Re: RES: Migration from IPTABLES to PF
Tomáš, thanks for the tip.

Bill

--
William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259 Australia
CRICOS Provider Number: 00109J
phone: +61 2 4349 4473
fax:   +61 2 4349 4565
email: william.chiv...@newcastle.edu.au

>>> Tomáš Bodňár <tomas.bod...@gmail.com> 05/06/09 3:41 PM >>>
> I think that in the case of pf a good starting point is this site
> http://home.nuug.no/~peter/pf/ and then the FAQ parts.
Re: RES: Migration from IPTABLES to PF
On Wed, May 6, 2009 02:41, Tomáš Bodňár wrote:
> I think that in the case of pf a good starting point is this site
> http://home.nuug.no/~peter/pf/ and then the FAQ parts.

It always helps me to read https://calomel.org/ when in doubt. :)
(The new photo looks cool also =] )

matheus
RES: Migration from IPTABLES to PF
Thanks for this 'polite' reply.

As I said, I spent some years away from the Unix/Linux world; I worked with business intelligence in those years. Now I am back to network administration and I got this project to do. I used OpenBSD before version 3. I do like it.

This is my current scenario:

- 2 firewalls with 2 CARP+pfsync that will handle 2 internet connections, 1 MPLS connection and 1 LAN, to handle around 60 bus companies that transport 2 million users per day; each user has their own myfair card. Each bus has a system that stores this data in a file. These files will be imported into Oracle later. After this import, there are a lot of specific applications that use this information.
- Behind these 2 firewalls we have around 30 servers (most Windows): IIS, file transfer servers, WS, and some other servers like some Red Hat Enterprise running Oracle 10g.
- At the beginning the firewalls will do NAT + filter + gateway + mpd5 + squid (the fucking operators who need access to the Windows servers were surfing the web from there).
- Our applications have around 5,000 users per day, but we have a lot of web services and some ETL processes (I don't have statistics about volume yet).

So that is it.

-----Original Message-----
From: William Chivers [mailto:william.chiv...@newcastle.edu.au]
Sent: Monday, May 4, 2009 22:46
To: Ricardo Augusto de Souza; misc@openbsd.org
Subject: Re: Migration from IPTABLES to PF

> This is a great advertisement for OpenBSD, PF, and keeping things simple in general; mind if I use it, Ricardo?
>
> As for your original question, I wouldn't even try to convert your iptables, especially using some magic tool to do it. Decide what you want your firewall to do and start from scratch with PF. That way you will know it is working and you will be able to maintain it reliably.
>
> Cheers,
> Bill
Re: RES: Migration from IPTABLES to PF
Hello Ricardo,

This is not a beginners' mailing list; people here expect questions to
1. be very specific, and
2. demonstrate that you have spent a lot of time trying to solve the problem yourself, reading the documentation etc.

Start with http://www.openbsd.org/faq/pf/index.html

If you still need help, there are several books on pf, for example The Book of PF (http://nostarch.com/pf.htm).

Look back through the misc mailing list to see how specific questions about pf are. When you have a specific question, the best help available is right here.

Bill

>>> Ricardo Augusto de Souza <ricardo.so...@cmtsp.com.br> 05/06/09 5:08 AM >>>
> Thanks for this 'polite' reply.
>
> As I said, I spent some years away from the Unix/Linux world; I worked with business intelligence in those years. Now I am back to network administration and I got this project to do. I used OpenBSD before version 3. I do like it.
>
> This is my current scenario:
>
> - 2 firewalls with 2 CARP+pfsync that will handle 2 internet connections, 1 MPLS connection and 1 LAN, to handle around 60 bus companies that transport 2 million users per day; each user has their own myfair card. Each bus has a system that stores this data in a file. These files will be imported into Oracle later. After this import, there are a lot of specific applications that use this information.
> - Behind these 2 firewalls we have around 30 servers (most Windows): IIS, file transfer servers, WS, and some other servers like some Red Hat Enterprise running Oracle 10g.
> - At the beginning the firewalls will do NAT + filter + gateway + mpd5 + squid (the fucking operators who need access to the Windows servers were surfing the web from there).
> - Our applications have around 5,000 users per day, but we have a lot of web services and some ETL processes (I don't have statistics about volume yet).
>
> So that is it.
Re: RES: Migration from IPTABLES to PF
I think that in the case of pf a good starting point is this site http://home.nuug.no/~peter/pf/ and then the FAQ parts.

2009/5/5 William Chivers <william.chiv...@newcastle.edu.au>:
> Hello Ricardo,
>
> This is not a beginners' mailing list; people here expect questions to
> 1. be very specific, and
> 2. demonstrate that you have spent a lot of time trying to solve the problem yourself, reading the documentation etc.
>
> Start with http://www.openbsd.org/faq/pf/index.html
>
> If you still need help, there are several books on pf, for example The Book of PF (http://nostarch.com/pf.htm).
>
> Look back through the misc mailing list to see how specific questions about pf are. When you have a specific question, the best help available is right here.
>
> Bill
Migration from IPTABLES to PF
Hi,

I have a firewall running on Fedora Core 4 (Stentz) with iptables. The guy who installed it left our company some months ago. I spent some years away from iptables, and now I have to migrate this firewall to PF. There are some 'special' features on this firewall; I need some documentation or help about implementing these features on the new firewall (PF).

These are the iptables scripts:

#!/bin/bash
FW=/sbin/iptables
LOAD=/sbin/modprobe

#___
# Loading IPTABLES modules
. /etc/rc.d/init.d/prodata/fw_modulos

# Loading variables
. /etc/rc.d/init.d/prodata/fw_variaveis

if [ "$KERNEL" = sim ]
then
    . /etc/rc.d/init.d/prodata/fw_kernel
fi

#___
# Create LOG policies
#___
if [ "$LOGS" = sim ]
then
    . /etc/rc.d/init.d/prodata/fw_politicas
fi

# Normal rules here
### EOF

/etc/rc.d/init.d/prodata/fw_modulos
#$LOAD nfnetlink
$LOAD ip_conntrack
$LOAD ip_conntrack_ftp
#$LOAD ip_conntrack_pptp ##
#$LOAD ip_conntrack_netlink ##
#$LOAD ip_conntrack_tftp ##
#$LOAD ip_nat
$LOAD ip_nat_ftp
$LOAD ip_gre
#$LOAD ip_nat_pptp ##
#$LOAD ip_nat_tftp ##
$LOAD ip_queue ##
$LOAD ip_tables
$LOAD iptable_filter
$LOAD iptable_nat
$LOAD iptable_mangle
$LOAD ipt_helper
$LOAD ipt_LOG
$LOAD ipt_limit
$LOAD ipt_state
#$LOAD ipt_layer7 ##
$LOAD ipt_MASQUERADE
$LOAD ipt_multiport
#$LOAD ipt_string
$LOAD ipt_tcpmss
$LOAD ipt_TCPMSS
### EOF

/etc/rc.d/init.d/prodata/fw_kernel
#___
# KERNEL protection
#___
# Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Disabling IP spoofing attacks (reverse path filter; off when IPsec is in use)
if [ "$IPSEC" = sim ]
then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > "$f"
    done
else
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 2 > "$f"
    done
fi

# Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Block source routing (0 = do not accept source-routed packets)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Kill redirects (0 = do not accept ICMP redirects)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Set our local port range
echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range

# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
### EOF

/etc/rc.d/init.d/prodata/fw_politicas
#___
# LOG - frame denial policy
#___
LOGLIMIT=2/s
LOGLIMITBURST=10
# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT=5/s
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST=10
# Overall Limit for Ping-Flood-Detection
PINGLIMIT=5/s
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST=1

# Log (rate limited per protocol) and then drop
$FW -N LOG_DROP
$FW -A LOG_DROP -p tcp  -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
$FW -A LOG_DROP -p udp  -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
$FW -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
$FW -A LOG_DROP -p 47   -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=VPN:4 a=DROP "
$FW -A LOG_DROP -f      -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:5 a=DROP "
$FW -A LOG_DROP -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=NEW nao SYN: "
$FW -A LOG_DROP -j DROP

#___
# LOG - frame acceptance policy
#___
$FW -N LOG_OK
$FW -A LOG_OK -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 3 --log-prefix "fp=LOG_OK:3 a=ACCEPT "
$FW -A LOG_OK -j ACCEPT

#___
# LOG - TCP-SYN-Flood denial policy
#___
$FW -N LSYNFLOOD
$FW -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG
Re: Migration from IPTABLES to PF
On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
> Hi,
>
> I have a firewall running on Fedora Core 4 (Stentz) with iptables. The guy who installed it left our company some months ago. I spent some years away from iptables, and now I have to migrate this firewall to PF. There are some 'special' features on this firewall; I need some documentation or help about implementing these features on the new firewall (PF).

The documentation is available online:

http://www.openbsd.org/faq/pf/index.html
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

I made a quick review of your ruleset. I gave up after a few PgDn's. I believe it's in your best interests to contact someone that provides commercial support.

http://www.openbsd.org/support.html

On a good day, someone might step up and help you with this. But I wouldn't expect it.

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: Migration from IPTABLES to PF
Ricardo,

Why don't you try Firewall Builder?

http://www.fwbuilder.org/

It handles iptables, pf, and others. It should be able to import your iptables ruleset (created by doing something like /sbin/iptables-save > turdwall.txt) and then convert it to a pf.conf. You will still want to manually parse it to make sure it's good.

This is a good tool, but I think you will find that pf and iptables differ, so depending on your special additions, your mileage may vary.

I do not like GUI tools, and personally I would print it out and then hand write the pf.conf from scratch.

-chron

john chronister
john dot chronister at gmail dot com
fingerprint: 1F16 9016 945A AFEE 0E33 E475 3BAE E5BE E8DE 8851

On Mon, May 4, 2009 at 7:58 PM, Jason Dixon <ja...@dixongroup.net> wrote:
> The documentation is available online:
>
> http://www.openbsd.org/faq/pf/index.html
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf
>
> I made a quick review of your ruleset. I gave up after a few PgDn's. I believe it's in your best interests to contact someone that provides commercial support.
>
> http://www.openbsd.org/support.html
>
> On a good day, someone might step up and help you with this. But I wouldn't expect it.
>
> Thanks,
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
ENC: Migration from IPTABLES to PF
Thanks. I already know that documentation. I wish I could find documentation about this on PF:

#___
# KERNEL protection
#___
# Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Disabling IP spoofing attacks (reverse path filter; off when IPsec is in use)
if [ "$IPSEC" = sim ]
then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > "$f"
    done
else
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 2 > "$f"
    done
fi

# Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Block source routing (0 = do not accept source-routed packets)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Kill redirects (0 = do not accept ICMP redirects)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Set our local port range
echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range

# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

I will ask Eduardo Alvarenga. Thanks anyway.

-----Original Message-----
From: Jason Dixon [mailto:ja...@dixongroup.net]
Sent: Monday, May 4, 2009 14:59
To: Ricardo Augusto de Souza
Cc: misc@openBSD.org
Subject: Re: Migration from IPTABLES to PF

> The documentation is available online:
>
> http://www.openbsd.org/faq/pf/index.html
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf
>
> I made a quick review of your ruleset. I gave up after a few PgDn's. I believe it's in your best interests to contact someone that provides commercial support.
>
> http://www.openbsd.org/support.html
>
> On a good day, someone might step up and help you with this. But I wouldn't expect it.
>
> Thanks,
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
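The kernel settings Ricardo asks about above, together with the LOG_DROP, LOG_OK and LSYNFLOOD chains from his original post, map onto OpenBSD's sysctl.conf and pf.conf roughly as follows. This is an added example written for this page, not code from the thread or from any of its participants; the interface names, the server network, the rate limits and the labels are assumptions, and the pf.conf syntax is the current form (OpenBSD 4.7 and later), not the 2009 one.

```conf
# /etc/sysctl.conf  (counterpart of the fw_kernel block; added example)
# sysctl.conf takes no trailing comments, so each comment is on its own line.
# ip_forward=1
net.inet.ip.forwarding=1
# accept_source_route=0: do not forward source-routed packets
net.inet.ip.sourceroute=0
# stop this box from *sending* ICMP redirects; incoming ones are dropped in pf.conf
net.inet.ip.redirect=0
# icmp_echo_ignore_broadcasts=1 (smurf amplification)
net.inet.icmp.bmcastecho=0
# tcp_timestamps=0 and tcp_window_scaling=0 are one switch here (RFC 1323 options)
net.inet.tcp.rfc1323=0
# tcp_sack=0
net.inet.tcp.sack=0
# ip_local_port_range 32768 61000
net.inet.ip.portfirst=32768
net.inet.ip.portlast=61000
# rp_filter and log_martians have no sysctl on OpenBSD: see the pf.conf rules below

# /etc/pf.conf  (counterpart of rp_filter/log_martians and of the LOG_DROP,
# LOG_OK and LSYNFLOOD chains; added example, all names are assumptions)
ext_if  = "em0"          # link to the ISP (assumed)
int_if  = "em1"          # server LAN (assumed)
sync_if = "em2"          # dedicated pfsync link between the two CARP firewalls (assumed)
srv_net = "10.1.0.0/24"  # constructed address space for the ~30 servers, assumed routed here
table <bad_hosts> persist

# Fragments are reassembled before filtering (default), which is what the
# "-f" LOG rule dealt with; max-mss replaces the ipt_TCPMSS module.
set reassemble yes
set timeout { tcp.finwait 30 }          # tcp_fin_timeout=30
set skip on lo0
match on $ext_if scrub (no-df max-mss 1440)

# rp_filter: drop packets arriving on an interface that is not the route back
# to their source; antispoof does the same for our own networks. The original
# turned rp_filter off when IPsec was in use; leave the urpf rule off the
# IPsec-facing side in that case. "log" sends them to pflog0, like log_martians.
block in log quick from urpf-failed label "urpf"
antispoof log quick for $int_if

# LOG_DROP: default policy is deny and log. pf has no per-rule log rate limit;
# pflogd writes to /var/log/pflog, and the rule number plus label take the
# place of the "fp=TCP:1 a=DROP" prefixes.
block log all label "drop-default"
block in log quick on $ext_if inet proto icmp icmp-type redir label "drop-redirect"

# "! --syn -m state --state NEW": tcp pass rules default to flags S/SA, so a
# non-SYN packet without a state never matches a pass rule and is blocked above.

# MASQUERADE for the server LAN
match out on $ext_if inet from $srv_net to any nat-to ($ext_if)

# CARP and pfsync between the two firewalls
pass quick on $sync_if proto pfsync
pass on { $ext_if $int_if } proto carp

# LOG_OK plus LSYNFLOOD: TCPSYNLIMIT=5/s becomes a per-source connection rate;
# sources above it go into <bad_hosts> and their existing states are flushed.
block in quick from <bad_hosts> label "flooders"
pass in log on $ext_if inet proto tcp to $srv_net port { 80 443 } \
    keep state (max-src-conn-rate 5/1, overload <bad_hosts> flush global) \
    label "accept-web"
pass out on $ext_if inet keep state
pass in on $int_if inet from $srv_net keep state
```

Check the ruleset with pfctl -nf /etc/pf.conf before loading it with pfctl -f; tcpdump -n -e -ttt -i pflog0 then shows the rule number and label for every logged packet, which is the pf counterpart of the fp= log prefixes.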
Re: Migration from IPTABLES to PF
MY EYES!!! make it stop bleeding!!!

On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
> Hi,
> I have a firewall running on a Fedora Core 4 (STentz) with iptables.
> The Guy Who installed it left our company some months ago.
> I spent some years far from iptables, now I have to migrate this firewall to PF.
> There are some 'special' features on this firewall, I need some documentation or help about implementing these features at new firewall ( PF ).
> This is the iptables scripts:
>
> #!/bin/bash
> FW=/sbin/iptables
> LOAD=/sbin/modprobe
> #__
> # Loading IPTABLES modules
> . /etc/rc.d/init.d/prodata/fw_modulos
> # Loading variables
> . /etc/rc.d/init.d/prodata/fw_variaveis
> if [ $KERNEL = sim ]
> then
>   . /etc/rc.d/init.d/prodata/fw_kernel
> fi
> #___
> # Create LOG policies
> #___
> if [ $LOGS = sim ]
> then
>   . /etc/rc.d/init.d/prodata/fw_politicas
> fi
>
> Normal rules here
>
> EOF
>
> /etc/rc.d/init.d/prodata/fw_modulos
> #$LOAD nfnetlink
> $LOAD ip_conntrack
> $LOAD ip_conntrack_ftp
> #$LOAD ip_conntrack_pptp ##
> #$LOAD ip_conntrack_netlink ##
> #$LOAD ip_conntrack_tftp ##
> #$LOAD ip_nat
> $LOAD ip_nat_ftp
> $LOAD ip_gre
> #$LOAD ip_nat_pptp ##
> #$LOAD ip_nat_tftp ##
> $LOAD ip_queue ##
> $LOAD ip_tables
> $LOAD iptable_filter
> $LOAD iptable_nat
> $LOAD iptable_mangle
> $LOAD ipt_helper
> $LOAD ipt_LOG
> $LOAD ipt_limit
> $LOAD ipt_state
> #$LOAD ipt_layer7 ##
> $LOAD ipt_MASQUERADE
> $LOAD ipt_multiport
> #$LOAD ipt_string
> $LOAD ipt_tcpmss
> $LOAD ipt_TCPMSS
> #
> EOF
>
> /etc/rc.d/init.d/prodata/fw_kernel
> #___
> # KERNEL protection
> #___
> #Enable forwarding in kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward
> #Disabling IP Spoofing attacks.
> if [ $IPSEC = sim ]
> then
>   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 0 > $f
>   done
> else
>   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 2 > $f
>   done
> fi
> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> #Block source routing
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
> #Kill timestamps
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> #Enable SYN Cookies
> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> #Kill redirects
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
> #Enable bad error message protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> #Log martians (packets with impossible addresses)
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> #Set out local port range
> echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range
> #Reduce DoS'ing ability by reducing timeouts
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
> ###
> EOF
>
> /etc/rc.d/init.d/prodata/fw_politicas
> #___
> # LOG - Frame denial policy
> #___
> LOGLIMIT=2/s
> LOGLIMITBURST=10
> # Overall Limit for TCP-SYN-Flood detection
> TCPSYNLIMIT=5/s
> # Burst Limit for TCP-SYN-Flood detection
> TCPSYNLIMITBURST=10
> # Overall Limit for Ping-Flood-Detection
> PINGLIMIT=5/s
> # Burst Limit for Ping-Flood-Detection
> PINGLIMITBURST=1
> $FW -N LOG_DROP
> $FW -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP"
> $FW -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP"
> $FW -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP"
> $FW -A LOG_DROP -p 47 -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=VPN:4 a=DROP"
> $FW -A LOG_DROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:5 a=DROP"
> $FW -A LOG_DROP -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=NEW nao SYN:"
> $FW -A LOG_DROP -j DROP
> #___
> # LOG - Frame accept policy
> #___
> $FW -N LOG_OK
> $FW -A LOG_OK -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 3 --log-prefix "fp=LOG_OK:3 a=ACCEPT"
> $FW -A LOG_OK -j ACCEPT
Re: Migration from IPTABLES to PF
On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
> Hi,
> I have a firewall running on a Fedora Core 4 (STentz) with iptables.
> The Guy Who installed it left our company some months ago.
> I spent some years far from iptables, now I have to migrate this firewall to PF.
> There are some 'special' features on this firewall, I need some documentation or help about implementing these features at new firewall ( PF ).
> This is the iptables scripts:
>
> [...]

Is that actually all there is to the firewall setup? This script creates a bunch of chains for performing various actions on packets, but it doesn't actually add any rules to the filter table's special INPUT, OUTPUT, or FORWARD chains that would jump processing logic through these auxiliary chains. So unless there are some other iptables commands hidden somewhere else, the logic defined in this script will never be applied and your firewall will simply let everything through.

What is the output of `iptables -L -n` on this machine?

-- 
Mark Shroyer
http://markshroyer.com/contact/
Re: Migration from IPTABLES to PF
2009/5/4 Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br:
> #___
> # KERNEL protection
> #___
> #Enable forwarding in kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward

man sysctl

> #Block source routing
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route

man sysctl

> #Enable SYN Cookies
> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies

man sysctl

> #Kill redirects
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects

man sysctl

> #Reduce DoS'ing ability by reducing timeouts
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack

man sysctl

Your problem isn't necessarily your understanding of pf, it's of *nix in general. Don't feel bad, a lot of Linux admins grow too reliant on using /proc directly instead of using the more appropriate method of setting values, sysctl.

kmw

-- 
To take from one, because it is thought that his own industry and that of his fathers has acquired too much, in order to spare to others, who, or whose fathers have not exercised equal industry and skill, is to violate arbitrarily the first principle of association, 'the guarantee to every one of a free exercise of his industry, the fruits acquired by it.'
Re: ENC: Migration from IPTABLES to PF
On Mon, May 04, 2009 at 03:12:20PM -0300, Ricardo Augusto de Souza wrote:
> Thanks.
> I already know those documentation.
> I wish I could find a documentation about this on PF:
>
> #___
> # KERNEL protection
> #___
> #Enable forwarding in kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward

On OpenBSD:

sysctl -w net.inet.ip.forwarding=1

(or put net.inet.ip.forwarding=1 in /etc/sysctl.conf and reboot)

> #Disabling IP Spoofing attacks.
> if [ $IPSEC = sim ]
> then
>   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 0 > $f
>   done
> else
>   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 2 > $f
>   done
> fi

Equivalent would be a

block drop in quick from urpf-failed

rule in pf.conf.

> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

OpenBSD ignores these by default.

> #Block source routing
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route

This rule claims to block source routing, but it actually enables it. But assuming you actually want to disable source routing, there's nothing to do, because OpenBSD ignores these by default too (as they say, secure by default...)

> #Kill timestamps
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Are you sure you want to do this? You could use a

scrub reassemble tcp

rule in pf.conf, but I've had problems with even that. See the man page for details.

> #Enable SYN Cookies
> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies

That one's commented out for a reason. On the other hand, look up synproxy in the pf.conf man page for an OpenBSD alternative that's compatible with TCP window scaling.

> #Kill redirects
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects

Another rule that claims to do one thing in the comment, but actually does exactly the opposite. Assuming you *do* want to block redirects:

sysctl -w net.inet.ip.redirect=0

> #Enable bad error message protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

I don't know what this does.

> #Log martians (packets with impossible addresses)
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

There's no sysctl for this that I'm aware of, but you could add something like the following to your pf.conf (however, the urpf-failed rule should cover this already):

# TABLE SECTION #
table <martians> const { 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
    10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 0.0.0.0/8 }

# FILTER SECTION #
block drop in on $if_wan inet from <martians> to any
block return out on $if_wan inet from any to <martians>

> #Set out local port range
> echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range

See the following sysctls:

net.inet.ip.portfirst
net.inet.ip.portlast
net.inet.ip.porthifirst
net.inet.ip.porthilast

> #Reduce DoS'ing ability by reducing timeouts
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack

See these sysctls:

net.inet.tcp.sack
net.inet.tcp.*

But as I said earlier, I wouldn't focus on precisely duplicating this firewall's logic; it looks problematic. It would be better to just come up with a fresh notion of what you want this firewall to achieve, and with that in mind, start over from scratch in PF.

-- 
Mark Shroyer
http://markshroyer.com/contact/
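As an added example (not code from the thread or from any of its posters), the following Python does mechanically what the reply above does by hand: it parses each live `echo VALUE > /proc/sys/...` line of the quoted fw_kernel fragment, looks up the OpenBSD counterpart named in the reply, and flags knobs whose comment says block or kill while the value written actually enables the feature (the accept_source_route and accept_redirects cases). The sample script is a constructed copy of the quoted fragment with the `>` redirects restored (the list archive dropped them); the equivalence table and the permit-when-one knob set are my own assumptions assembled from the reply.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed copy of the quoted fw_kernel fragment, with the '>' redirects
# restored (the list archive stripped them).
SAMPLE_SCRIPT = """\
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set out local port range
echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range
"""

# OpenBSD counterpart of each Linux knob, taken from the reply above
# (assumption: table assembled by me from that reply, not from OpenBSD docs).
OPENBSD_EQUIV = {
    "ip_forward": "sysctl net.inet.ip.forwarding=1",
    "icmp_echo_ignore_broadcasts": "nothing: OpenBSD ignores broadcast pings by default",
    "accept_source_route": "nothing: OpenBSD ignores source-routed packets by default",
    "tcp_timestamps": "pf.conf 'scrub reassemble tcp' (see pf.conf(5))",
    "tcp_syncookies": "pf.conf 'synproxy state' (see pf.conf(5))",
    "accept_redirects": "sysctl net.inet.ip.redirect=0",
    "log_martians": "pf.conf table <martians> block rules, or 'block in quick from urpf-failed'",
    "ip_local_port_range": "sysctl net.inet.ip.portfirst / net.inet.ip.portlast",
    "tcp_sack": "sysctl net.inet.tcp.sack",
}

# Knobs where writing 1 *permits* the behaviour named in the comment: a
# "block"/"kill" comment with value 1 means the script does the opposite of what it says.
PERMIT_WHEN_ONE = {"ip_forward", "accept_source_route", "accept_redirects",
                   "tcp_timestamps", "tcp_window_scaling", "tcp_sack"}
NEGATIVE_WORDS = ("block", "kill", "disable", "disabling", "don't")
# echo VALUE > /proc/sys/.../KNOB   (VALUE may contain spaces, e.g. a port range)
ECHO_RE = re.compile(r"^echo\s+(.+?)\s*>\s*/proc/sys/\S*?([^/\s]+)\s*$")


@dataclass
class Finding:
    comment: str    # intent stated in the preceding comment line
    knob: str       # last path component under /proc/sys
    value: str      # value the script writes
    openbsd: str    # OpenBSD equivalent from the table above
    mismatch: bool  # True when the value contradicts the stated intent


def audit_proc_settings(script: str) -> list[Finding]:
    """Parse every live 'echo ... > /proc/sys/...' line and rate it."""
    findings: list[Finding] = []
    pending_comment = ""
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            body = line.lstrip("#").strip()
            # A commented-out command is inert: skip it, but keep the
            # descriptive comment that precedes it as the stated intent.
            if not body.startswith("echo"):
                pending_comment = body
            continue
        match = ECHO_RE.match(line)
        if not match:
            continue
        value, knob = match.group(1), match.group(2)
        negative = any(word in pending_comment.lower() for word in NEGATIVE_WORDS)
        mismatch = negative and knob in PERMIT_WHEN_ONE and value == "1"
        equiv = OPENBSD_EQUIV.get(knob, "no direct equivalent; see sysctl(8)")
        findings.append(Finding(pending_comment, knob, value, equiv, mismatch))
        pending_comment = ""
    return findings


def mismatches(script: str) -> list[str]:
    """Names of knobs whose written value contradicts the comment's intent."""
    return [f.knob for f in audit_proc_settings(script) if f.mismatch]
```

Running `mismatches(SAMPLE_SCRIPT)` reports exactly the two knobs the reply calls out, and the commented-out tcp_syncookies line is skipped rather than mapped.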
RES: Migration from IPTABLES to PF
(ALL)
# ___
#for NAT in `cat /etc/rc.d/init.d/fw_nat | awk 'BEGIN { FS = "#" } ; { print $1 }'`
# do
$FW -t nat -A POSTROUTING -o $INT_INTERNET -p tcp -s $REDE_INTRANET -j MASQUERADE
$FW -t nat -A POSTROUTING -o $INT_INTERNET -p 47 -s $REDE_INTRANET -j MASQUERADE
$FW -t nat -A POSTROUTING -o $INT_INTERNET -p udp -s $REDE_INTRANET -j MASQUERADE
# done
# ___
# NAT - FULL ACCESS
# ___
for NAT_FULL in `cat /etc/rc.d/init.d/prodata/fw_nat_full | awk 'BEGIN { FS = "#" } ; { print $1 }'`
do
  $FW -t nat -A PREROUTING -i $INT_INTERNET -p all -s $NAT_FULL -j ACCEPT
  $FW -A FORWARD -i $INT_INTERNET -p all -s $NAT_FULL -j ACCEPT
  $FW -t nat -A PREROUTING -i $INT_INTERNET -p all -d $NAT_FULL -j ACCEPT
  $FW -A FORWARD -i $INT_INTERNET -p all -d $NAT_FULL -j ACCEPT
  $FW -t nat -A PREROUTING -i $INT_INTRANET -p all -s $NAT_FULL -j ACCEPT
  $FW -A FORWARD -i $INT_INTRANET -p all -s $NAT_FULL -j ACCEPT
  $FW -t nat -A PREROUTING -i $INT_INTRANET -p all -d $NAT_FULL -j ACCEPT
  $FW -A FORWARD -i $INT_INTRANET -p all -d $NAT_FULL -j ACCEPT
done
#-CLIENT APPS ALLOWED for REDE_INTRANET (NAT)---
#-Rules for INT_INTERNET--
# ALL_ ___
#$FW -t nat -A PREROUTING -i $INT_INTERNET -p all -j ACCEPT
#$FW -A FORWARD -i $INT_INTERNET -p all -j ACCEPT
for PORTS in `cat /etc/rc.d/init.d/prodata/fw_ports | awk 'BEGIN { FS = "#" } ; { print $1 }'`
do
  $FW -t nat -A PREROUTING -i $INT_INTERNET -p tcp --sport $PORTS -j ACCEPT
  $FW -A FORWARD -i $INT_INTERNET -p tcp --sport $PORTS -j ACCEPT
  $FW -t nat -A PREROUTING -i $INT_INTERNET -p udp --sport $PORTS -j ACCEPT
  $FW -A FORWARD -i $INT_INTERNET -p udp --sport $PORTS -j ACCEPT
done
# ALL_ _
#$FW -t nat -A PREROUTING -i $INT_INTRANET -p all -j ACCEPT
#$FW -A FORWARD -i $INT_INTRANET -p all -j ACCEPT
for PORTS in `cat /etc/rc.d/init.d/prodata/fw_ports | awk 'BEGIN { FS = "#" } ; { print $1 }'`
do
  $FW -t nat -A PREROUTING -i $INT_INTRANET -p tcp --dport $PORTS -j ACCEPT
  $FW -A FORWARD -i $INT_INTRANET -p tcp --dport $PORTS -j ACCEPT
  $FW -t nat -A PREROUTING -i $INT_INTRANET -p udp --dport $PORTS -j ACCEPT
  $FW -A FORWARD -i $INT_INTRANET -p udp --dport $PORTS -j ACCEPT
done
# ___
# FINAL POLICY - DENY ALL
# ___
#$FW -A OUTPUT -m state -p icmp --state INVALID -j DROP
#$FW -A INPUT -i $INT_INTERNET -j DROP
#$FW -A OUTPUT -o $INT_INTERNET -j DROP
#$FW -A FORWARD -i $INT_INTERNET -j DROP
#$FW -A FORWARD -o $INT_INTERNET -j DROP
#$FW -A INPUT -i $INT_INTRANET -j DROP
#$FW -A OUTPUT -o $INT_INTRANET -j DROP
#$FW -A FORWARD -i $INT_INTRANET -j DROP
#$FW -A FORWARD -o $INT_INTRANET -j DROP
# ___
# LOG ALL rules
# ___
#$FW -A FORWARD -j LOG --log-level 3 --log-prefix PRODATA_FORWARD
#$FW -A FORWARD -j DROP
#$FW -A INPUT -j LOG --log-level 3 --log-prefix PRODATA_INPUT
#$FW -A INPUT -j DROP
#$FW -A OUTPUT -j LOG --log-level 3 --log-prefix PRODATA_OUTPUT
#$FW -A OUTPUT -j DROP
#$FW -t nat -A POSTROUTING -j LOG --log-level 3 --log-prefix PRODATA_POSTROUTING
#$FW -t nat -A POSTROUTING -j DROP
#$FW -t nat -A PREROUTING -j LOG --log-level 3 --log-prefix PRODATA_PREROUTING
#$FW -t nat -A PREROUTING -j DROP
#$FW -t nat -A OUTPUT -j LOG --log-level 3 --log-prefix PRODATA_OUTPUT_ROUTING
#$FW -t nat -A OUTPUT -j DROP
echo
echo FIREWALLSTARTED
;;
*)
  echo "Uso: ./fw_prodata.com.br (start|stop|restart|status)"
  exit 1
;;
esac

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Mark Shroyer
Sent: Monday, May 4, 2009 15:34
To: misc@openBSD.org
Subject: Re: Migration from IPTABLES to PF

On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
> Hi,
> I have a firewall running on a Fedora Core 4 (STentz) with iptables.
> The Guy Who installed it left our company some months ago.
> I spent some years far from iptables, now I have to migrate this firewall to PF.
> There are some 'special' features on this firewall, I need some documentation or help about implementing these features at new firewall ( PF ).
> This is the iptables scripts:
>
> [...]

Is that actually all there is to the firewall setup? This script
Re: Migration from IPTABLES to PF
jajajaja i think the same. grrr

2009/5/4 Marco Peereboom sl...@peereboom.us:
> MY EYES!!! make it stop bleeding!!!
>
> On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
>> Hi,
>> I have a firewall running on a Fedora Core 4 (STentz) with iptables.
>> The Guy Who installed it left our company some months ago.
>> I spent some years far from iptables, now I have to migrate this firewall to PF.
>> There are some 'special' features on this firewall, I need some documentation or help about implementing these features at new firewall ( PF ).
>> This is the iptables scripts:
>>
>> [...]
Re: Migration from IPTABLES to PF
On Mon, May 04, 2009 at 04:34:55PM -0300, Gonzalo Lionel Rodriguez wrote:
> 2009/5/4 Marco Peereboom sl...@peereboom.us:
>> MY EYES!!! make it stop bleeding!!!
>
> jajajaja i think the same. grrr

LOL, you ain't seen nothing yet. Look at the extended version he just sent out. :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: Migration from IPTABLES to PF
jaja OMG... i love PF and OpenBSD.

2009/5/4 Jason Dixon ja...@dixongroup.net:
> On Mon, May 04, 2009 at 04:34:55PM -0300, Gonzalo Lionel Rodriguez wrote:
>> 2009/5/4 Marco Peereboom sl...@peereboom.us:
>>> MY EYES!!! make it stop bleeding!!!
>>
>> jajajaja i think the same. grrr
>
> LOL, you ain't seen nothing yet. Look at the extended version he just sent out. :)
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
Re: Migration from IPTABLES to PF
On Mon, May 04, 2009 at 04:46:16PM -0300, Gonzalo Lionel Rodriguez wrote:
> jaja OMG... i love PF and OpenBSD.
>
> 2009/5/4 Jason Dixon ja...@dixongroup.net:
>> LOL, you ain't seen nothing yet. Look at the extended version he just sent out. :)

To be fair, I've seen some pretty horrid pf.conf files, too. (Although I certainly prefer it over iptables in most cases.)

-- 
Mark Shroyer
http://markshroyer.com/contact/
Re: RES: Migration from IPTABLES to PF
On Mon, May 04, 2009 at 03:49:58PM -0300, Ricardo Augusto de Souza wrote:
> $FW -I INPUT -i $INT_INTRANET -p all -j ACCEPT
> $FW -I OUTPUT -o $INT_INTRANET -p all -j ACCEPT
> $FW -I FORWARD -o $INT_INTRANET -i $INT_INTRANET -p all -j ACCEPT
> $FW -t nat -I PREROUTING -i $INT_INTRANET -p all -j ACCEPT
> $FW -t nat -I POSTROUTING -o $INT_INTRANET -p all -j ACCEPT
> $FW -t nat -I OUTPUT -o $INT_INTRANET -p all -j ACCEPT

Ah, good... that's what I was hoping to see :)

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Mark Shroyer
> Sent: Monday, May 4, 2009 15:34
> To: misc@openBSD.org
> Subject: Re: Migration from IPTABLES to PF
>
> [...]
>
> Is that actually all there is to the firewall setup? This script creates a bunch of chains for performing various actions on packets, but it doesn't actually add any rules to the filter table's special INPUT, OUTPUT, or FORWARD chains that would jump processing logic through these auxiliary chains. So unless there are some other iptables commands hidden somewhere else, the logic defined in this script will never be applied and your firewall will simply let everything through.
>
> What is the output of `iptables -L -n` on this machine?

-- 
Mark Shroyer
http://markshroyer.com/contact/
Re: Migration from IPTABLES to PF
Dont be fair ;)

2009/5/4 Mark Shroyer subscriber+open...@markshroyer.com:
> On Mon, May 04, 2009 at 04:46:16PM -0300, Gonzalo Lionel Rodriguez wrote:
>> jaja OMG... i love PF and OpenBSD.
>>
>> 2009/5/4 Jason Dixon ja...@dixongroup.net:
>>> LOL, you ain't seen nothing yet. Look at the extended version he just sent out. :)
>
> To be fair, I've seen some pretty horrid pf.conf files, too. (Although I certainly prefer it over iptables in most cases.)
>
> --
> Mark Shroyer
> http://markshroyer.com/contact/
Re: Migration from IPTABLES to PF
On Mon, May 04, 2009 at 04:14:45PM -0400, Mark Shroyer wrote:
> On Mon, May 04, 2009 at 04:46:16PM -0300, Gonzalo Lionel Rodriguez wrote:
>> jaja OMG... i love PF and OpenBSD.
>>
>> 2009/5/4 Jason Dixon ja...@dixongroup.net:
>>> LOL, you ain't seen nothing yet. Look at the extended version he just sent out. :)
>
> To be fair, I've seen some pretty horrid pf.conf files, too. (Although I certainly prefer it over iptables in most cases.)

Indeed. I clawed my eyes out this weekend on a friend's pf.conf (hi Kevin :) while trying to diagnose some relayd problems. At least pf syntax lends itself to logical separation and organization.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: Migration from IPTABLES to PF
Mark Shroyer wrote:
> On Mon, May 04, 2009 at 04:46:16PM -0300, Gonzalo Lionel Rodriguez wrote:
>> jaja OMG... i love PF and OpenBSD.
>>
>> 2009/5/4 Jason Dixon ja...@dixongroup.net:
>>> LOL, you ain't seen nothing yet. Look at the extended version he just sent out. :)
>
> To be fair, I've seen some pretty horrid pf.conf files, too. (Although I certainly prefer it over iptables in most cases.)

That's exactly why we have the ruleset optimizer. I can still recall when I migrated one iptables firewall with more than 300 lines, all of them absolutely necessary, into one single pf.conf with no more than 60 lines (including spacing, indentation, and commentary). That's why I chose pf and got sticky with it.

Now, on topic, I definitely recommend for beginners reading the pf faq. I had never worked with pf, and migrated my ruleset in 2 days. But I was working with iptables on a daily basis. If you are a little rusty with iptables, using fwbuilder to convert your ruleset is a good start. It won't convert it as is, you will have to remove some things, mainly the /proc stuff, and others. After you have your first fwbuilder-made ruleset, try reading it and referring to the faq when you are in doubt. It will be quite helpful.

My regards,

-- 
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify: https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: Migration from IPTABLES to PF
This is a great advertisement for OpenBSD, PF, and keeping things simple in general, mind if I use it Ricardo?

As for your original question, I wouldn't even try to convert your iptables, especially using some magic tool to do it. Decide what you want your firewall to do and start from scratch with PF. That way you will know it is working and you will be able to maintain it reliably.

Cheers,
Bill

-
William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259
Australia
CRICOS Provider Number: 00109J
phone: +61 2 4349 4473
fax: +61 2 4349 4565
email: william.chiv...@newcastle.edu.au
-

Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/05/09 3:17 AM
> Hi,
> I have a firewall running on a Fedora Core 4 (STentz) with iptables.
> The Guy Who installed it left our company some months ago.
> I spent some years far from iptables, now I have to migrate this firewall to PF.
> There are some 'special' features on this firewall, I need some documentation or help about implementing these features at new firewall ( PF ).
> This is the iptables scripts:
>
> [...]