Re: Revised rules question

2003-09-30 Thread Jason Williams
I was thinking about my rules here and wanted to ask the following, in 
regards to this section:

# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all

Ok... I'm beginning to wonder if I even need this part in my rules. Why? 
Because this particular box is sitting behind our company firewall, on the DMZ.
Are these rules redundant and not needed? Or is it good practice to have 
these in?

Secondly, I am making this setup go live this week and want to verify a few 
things...
Specifically, I want to verify that the only thing that will be allowed, 
incoming-wise, is port 25, correct? Everything else will be let through.
Lastly, as far as SSH is concerned, I want to make sure that only my 
intranet IP address can SSH to the box, possibly to the second interface.
Does it look like that has been setup correctly?

Am I missing anything?

I appreciate any comments and suggestions.

Cheers,

Jason

At 04:44 PM 9/29/2003 -0700, you wrote:
Any thoughts at all on these rules?

I think they look pretty good, but would like some feedback on them for 
any changes and recommendations.

Thanks.

jason

At 11:30 AM 9/26/2003 -0700, you wrote:
Hello everyone.

I have been tweaking some PF rules for a mail gateway server that is 
going to be on my company's DMZ.
What I was hoping to accomplish was the following:

1.) Only allow port 25 traffic to the mail gateway
2.) Allow SSH connections from my intranet
3.) Secure box as much as I can.
With that in mind, here are a few things:

IP range for the DMZ is 10.0.0.0/8
IP range for the intranet is 192.168.0.0/24
With that in mind, I have the following rules:

ext_if = fxp0
int_if = fxp1
tcp_services = { 25 }
tcp_int_services = { 22 }
table noroute const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
10.0.0.0/8 }
#options
set optimization aggressive
set loginterface $ext_if
scrub in all fragment reassemble

#default Deny all
block log all
#allow loopback traffic
pass quick on lo0 all
block in quick on $ext_if from noroute to any
block out quick on $ext_if from any to noroute
pass in on $ext_if inet proto tcp from any to ($ext_if) port
$tcp_services flags S/SAFR keep state
pass in on $int_if inet proto tcp from $int_if:network port 
$tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

Just a few questions:
First, how do my rules look? Any possible problems or loopholes I missed?
Second, anyone have recommendations to modify and fine tune my rules?
I am open to all suggestions.

Thank you.

Jason
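To see what the "block NMAP stuff" lines above actually match, here is an added Python model of pf's `flags set/mask` semantics (illustrative code written for this thread, not from the posts or from pf itself): a packet matches `flags a/b` when, of the bits named in b, exactly those in a are set. It also shows that a normal SYN, the only thing the `S/SAFR` pass rules admit, hits none of the five block rules.

```python
# TCP flag letters as pf spells them in "flags set/mask" (bit values from the TCP header)
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def flags_from_letters(letters):
    """'SA' -> the SYN|ACK bit pattern; '' -> 0 (no flags set)."""
    return sum(FLAG_BITS[c] for c in letters)

def parse_flags(spec):
    """Turn a pf spec such as 'S/SAFR' into (must_be_set, mask); '/SFRA' has an empty set part."""
    set_part, mask_part = spec.split("/")
    return flags_from_letters(set_part), flags_from_letters(mask_part)

def rule_matches(spec, packet_flags):
    """pf semantics: of the flags named in the mask, exactly those in the set part are on;
    flags outside the mask are ignored."""
    want, mask = parse_flags(spec)
    return (packet_flags & mask) == want

# The five "block NMAP stuff" rules from the thread, in ruleset order, with what each catches.
NMAP_RULES = [
    ("FUP/FUP",  "FIN+URG+PSH all set (Xmas-style probe)"),
    ("SF/SFRA",  "SYN and FIN together"),
    ("/SFRA",    "none of SYN/FIN/RST/ACK set (null probe)"),
    ("F/SFRA",   "FIN without SYN/RST/ACK"),
    ("U/SFRAU",  "URG without SYN/FIN/RST/ACK"),
]

def matching_rules(packet_flags):
    """All block rules a packet with these flags would match; because the rules are
    'quick', the first entry is the one pf actually applies."""
    return [desc for spec, desc in NMAP_RULES if rule_matches(spec, packet_flags)]

if __name__ == "__main__":
    for letters in ("S", "SA", "", "SF", "FPU", "P"):
        print(repr(letters), "->", matching_rules(flags_from_letters(letters)) or "not blocked")
```

Note that `/SFRA` also catches a segment carrying only PSH, because PSH lies outside that rule's mask; a FIN+PSH+URG segment matches both the first and the fourth rule, and the `quick` keyword makes the first one win.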



Re: Syslogging problems

2003-09-30 Thread j knight
Vladimir Potapov wrote:
bash-2.05b# ls -l /var/log/pflog
-rw-------  1 root  wheel  3988 Sep 29 20:18 /var/log/pflog
bash-2.05b# /etc/pflogrotate
bash-2.05b# ls -l /home/pflogger
total 12
-rw-r--r--  1 pflogger  users   768 Mar 29  2003 .cshrc
-rw-r--r--  1 pflogger  users   317 Mar 29  2003 .login
-rw-r--r--  1 pflogger  users   105 Mar 29  2003 .mailrc
-rw-r--r--  1 pflogger  users   199 Mar 29  2003 .profile
-rw-------  1 pflogger  users   126 Mar 29  2003 .rhosts
drwx------  5 pflogger  users   512 Sep 20 10:44 Maildir
-rwxr-xr-x  1 root  users   134 Sep 29 15:12 pfl2sysl
-rw-------  1 root  users   133 Sep 29 15:12 pfl2sysl.b
-rw-------  1 pflogger  wheel  3988 Sep 29 20:18 pflog5min.20030937
There's clearly a pflog5min file there now. What happens when you run 
pfl2sysl now? If it still doesn't work, verify that your scripts match 
the ones in the users guide.

I have spaces but not TABs between info and /var/log/pflog.txt. And it
does not work.
Exactly, you need tabs.

.joel




Can't seem to get my rules correct...

2003-09-30 Thread Jason Williams
I keep locking myself out of the box. heheheh

Here is what I have: I have an OpenBSD mail gateway on my DMZ. I want to 
only allow SMTP connections coming from my firewall, but allow SSH 
connections coming from my intranet.

My subnets:

DMZ = 10.0.1.1/24
Private = 192.168.1.0/24
RULES:

# Define useful variables
ext_if=fxp0  # External Interface
int_if=fxp1
tcp_services = { 25 }
tcp_int_services = { 22 }
table NoRouteIPs { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }

# Clean up fragmented and abnormal packets
scrub in all
#default Deny all
block log all
#loopback rules
pass in quick on lo0 all
# don't allow anyone to spoof non-routeable addresses
block in  log quick on $ext_if from NoRouteIPs to any
block out log quick on $ext_if from any to NoRouteIPs
# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all
#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services 
flags S/SAFR keep state

#Passing in SSH from intranet
pass in on $int_if inet proto tcp from $int_if:network port 
$tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

I'm reading over the PF FAQ right now, trying to see where I've gone wrong.

I'm wondering if I need to add something like this:

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

Like I said, I want to be able to SSH to the box on the DMZ.

Any recommendations?

Thanks.

jason



Re: Can't seem to get my rules correct...RESOLVED

2003-09-30 Thread Jason Williams
Figured it out! Woot!
Feels good when you put your nose to the grind and hammer it out.
Did some mixing around, but this is the end result:

# Define useful variables
ext_if=fxp0  # External Interface
int_if=fxp1
int_net=192.168.1.0/24
tcp_services = { 25 }
tcp_int_services = { 22 }
#Tables
table NoRouteIPs { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 
192.168.0.0/16, !192.168.0.0/24 }
table trusted persist file /etc/tables/trusted

# Clean up fragmented and abnormal packets
scrub in all
#default Deny all
block in log on $ext_if all
#loopback rules
pass in quick on lo0 all
# don't allow anyone to spoof non-routeable addresses
block in  log quick on $ext_if from NoRouteIPs to any
block out log quick on $ext_if from any to NoRouteIPs
#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services 
flags S/SAFR keep state

# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from trusted to $int_if port 
22 keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

pfctl -s rules output:

scrub in all fragment reassemble
block drop in log on fxp0 all
pass in quick on lo0 all
block drop in log quick on fxp0 from NoRouteIPs to any
block drop out log quick on fxp0 from any to NoRouteIPs
pass in on fxp0 inet proto tcp from any to (fxp0) port = smtp flags S/FSRA 
keep state
pass in log quick on fxp1 inet proto tcp from trusted to 10.0.1.100 port 
= ssh keep state
pass out on fxp1 inet from any to 10.0.1.0/24 keep state
pass out on fxp0 proto tcp all flags S/FSRA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state

I can telnet to port 25 on it and it works. Denied on all other ports so far.
I can SSH from my intranet...
I'm happy. :)

Anyone care to make any comments or suggestions?

Thanks.

Jason

At 03:22 PM 9/30/2003 -0700, you wrote:
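The two rulesets in this thread differ in one way that explains the lockout: the first SSH rule, `pass in on $int_if ... from $int_if:network port $tcp_int_services`, has no `to` clause, so in pf grammar the `port` qualifies the source (the client's ephemeral port) rather than the sshd the box is listening on; the resolved rule `from trusted to $int_if port 22` puts the port on the destination. Both rulesets also write the loopback table entry as `127.0.0.1/8` (host bits set) rather than `127.0.0.0/8`. Here is an added Python checker for exactly those two patterns (illustrative code written for this thread, not pf's own parser; `SAMPLE_PF_CONF` is a constructed sample in the shape of the posted rules, and the macro expansion handles only the simple `name=value` form used here):

```python
import ipaddress
import re

# Constructed sample in the shape of the rulesets posted in this thread:
# the SSH rule that locked the poster out, the corrected one, and the NoRouteIPs table.
SAMPLE_PF_CONF = """
int_if=fxp1
tcp_int_services = { 22 }
table NoRouteIPs { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }
pass in on $int_if inet proto tcp from $int_if:network port $tcp_int_services flags S/SAFR keep state
pass in log quick on $int_if inet proto tcp from trusted to $int_if port 22 keep state
"""

def expand_macros(conf):
    """Substitute simple name=value macros so each rule can be inspected literally."""
    macros, rules = {}, []
    for line in conf.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line.strip():
            for name, value in macros.items():
                line = line.replace("$" + name, value)
            rules.append(line.strip())
    return rules

def source_port_only(rule):
    """True for a 'pass in' rule whose 'port' binds to the source: either no 'to'
    clause at all, or 'port' appearing before 'to'. Such a rule matches on the
    client's port, not on the service the box offers."""
    words = rule.split()
    if words[:2] != ["pass", "in"] or "port" not in words:
        return False
    return "to" not in words or words.index("port") < words.index("to")

def noncanonical_table_entries(rule):
    """Table entries written host/prefix (e.g. 127.0.0.1/8) instead of network/prefix."""
    if not rule.startswith("table"):
        return []
    bad = []
    for entry in re.findall(r"!?\d+\.\d+\.\d+\.\d+/\d+", rule):
        try:
            ipaddress.ip_network(entry.lstrip("!"), strict=True)
        except ValueError:  # host bits set under the given prefix length
            bad.append(entry)
    return bad

def lint_rules(conf):
    """Return human-readable findings for the two mistakes seen in this thread."""
    findings = []
    for rule in expand_macros(conf):
        if source_port_only(rule):
            findings.append("source-port-only pass rule: " + rule)
        for entry in noncanonical_table_entries(rule):
            findings.append("non-canonical table entry %s in: %s" % (entry, rule))
    return findings

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_PF_CONF):
        print(finding)
```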