Re: Revised rules question
I was thinking about my rules here and wanted to ask the following, in regards to this section:

# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all

Ok... I'm beginning to wonder if I even need this part in my rules. Why? Because this particular box is sitting behind our company firewall, on the DMZ. Are these rules redundant and not needed? Or is it good practice to have these in?

Secondly, I am making this setup go live this week and want to verify a few things... Specifically, I want to verify that the only thing that will be allowed, incoming-wise, is port 25, correct? Everything else will be let through.

Lastly, as far as SSH is concerned, I want to make sure that only my intranet IP address can SSH to the box, possibly to the second interface. Does it look like that has been set up correctly? Am I missing anything?

I appreciate any comments and suggestions.

Cheers,
Jason

At 04:44 PM 9/29/2003 -0700, you wrote:

Any thoughts at all on these rules? I think they look pretty good, but would like some feedback on them for any changes and recommendations? Thanks.

jason

At 11:30 AM 9/26/2003 -0700, you wrote:

Hello everyone. I have been tweaking some PF rules for a mail gateway server that is going to be on my company's DMZ. What I was hoping to accomplish was the following:

1.) Only allow port 25 traffic to the mail gateway
2.) Allow SSH connections from my intranet
3.) Secure box as much as I can.

With that in mind, here are a few things:

IP Range for DMZ is 10.0.0.0/8
IP Range for intranet is 192.168.0.0/24

With that in mind, I have the following rules:

ext_if = fxp0
int_if = fxp1
tcp_services = { 25 }
tcp_int_services = { 22 }
table <noroute> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

#options
set optimization aggressive
set loginterface $ext_if

scrub in all fragment reassemble

#default Deny all
block log all

#allow loopback traffic
pass quick on lo0 all

block in quick on $ext_if from <noroute> to any
block out quick on $ext_if from any to <noroute>

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state
pass in on $int_if inet proto tcp from $int_if:network port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

Just a few questions: First, how do my rules look? Any possible problems or loopholes I missed? Second, anyone have recommendations to modify and fine tune my rules? I am open to all suggestions. Thank you.

Jason
Re: Syslogging problems
Vladimir Potapov wrote:
> bash-2.05b# ls -l /var/log/pflog
> -rw-------  1 root      wheel  3988 Sep 29 20:18 /var/log/pflog
> bash-2.05b# /etc/pflogrotate
> bash-2.05b# ls -l /home/pflogger
> total 12
> -rw-r--r--  1 pflogger  users   768 Mar 29  2003 .cshrc
> -rw-r--r--  1 pflogger  users   317 Mar 29  2003 .login
> -rw-r--r--  1 pflogger  users   105 Mar 29  2003 .mailrc
> -rw-r--r--  1 pflogger  users   199 Mar 29  2003 .profile
> -rw-------  1 pflogger  users   126 Mar 29  2003 .rhosts
> drwx------  5 pflogger  users   512 Sep 20 10:44 Maildir
> -rwxr-xr-x  1 root      users   134 Sep 29 15:12 pfl2sysl
> -rw-------  1 root      users   133 Sep 29 15:12 pfl2sysl.b
> -rw-------  1 pflogger  wheel  3988 Sep 29 20:18 pflog5min.20030937
>
> > There's clearly a pflog5min file there now. What happens when you run pfl2sysl now? If it still doesn't work, verify that your scripts match the ones in the users guide.
>
> I have spaces but not TABs between info and /var/log/pflog.txt . And it does not work.

Exactly, you need tabs.

.joel
Can't seem to get my rules correct...
I keep locking myself out of the box. heheheh

Here is what I have: I have an OpenBSD mail gateway on my DMZ. I want to only allow SMTP connections coming from my firewall, but allow SSH connections coming from my intranet.

My subnets:
DMZ = 10.0.1.1/24
Private = 192.168.1.0/24

RULES:

# Define useful variables
ext_if=fxp0 # External Interface
int_if=fxp1
tcp_services = { 25 }
tcp_int_services = { 22 }
table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }

# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block log all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

#Passing in SSH from intranet
pass in on $int_if inet proto tcp from $int_if:network port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

I'm reading over the PF FAQ right now, trying to see where I've gone wrong.

I'm wondering if I need to add something like this:

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

Like I said, I want to be able to SSH to the box on the DMZ. Any recommendations? Thanks.

jason
Re: Can't seem to get my rules correct... RESOLVED
Figured it out! Woot! Feels good when you put your nose to the grind and hammer it out. Did some mixing around, but this is the end result:

# Define useful variables
ext_if=fxp0 # External Interface
int_if=fxp1
int_net=192.168.1.0/24
tcp_services = { 25 }
tcp_int_services = { 22 }

#Tables
table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, !192.168.0.0/24 }
table <trusted> persist file "/etc/tables/trusted"

# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block in log on $ext_if all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from <trusted> to $int_if port 22 keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

pfctl -s rules output:

scrub in all fragment reassemble
block drop in log on fxp0 all
pass in quick on lo0 all
block drop in log quick on fxp0 from <NoRouteIPs> to any
block drop out log quick on fxp0 from any to <NoRouteIPs>
pass in on fxp0 inet proto tcp from any to (fxp0) port = smtp flags S/FSRA keep state
pass in log quick on fxp1 inet proto tcp from <trusted> to 10.0.1.100 port = ssh keep state
pass out on fxp1 inet from any to 10.0.1.0/24 keep state
pass out on fxp0 proto tcp all flags S/FSRA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state

I can telnet to port 25 on it and it works. Denied on all other ports so far. I can SSH from my intranet... I'm happy. :)

Anyone care to make any comments or suggestions? Thanks.
Jason
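As an added example (not code from the thread, and not PF's own code), here is a small Python model of how PF evaluates a ruleset: rules are checked top to bottom, the last matching rule wins, a `quick` rule decides immediately, and a packet that matches no rule is passed. Run against the RESOLVED ruleset in `pfctl -s rules` order, it also answers the earlier question about the NMAP flag rules: with `block in log on $ext_if all` in place, any inbound packet on fxp0 that is not a plain SYN to port 25 is blocked whether or not those rules are present. The fxp0 address (203.0.113.10), the contents of the trusted table and the sample hosts are assumptions.

```python
# Added example (not code from the thread): a toy model of PF's rule
# evaluation -- top to bottom, LAST matching rule wins, except a 'quick'
# rule decides at once, and a packet matching NO rule is passed by default.
from ipaddress import ip_address, ip_network

ANY = "any"
EXT_ADDR = "203.0.113.10"        # constructed stand-in for fxp0's own address
TRUSTED = ["192.168.1.10"]       # constructed stand-in for /etc/tables/trusted
NOROUTE = ["127.0.0.1/8", "172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16"]
def rule(action, d, iface, quick=False, proto=(), src=ANY, dst=ANY,
         dport=None, flags=None):
    return dict(action=action, d=d, iface=iface, quick=quick, proto=proto,
                src=src, dst=dst, dport=dport, flags=flags)
RULES = [  # Jason's final ruleset in 'pfctl -s rules' order, macros expanded
    rule("block", "in", "fxp0"),                                    # 0
    rule("pass", "in", "lo0", quick=True),                          # 1
    rule("block", "in", "fxp0", quick=True, src="noroute"),         # 2
    rule("block", "out", "fxp0", quick=True, dst="noroute"),        # 3
    rule("pass", "in", "fxp0", proto=("tcp",), dst=EXT_ADDR, dport=25,
         flags=("S", "SAFR")),                                      # 4
    rule("pass", "in", "fxp1", quick=True, proto=("tcp",), src="trusted",
         dst="10.0.1.100", dport=22),                               # 5
    rule("pass", "out", "fxp1", dst="10.0.1.0/24"),                 # 6
    rule("pass", "out", "fxp0", proto=("tcp",), flags=("S", "SAFR")),  # 7
    rule("pass", "out", "fxp0", proto=("udp", "icmp")),             # 8 (udp+icmp)
]
def addr_match(spec, addr):
    nets = {ANY: ["0.0.0.0/0"], "noroute": NOROUTE, "trusted": TRUSTED}
    hit = any(ip_address(addr) in ip_network(n, strict=False)
              for n in nets.get(spec, [spec]))
    if spec == "noroute":          # the table's '!192.168.0.0/24' exception
        hit = hit and ip_address(addr) not in ip_network("192.168.0.0/24")
    return hit
def matches(r, p):
    # 'flags S/SAFR': of the flags S,A,F,R only S may be set (a fresh SYN)
    flags_ok = r["flags"] is None or \
        {f for f in p["flags"] if f in r["flags"][1]} == set(r["flags"][0])
    return (r["d"] == p["d"] and r["iface"] == p["iface"]
            and (not r["proto"] or p["proto"] in r["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and r["dport"] in (None, p["dport"]) and flags_ok)
def evaluate(p, rules=RULES):
    verdict, idx = "pass", None    # PF default: nothing matched, packet passes
    for i, r in enumerate(rules):
        if matches(r, p):
            verdict, idx = r["action"], i
            if r["quick"]:
                break
    return verdict, idx            # idx is the deciding rule, None if no match
```

Worth trying with evaluate(): an inbound packet on fxp1 from a host that is not in the trusted table matches no rule at all and so gets PF's default pass, because the final ruleset's only catch-all block is limited to $ext_if.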