP -p 47 -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-prefix "fp=VPN:4 a=DROP "
$FW -A LOG_DROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-prefix "fp=FRAGMENT:5 a=DROP "
# NEW connections that do not start with a SYN are logged without a limit
$FW -A LOG_DROP -p tcp ! --syn -m state --state NEW \
    -j LOG --log-prefix "fp=NEW nao SYN: "
$FW -A LOG_DROP -j DROP

#___
# LOG - Frame acceptance policy
#___

$FW -N LOG_OK
$FW -A LOG_OK -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-level 3 --log-prefix "fp=LOG_OK:3 a=ACCEPT "
$FW -A LOG_OK -j ACCEPT

#___
# LOG - TCP-SYN-Flood denial policy
#___

$FW -N LSYNFLOOD
$FW -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG
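
As an added illustration (not from the thread, and not anyone's actual configuration), here is how the LOG_DROP, fragment, SYN-flood and ping-flood policies of fw_politicas map onto a pf.conf in the OpenBSD 4.5-era syntax current when this thread was written; em0, em1, 10.1.0.0/16 and the IIS address 10.1.0.10 are assumptions.

```conf
# /etc/pf.conf, OpenBSD 4.5-era syntax (constructed example, not from the thread).
# Interface names, the LAN prefix and the IIS address are assumptions.
ext_if  = "em0"                 # first internet uplink
int_if  = "em1"                 # LAN holding the ~30 servers
lan_net = "10.1.0.0/16"         # assumed LAN prefix
web_srv = "10.1.0.10"           # assumed IIS host published on the uplink

table <flooders> persist        # sources that tripped the SYN-rate limit

set skip on lo
set block-policy drop           # silent drop, the same effect as -j DROP
set loginterface $ext_if        # per-interface counters for pfctl -si
# Linux tcp_fin_timeout=30: pf keeps its own timers for closing states
set timeout { tcp.finwait 30, tcp.closing 30 }

# Fragments (fp=FRAGMENT:5): reassemble instead of log-and-drop, so neither
# a later rule nor a server ever sees a fragment.
scrub in all fragment reassemble

# rp_filter + log_martians: a packet whose source address is not routed back
# through the interface it came in on is logged and dropped.
antispoof log quick for lo0
antispoof log quick for $int_if inet
block in log quick from urpf-failed label "urpf"

# NAT for the LAN (iptables MASQUERADE) and the published IIS host
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_srv

# Default deny, logged (LOG_DROP). pf has no per-rule limit on logging, so
# keep 'log' on the block rules only; pflogd writes them to /var/log/pflog.
# Labels take the place of the --log-prefix tags for reporting.
block log all label "default_drop"
block in quick on $ext_if from <flooders> label "flooders"

# 'fp=NEW nao SYN': with flags S/SA only a clean SYN creates a state, so a
# NEW packet without SYN never matches and falls to the block rule above.
pass out on $ext_if proto tcp flags S/SA keep state
pass out on $ext_if proto { udp, icmp } keep state
pass in on $int_if from $lan_net keep state

# TCP-SYN-flood (TCPSYNLIMIT 5/s): synproxy answers the handshake itself, so
# half-open connections never reach IIS; a source opening more than 50
# connections in 5 s is tabled and its existing states are flushed.
pass in on $ext_if proto tcp to $web_srv port { 80, 443 } \
    flags S/SA synproxy state \
    (max-src-conn-rate 50/5, overload <flooders> flush global)

# Ping-flood (PINGLIMIT 5/s): this pf version cannot rate-limit ICMP per
# second, but it can cap the echo states one source may hold at once.
# ICMP errors are passed only when they belong to an existing state, which
# covers what icmp_ignore_bogus_error_responses did on Linux.
pass in on $ext_if inet proto icmp to ($ext_if) icmp-type echoreq \
    keep state (max-src-states 5)

# GRE (fp=VPN:4) and PPTP control for the mpd tunnels terminated on the firewall
pass in on $ext_if proto gre to ($ext_if) keep state
pass in on $ext_if proto tcp to ($ext_if) port 1723 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `tcpdump -n -e -ttt -i pflog0` shows each logged drop with its rule number, and `pfctl -vsr` prints the per-label counters.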

Re: Migration from IPTABLES to PF

2009-05-04 Thread Jason Dixon
On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
> Hi,
>
> I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy
> who installed it left our company some months ago.
> I spent some years far from iptables; now I have to migrate this firewall to
> PF.
> There are some 'special' features on this firewall; I need some documentation
> or help about implementing these features on the new firewall (PF).

The documentation is available online:

http://www.openbsd.org/faq/pf/index.html
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

I made a quick review of your ruleset.  I gave up after a few PgDn's.  I
believe it's in your best interests to contact someone that provides
commercial support.

http://www.openbsd.org/support.html

On a good day, someone might step up and help you with this.  But I
wouldn't expect it.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Migration from IPTABLES to PF

2009-05-04 Thread John Chronister
Ricardo,

Why don't you try Firewall Builder?

http://www.fwbuilder.org/

It handles iptables, pf, and others.  It should be able to import your
iptables ruleset (created by doing something like
/sbin/iptables-save > turdwall.txt) and then convert it to a
pf.conf.

You will still want to manually parse it to make sure it's good.  This
is a good tool, but I think you will find that pf and iptables
differ, so depending on your special additions, your mileage may vary.

I do not like GUI tools, and personally I would print it out and then
hand write the pf.conf from scratch.

-chron

john chronister   john dot chronister at
gmail dot com
fingerprint:  1F16 9016 945A AFEE 0E33  E475 3BAE E5BE E8DE 8851






ENC: Migration from IPTABLES to PF

2009-05-04 Thread Ricardo Augusto de Souza
Thanks.
I already know that documentation.
I wish I could find documentation about this on PF:


#___
# KERNEL protection
#___
# Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Disabling IP spoofing attacks (reverse-path filter; switched off when IPSEC=sim)
if [ "$IPSEC" = sim ]
   then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"
   done
else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > "$f"
   done
fi

# Don't respond to broadcast pings (Smurf amplifier protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Block source routing (0 = do not accept source-routed packets)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# Enable SYN cookies (left disabled in the original)
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Kill redirects (0 = do not accept ICMP redirects)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Set our local port range
echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range

# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack




I will ask Eduardo Alvarenga.

Thanks anyway.





Re: Migration from IPTABLES to PF

2009-05-04 Thread Marco Peereboom
MY EYES!!! make it stop bleeding!!!

On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
 Hi,
 
 I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy
 who installed it left our company some months ago.
 I spent some years far from iptables, now I have to migrate this firewall to
 PF.
 There are some 'special' features on this firewall, I need some documentation
 or help about implementing these features at the new firewall (PF).
 
 This is the iptables scripts:
 
 #!/bin/bash
 FW=/sbin/iptables
 LOAD=/sbin/modprobe
 #__
 
 # Loading IPTABLES modules
 . /etc/rc.d/init.d/prodata/fw_modulos
 
 # Loading variables
 . /etc/rc.d/init.d/prodata/fw_variaveis
 
 if [ "$KERNEL" = "sim" ]
    then . /etc/rc.d/init.d/prodata/fw_kernel
 fi
 
 #___
 # Create LOG policies
 #___
 
 if [ "$LOGS" = "sim" ]
    then . /etc/rc.d/init.d/prodata/fw_politicas
 fi
 
 Normal rules here
  EOF
 
 
 
 /etc/rc.d/init.d/prodata/fw_modulos
 #$LOAD nfnetlink
 
 $LOAD ip_conntrack
 $LOAD ip_conntrack_ftp
 #$LOAD ip_conntrack_pptp ##
 #$LOAD ip_conntrack_netlink ##
 #$LOAD ip_conntrack_tftp ##
 
 #$LOAD ip_nat
 $LOAD ip_nat_ftp
 $LOAD ip_gre
 #$LOAD ip_nat_pptp ##
 #$LOAD ip_nat_tftp ##
 $LOAD ip_queue ##
 $LOAD ip_tables
 
 $LOAD iptable_filter
 $LOAD iptable_nat
 $LOAD iptable_mangle
 
 $LOAD ipt_helper
 $LOAD ipt_LOG
 $LOAD ipt_limit
 $LOAD ipt_state
 #$LOAD ipt_layer7 ##
 $LOAD ipt_MASQUERADE
 $LOAD ipt_multiport
 #$LOAD ipt_string
 $LOAD ipt_tcpmss
 $LOAD ipt_TCPMSS
 # EOF
 
 
 /etc/rc.d/init.d/prodata/fw_kernel
 #___
 # KERNEL protection
 #___
 #Enable forwarding in kernel
 echo 1 > /proc/sys/net/ipv4/ip_forward
 
 #Disabling IP Spoofing attacks.
 if [ "$IPSEC" = "sim" ]
    then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f
    done
 else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > $f
    done
 fi
 
 #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 
 #Block source routing
 echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
 
 #Kill timestamps
 echo 0 > /proc/sys/net/ipv4/tcp_timestamps
 
 #Enable SYN Cookies
 #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 
 #Kill redirects
 echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
 
 #Enable bad error message protection
 echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 
 #Log martians (packets with impossible addresses)
 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
 
 #Set our local port range
 echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range
 
 #Reduce DoS'ing ability by reducing timeouts
 echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
 echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
 echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
 echo 0 > /proc/sys/net/ipv4/tcp_sack
 ### EOF
 
 
 
 /etc/rc.d/init.d/prodata/fw_politicas
 #___
 # LOG - frame denial policy
 #___
 
 LOGLIMIT=2/s
 LOGLIMITBURST=10
 # Overall Limit for TCP-SYN-Flood detection
 TCPSYNLIMIT=5/s
 # Burst Limit for TCP-SYN-Flood detection
 TCPSYNLIMITBURST=10
 # Overall Limit for Ping-Flood-Detection
 PINGLIMIT=5/s
 # Burst Limit for Ping-Flood-Detection
 PINGLIMITBURST=1
 
 $FW -N LOG_DROP
 $FW -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
 $FW -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
 $FW -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
 $FW -A LOG_DROP -p 47 -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=VPN:4 a=DROP "
 $FW -A LOG_DROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:5 a=DROP "
 $FW -A LOG_DROP -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=NEW nao SYN: "
 $FW -A LOG_DROP -j DROP
 
 #___
 # LOG - frame allow policy
 #___
 
 $FW -N LOG_OK
 $FW -A LOG_OK -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 3 --log-prefix "fp=LOG_OK:3 a=ACCEPT "
 $FW -A LOG_OK -j ACCEPT
 
 

Re: Migration from IPTABLES to PF

2009-05-04 Thread Mark Shroyer
On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
 Hi,
 
 I have a firewall running on a Fedora Core 4 (STentz) with iptables. The Guy
 Who installed it left our company some months ago.
 I spent some years far from iptables, now i have to migrate this firewall to
 PF.
 THere are some 'special' features on this firewall,  i need some documentation
 or help about implementing this features at new firewall ( PF ).
 
 This is the iptables scripts:
 
 [...]

Is that actually all there is to the firewall setup?

This script creates a bunch of chains for performing various actions on
packets, but it doesn't actually add any rules to the filter table's
special INPUT, OUTPUT, or FORWARD chains that would jump processing
logic through these auxiliary chains.  So unless there are some other
iptables commands hidden somewhere else, the logic defined in this
script will never be applied and your firewall will simply let
everything through.

What is the output of `iptables -L -n` on this machine?

-- 
Mark Shroyer
http://markshroyer.com/contact/
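The point made in the reply above (chains are created but nothing jumps into them, so the policy never runs) can be checked mechanically. The script below is an added example by the editor, not code from the thread: it parses iptables-save output (one rule per line, easier to handle than `iptables -L -n`), lists user-defined chains unreachable from the built-in chains, lists built-in filter chains left at policy ACCEPT, and flags ACCEPT rules that match only on source port, which any remote host can satisfy by choosing its own source port. The sample ruleset is constructed to resemble the posted script and is not output from the machine in the thread.

```python
"""Audit iptables-save output for dead chains and permissive rules (added example)."""
from collections import defaultdict

# Constructed sample, modelled on the posted script: LOG_DROP/LOG_OK exist but
# are never jumped to, policies are ACCEPT, and one rule trusts a source port.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
:LOG_OK - [0:0]
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -p tcp --sport 80 -j ACCEPT
-A LOG_DROP -p tcp -m limit --limit 2/s --limit-burst 10 -j LOG --log-prefix "fp=TCP:1 a=DROP "
-A LOG_DROP -j DROP
-A LOG_OK -m limit --limit 2/s --limit-burst 10 -j LOG --log-prefix "fp=LOG_OK:3 a=ACCEPT "
-A LOG_OK -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
COMMIT
"""


def parse_save(text):
    """Return {table: {"chains": {name: policy}, "rules": [(chain, target, tokens)]}}.
    In iptables-save output user-defined chains carry the policy "-"."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[table]["chains"][name] = policy
        elif line[:3] in ("-A ", "-I "):
            tokens = line.split()
            target = None
            for i, tok in enumerate(tokens[:-1]):
                if tok in ("-j", "-g"):
                    target = tokens[i + 1]
            tables[table]["rules"].append((tokens[1], target, tokens))
    return tables


def dead_chains(tables):
    """User chains not reachable from any built-in chain via -j/-g, as 'table:chain'."""
    dead = []
    for tname, table in tables.items():
        chains = table["chains"]
        jumps = defaultdict(set)
        for chain, target, _ in table["rules"]:
            if target in chains:              # a jump to another chain of this table
                jumps[chain].add(target)
        seen = set()
        todo = [c for c, pol in chains.items() if pol != "-"]   # built-in entry points
        while todo:
            c = todo.pop()
            if c not in seen:
                seen.add(c)
                todo.extend(jumps[c])
        dead += [f"{tname}:{c}" for c, pol in chains.items()
                 if pol == "-" and c not in seen]
    return sorted(dead)


def open_policies(tables):
    """Built-in filter chains whose default policy is ACCEPT (nat/mangle are always ACCEPT)."""
    chains = tables.get("filter", {}).get("chains", {})
    return sorted(f"filter:{c}" for c, pol in chains.items() if pol == "ACCEPT")


def sport_only_accepts(tables):
    """ACCEPT rules that match a source port but no destination port."""
    hits = []
    for tname, table in tables.items():
        for chain, target, tokens in table["rules"]:
            if target == "ACCEPT" and "--sport" in tokens and "--dport" not in tokens:
                hits.append(f"{tname}:{chain}: " + " ".join(tokens))
    return hits


def audit(text):
    """Run all three checks over iptables-save text."""
    tables = parse_save(text)
    return {"dead": dead_chains(tables),
            "open": open_policies(tables),
            "sport": sport_only_accepts(tables)}


if __name__ == "__main__":
    for kind, items in audit(SAMPLE).items():
        for item in items:
            print(f"{kind:5} {item}")
```

Run it against `iptables-save` output from the old box (`iptables-save | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`); a chain reported as dead is policy that never executed, which is worth knowing before reproducing it in pf.conf.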



Re: Migration from IPTABLES to PF

2009-05-04 Thread Kevin Wilcox
2009/5/4 Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br:


 #___
 # KERNEL protection
 #___
 #Enable forwarding in kernel
 echo 1 > /proc/sys/net/ipv4/ip_forward

man sysctl

 #Block source routing
 echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route

man sysctl

 #Enable SYN Cookies
 #echo 1 > /proc/sys/net/ipv4/tcp_syncookies

man sysctl

 #Kill redirects
 echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects

man sysctl

 #Reduce DoS'ing ability by reducing timeouts
 echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
 echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
 echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
 echo 0 > /proc/sys/net/ipv4/tcp_sack

man sysctl

Your problem isn't necessarily your understanding of pf, it's of *nix
in general.

Don't feel bad, a lot of Linux admins grow too reliant on using /proc
directly instead of using the more appropriate method of setting
values, sysctl.

kmw

--
To take from one, because it is thought that his own industry and that
of his fathers has acquired too much, in order to spare to others,
who, or whose fathers have not exercised equal industry and skill, is
to violate arbitrarily the first principle of association, bthe
guarantee to every one of a free exercise of his industry,  the
fruits acquired by it.'



Re: ENC: Migration from IPTABLES to PF

2009-05-04 Thread Mark Shroyer
On Mon, May 04, 2009 at 03:12:20PM -0300, Ricardo Augusto de Souza wrote:
 Thanks.
 I already know those documentation.
 I wish i could find a documentation about this on PF:
 
 
 #___
 # KERNEL protection
 #___
 #Enable forwarding in kernel
 echo 1 > /proc/sys/net/ipv4/ip_forward

On OpenBSD:

sysctl -w net.inet.ip.forwarding=1

(or put net.inet.ip.forwarding=1 in /etc/sysctl.conf and reboot)

 #Disabling IP Spoofing attacks.
 if [ "$IPSEC" = "sim" ]
    then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f
    done
 else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > $f
    done
 fi

Equivalent would be a "block drop in quick from urpf-failed" rule in
pf.conf.

 #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

OpenBSD ignores these by default.

 #Block source routing
 echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route

This rule claims to block source routing, but it actually enables it.
But assuming you actually want to disable source routing, there's
nothing to do, because OpenBSD ignores these by default too (as they
say, secure by default...)

 #Kill timestamps
 echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Are you sure you want to do this?  You could use a "scrub reassemble
tcp" rule in pf.conf, but I've had problems with even that.  See the man
page for details.

 #Enable SYN Cookies
 #echo 1 > /proc/sys/net/ipv4/tcp_syncookies

That one's commented out for a reason.  On the other hand, look up
synproxy in the pf.conf man page for an OpenBSD alternative that's
compatible with TCP window scaling.

 #Kill redirects
 echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects

Another rule that claims to do one thing in the comment, but actually
does exactly the opposite.  Assuming you *do* want to block redirects:

sysctl -w net.inet.ip.redirect=0

 #Enable bad error message protection
 echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

I don't know what this does.

 #Log martians (packets with impossible addresses)
 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

There's no sysctl for this that I'm aware of, but you could add
something like the following to your pf.conf (however, the urpf-failed
rule should cover this already):

# TABLE SECTION #
table <martians> const { 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 0.0.0.0/8 }

# FILTER SECTION #
block drop in on $if_wan inet from <martians> to any
block return out on $if_wan inet from any to <martians>

 #Set our local port range
 echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range

See the following sysctls:
net.inet.ip.portfirst
net.inet.ip.portlast
net.inet.ip.porthifirst
net.inet.ip.porthilast

 #Reduce DoS'ing ability by reducing timeouts
 echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
 echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
 echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
 echo 0 > /proc/sys/net/ipv4/tcp_sack

See these sysctls:
net.inet.tcp.sack
net.inet.tcp.*

But as I said earlier, I wouldn't focus on precisely duplicating this
firewall's logic; it looks problematic.  It would be better to just come
up with a fresh notion of what you want this firewall to achieve, and
with that in mind, start over from scratch in PF.

-- 
Mark Shroyer
http://markshroyer.com/contact/
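Two of the settings in the reply above do the opposite of what their comment claims, and the only way that gets caught by hand is a line-by-line read. The script below is an added example by the editor, not code from the thread or from the poster: it parses `echo VALUE > /proc/sys/...` lines together with the comment above each one, turns the path into a sysctl key, and compares the value against a small hardening policy. POLICY is the editor's assumption; its OpenBSD column only repeats what the reply above says. SCRIPT is reconstructed from the posted fw_kernel with the `>` redirections restored, not copied from the machine.

```python
"""Audit the sysctl values an fw_kernel-style script writes (added example)."""
import re

# sysctl key -> (acceptable values, why, OpenBSD equivalent named in the reply above)
POLICY = {
    "net.ipv4.ip_forward": (("1",), "a router must forward", "net.inet.ip.forwarding=1"),
    "net.ipv4.icmp_echo_ignore_broadcasts": (("1",), "smurf amplification", "ignored by default"),
    "net.ipv4.conf.all.accept_source_route": (("0",), "1 ENABLES source routing", "ignored by default"),
    "net.ipv4.tcp_syncookies": (("1",), "SYN flood fallback", "synproxy state in pf.conf"),
    "net.ipv4.conf.all.accept_redirects": (("0",), "1 ENABLES ICMP redirects", "net.inet.ip.redirect=0"),
    "net.ipv4.icmp_ignore_bogus_error_responses": (("1",), "quiet bogus ICMP errors", "no equivalent named"),
    "net.ipv4.conf.all.log_martians": (("1",), "log impossible sources", "pf <martians> table"),
}

# Reconstructed from the thread (assumed content, redirections restored).
SCRIPT = """\
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
"""

# A leading '#' marks a commented-out setting. The '>' is optional so that
# copies with the redirection stripped (as in the mail archive) still parse.
ECHO = re.compile(r"^(?P<off>#?)\s*echo\s+(?P<val>\S+)\s*>?\s*(?P<path>/proc/sys/\S+)")


def parse_script(text):
    """Return [(sysctl key, value, commented_out, preceding comment)]."""
    out, comment = [], ""
    for line in text.splitlines():
        m = ECHO.match(line.strip())
        if m:
            key = m.group("path")[len("/proc/sys/"):].replace("/", ".")
            out.append((key, m.group("val"), bool(m.group("off")), comment))
            comment = ""
        elif line.startswith("#"):
            comment = line.lstrip("# ").rstrip()   # remember the intent stated above
        else:
            comment = ""                           # blank line: comment does not carry over
    return out


def audit(text):
    """Return [(key, finding)]; an empty list means every POLICY key is compliant."""
    findings, seen = [], set()
    for key, val, off, comment in parse_script(text):
        seen.add(key)
        if key not in POLICY:
            continue
        want, why, obsd = POLICY[key]
        if off:
            findings.append((key, f"commented out; wanted {'/'.join(want)} ({why}); OpenBSD: {obsd}"))
        elif val not in want:
            findings.append((key, f"is {val}, wanted {'/'.join(want)} ({why}); "
                                  f"comment claims '{comment}'; OpenBSD: {obsd}"))
    for key, (want, why, _) in POLICY.items():
        if key not in seen:
            findings.append((key, f"not set; wanted {'/'.join(want)} ({why})"))
    return findings


if __name__ == "__main__":
    for key, finding in audit(SCRIPT):
        print(f"{key}: {finding}")
```

On the reconstructed script this reports accept_source_route and accept_redirects as set to 1 while their comments claim to block, and tcp_syncookies as commented out; the for-loop that writes rp_filter is deliberately not parsed, since that check moves to pf's urpf-failed anyway.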



RES: Migration from IPTABLES to PF

2009-05-04 Thread Ricardo Augusto de Souza
 (ALL)
#___

#for NAT in `cat /etc/rc.d/init.d/fw_nat | awk 'BEGIN { FS = "#" } ; { print $1 }'`
#  do
$FW -t nat -A POSTROUTING -o $INT_INTERNET -p tcp -s $REDE_INTRANET -j MASQUERADE
$FW -t nat -A POSTROUTING -o $INT_INTERNET -p 47 -s $REDE_INTRANET -j MASQUERADE
$FW -t nat -A POSTROUTING -o $INT_INTERNET -p udp -s $REDE_INTRANET -j MASQUERADE
#  done

#___
# NAT - FULL ACCESS
#___

for NAT_FULL in `cat /etc/rc.d/init.d/prodata/fw_nat_full | awk 'BEGIN { FS = "#" } ; { print $1 }'`
  do
    $FW -t nat -A PREROUTING -i $INT_INTERNET -p all -s $NAT_FULL -j ACCEPT
    $FW -A FORWARD -i $INT_INTERNET -p all -s $NAT_FULL -j ACCEPT
    $FW -t nat -A PREROUTING -i $INT_INTERNET -p all -d $NAT_FULL -j ACCEPT
    $FW -A FORWARD -i $INT_INTERNET -p all -d $NAT_FULL -j ACCEPT

    $FW -t nat -A PREROUTING -i $INT_INTRANET -p all -s $NAT_FULL -j ACCEPT
    $FW -A FORWARD -i $INT_INTRANET -p all -s $NAT_FULL -j ACCEPT
    $FW -t nat -A PREROUTING -i $INT_INTRANET -p all -d $NAT_FULL -j ACCEPT
    $FW -A FORWARD -i $INT_INTRANET -p all -d $NAT_FULL -j ACCEPT
  done

#--- ALLOWED CLIENT APPLICATIONS for REDE_INTRANET (NAT) ---

#--- Rules for INT_INTERNET ---

#_____ ALL _____
#$FW -t nat -A PREROUTING -i $INT_INTERNET -p all -j ACCEPT
#$FW -A FORWARD -i $INT_INTERNET -p all -j ACCEPT

for PORTS in `cat /etc/rc.d/init.d/prodata/fw_ports | awk 'BEGIN { FS = "#" } ; { print $1 }'`
  do
    $FW -t nat -A PREROUTING -i $INT_INTERNET -p tcp --sport $PORTS -j ACCEPT
    $FW -A FORWARD -i $INT_INTERNET -p tcp --sport $PORTS -j ACCEPT
    $FW -t nat -A PREROUTING -i $INT_INTERNET -p udp --sport $PORTS -j ACCEPT
    $FW -A FORWARD -i $INT_INTERNET -p udp --sport $PORTS -j ACCEPT
  done
#_____ ALL _____
#$FW -t nat -A PREROUTING -i $INT_INTRANET -p all -j ACCEPT
#$FW -A FORWARD -i $INT_INTRANET -p all -j ACCEPT

for PORTS in `cat /etc/rc.d/init.d/prodata/fw_ports | awk 'BEGIN { FS = "#" } ; { print $1 }'`
  do
    $FW -t nat -A PREROUTING -i $INT_INTRANET -p tcp --dport $PORTS -j ACCEPT
    $FW -A FORWARD -i $INT_INTRANET -p tcp --dport $PORTS -j ACCEPT
    $FW -t nat -A PREROUTING -i $INT_INTRANET -p udp --dport $PORTS -j ACCEPT
    $FW -A FORWARD -i $INT_INTRANET -p udp --dport $PORTS -j ACCEPT
  done

#___
# FINAL POLICY - DENY ALL
#___

#$FW -A OUTPUT -m state -p icmp --state INVALID -j DROP
#$FW -A INPUT -i $INT_INTERNET -j DROP
#$FW -A OUTPUT -o $INT_INTERNET -j DROP
#$FW -A FORWARD -i $INT_INTERNET -j DROP
#$FW -A FORWARD -o $INT_INTERNET -j DROP

#$FW -A INPUT -i $INT_INTRANET -j DROP
#$FW -A OUTPUT -o $INT_INTRANET -j DROP
#$FW -A FORWARD -i $INT_INTRANET -j DROP
#$FW -A FORWARD -o $INT_INTRANET -j DROP

#___
# LOG ALL rules
#___

#$FW -A FORWARD -j LOG --log-level 3 --log-prefix "PRODATA_FORWARD "
#$FW -A FORWARD -j DROP
#$FW -A INPUT -j LOG --log-level 3 --log-prefix "PRODATA_INPUT "
#$FW -A INPUT -j DROP
#$FW -A OUTPUT -j LOG --log-level 3 --log-prefix "PRODATA_OUTPUT "
#$FW -A OUTPUT -j DROP
#$FW -t nat -A POSTROUTING -j LOG --log-level 3 --log-prefix "PRODATA_POSTROUTING "
#$FW -t nat -A POSTROUTING -j DROP
#$FW -t nat -A PREROUTING -j LOG --log-level 3 --log-prefix "PRODATA_PREROUTING "
#$FW -t nat -A PREROUTING -j DROP
#$FW -t nat -A OUTPUT -j LOG --log-level 3 --log-prefix "PRODATA_OUTPUT_ROUTING "
#$FW -t nat -A OUTPUT -j DROP

echo ""
echo FIREWALLSTARTED
;;
   *)
  echo "Usage: ./fw_prodata.com.br (start|stop|restart|status)"
  exit 1
  ;;
esac


-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Mark
Shroyer
Sent: Monday, 4 May 2009 15:34
To: misc@openBSD.org
Subject: Re: Migration from IPTABLES to PF

On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
 Hi,

 I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy
 who installed it left our company some months ago.
 I spent some years far from iptables, now I have to migrate this firewall to
 PF.
 There are some 'special' features on this firewall, I need some documentation
 or help about implementing these features at the new firewall (PF).

 This is the iptables scripts:

 [...]

Is that actually all there is to the firewall setup?

This script

Re: Migration from IPTABLES to PF

2009-05-04 Thread Gonzalo Lionel Rodriguez
jajajaja i think the same. grrr

2009/5/4 Marco Peereboom sl...@peereboom.us:
 MY EYES!!! make it stop bleeding!!!

 On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
 Hi,

 I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy
 who installed it left our company some months ago.
 I spent some years far from iptables, now I have to migrate this firewall to
 PF.
 There are some 'special' features on this firewall, I need some documentation
 or help about implementing these features at the new firewall (PF).

 This is the iptables scripts:

 [...]

Re: Migration from IPTABLES to PF

2009-05-04 Thread Jason Dixon
On Mon, May 04, 2009 at 04:34:55PM -0300, Gonzalo Lionel Rodriguez wrote:
 2009/5/4 Marco Peereboom sl...@peereboom.us:
  MY EYES!!! make it stop bleeding!!!
 
 jajajaja i think the same. grrr

LOL, you ain't seen nothing yet.  Look at the extended version he just
sent out.  :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Migration from IPTABLES to PF

2009-05-04 Thread Gonzalo Lionel Rodriguez
jaja OMG... i love PF and OpenBSD.

2009/5/4 Jason Dixon ja...@dixongroup.net:
 On Mon, May 04, 2009 at 04:34:55PM -0300, Gonzalo Lionel Rodriguez wrote:
 2009/5/4 Marco Peereboom sl...@peereboom.us:
  MY EYES!!! make it stop bleeding!!!

 jajajaja i think the same. grrr

 LOL, you ain't seen nothing yet.  Look at the extended version he just
 sent out.  :)

 --
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net/



Re: Migration from IPTABLES to PF

2009-05-04 Thread Mark Shroyer
On Mon, May 04, 2009 at 04:46:16PM -0300, Gonzalo Lionel Rodriguez wrote:
 jaja OMG... i love PF and OpenBSD.
 
 2009/5/4 Jason Dixon ja...@dixongroup.net:
  LOL, you ain't seen nothing yet.  Look at the extended version he just
  sent out.  :)

To be fair, I've seen some pretty horrid pf.conf files, too.  (Although
I certainly prefer it over iptables in most cases.)

-- 
Mark Shroyer
http://markshroyer.com/contact/



Re: RES: Migration from IPTABLES to PF

2009-05-04 Thread Mark Shroyer
On Mon, May 04, 2009 at 03:49:58PM -0300, Ricardo Augusto de Souza wrote:
 $FW -I INPUT -i $INT_INTRANET -p all -j ACCEPT
 $FW -I OUTPUT -o $INT_INTRANET -p all -j ACCEPT
 $FW -I FORWARD -o $INT_INTRANET -i $INT_INTRANET -p all -j ACCEPT
 $FW -t nat -I PREROUTING -i $INT_INTRANET -p all -j ACCEPT
 $FW -t nat -I POSTROUTING -o $INT_INTRANET -p all -j ACCEPT
 $FW -t nat -I OUTPUT -o $INT_INTRANET -p all -j ACCEPT

Ah, good...  that's what I was hoping to see :)

 -----Original Message-----
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Mark
 Shroyer
 Sent: Monday, 4 May 2009 15:34
 To: misc@openBSD.org
 Subject: Re: Migration from IPTABLES to PF
 
 [...]

 Is that actually all there is to the firewall setup?
 
 This script creates a bunch of chains for performing various actions on
 packets, but it doesn't actually add any rules to the filter table's
 special INPUT, OUTPUT, or FORWARD chains that would jump processing
 logic through these auxiliary chains.  So unless there are some other
 iptables commands hidden somewhere else, the logic defined in this
 script will never be applied and your firewall will simply let
 everything through.
 
 What is the output of `iptables -L -n` on this machine?

-- 
Mark Shroyer
http://markshroyer.com/contact/



Re: Migration from IPTABLES to PF

2009-05-04 Thread Gonzalo Lionel Rodriguez
Don't be fair  ;)

2009/5/4 Mark Shroyer subscriber+open...@markshroyer.com:
 On Mon, May 04, 2009 at 04:46:16PM -0300, Gonzalo Lionel Rodriguez wrote:
 jaja OMG... i love PF and OpenBSD.

 2009/5/4 Jason Dixon ja...@dixongroup.net:
  LOL, you ain't seen nothing yet.  Look at the extended version he just
  sent out.  :)

 To be fair, I've seen some pretty horrid pf.conf files, too.  (Although
 I certainly prefer it over iptables in most cases.)

 --
 Mark Shroyer
 http://markshroyer.com/contact/



Re: Migration from IPTABLES to PF

2009-05-04 Thread Jason Dixon
On Mon, May 04, 2009 at 04:14:45PM -0400, Mark Shroyer wrote:
 On Mon, May 04, 2009 at 04:46:16PM -0300, Gonzalo Lionel Rodriguez wrote:
  jaja OMG... i love PF and OpenBSD.
  
  2009/5/4 Jason Dixon ja...@dixongroup.net:
   LOL, you ain't seen nothing yet.  Look at the extended version he just
   sent out.  :)
 
 To be fair, I've seen some pretty horrid pf.conf files, too.  (Although
 I certainly prefer it over iptables in most cases.)

Indeed.  I clawed my eyes out this weekend on a friend's pf.conf (hi
Kevin :) while trying to diagnose some relayd problems.  At least pf
syntax lends itself to logical separation and organization.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Migration from IPTABLES to PF

2009-05-04 Thread Giancarlo Razzolini

Mark Shroyer escreveu:

On Mon, May 04, 2009 at 04:46:16PM -0300, Gonzalo Lionel Rodriguez wrote:
  

jaja OMG... i love PF and OpenBSD.

2009/5/4 Jason Dixon ja...@dixongroup.net:


LOL, you ain't seen nothing yet.  Look at the extended version he just
sent out.  :)
  


To be fair, I've seen some pretty horrid pf.conf files, too.  (Although
I certainly prefer it over iptables in most cases.)

  
That's exactly why we have the ruleset optimizer. I can still recall 
when I migrated one iptables firewall with more than 300 lines, all 
of them absolutely necessary, into a single pf.conf with no more than 
60 lines (including spacing, indentation, and comments). That's why I 
chose pf and stuck with it. Now, on topic, I definitely recommend 
that beginners read the pf FAQ. I had never worked with pf, and 
migrated my ruleset in 2 days. But I was working with iptables on a 
daily basis. If you are a little rusty with iptables, using fwbuilder 
to convert your ruleset is a good start. It won't convert it as is; 
you will have to remove some things, mainly the /proc stuff, and others. 
After you have your first fwbuilder-made ruleset, try reading it and 
referring to the FAQ when you are in doubt. It will be quite helpful.


My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: Migration from IPTABLES to PF

2009-05-04 Thread William Chivers
This is a great advertisement for OpenBSD, PF, and keeping things simple in 
general, mind if I use it Ricardo?

As for your original question, I wouldn't even try to convert your iptables, 
especially using some magic tool to do it. Decide what you want your firewall 
to do and start from scratch with PF. That way you will know it is working and 
you will be able to maintain it reliably.

Cheers, Bill


-
William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259
Australia
CRICOS Provider Number: 00109J 

phone:   +61 2 4349 4473
fax: +61 2 4349 4565
email:  william.chiv...@newcastle.edu.au
-
 Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/05/09 3:17 AM 
Hi,

I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy
who installed it left our company some months ago.
I spent some years far from iptables, now I have to migrate this firewall to
PF.
There are some 'special' features on this firewall, I need some documentation
or help about implementing these features at the new firewall (PF).

This is the iptables scripts:

#!/bin/bash
FW=/sbin/iptables
LOAD=/sbin/modprobe
#__

# Loading IPTABLES modules
. /etc/rc.d/init.d/prodata/fw_modulos

# Loading variables
. /etc/rc.d/init.d/prodata/fw_variaveis

if [ "$KERNEL" = "sim" ]
   then . /etc/rc.d/init.d/prodata/fw_kernel
fi

#___
# Create LOG policies
#___

if [ "$LOGS" = "sim" ]
   then . /etc/rc.d/init.d/prodata/fw_politicas
fi

Normal rules here
 EOF



/etc/rc.d/init.d/prodata/fw_modulos
#$LOAD nfnetlink

$LOAD ip_conntrack
$LOAD ip_conntrack_ftp
#$LOAD ip_conntrack_pptp ##
#$LOAD ip_conntrack_netlink ##
#$LOAD ip_conntrack_tftp ##

#$LOAD ip_nat
$LOAD ip_nat_ftp
$LOAD ip_gre
#$LOAD ip_nat_pptp ##
#$LOAD ip_nat_tftp ##
$LOAD ip_queue ##
$LOAD ip_tables

$LOAD iptable_filter
$LOAD iptable_nat
$LOAD iptable_mangle

$LOAD ipt_helper
$LOAD ipt_LOG
$LOAD ipt_limit
$LOAD ipt_state
#$LOAD ipt_layer7 ##
$LOAD ipt_MASQUERADE
$LOAD ipt_multiport
#$LOAD ipt_string
$LOAD ipt_tcpmss
$LOAD ipt_TCPMSS
# EOF


/etc/rc.d/init.d/prodata/fw_kernel
#___
# KERNEL protection
#___
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
if [ "$IPSEC" = "sim" ]
   then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f
   done
else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > $f
   done
fi

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set our local port range
echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
### EOF



/etc/rc.d/init.d/prodata/fw_politicas
#___
# LOG - frame denial policy
#___

LOGLIMIT=2/s
LOGLIMITBURST=10
# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT=5/s
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST=10
# Overall Limit for Ping-Flood-Detection
PINGLIMIT=5/s
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST=1

$FW -N LOG_DROP
$FW -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
$FW -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
$FW -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
$FW -A LOG_DROP -p 47 -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=VPN:4 a=DROP "