################################################################# # The following rules were takes from: # # "Building Firewalls with OpenBSD and PF, second edition" # by Jacek Artymiak, November 2003, ISBN: 83-916651-1-9 # # Copyright (c) 2003-2004 Jacek Artymiak # # You may copy and use these rules in your own rulesets. # # Please do not publish copies of this file on your own # servers with public access. Instead, point people to: # # http://www.devguide.net/books/openbsdfw-02-ed/rules.txt # # You can order "Building Firewalls with OpenBSD and PF" from: # # http://www.devguide.net/distributors.html # http://www.amazon.com/exec/obidos/ASIN/8391665119/ # http://www.amazon.ca/exec/obidos/ASIN/8391665119/ # http://www.amazon.co.uk/exec/obidos/ASIN/8391665119/ # http://www.amazon.de/exec/obidos/ASIN/8391665119/ # http://www.amazon.fr/exec/obidos/ASIN/8391665119/ # http://www.amazon.jp/exec/obidos/ASIN/8391665119/ # # Errata, free chapters: # # http://www.devguide.net/books/openbsdfw-02-ed/index.html # ################################################################# # --- page [127] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewall's external # interface ext_if = "ne1" # dmz_ad -- the DMZ network address dmz_ad = "192.168.255.1/24" ######################################################## # scrub rules: "scrub" #------------------------------------------------------- # example 1: scrub all incoming packets on all # interfaces scrub in all # example 2: scrub all packets on all interfaces scrub in all scrub out all # example 3: scrub all incoming packets on the external # interface sent from any address to the DMZ # segment scrub in on $ext_if from any to $dmz_ad # --- page [128] --- ######################################################## # options: "set" #------------------------------------------------------- # limit the number of fragments 
kept in memory to 30000 set limit frags 30000 # --- page [130 - 131] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewall's external # interface ext_if = "ne1" # src_ad -- the address of the firewall's external # interface src_ad = "s.s.s.s/32" dmz_ad = "d.d.d.d/24" ######################################################## # options: "set" #------------------------------------------------------- # limit the number of fragments kept in memory to 30000 set limit frags 10000 ######################################################## # scrub rules: "scrub" #------------------------------------------------------- # example 1: scrub all outbound packets departing from # the external interface and replace their # IP identification numbers with random # values scrub out on $ext_if all random-id # example 2: scrub all inbound packets arriving on the # external interface, clear their DF flags, # set TTL to 100, set MSS to 1460, use # fragment reassemble scrub in on $ext_if all \ no-df min-ttl 100 max-mss 1460 fragment reassemble # example 3: scrub all outbound packets departing from # the external interface, clear their DF # flags, set TTL to 10, set MSS to 1460, use # fragment crop scrub out on $ext_if all \ no-df min-ttl 10 max-mss 1460 fragment crop # example 4: scrub all inbound packets arriving on the # external interface trying to reach hosts # in the DMZ segment, clear their DF flags, # set TTL to 10, set MSS to 1460, use # fragment drop-ovl scrub in on $ext_if from $src_ad to $dmz_ad \ no-df min-ttl 100 max-mss 1460 fragment drop-ovl # --- page [140] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewalls's external # interface ext_if = "ne1" # ext_ad -- the public IPv4 address assigned to the # firewall's external interface ext_ad 
= "e.e.e.e/32" # prv_ad -- the range of private IPv4 addresses # assigned to hosts on the screened LAN prv_ad = "p.p.p.p/24" # nat_proto -- NAT-ed protocols nat_proto = "{tcp, udp, icmp}" ######################################################## # NAT rules: "rdr", "nat", "binat" #------------------------------------------------------- nat on $ext_if inet proto $nat_proto \ from $prv_ad to any -> $ext_ad # --- page [140 - 141] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewalls's external # interface ext_if = "ne1" # ext_ad -- the public IPv4 address assigned to the # firewall's external interface ext_ad = "e.e.e.e/32" # prv1_ad -- the range of private IPv4 addresses # assigned to hosts on the screened LAN #1 prv1_ad = "p.p.1.p/24" # prv2_ad -- the range of private IPv4 addresses # assigned to hosts on the screened LAN #2 prv2_ad = "p.p.2.p/24" # nat_proto -- NAT-ed protocols nat_proto = "{tcp, udp, icmp}" ######################################################## # NAT rules: "rdr", "nat", "binat" #------------------------------------------------------- nat on $ext_if inet proto $nat_proto from \ {$prv1_ad, $prv2_ad} to any -> $ext_ad # --- page [141 - 142] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewalls's external # interface ext_if = "ne1" # ext_ad -- the public IPv4 address assigned to the # firewall's external interface ext_ad = "e.e.e.e/32" # prv1_ad -- the range of private IPv4 addresses # assigned to hosts on the screened LAN #1 prv1_ad = "p.p.1.p/24" # prv2_ad -- the range of private IPv4 addresses # assigned to hosts on the screened LAN #2 prv2_ad = "p.p.2.p/24" # nat_proto -- NAT-ed protocols nat_proto = "{tcp, udp, icmp}" ######################################################## # NAT rules: "rdr", "nat", 
"binat" #------------------------------------------------------- no nat on $ext_if inet proto $nat_proto \ from $prv1_ad to $prv2_ad no nat on $ext_if inet proto $nat_proto \ from $prv2_ad to $prv1_ad nat on $ext_if inet proto $nat_proto \ from {$prv1_ad, $prv2_ad} to any -> $ext_ad # --- page [143] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewalls's external # interface ext_if = "ne1" # ext1_ad -- the first public IPv4 address assigned to # the firewall's external interface ext1_ad = "e.e.e.e/32" # ext2_ad -- the second public IPv4 address assigned to # the firewall's external interface ext2_ad = "e.e.e.f/32" # prv1_ad -- the range of private IPv4 addresses # assigned to hosts on the screened LAN #1 prv1_ad = "p.p.1.p/24" # prv2_ad -- the range of private IPv4 addresses # assigned to hosts on the screened LAN #2 prv2_ad = "p.p.2.p/24" # nat_proto -- NAT-ed protocols nat_proto = "{tcp, udp, icmp}" ######################################################## # NAT rules: "rdr", "nat", "binat" #------------------------------------------------------- no nat $ext_if inet proto $nat_proto \ from $prv1_ad to $prv2_ad no nat $ext_if inet proto $nat_proto \ from $prv2_ad to $prv1_ad nat on $ext_if inet proto $nat_proto \ from $prv1_ad to any -> $ext1_ad nat on $ext_if inet proto $nat_proto \ from $prv2_ad to any -> $ext2_ad # --- page [144] --- nat on $ext_if inet proto $nat_proto from $prv1_ad to any \ -> $ext1_ad port 10000:20000 nat on $ext_if inet proto $nat_proto from $prv2_ad to any \ -> $ext2_ad port 20001:30000 # --- page [144] --- nat on $ext_if inet proto $nat_proto from $prv1_ad port 22 \ to any -> $ext1_ad port 8022 # --- page [144] --- nat on $ext_if inet proto $nat_proto \ from $prv1_ad port 1024:65535 to any -> $ext1_ad port 1024:* # --- page [144] --- nat on $ext_if inet proto $nat_proto from $prv1_ad port 22 \ to any -> $ext1_ad 
static-port # --- page [144] --- nat on $ext_if inet proto $nat_proto from $prv1_ad \ to any -> $ext1_ad static-port # --- page [144 - 145] --- # NAT internal hosts on the external interface ext_if nat on $ext_if inet proto tcp from $prv_ad to any -> ($ext_if) # block connections to port 25 on any external host block out on $ext_if inet proto tcp \ from ($ext_if) to any port 25 # --- page [145] --- nat pass on $ext_if inet proto tcp \ from $prv_ad to any port != 25 -> ($ext_if) # --- page [146 - 147] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewall's external # interface ext_if = "ne1" # ext_ad -- the public IPv4 address assigned to the # firewall's external interface ext_ad = "e.e.e.e/32" # www_ad -- the private IPv4 address assigned to the # HTTP server in the DMZ www_ad = "w.w.w.w/32" ######################################################## # NAT rules: "rdr", "nat", "binat" #------------------------------------------------------- rdr on $ext_if inet proto tcp \ from any to $ext_ad port 80 -> $www_ad port 8080 # --- page [148] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewalls's external # interface ext_if = "ne1" # prv_if -- the name of the firewalls's screened LAN # interface prv_if = "ne2" # ext_ad -- the public IPv4 address assigned to the # firewall's external interface ext_ad = "e.e.e.e/32" # prv_ad -- the range of private IPv4 addresses # assigned to hosts on the screened LAN prv_ad = "p.p.p.p/24" # www_ad -- the private IPv4 address assigned to the # HTTP server in the DMZ www_ad = "w.w.w.w/32" ######################################################## # NAT rules: "rdr", "nat", "binat" #------------------------------------------------------- rdr on $ext_if inet proto tcp \ from any to $ext_ad port 80 -> 
$www_ad port 8080 rdr on $prv_if inet proto tcp \ from $prv_ad to $ext_ad port 80 -> $www_ad port 8080 # --- page [148 - 149] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewalls's external # interface ext_if = "ne1" # prv_if -- the name of the firewalls's screened LAN # interface prv_if = "ne2" # ext_ad -- the public IPv4 address assigned to the # firewall's external interface ext_ad = "e.e.e.e/32" # prv_ad -- the range of private IPv4 addresses # assigned to hosts on the screened LAN prv_ad = "p.p.p.p/24" # www_ad -- the private IPv4 address assigned to the # HTTP server in the DMZ www_ad = "w.w.w.w/32" ######################################################## # NAT rules: "rdr", "nat", "binat" #------------------------------------------------------- rdr on {$ext_if, $prv_if} inet proto tcp \ from any to $ext_ad port 80 -> $www_ad port 8080 # --- page [150] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewalls's external # interface ext_if = "ne1" # prv_if -- the name of the firewalls's screened LAN # interface prv_if = "ne2" # prv_ad -- the range of private IPv4 addresses # assigned to hosts on the screened LAN prv_ad = "p.p.p.p/24" # ch_ad -- the private IPv4 address assigned to the # HTTP cache server ch_ad = "w.w.w.w/32" ######################################################## # NAT rules: "rdr", "nat", "binat" #------------------------------------------------------- rdr on $prv_if inet proto tcp \ from $prv_ad to any port 80 -> $ch_ad port 1080 # --- page [150 - 151] --- ######################################################## # macro definitions #------------------------------------------------------- # ... # boss_ad -- the address of the privileged user who can # bypass the HTTP cache. 
boss_ad = "p.p.p.b/24" ######################################################## # NAT rules: "rdr", "nat", "binat" #------------------------------------------------------- no rdr on $prv_if inet proto tcp \ from $boss_ad to any port 80 rdr on $prv_if inet proto tcp \ from $prv_ad to any port 80 -> $ch_ad port 1080 # --- page [151] --- rdr on ! ne1 inet proto tcp from ! s.s.s.s/32 to \ ! e.e.e.e/32 port 80 -> d.d.d.d/32 port 8080 # --- page [152] --- rdr on $ext_if inet proto tcp from any to $ext_ad port 22 \ -> 192.168.1.1 port 1022 rdr on $ext_if inet proto tcp from any to $ext_ad port 25 \ -> 192.168.1.2 port 1025 rdr on $ext_if inet proto tcp from any to $ext_ad port 53 \ -> 192.168.1.3 port 1053 rdr on $ext_if inet proto tcp from any to $ext_ad port 80 \ -> 192.168.1.4 port 8080 # --- page [153] --- binat on $ext_if inet proto tcp from 192.168.1.37 to any \ -> $ext_ad_1 binat on $ext_if inet proto tcp from 192.168.1.38 to any \ -> $ext_ad_2 binat on $ext_if inet proto tcp from 192.168.1.54 to any \ -> $ext_ad_3 # --- page [156] --- block in all block out all # --- page [156] --- pass in all pass out all # --- page [156] --- block in all block out all # --- page [157 - 158] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewall's external # interface ext_if = "ne1" # ext_ad -- the address of the firewall's external # interface ext_ad = "e.e.e.e/32" ######################################################## # packet filtering rules: "antispoof", "block", "pass" #------------------------------------------------------- # block all inbound connections block in all # block all inbound connections to port 113 (auth) # and return ICMP destination-unreachable block return-icmp in quick on $ext_if proto tcp \ from any to $ext_ad port auth # allow inbound connections to port 25 (smtp) pass in quick on $ext_if \ from any to $ext_ad port smtp # --- page [158 
- 159] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewall's external # interface ext_if = "ne1" # ext_ad -- the address of the firewall's external # interface ext_ad = "e.e.e.e/32" ######################################################## # packet filtering rules: "antispoof", "block", "pass" #------------------------------------------------------- block return-rst in quick on $ext_if proto tcp \ from any to $ext_ad port auth # --- page [159] --- block return-rst (ttl 100) quick in on $ext_if proto tcp \ from any to $ext_ad port auth # --- page [159] --- block return quick in on $ext_if \ from any to $ext_ad # --- page [159 - 160] --- ######################################################## # options: set #------------------------------------------------------- # answer blocked TCP packets with TCP RSP and # blocked UDP with ICMP destination-unreachable set block-policy return ######################################################## # packet filtering rules: "antispoof", "block", "pass" #------------------------------------------------------- # block and drop packets (override set block-policy # return) block drop in quick on $ext_if proto tcp \ from any to $ext_ad port auth # --- page [161] --- pass in log-all quick on $ext_if proto tcp from any \ to $ext_ad port 80 # --- page [161] --- pass in quick on $ext_if proto tcp from any \ to $ext_ad port 80 # --- page [162] --- block in on $ext_if block in log-all on $ext_if block in log-all quick on $ext_if # --- page [163] --- pass in on $ext_if route-to ($int_if $int_ad) all pass in on $ext_if route-to $int_if all # --- page [163] --- # ext_if -- external interface on the firewall # log_if -- interface connecting the loging station pass in on $ext_if dup-to $log_if all pass out on $ext_if dup-to $log_if all # --- page [163] --- # ext_if -- external interface on the logging station block in log on 
$ext_if all # --- page [164] --- # ext_if -- external interface on the logging station # log_keeper -- the address of the logging station block in log on $ext_if all block return-icmp in log quick on $ext_if proto tcp \ from any to $log_keeper port auth pass in log on $ext_if from any to $log_keeper port ssh # --- page [164] --- block in quick inet6 all # --- page [165] --- block in all pass in inet all pass out inet all block out quick inet6 all # --- page [165] --- pass in quick on $ext_if proto tcp # --- page [165] --- $block_ads = \ {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \ 224.0.0.0/4, 240.0.0.0/5, 127.0.0.0/8, 0.0.0.0} block in quick on $ext_if from $block_ads # --- page [166] --- block in quick on $ext_if from ! $allow_ads to any # --- page [166] --- block in quick on $log_if from any to $log_ad block in quick on $ext_if from $blockIPs to any # --- page [166] --- block in on $ext_if from any to any block in on $ext_if all # --- page [166] --- block in on $ext_if proto tcp from any port 80 # --- page [167] --- # block packets destined for port 80 block in on $ext_if proto tcp from any to \ $dmz_www_ad port = 80 # block packets destined for all ports except port 80 block in on $ext_if proto tcp from any to \ $dmz_www_ad port != 80 # block packets destined for ports lower than port 80 block in on $ext_if proto tcp from any to \ $dmz_www_ad port < 80 # block packets destined for ports lower than and equal # to port 80 block in on $ext_if proto tcp from any to \ $dmz_www_ad port <= 80 # block packets destined for ports higher than block in on $ext_if proto tcp from any \ to $dmz_www_ad port > 80 # block packets destined for ports higher than and equal # to port 80 block in on $ext_if proto tcp from any to \ $dmz_www_ad port >= 80 # block packets destined for ports higher than port 80 # and lower than port 1024 block in on $ext_if proto tcp from any to \ $dmz_www_ad port 80 >< 1024 # block packets destined for ports lower than port 80 # and higher than port 
1024 block in on $ext_if proto tcp from any to \ $dmz_www_ad port 80 <> 1024 # --- page [168] --- pass in on $ext_if proto tcp from any os "Windows" # --- page [168] --- pass in on $ext_if proto tcp from any os "Windows 2000" # --- page [168] --- pass in on $ext_if proto tcp from any os "Windows 2000 SP4" # --- page [169] --- pass in on ne1 proto tcp from any os "unknown" # --- page [169] --- set fingerprints "/etc/pf.os-special-modifications" # --- page [169] --- pass in on $ext_if from any to $dmz_www_ad # --- page [170] --- pass in on $ext_if proto tcp from any to \ $ext_www_ad port $ext_www_port pass in on $ext_if proto tcp from any to \ $ext_smtp_ad port $ext_smtp_port pass in on $ext_if proto tcp from any to \ $ext_ftp_ad port $ext_ftp_port # --- page [170] --- pass out on $ext_if proto {tcp, udp} \ from any to any user joe keep state pass out on $ext_if proto {tcp, udp} \ from any to any user > 10000 group users keep state # --- page [172] --- # FIN must be set, ignore the rest block in proto tcp all flags F/F # FIN must be unset, ignore the rest block in all flags /F # FIN must be set, the rest must be unset block in all flags F # FIN must be set, ACK must be unset, ignore the rest block in all flags F/FA # FIN and ACK must be unset, ignore the rest block in all flags /FA # --- page [173] --- pass in inet proto icmp icmp-type 8 code 0 keep state # --- page [173] --- pass in inet6 proto icmpv6 icmpv6-icmp-type 8 code 0 keep state # --- page [174] --- pass out on $ext_if proto TCP all keep state # --- page [174] --- pass in proto tcp all port 80 keep state pass out proto tcp all keep state # --- page [174] --- pass in proto tcp all port 80 flags S/SA keep state pass out proto tcp all flags S/SA keep state # --- page [175] --- pass out inet proto icmp all icmp-type echoreq keep state # --- page [175] --- pass in proto tcp all port 80 flags S/SA keep state pass out proto tcp all flags S/SA keep state # --- page [175] --- pass in proto tcp all port 80 flags S/SA 
modulate state pass out proto tcp all flags S/SA modulate state # --- page [175] --- pass in proto tcp all port 80 flags S/SA synproxy state # --- page [176] --- ######################################################## # options: "set" # ex. 1 sets timeout of the stateful connection to 20 # seconds after receiving the first packet from the host # initializing this connection. set timeout tcp.first 20 # ex. 2 sets timeout of the stateful connection to 20 # seconds after receiving the first packet from the host # initializing this connection, then, if the connection # is established, every packet that matches the # established state of a TCP connection resets the # timeout of the TCP connection it is a part of to 10 # seconds. This is very aggressive, and will result in # a high percentage of lost valid connections on slow # links. set timeout tcp.first 20 set timeout tcp.established 10 # ex. 3 same as ex. 2, but both rules have been combined # on a single line (the order of protocol.state rules is # not relevant) set timeout { tcp.first 20, tcp.established 10 } # --- page [177] --- set timeout {adaptive.start 5000, adaptive.end 20000} # --- page [178] --- ######################################################## # options: "set" set timeout interval 20 set timeout frags 20 # --- page [179] --- pass in proto tcp all port 80 flags S/SA modulate \ state (max 1000, tcp.established 120, tcp.closing 10) # --- page [179] --- ######################################################## # macro definitions #------------------------------------------------------- # ext_if -- the name of the firewall's external # interface ext_if = "ne1" ######################################################## # packet filtering rules: "antispoof", "block", "pass" #------------------------------------------------------- pass in on $ext_if all allow-opts # --- page [180] --- pass in on rl0 all label "incoming" pass out on rl0 all label "departing" # --- page [181] --- antispoof for ne1 # --- page 
[182] --- # redirect all packets sent from the internal private # network ($prv_ad) to port 80 on any address arriving # at the interface connecting the private network with # the firewall ($prv_if) to port 8080 on the cache # server whose address is $ch_ad rdr on $prv_if proto tcp from $prv_ad \ to any port 80 -> $ch_ad port 8080 pass in on $prv_if proto tcp from $prv_ad \ to $ch_ad port 8080 # --- page [182] --- # NAT hosts in the private network ($prv_ad) on the # interface connecting the firewall to the Internet # ($ext_if) using the firewall's external address # ($ext_ad) nat on $ext_if from $prv_ad to any -> $ext_ad pass out on $ext_if proto tcp from $ext_ad to any # --- page [182 - 183] --- ####################################################### # workstation_int -- the internal IP address of the # binat-ed workstation # workstation_ext -- the external IP address of the # binat-ed workstation binat on $ext_if from $workstation_int to any \ -> $workstation_ext pass in on $ext_if proto tcp from any \ to $workstation_int pass out on $ext_if proto tcp \ from $workstation_ext to any # --- page [189] --- # anchor ziggy will be evaluated only when packets match # the filtering conditions listed after anchor ziggy anchor ziggy in on ne1 inet proto tcp \ from any port 80 to any port > 1023 # --- page [193] --- rdr on ne0 proto tcp from any to $ext_ad port 80 \ -> { 10.1.1.1/24 } round-robin # --- page [193] --- rdr on ne0 proto tcp from any to $ext_ad port 80 \ -> { 10.1.1.1/24, 192.168.22.5/8, 10.34.2.76 } round-robin # --- page [193] --- rdr on ne0 proto tcp from any to $ext_ad port 80 \ -> { 10.1.1.45, 192.168.22.5, 10.34.2.76 } round-robin # --- page [194] --- rdr on ne0 proto tcp from any to $ext_ad port 80 \ -> 10.4.3.6/29 random # --- page [194] --- rdr on ne0 proto tcp from any to $ext_ad port 80 \ -> 10.4.3.6/29 source-hash # --- page [194] --- rdr on ne0 proto tcp from any to $ext_ad port 80 \ -> 10.4.3.6/29 source-hash hashstringcanbeanystring # --- page 
[194 - 195] --- # redirect connections: # from 192.168.1.1 to 10.4.3.1 # from 192.168.1.2 to 10.4.3.2 # from 192.168.1.3 to 10.4.3.3 # and so on ... nat on ne0 proto tcp from 192.168.1/24 to any \ -> 10.4.3/24 bitmask # --- page [195] --- nat on $ext_if from 10.3.3.1/24 to any \ -> 192.168.23.34/31 source-hash # --- page [197] --- # define a parent queue and give it a total of 45Mb of # bandwidth to manage; define four child queues: ssh, www, # other (default), ctrl (control); managed with PRIQ altq on $ext_if priq bandwidth 45Mb \ queue{ssh, www, other, ctrl} # define a parent queue with a bandwidth of 45Mb and six child # queues: accounting, developers, managers, users, other # (default), ctrl (control); managed with CBQ altq on $ext_if cbq bandwidth 45Mb \ queue{accounting, developers, managers, users, other, ctrl} # define a parent queue with a bandwidth of 45Mb and six child # queues: accounting, developers, managers, users, other # (default), ctrl (control); managed with HFSC altq on $ext_if hfsc bandwidth 45Mb \ queue{accounting, developers, managers, users, other, ctrl} # --- page [199] --- pass out quick on $ext_if from any to any queue users # --- page [199] --- pass out quick on $ext_if from any to any queue (users, admins) # --- page [200 - 202] --- # MACROS # external interface ext_if = "ne1" # PARENT QUEUE DEFINITION # define a PRIQ parent queue: bandwidth 45Mb, and # five child queues: dns, ssh, www, mail, other (default) altq on $ext_if priq bandwidth 45Mb \ queue{dns, ssh, www, mail, other} # CHILD QUEUE DEFINITIONS # DNS lookups are given the highest priority, because we # need them done asap queue dns priority 14 priq(red) # SSH connections are given one of the highest priorities, # because they are often used for administrative purposes queue ssh priority 13 priq(red) # mail connections are given lower priority than SSH, but # higher than HTTP/HTTPS, because we want to send/receive our # mail as quickly as possible queue mail priority 12 
priq(red) # HTTP/HTTPS connections are given lower priority, because they # are not as time-sensitive as the other queues queue www priority 11 priq(red) # other connections are assigned to the default queue queue other priority 10 priq(default) # FILTERING RULES ASSIGNED TO QUEUES # packets sent to port 53 (DNS) will be assigned to the dns # queue, (note the use of keep state, instead of synproxy # state or modulate state, as UDP packets can only be # filtered with keep state pass out quick on $ext_if inet proto udp \ from any to any port 53 keep state queue dns pass out quick on $ext_if inet proto tcp \ from any to any port 53 synproxy state queue dns # packets sent to port 22 (SSH), 23 (TELNET) will be assigned # to the ssh queue pass out quick on $ext_if inet proto tcp \ from any to any port {22, 23} synproxy state queue ssh # packets sent to port 25 (SMTP), 109 (POP2), 110 (POP3), # 143 (IMAP), 220 (IMAP3), 995 (POP3S) will be assigned to # the mail queue pass out quick on $ext_if inet proto tcp \ from any to any port {25, 109, 110, 143, 220, 995} \ synproxy state queue mail # packets sent to port 80 (HTTP), 443 (HTTPS) will be assigned # to the www queue pass out quick on $ext_if inet proto tcp \ from any to any port {80, 443} synproxy state queue www # --- page [202 - 203] --- # MACROS # external interface ext_if = "ne1" # administrators' machines admins_ad = "{a.a.a.a, a.a.a.b}" # accounts' machines accounts_ad = "{a.a.a.c, a.a.a.d, a.a.a.e}" # coders' machines coders_ad = "{a.a.a.f, a.a.a.g, a.a.a.h}" # users' machines users_ad = "{a.a.a.i, a.a.a.j, a.a.a.k}" # PARENT QUEUE DEFINITION # define a PRIQ parent queue: bandwidth 45Mb, and # five child queues: admins, accounts, coders, users # others (default) altq on $ext_if priq bandwidth 45Mb \ queue{admins, accounts, coders, users, others} # CHILD QUEUE DEFINITIONS # admins get the higest priority queue admins priority 14 priq(red) # the accounts department queue accounts priority 13 priq(red) # coders queue 
coders priority 12 priq(red) # ordinary users queue users priority 11 priq(red) # others queue others priority 10 priq(default) # FILTERING RULES ASSIGNED TO QUEUES # admins pass out quick on $ext_if inet proto tcp \ from $admins_ad to any synproxy queue admins pass out quick on $ext_if inet proto udp \ from $admins_ad to any keep state queue admins # accounts pass out quick on $ext_if inet proto tcp \ from $accounts_ad to any synproxy state queue accounts pass out quick on $ext_if inet proto udp \ from $accounts_ad to any keep state queue accounts # coders pass out quick on $ext_if inet proto tcp \ from $coders_ad to any synproxy state queue coders pass out quick on $ext_if inet proto udp \ from $coders_ad to any keep state queue coders # users pass out quick on $ext_if inet proto tcp \ from $users_ad to any synproxy state queue users pass out quick on $ext_if inet proto udp \ from $users_ad to any keep state queue users # --- page [204 - 206] --- # MACROS # external interface ext_if = "ne1" # administrators' machines admins_ad = "{a.a.a.a, a.a.a.b}" # accounts' machines accounts_ad = "{a.a.a.c, a.a.a.d, a.a.a.e}" # coders' machines coders_ad = "{a.a.a.f, a.a.a.g, a.a.a.h}" # users' machines users_ad = "{a.a.a.i, a.a.a.j, a.a.a.k}" # PARENT QUEUE DEFINITION # define a PRIQ parent queue: bandwidth 45Mb, and # five child queues: admins, accounts, coders, users # others (default) altq on $ext_if priq bandwidth 45Mb \ queue{admins, accounts, coders, users, others} # CHILD QUEUE DEFINITIONS # admins get the higest priority queue admins priority 14 priq(red) # the accounts department queue accounts priority 13 priq(red) # coders queue coders priority 12 priq(red) # ordinary users queue users priority 11 priq(red) # others queue others priority 10 priq(default) # NAT RULES # admins nat on $ext_if inet proto {tcp, udp} \ from a.a.a.a to any -> ($ext_if) port 1024:6888 nat on $ext_if inet proto {tcp, udp} \ from a.a.a.b to any -> ($ext_if) port 6889:12753 # accounts nat on 
$ext_if inet proto {tcp, udp} \ from a.a.a.c to any -> ($ext_if) port 12754:18618 nat on $ext_if inet proto {tcp, udp} \ from a.a.a.d to any -> ($ext_if) port 18619:24483 nat on $ext_if inet proto {tcp, udp} \ from a.a.a.e to any -> ($ext_if) port 24484:30348 # coders nat on $ext_if inet proto {tcp, udp} \ from a.a.a.f to any -> ($ext_if) port 30349:36213 nat on $ext_if inet proto {tcp, udp} \ from a.a.a.g to any -> ($ext_if) port 36214:42078 nat on $ext_if inet proto {tcp, udp} \ from a.a.a.h to any -> ($ext_if) port 42079:47943 # users nat on $ext_if inet proto {tcp, udp} \ from a.a.a.i to any -> ($ext_if) port 47944:53808 nat on $ext_if inet proto {tcp, udp} \ from a.a.a.j to any -> ($ext_if) port 53809:59673 nat on $ext_if inet proto {tcp, udp} \ from a.a.a.k to any -> ($ext_if) port 59674:65535 # FILTERING RULES ASSIGNED TO QUEUES # admins pass out quick on $ext_if inet proto {tcp, udp} \ from ($ext_if) port 1024 >< 6888 to any queue admins pass out quick on $ext_if inet proto {tcp, udp} \ from ($ext_if) port 6889 >< 12753 to any queue admins # accounts pass out quick on $ext_if inet proto {tcp, udp} \ from ($ext_if) port 12754 >< 18618 to any queue admins pass out quick on $ext_if inet proto {tcp, udp} \ from ($ext_if) port 18619 >< 24483 to any queue admins pass out quick on $ext_if inet proto {tcp, udp} \ from ($ext_if) port 24484 >< 30348 to any queue admins # coders pass out quick on $ext_if inet proto {tcp, udp} \ from ($ext_if) port 30349 >< 36213 to any queue admins pass out quick on $ext_if inet proto {tcp, udp} \ from ($ext_if) port 36214 >< 42078 to any queue admins pass out quick on $ext_if inet proto {tcp, udp} \ from ($ext_if) port 42079 >< 47943 to any queue admins # users pass out quick on $ext_if inet proto {tcp, udp} \ from ($ext_if) port 47944 >< 53808 to any queue admins pass out quick on $ext_if inet proto {tcp, udp} \ from ($ext_if) port 53809 >< 59673 to any queue admins pass out quick on $ext_if inet proto {tcp, udp} \ from ($ext_if) 
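port 59674 >< 65535 to any queue admins

# --- page [206 - 208] ---

# MACROS

# external interface
ext_if = "ne1"

# DMZ interface
dmz_if = "ne2"

# private interface
prv_if = "ne3"

# PARENT QUEUE DEFINITION

# define a CBQ parent queue with 45Mb of the total bandwidth
# and three child queues: dmznet (hosts in the DMZ),
# prvnet (hosts in the private segment),
# others (default, connections from the firewall itself)
altq on $ext_if cbq bandwidth 45Mb \
    queue { dmznet, prvnet, others }

# CHILD QUEUE DEFINITIONS

# give the outbound traffic from the DMZ 50% of parent
# bandwidth
queue dmznet bandwidth 50% priority 6 cbq(red)

# give the outbound traffic from the private network 45% of
# parent bandwidth (the original comment said "49Mb", which is
# more than the 45Mb parent has; 50% + 45% + 5% is what the
# three children actually add up to)
queue prvnet bandwidth 45% priority 6 cbq(red)

# give the outbound traffic from the firewall host itself the
# remaining 5%; being the default queue it also receives every
# packet the filter rules below do not assign to a queue
queue others bandwidth 5% priority 5 cbq(default)

# PACKET TRANSLATION

# Add NAT rules with clearly defined port ranges, so we know
# where the outbound packets are coming from (NAT will change
# their source address, and we'll need to use port numbers to
# know who's who)

# Turn NAT off for connections between the private network
# and the DMZ segment
# NOTE(review): "nat on $ext_if" only rewrites packets leaving
# through $ext_if; traffic routed between $dmz_if and $prv_if
# never reaches that point, so these two rules are defensive
# only and change nothing unless such traffic can egress
# $ext_if.
no nat on $ext_if inet proto {tcp, udp} \
    from $dmz_if:network to $prv_if:network
no nat on $ext_if inet proto {tcp, udp} \
    from $prv_if:network to $dmz_if:network

# do NAT between the DMZ network segment and the outside
# world
# NOTE(review): only TCP and UDP are translated. ICMP (and any
# other protocol) from the DMZ or private hosts would leave
# $ext_if with its internal source address unless some other
# rule blocks it.
nat on $ext_if inet proto {tcp, udp} \
    from $dmz_if:network to any -> $ext_if port 1024:32255

# do NAT between the private network segment and the outside
# world
nat on $ext_if inet proto {tcp, udp} \
    from $prv_if:network to any -> $ext_if port 32256:65535

# PACKET FILTERING RULES BOUND TO QUEUES
# The NAT port ranges above are inclusive ("a:b"); the queue
# assignments use the same inclusive form so the two agree.
# The original used "a >< b", which excludes both endpoints,
# so ports 1024, 32255, 32256 and 65535 silently landed in the
# default queue.
pass out quick on $ext_if inet proto {tcp, udp} \
    from ($ext_if) port 1024:32255 to any queue dmznet
pass out quick on $ext_if inet proto {tcp, udp} \
    from ($ext_if) port 32256:65535 to any queue prvnet

# --- page [209 - 213] ---

# MACROS

# external interface
ext_if = "ne1"

# DMZ interface
dmz_if = "ne2"

# private interface
prv_if = "ne3"

# PARENT QUEUE DEFINITION

# define a CBQ parent queue: bandwidth 45Mb, and
# three child queues: dmznet (hosts in the DMZ),
# prvnet (hosts in the private segment),
# others (default)
altq on $ext_if cbq bandwidth 45Mb \
    queue { dmznet, prvnet, others }

# CHILD QUEUE DEFINITIONS
# A queue's children are listed in braces after its options;
# pf.conf(5) has no "queue(...)" form (which the original used
# here). Every queue on an interface must use the scheduler
# chosen in its altq line, so all of these are cbq (the
# original declared www and host1-host4 as priq, which pfctl
# rejects as a scheduler mismatch).

# give the outbound traffic from the DMZ 50% of bandwidth
queue dmznet bandwidth 50% priority 6 cbq(red) \
    { dns, ssh, www, mail }

# give the outbound traffic from the private network 49% of
# bandwidth
queue prvnet bandwidth 49% priority 5 cbq(red) \
    { host1, host2, host3, host4 }

# give the outbound traffic from the firewall host itself 1%;
# as the default queue it also takes everything the filter
# rules below leave unclassified
queue others bandwidth 1% priority 4 cbq(default)

# CHILD QUEUE DEFINITIONS: (for dmznet)
# NOTE(review): these leaf queues specify no bandwidth; check
# how your pfctl release treats a cbq child without one before
# relying on this layout.
queue dns priority 6 cbq(red, borrow)
queue ssh priority 5 cbq(red, borrow)
queue mail priority 4 cbq(red, borrow)
queue www priority 3 cbq(red, borrow)

# CHILD QUEUE DEFINITIONS: (for prvnet)
queue host1 bandwidth 25% cbq(red) { dns1, ssh1, mail1, www1 }
queue host2 bandwidth 25% cbq(red) { dns2, ssh2, mail2, www2 }
queue host3 bandwidth 25% cbq(red) { dns3, ssh3, mail3, www3 }
queue host4 bandwidth 25% cbq(red) { dns4, ssh4, mail4, www4 }

# CHILD QUEUE DEFINITIONS: (for host1)
queue dns1 priority 6 cbq(red, borrow)
queue ssh1 priority 5 cbq(red, borrow)
queue mail1 priority 4 cbq(red, borrow)
queue www1 priority 3 cbq(red, borrow)

# CHILD QUEUE DEFINITIONS: (for host2)
queue dns2 priority 6 cbq(red, borrow)
queue ssh2 priority 5 cbq(red, borrow)
queue mail2 priority 4 cbq(red, borrow)
queue www2 priority 3 cbq(red, borrow)

# CHILD QUEUE DEFINITIONS: (for host3)
queue dns3 priority 6 cbq(red, borrow)
queue ssh3 priority 5 cbq(red, borrow)
queue mail3 priority 4 cbq(red, borrow)
queue www3 priority 3 cbq(red, borrow)

# CHILD QUEUE DEFINITIONS: (for host4)
queue dns4 priority 6 cbq(red, borrow)
queue ssh4 priority 5 cbq(red, borrow)
queue mail4 priority 4 cbq(red, borrow)
queue www4 priority 3 cbq(red, borrow)

# NAT RULES
# NOTE(review): nat rules are first-match. The four rules for
# $prv_if:network have identical match criteria, so only the
# first (port 32256:40574) is ever used and the host2-host4
# queues never see traffic. For the per-host queues to work,
# each rule needs that host's own address as its source.
no nat on $ext_if from $dmz_if:network to $prv_if:network
no nat on $ext_if from $prv_if:network to $dmz_if:network
nat on $ext_if from $dmz_if:network to any \
    -> ($ext_if) port 1024:32255
nat on $ext_if from $prv_if:network to any \
    -> ($ext_if) port 32256:40574
nat on $ext_if from $prv_if:network to any \
    -> ($ext_if) port 40575:48893
nat on $ext_if from $prv_if:network to any \
    -> ($ext_if) port 48894:57212
nat on $ext_if from $prv_if:network to any \
    -> ($ext_if) port 57213:65535

# FILTERING RULES ASSIGNED TO QUEUES: (for dmznet)
# Source-port ranges are written inclusive ("a:b") to line up
# with the NAT ranges; the original "a >< b" left both endpoint
# ports in the default queue. The "ssh" queues also carry
# telnet (port 23), which is cleartext -- drop 23 if it is not
# actually in use. Mail submission (587) and IMAPS (993) are
# not in the mail list and therefore fall into the default
# queue.
pass out quick on $ext_if inet proto {tcp, udp} \
    from ($ext_if) port 1024:32255 to any port 53 queue dns
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 1024:32255 to any port {22, 23} \
    queue ssh
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 1024:32255 to any \
    port {25, 109, 110, 143, 220, 995} queue mail
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 1024:32255 to any port {80, 443} \
    queue www

# FILTERING RULES ASSIGNED TO QUEUES: (for host1)
pass out quick on $ext_if inet proto {tcp, udp} \
    from ($ext_if) port 32256:40574 to any port 53 queue dns1
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 32256:40574 to any port {22, 23} \
    queue ssh1
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 32256:40574 to any \
    port {25, 109, 110, 143, 220, 995} queue mail1
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 32256:40574 to any port {80, 443} \
    queue www1

# FILTERING RULES ASSIGNED TO QUEUES: (for host2)
pass out quick on $ext_if inet proto {tcp, udp} \
    from ($ext_if) port 40575:48893 to any port 53 queue dns2
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 40575:48893 to any port {22, 23} \
    queue ssh2
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 40575:48893 to any \
    port {25, 109, 110, 143, 220, 995} queue mail2
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 40575:48893 to any port {80, 443} \
    queue www2

# FILTERING RULES ASSIGNED TO QUEUES: (for host3)
pass out quick on $ext_if inet proto {tcp, udp} \
    from ($ext_if) port 48894:57212 to any port 53 queue dns3
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 48894:57212 to any port {22, 23} \
    queue ssh3
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 48894:57212 to any \
    port {25, 109, 110, 143, 220, 995} queue mail3
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 48894:57212 to any port {80, 443} \
    queue www3

# FILTERING RULES ASSIGNED TO QUEUES: (for host4)
pass out quick on $ext_if inet proto {tcp, udp} \
    from ($ext_if) port 57213:65535 to any port 53 queue dns4
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 57213:65535 to any port {22, 23} \
    queue ssh4
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 57213:65535 to any \
    port {25, 109, 110, 143, 220, 995} queue mail4
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) port 57213:65535 to any port {80, 443} \
    queue www4

# --- page [214] ---

# HFSC parent with five children, each given a flat 20% share
altq on $ext_if hfsc bandwidth 45Mb \
    queue { dns, ssh, www, mail, other }
queue dns bandwidth 20%
queue ssh bandwidth 20%
queue mail bandwidth 20%
queue www bandwidth 20%
queue other hfsc(default)

# --- page [214 - 215] ---

# the same layout written with explicit link-sharing curves
altq on $ext_if hfsc bandwidth 45Mb \
    queue { dns, ssh, www, mail, other }
queue dns hfsc(linkshare 20%)
queue ssh hfsc(linkshare 20%)
queue mail hfsc(linkshare 20%)
queue www hfsc(linkshare 20%)
queue other hfsc(default)

# --- page [215] ---

# PARENT QUEUE DEFINITION
altq on $ext_if hfsc bandwidth 45Mb \
    queue { dmznet, prvnet, others }

# CHILD QUEUE DEFINITIONS
# an hfsc service curve is written (m1 d m2): rate m1 for the
# first d milliseconds of a backlog, m2 from then on

# backlogs that last less than 10 seconds get 50% or more
# of the total available bandwidth, after 10 seconds, that limit
# goes up to 65% of the total available bandwidth
queue dmznet hfsc(linkshare (50% 10000 65%))

# backlogs that last less than 5 seconds get 40% or more
# of the total available bandwidth, after 5 seconds, that limit
# goes down to 25% of the total available bandwidth
# (the original comment said 50%; the curve says 40%)
queue prvnet hfsc(linkshare (40% 5000 25%))
queue others hfsc(default)

# --- page [216] ---

# PARENT QUEUE DEFINITION
altq on $ext_if hfsc bandwidth 45Mb \
    queue { dmznet, prvnet, others }

# CHILD QUEUE DEFINITIONS

# backlogs that last less than 10 seconds get 50% or more
# of the total available bandwidth, after 10 seconds, that
# limit goes up to 65% of the total available bandwidth
queue dmznet hfsc(linkshare (50% 10000 65%))

# prvnet gets the same curve as a guaranteed (realtime) rate
# and as its link-share: 40% or more for backlogs shorter than
# 5 seconds, 25% afterwards
# (the original comment said 50%; the curves say 40%)
queue prvnet \
    hfsc(realtime (40% 5000 25%) linkshare (40% 5000 25%))
queue others hfsc(default)

# --- page [217] ---

# PARENT QUEUE DEFINITION
altq on $ext_if hfsc bandwidth 45Mb \
    queue { dmznet, prvnet, others }

# CHILD QUEUE DEFINITIONS

# backlogs that last less than 10 seconds get 50% or more
# of the total available bandwidth, after 10 seconds, that limit
# goes up to 65% of the total available bandwidth; the
# upperlimit curve caps it at 60% (first 10 seconds) and 75%
queue dmznet hfsc(linkshare (50% 10000 65%) \
    upperlimit (60% 10000 75%))

# prvnet is guaranteed and shares 35% for backlogs shorter than
# 5 seconds and 20% afterwards, and is capped at 40% / 25%
# (the original comment quoted 50% / 25%, which matches none
# of the three curves)
queue prvnet hfsc(realtime (35% 5000 20%) \
    linkshare (35% 5000 20%) upperlimit (40% 5000 25%))
queue others hfsc(default)

# --- page [217 - 218] ---

# How a child's percentage is interpreted by the two
# schedulers. The book's arithmetic treats a cbq child's
# percentage as a share of its parent (50% of 8Mb = 4Mb) and an
# hfsc linkshare percentage as a share of the interface
# (20% of 20Mb = 4Mb).
# NOTE(review): confirm this against pfctl on your release
# before sizing real queues from it.
# NOTE(review): dmznet and others are named in both altq lines
# but not defined in this excerpt; pfctl needs definitions for
# them.

# CBQ
altq on $ext_if cbq bandwidth 20Mb \
    queue { dmznet, prvnet, others }
# prvnet gets 8Mb
queue prvnet bandwidth 40% { host1, host2 }
# host1 gets 4Mb
queue host1 bandwidth 50%
# host2 gets 4Mb
queue host2 bandwidth 50%

# HFSC
altq on $ext_if hfsc bandwidth 20Mb \
    queue { dmznet, prvnet, others }
# prvnet gets 8Mb
queue prvnet hfsc(linkshare 40%) { host1, host2 }
# host1 gets 4Mb
queue host1 hfsc(linkshare 20%)
# host2 gets 4Mb
queue host2 hfsc(linkshare 20%)

# --- page [222] ---

# block all incoming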
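# packets
block in on $ext_if all

# block and log all incoming packets
block in log on $ext_if all

# --- page [223] ---

# allow TCP IPv4 connections to the outside world,
# keep state
# NOTE(review): "all" also covers TCP connections originated by
# the firewall itself; confirm that synproxy state behaves as
# you expect for locally originated connections on your release.
pass out on $ext_if inet proto tcp all flags S/SA \
    synproxy state
pass out on $ext_if inet proto { udp, icmp } all \
    keep state

# --- page [223 - 224] ---

# allow and log TCP IPv4 connections to the outside
# world, keep state
pass out log on $ext_if inet proto tcp all flags S/SA \
    synproxy state
pass out log on $ext_if inet proto { udp, icmp } all \
    keep state

# --- page [236 - 237] ---

# authpf(8) set-up: the anchors receive the per-user rules
# that authpf loads when a user authenticates over SSH
ext_if = "ne1"
int_if = "ne2"

nat-anchor authpf
rdr-anchor authpf
binat-anchor authpf

block in on $ext_if all
block out on $ext_if all

# allow connections to SSH on the internal interface (otherwise
# joe, residing in the private network segment, will not be able
# to connect and authenticate)
pass in on $int_if inet proto tcp \
    from any to ($int_if) port 22 flags S/SA synproxy state

anchor authpf

# --- page [237] ---

# per-user rules loaded into the authpf anchor; $user_ip is
# defined by authpf(8) for the authenticated user's address

# MACROS
ext_if = "ne1"

# allow user joe to connect to HTTP servers
pass out on $ext_if inet proto tcp \
    from $user_ip to any port 80 flags S/SA synproxy state

# --- page [240 - 241] ---

# MACROS
ext_if = "ne1"

# Tables
# the <spamd> table (name as in spamd(8); the angle brackets
# were lost from the original text) holds the addresses spamd
# should answer for
table <spamd> persist

# NAT rules
# redirect connections from spammers to spamd, all legitimate
# connections will not be redirected
rdr on $ext_if inet proto tcp \
    from <spamd> to ($ext_if) port 25 -> 127.0.0.1 port 8025

# block all incoming connections
block in on $ext_if all

# pass redirected connections to spamd. The filter sees the
# translated packet, but on the interface it arrived on: the
# redirected SMTP packets still enter on $ext_if (now with
# destination 127.0.0.1:8025). The original passed them
# "in on lo0", which they never traverse, so "block in" above
# dropped them.
pass in on $ext_if inet proto tcp \
    from <spamd> to 127.0.0.1 port 8025

# pass legitimate connections to port 25 on the
# external interface
pass in on $ext_if inet proto tcp \
    from any to ($ext_if) port 25 flags S/SA synproxy state

# --- page [241 - 242] ---

# MACROS
ext_if = "ne1"

# here, we assume that the MTA is running on a machine
# located in the DMZ and connected to the DMZ interface
# (macro definitions take no leading "$"; the original's
# "$dmz_if = ..." does not parse)
dmz_if = "ne2"
mta_ad = "192.168.24.63"
mta_pt = "1025"

# Tables
table <spamd> persist

# NAT rules
# redirect connections from spammers to spamd
rdr on $ext_if inet proto tcp \
    from <spamd> to ($ext_if) port 25 -> 127.0.0.1 port 8025

# redirect all legitimate connections to the real MTA
# (rdr rules are first-match, so the <spamd> rule above wins
# for listed addresses)
rdr on $ext_if inet proto tcp \
    from any to ($ext_if) port 25 -> $mta_ad port $mta_pt

# block all incoming connections
block in on $ext_if all

# pass redirected connections to spamd; as in the previous
# example they arrive on $ext_if, not lo0
pass in on $ext_if inet proto tcp \
    from <spamd> to 127.0.0.1 port 8025

# pass redirected connections to the MTA in on $ext_if and out
# on $dmz_if. The original only had the "pass out" rule, so
# everything redirected to the MTA was stopped by "block in".
pass in on $ext_if inet proto tcp \
    from any to $mta_ad port $mta_pt flags S/SA synproxy state
pass out on $dmz_if inet proto tcp \
    from any to $mta_ad port $mta_pt flags S/SA synproxy state

# --- page [272] ---

# if -- the interface on which packets arrive
# block both TCP and UDP IPv4
block in on $if inet proto {tcp, udp} \
    from any to ($if) port $blocked_port
# block both TCP and UDP IPv6
block in on $if inet6 proto {tcp, udp} \
    from any to ($if) port $blocked_port

# --- page [272] ---

# if -- the interface on which packets arrive
# the pass rules follow the block rules and neither has
# "quick", so the last match wins and $OK_address is exempted
# block both TCP and UDP IPv4
block in on $if inet proto {tcp, udp} \
    from any to ($if) port $blocked_port
pass in on $if inet proto {tcp, udp} from $OK_address \
    to ($if) port $blocked_port
# block both TCP and UDP IPv6
block in on $if inet6 proto {tcp, udp} \
    from any to ($if) port $blocked_port
pass in on $if inet6 proto {tcp, udp} from $OK_address \
    to ($if) port $blocked_port

# --- page [272] ---

# ext_if -- the external interface
# rdr rules take no direction keyword, and the target port
# needs the "port" keyword; the original
# "rdr in ... -> $target_host $redirected_port" does not parse.
# NOTE(review): no protocol is given; port redirection only
# makes sense for tcp/udp, so add "proto {tcp, udp}" if pfctl
# objects.
rdr on $ext_if inet \
    from any to ($ext_if) port $target_ports \
    -> $target_host port $redirected_port
rdr on $ext_if inet6 \
    from any to ($ext_if) port $target_ports \
    -> $target_host port $redirected_port

# --- page [272 - 273] ---

# ext_if -- the external interface
# int_if -- the internal interface
# transparently redirect internal clients to a proxy (same
# syntax fixes as above)
rdr on $int_if \
    from any to any port $target_port \
    -> $proxy_host port $redirected_port

# --- page [274] ---

# prv_if -- the interface that private hosts connect
#           to the firewall
# let the administrators' hosts send echo requests anywhere
pass in on $prv_if inet proto icmp \
    from $admin_hosts \
    to any icmp-type 8 code 0 keep state

# --- page [274] ---

# prv_if -- the interface that private hosts connect
#           to the firewall
# let every private host ping the firewall's private address
pass in on $prv_if inet proto icmp \
    from $prv_if:network \
    to ($prv_if) icmp-type 8 code 0 keep state

# --- page [274] ---

# ext_if -- the interface that firewall host connects
#           to the outside world
# let the ISP's monitoring network ping the external address
pass in on $ext_if inet proto icmp \
    from $ISP_net_address \
    to ($ext_if) icmp-type 8 code 0 keep state

# --- page [274] ---

# ext_if -- the interface that firewall host connects
#           to the outside world
# prv_if -- the interface that private hosts connect
#           to the firewall
# ICMP destination unreachable (type 3); code 4 (fragmentation
# needed) is what path MTU discovery relies on.
# (the original "from prv_if:network" lacked the "$")
# NOTE(review): the stateless "pass in ... icmp-type 3" accepts
# unsolicited unreachables from anywhere to anywhere; pf already
# matches ICMP errors belonging to an existing state, so this
# can usually be narrowed.
pass in on $ext_if inet proto icmp \
    from any \
    to any icmp-type 3
pass out on $ext_if inet proto icmp \
    from any \
    to any icmp-type 3 code 4 keep state
pass in on $prv_if inet proto icmp \
    from $prv_if:network \
    to any icmp-type 3
pass out on $prv_if inet proto icmp \
    from any \
    to $prv_if:network icmp-type 3 code 4 keep state

# --- page [275] ---

# ext_if -- the interface that the firewall host connects
#           to the outside world
# prv_if -- the interface that private hosts connect
#           to the firewall host
# ICMP source quench (type 4); deprecated, most stacks ignore it
pass in on $ext_if inet proto icmp \
    all \
    icmp-type 4 keep state
pass in on $prv_if inet proto icmp \
    all \
    icmp-type 4 keep state

# --- page [275] ---

# ext_if -- the interface that the firewall host connects
#           to the outside world
# prv_if -- the interface that private hosts connect
#           to the firewall host
# ICMP time exceeded (type 11), needed for traceroute
pass in on $ext_if inet proto icmp \
    all \
    icmp-type 11 keep state
pass in on $prv_if inet proto icmp \
    all \
    icmp-type 11 keep state

# --- page [275 - 276] ---

# ext_if -- the interface that the firewall host connects
#           to the outside world
# prv_if -- the interface that private hosts connect
#           to the firewall host
# ICMP parameter problem (type 12)
pass in on $ext_if inet proto icmp \
    all \
    icmp-type 12 keep state
pass in on $prv_if inet proto icmp \
    all \
    icmp-type 12 keep state

# --- page [276] ---

# FTP control channel plus a passive-mode data port range
pass in on $ext_if proto tcp from any \
    to any port 21 keep state
# NOTE(review): this opens every port above 49151 on every host
# to any source, not just the FTP server's passive range.
# Restrict "to any" to the FTP server and its configured passive
# ports, or put ftp-proxy(8) in front of it instead.
pass in on $ext_if proto tcp from any \
    to any port > 49151 keep state

# --- page [277 - 278] ---

#### Bastion Host ####
# a lone host connected directly to the Internet or LAN

# macros for the bastion host:

# ext_if -- the name of the interface connecting the bastion
#           host to other (external) hosts
ext_if = "ne1"

# filtering rules for the bastion host:
# The "allow" and "block" pairs below are alternatives. If
# both are loaded, the later (block) rule wins because none
# of them uses "quick". Matching on "port > 1023" at the
# source adds no security: clients choose their own source
# port.

# -- allow connections from the bastion host to external hosts
#    on port 22 (SSH)
# note: to let IPv6 packets pass, copy the following rule and
#       change inet to inet6
pass out on $ext_if inet proto tcp \
    from ($ext_if) port > 1023 \
    to any port 22 \
    flags S/SA modulate state

# -- allow connections from external hosts to the bastion host
#    on port 22 (SSH)
# note: to let IPv6 packets pass, copy the following rule and
#       change inet to inet6
pass in on $ext_if inet proto tcp \
    from any port > 1023 \
    to ($ext_if) port 22 \
    flags S/SA modulate state

# -- block connections from the bastion host to external hosts
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($ext_if) notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.
block out on $ext_if inet proto {tcp, udp} \
    from ($ext_if) \
    to any port 22
block out on $ext_if inet6 proto {tcp, udp} \
    from ($ext_if) \
    to any port 22

# -- block connections from external hosts to the bastion host
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($ext_if) notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.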
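block in on $ext_if inet proto {tcp, udp} \
    from any \
    to ($ext_if) port 22
block in on $ext_if inet6 proto {tcp, udp} \
    from any \
    to ($ext_if) port 22

# --- page [278 - 280] ---

#### Screened Host/LAN ####
# the firewall has public IP addresses assigned to its
# interfaces, the private hosts also have public IP addresses

# macros for the screened host/LAN:

# ext_if -- the name of the interface connecting the firewall
#           to external hosts, the Internet, the outside world
ext_if = "ne1"

# prv_if -- the name of the interface connecting the firewall
#           to the private (internal) host(s)
# (this must be a different interface from $ext_if; the
# original text assigned "ne1" to both, which would make every
# $prv_if rule below apply to the external interface)
prv_if = "ne2"

# filtering rules for the screened host(s):
# The "pass in on $prv_if" rules are stateless; the state that
# lets replies back in is created by the matching "pass out on
# $ext_if ... modulate state" rule.

# -- allow connections from the private host(s) to external
#    hosts on port 22 (SSH)
# note: private hosts can connect to the firewall's port 22
#       too
pass in on $prv_if inet proto tcp \
    from $prv_if:network port > 1023 \
    to any port 22
pass out on $ext_if inet proto tcp \
    from $prv_if:network port > 1023 \
    to any port 22 \
    flags S/SA modulate state

# -- allow connections from external hosts to the private
#    host(s) on port 22 (SSH)
pass in on $ext_if inet proto tcp \
    from any port > 1023 \
    to $prv_if:network port 22 \
    flags S/SA modulate state
pass out on $prv_if inet proto tcp \
    from any port > 1023 \
    to $prv_if:network port 22

# -- block connections from the private host(s) to external
#    hosts on port 22 (SSH), also block connections to port 22
#    on the firewall host
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the :network notation instead of the numeric
#       address, and the $prv_if interface has both IPv4 and
#       IPv6 addresses.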
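block in on $prv_if inet proto {tcp, udp} \
    from $prv_if:network \
    to any port 22
block in on $prv_if inet6 proto {tcp, udp} \
    from $prv_if:network \
    to any port 22

# -- block connections from external hosts to the private
#    host(s) on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the :network notation instead of the numeric
#       address, and the $prv_if interface has both IPv4 and
#       IPv6 addresses.
block in on $ext_if inet proto {tcp, udp} \
    from any \
    to $prv_if:network port 22
block in on $ext_if inet6 proto {tcp, udp} \
    from any \
    to $prv_if:network port 22

# -- allow connections from external hosts to the firewall
#    on port 22 (SSH)
pass in on $ext_if inet proto tcp \
    from any port > 1023 \
    to ($ext_if) port 22 \
    flags S/SA modulate state
# NOTE(review): connections to the firewall's own external
# address terminate on the firewall and never leave through
# $prv_if, so this "pass out" rule has nothing to match.
pass out on $prv_if inet proto tcp \
    from any port > 1023 \
    to ($ext_if) port 22

# -- block connections from external hosts to the firewall
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($ext_if) notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.
block in on $ext_if inet proto {tcp, udp} \
    from any \
    to ($ext_if) port 22
block in on $ext_if inet6 proto {tcp, udp} \
    from any \
    to ($ext_if) port 22

# -- allow connections from the private hosts to the firewall
#    on port 22 (SSH)
pass in on $prv_if inet proto tcp \
    from $prv_if:network port > 1023 \
    to ($prv_if) port 22 \
    flags S/SA modulate state

# -- block connections from private hosts to the firewall
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($prv_if) notation instead of the numeric
#       address, and the $prv_if interface has both IPv4 and
#       IPv6 addresses (the original note named $ext_if here).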
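block in on $prv_if inet proto {tcp, udp} \
    from $prv_if:network \
    to ($prv_if) port 22
block in on $prv_if inet6 proto {tcp, udp} \
    from $prv_if:network \
    to ($prv_if) port 22

# --- page [280 - 282] ---

#### Invisible Bridge ####
# the firewall has no IP addresses assigned to its
# interfaces, the private hosts have public IP addresses

# macros for the invisible bridge:

# ext_if -- the name of the interface connecting the firewall
#           to external hosts, the Internet, the outside world
ext_if = "ne1"

# prv_if -- the name of the interface connecting the firewall
#           to the private (internal) host(s)
# (a different interface from $ext_if; the original text
# assigned "ne1" to both. It is not referenced by the rules in
# this excerpt, which all filter on $ext_if.)
prv_if = "ne2"

# prv_ad -- the addresses of the private hosts
# (a literal list: with no address on the bridge interfaces
# there is no $prv_if:network to derive it from; replace the
# placeholders with the real addresses)
prv_ad = "{x.x.x.a, x.x.x.b, ...}"

# filtering rules for the screened host(s):

# -- allow connections from the private host(s) to external
#    hosts on port 22 (SSH)
pass out on $ext_if inet proto tcp \
    from $prv_ad port > 1023 \
    to any port 22 \
    flags S/SA modulate state

# -- allow connections from external hosts to the private
#    host(s) on port 22 (SSH)
pass in on $ext_if inet proto tcp \
    from any port > 1023 \
    to $prv_ad port 22 \
    flags S/SA modulate state

# -- block connections from the private host(s) to external
#    hosts on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets if
#       $prv_ad lists both IPv4 and IPv6 addresses
block out on $ext_if inet proto {tcp, udp} \
    from $prv_ad \
    to any port 22
block out on $ext_if inet6 proto {tcp, udp} \
    from $prv_ad \
    to any port 22

# -- block connections from external hosts to the private
#    host(s) on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets if
#       $prv_ad lists both IPv4 and IPv6 addresses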
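block in on $ext_if inet proto {tcp, udp} \
    from any \
    to $prv_ad port 22
block in on $ext_if inet6 proto {tcp, udp} \
    from any \
    to $prv_ad port 22

# --- page [282 - 283] ---

#### NAT + Screened Host/LAN ####
# the firewall has a public IP address assigned to its
# external interface; the private hosts have no public IP
# addresses

# macros for the NAT + screened host/LAN:

# ext_if -- the name of the interface connecting the firewall
#           to external hosts, the Internet, the outside world
ext_if = "ne1"

# prv_if -- the name of the interface connecting the firewall
#           to the private (internal) host(s)
# (a different interface from $ext_if; the original text
# assigned "ne1" to both)
prv_if = "ne2"

# NAT rules for the NAT + Screened Host/LAN setup:

# -- NAT connections from the private host(s) to external
#    hosts on port 22 (SSH)
# (the original matched on "$prv:network", a macro that is
# never defined)
nat on $ext_if inet proto tcp \
    from $prv_if:network port > 1023 \
    to any port 22 \
    -> ($ext_if)

# filtering rules for the NAT + Screened Host/LAN setup:

# -- allow connections from the private host(s) to external
#    hosts on port 22 (SSH)
# Translation happens before filtering, so on $ext_if the
# source is already ($ext_if); the original matched on
# $prv_if:network and therefore never hit. As written this
# rule also covers the firewall's own SSH clients; tag the
# packets in the nat rule and match "tagged" here if the two
# must be told apart.
pass out on $ext_if inet proto tcp \
    from ($ext_if) port > 1023 \
    to any port 22 \
    flags S/SA modulate state

# -- allow connections from external hosts to the firewall
#    on port 22 (SSH)
pass in on $ext_if inet proto tcp \
    from any port > 1023 \
    to ($ext_if) port 22 \
    flags S/SA modulate state

# -- block connections from external hosts to the firewall
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($ext_if) notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.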
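block in on $ext_if inet proto {tcp, udp} \
    from any \
    to ($ext_if) port 22
block in on $ext_if inet6 proto {tcp, udp} \
    from any \
    to ($ext_if) port 22

# -- allow connections from the private hosts to the firewall
#    on port 22 (SSH)
pass in on $prv_if inet proto tcp \
    from $prv_if:network port > 1023 \
    to ($prv_if) port 22 \
    flags S/SA modulate state

# -- block connections from private hosts to the firewall
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($prv_if) notation instead of the numeric
#       address, and the $prv_if interface has both IPv4 and
#       IPv6 addresses (the original note named $ext_if here).
block in on $prv_if inet proto {tcp, udp} \
    from $prv_if:network \
    to ($prv_if) port 22
block in on $prv_if inet6 proto {tcp, udp} \
    from $prv_if:network \
    to ($prv_if) port 22

# --- page [287 - 288] ---

# Macros

# ext_if -- the interface to the outside world
ext_if="ne0"

# Options
set require-order yes
set block-policy drop
set optimization normal
# loginterface only affects the statistics pfctl -s info shows;
# rules with "log" still write to pflog0
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Filter packets

# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the screened
# host
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA keep state

# antispoof rule on the external interface
antispoof for $ext_if

# --- page [288 - 289] ---

# Macros

# ext_if -- the interface to the outside world
ext_if="ne0"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Filter packets

# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the bastion
# host
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA keep state

# The three "pass in" rules below match "from any". The
# original had "from ($ext_if)", i.e. only packets claiming to
# come from the bastion's own address, so no external client
# could ever reach the services.
# NOTE(review): these rules are "quick" and sit before
# "antispoof", so a packet spoofing the bastion's own address
# is passed before antispoof can reject it; move antispoof
# above them (or give it "quick") if that matters.

# pass all connections originating from external hosts to
# port 80 (WWW) on the bastion host
pass in quick on $ext_if inet proto tcp \
    from any \
    to ($ext_if) port 80 \
    flags S/SA synproxy state

# pass all connections originating from external hosts to
# port 22 (SSH) on the bastion host
pass in quick on $ext_if inet proto tcp \
    from any \
    to ($ext_if) port 22 \
    flags S/SA synproxy state

# pass all connections originating from external hosts to
# port 25 (SMTP) on the bastion host
pass in quick on $ext_if inet proto tcp \
    from any \
    to ($ext_if) port 25 \
    flags S/SA synproxy state

# antispoof rule on the external interface
antispoof for $ext_if

# --- page [289 - 290] ---

# Macros

# ext_if -- the interface to the outside world
ext_if="ne0"

# prv_if -- the interface to the private hosts
prv_if="ne1"

# prv_hosts -- the list of addresses of hosts on the
#              screened LAN
prv_hosts = "{x.x.x.1, x.x.x.10, x.x.x.5}"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Filter packets

# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the firewall and
# the screened LAN. There is no NAT in this setup, so packets
# from the LAN leave $ext_if with their own (public) source
# addresses and need their own stateful rule: the original
# only matched ($ext_if), the stateless "pass in on $prv_if"
# below creates no state, and every reply was then dropped by
# "block in log all".
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA modulate state
pass out quick on $ext_if inet \
    from $prv_hosts to any flags S/SA modulate state

# pass all connections originating from the screened LAN
pass in quick on $prv_if inet from $prv_hosts to any flags S/SA

# antispoof rule on the external interface
antispoof for $ext_if

# antispoof rule on the private interface
antispoof for $prv_if

# --- page [290 - 292] ---

# Macros

# ext_if -- the interface to the outside world
ext_if="ne0"

# prv_if -- the interface to the private hosts
prv_if="ne1"

# prv_hosts -- the list of addresses of hosts on the
#              screened LAN
prv_hosts = "{x.x.x.1, x.x.x.10, x.x.x.5}"

# prv_www -- the address of host running the HTTP server
prv_www = "x.x.x.1"

# prv_smtp -- the address of host running the SMTP server
prv_smtp = "x.x.x.10"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the firewall
# and the screened LAN (no NAT here, so the LAN hosts need
# their own stateful rule; see the note on the previous
# example)
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA modulate state
pass out quick on $ext_if inet \
    from $prv_hosts to any flags S/SA modulate state

# pass all connections originating from the screened LAN
pass in quick on $prv_if inet from $prv_hosts to any flags S/SA

# The "pass in" rules below match "from any"; the original's
# "from ($ext_if)" only matched packets claiming the firewall's
# own address and so admitted nobody.

# pass all connections originating from external hosts to
# port 80 (WWW) on one of the internal hosts
pass in quick on $ext_if inet proto tcp \
    from any \
    to $prv_www port 80 \
    flags S/SA synproxy state

# pass all connections originating from external hosts to
# port 22 (SSH) on all internal hosts
# (the original referenced $prv_ad, which this example never
# defines; the host list here is $prv_hosts)
# NOTE(review): this exposes SSH on every LAN host to the whole
# Internet; restrict the source if the hosts are not meant to
# be public SSH servers.
pass in quick on $ext_if inet proto tcp \
    from any \
    to $prv_hosts port 22 \
    flags S/SA synproxy state

# pass all connections originating from external hosts to
# port 25 (SMTP) on one of the internal hosts
pass in quick on $ext_if inet proto tcp \
    from any \
    to $prv_smtp port 25 \
    flags S/SA synproxy state

# antispoof rule on the external interface
antispoof for $ext_if

# antispoof rule on the private interface
antispoof for $prv_if

# --- page [292 - 293] ---

# Macros

# ext_if -- the interface to the outside world
ext_if="ne0"

# prv_if -- the interface to the private hosts
prv_if="ne1"

# prv_hosts -- the list of addresses of hosts on the
#              screened LAN
prv_hosts = "{192.168.1.1, 192.168.1.10, 10.3.1.5}"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Translate packets
# Translate every protocol, not only tcp/udp as the original
# did: the "pass in quick on $prv_if" rule below passes
# everything from the LAN, and with a tcp/udp-only nat rule
# ICMP would leave $ext_if with RFC 1918 source addresses
# (the next example on page 293 already writes it this way).
nat on $ext_if inet \
    from $prv_hosts to any -> ($ext_if)

# Filter packets

# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the firewall (after
# NAT this also covers the LAN hosts' traffic)
pass out quick on $ext_if \
    from ($ext_if) to any flags S/SA modulate state

# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA

# antispoof rule on the external interface
antispoof for $ext_if

# antispoof rule on the private interface
antispoof for $prv_if

# --- page [293 - 295] ---

# Macros

# ext_if -- the interface to the outside world
ext_if="ne0"

# prv_if -- the interface to the private hosts
prv_if="ne1"

# dmz_if -- the interface to the DMZ
dmz_if="ne2"

# prv_hosts -- the list of addresses of hosts on the
#              screened LAN
prv_hosts = "{192.168.1.1, 192.168.1.10, 10.3.1.5}"

# dmz_hosts -- the list of addresses of hosts in the
#              DMZ
dmz_hosts = "{192.168.2.1/32, 192.168.2.2/32, 192.168.2.3}"

# dmz_www -- the address of the WWW server in the DMZ
dmz_www = "192.168.2.1/32"

# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = "192.168.2.2/32"

# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = "192.168.2.3/32"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Translate packets

# nat for the private hosts
nat on $ext_if inet from $prv_hosts to any -> ($ext_if)

# nat for the DMZ hosts
nat on $ext_if inet from $dmz_hosts to any -> ($ext_if)

# redirect connections to port 80 (HTTP) to DMZ
rdr on $ext_if inet proto tcp \
    from any to ($ext_if) port 80 -> $dmz_www

# redirect connections to port 25 (SMTP) to DMZ
rdr on $ext_if inet proto tcp \
    from any to ($ext_if) port 25 -> $dmz_smtp

# redirect connections to port 53 (DNS) to DMZ
# (the original had a stray "(DNS)" inside the rule)
rdr on $ext_if inet proto {tcp, udp} \
    from any to ($ext_if) port 53 -> $dmz_dns

# Filter packets

# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the firewall (after
# NAT this also covers the LAN and DMZ hosts' traffic)
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA modulate state

# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA

# pass all connections originating from the DMZ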
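# NOTE(review): "to any" lets a DMZ host open connections into
# the private LAN as well as to the Internet, so a compromised
# DMZ server can pivot inwards. A "block in quick on $dmz_if
# from $dmz_hosts to $prv_hosts" ahead of this rule (or
# narrowing "to any") closes that path.
pass in quick on $dmz_if from $dmz_hosts to any flags S/SA

# The rules below name their protocol explicitly: synproxy and
# "flags S/SA" are TCP concepts, and without "proto" the rule
# would also admit UDP to ports 80 and 25 (which the rdr rules
# never forward). Filtering happens after rdr, so the
# destinations are the DMZ addresses, not ($ext_if).

# pass all connections to the WWW host in the DMZ
pass in on $ext_if inet proto tcp from any to $dmz_www \
    port 80 flags S/SA synproxy state

# pass all connections to the SMTP host in the DMZ
pass in on $ext_if inet proto tcp from any to $dmz_smtp \
    port 25 flags S/SA synproxy state

# pass all connections to the DNS host in the DMZ
pass in on $ext_if inet proto {tcp, udp} from any to $dmz_dns \
    port 53 flags S/SA keep state

# antispoof rule on the external interface
antispoof for $ext_if

# antispoof rule on the private interface
antispoof for $prv_if
# NOTE(review): there is no "antispoof for $dmz_if"; add one so
# packets arriving on $dmz_if with LAN or external source
# addresses are dropped as well.

# --- page [295 - 296] ---

# Macros

# ext_if -- the interface to the outside world
ext_if="ne0"

# prv_if -- the interface to the private hosts
prv_if="ne1"

# prv_hosts -- the list of addresses of hosts on the
#              screened LAN
prv_hosts = "{x.x.x.1, x.x.x.10, x.x.x.5}"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Filter packets

# block all incoming connections sent from the outside
# log all blocked packets
# (only $ext_if is blocked here, so nothing needs to pass the
# LAN's traffic in on $prv_if)
block in log on $ext_if all

# pass all connections originating from the screened LAN
# note: no rule creates state for connections the firewall host
#       itself originates on $ext_if, so their replies hit the
#       block rule above (compare page 289-290, which also
#       passes "from ($ext_if)")
pass out quick on $ext_if inet \
    from $prv_hosts to any flags S/SA modulate state

# antispoof rule on the external interface
antispoof for $ext_if

# antispoof rule on the private interface
antispoof for $prv_if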