pf and mpd

dave dmehler26 at woh.rr.com
Tue May 17 13:19:59 PDT 2005 

Hello,
    Thanks for your reply. Ok, below is my pf.conf file.
Thanks.
Dave.

# pf.conf
# for use on gateway box

# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last
match.

# define the two interface macros
EXT = "ep0"
LAN = "ep1

# define some address macros
LAN_SERVER = "192.168.0.3"
LAN_FIREWALL = "192.168.0.254"
LAN_CLIENTS = "192.168.0.0/24"
LAN_ADMIN = "192.168.0.0/24"

# define some non-routeable addresses used in spoof attacks originating from
the internet
PRIVATE_BLOCKS = "{
    127.0.0.0/8
    192.168.0.0/16
    172.16.0.0/12
    10.0.0.0/8
!10.40.224.1
  }"

# define some service macros
LAN_TO_INT_SERVICES = "{ ftp-data, ftp, domain, cvsup, ssh, smtp, http,
pop3, imap, https, imaps, pop3s, 8000, 8880,8080, 1793, 1794, 1795, 1790,
1791, 1792 }"
INT_TO_LAN_SERVICES = "{ www, https, ssh, smtp, pop3, pop3s, 8000, 1723 }"
LAN_TO_FW_SERVICES = "{ ssh }"
FW_to_LAN_services = "{ ssh }"

# options
# expire state connections early
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# normalize packets to prevent fragmentation attacks
scrub in on $EXT all

# translate lan client addresses to that of EXT
nat on $EXT from $LAN_CLIENTS to any -> ($EXT)

# redirections
rdr on $EXT proto tcp from any to any port 80 -> 192.168.0.3 port 80
rdr on $EXT inet proto tcp from any os "Windows" to any port 25 -> 127.0.0.1
port 8025
# redirect lan client active FTP requests (to an FTP server's control port
21)
# to the ftp-proxy running on the firewall host (via inetd on port 8081)
rdr on ep1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# pass loopback traffic
pass quick on lo0 all

# block windows email relays
block in quick on $EXT inet proto tcp from any os "Windows" to any port 25

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# silently block and drop broadcast cable modem noise
block in quick on $EXT from any to 255.255.255.255

# Block bad tcp flags from malicious people and nmap scans
block in quick on $EXT proto tcp from any to any flags /S
block in quick on $EXT proto tcp from any to any flags /SFRA
block in quick on $EXT proto tcp from any to any flags /SFRAU
block in quick on $EXT proto tcp from any to any flags A/A
block in quick on $EXT proto tcp from any to any flags F/SFRA
block in quick on $EXT proto tcp from any to any flags U/SFRAU
block in quick on $EXT proto tcp from any to any flags SF/SF
block in quick on $EXT proto tcp from any to any flags SF/SFRA
block in quick on $EXT proto tcp from any to any flags SR/SR
block in quick on $EXT proto tcp from any to any flags FUP/FUP
block in quick on $EXT proto tcp from any to any flags FUP/SFRAUPEW
block in quick on $EXT proto tcp from any to any flags SFRAU/SFRAU
block in quick on $EXT proto tcp from any to any flags SFRAUP/SFRAUP
block in quick on $EXT proto tcp all flags FUP/FUP

# immediately prevent packets with invalid addresses from entering or
exiting EXT (anti-spoofing measure)
block drop in quick on $EXT inet from $PRIVATE_BLOCKS to any
#block drop out quick on $EXT inet from any to $PRIVATE_BLOCKS

# prevent lan originated spoofing from occurring
antispoof for $EXT inet

# block everything from entering EXT
block in on $EXT all

# preventing invalid internet UDP and TCP requests from timing out
block return in on $EXT proto { udp, tcp } all

# allow internet requests to enter EXT
# in order to contact our lan server (keep state on this connection
pass in on $EXT \
inet proto tcp \
from any to 192.168.0.3 \
port $INT_TO_LAN_SERVICES \
flags S/AUPRFS \
synproxy state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in
inetd.conf
pass in on $EXT \
inet proto tcp \
from any port 20 \
to $EXT port 55000 >< 57000 \
user proxy \
flags S/SA keep state

# block everything from exiting EXT
block out on $EXT all

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out on $EXT \
inet proto udp \
 from $EXT to any \
 port 53 \
 keep state

# Allow UDP requests to port 67/68 from firewall to exit EXT
# in order to contact internet dhcp servers (keep state on this connection)
pass out log on $EXT \
proto udp \
from $EXT to any \
port { 67, 68, 123 } \
keep state

# allow lan traffic from internet clients to exit EXT
# (after natting is performed) in order to contact internet web servers
# (keep state on this connection)
pass out on $EXT \
inet proto tcp \
 from $EXT to any \
port $LAN_TO_INT_SERVICES \
flags S/AUPRFS modulate state

# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan admin
pass out on $EXT \
inet proto icmp \
from $EXT to any \
icmp-type 8 \
keep state

# allow ftp active requests out
pass out on $EXT \
inet proto tcp \
from $EXT to any \
port 20 \
flags S/AUPRFS modulate state

# allow firewall to contact ftp server on behalf of passive ftp client
# on control port 21
pass out on $EXT \
inet proto tcp \
from $EXT to any \
port 21 \
flags S/AUPRFS modulate state

# allow firewall to contact ftp server on behalf of passive ftp client
# on standard unprivileged port range ( > 1024 )
pass out on $EXT \
inet proto tcp \
from $EXT to any \
port > 1024 \
flags S/AUPRFS modulate state

# block everything from entering LAN
block in on $LAN all

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this
connection)
pass in on $LAN \
inet proto udp \
 from $LAN_clients to $LAN_firewall \
 port 53 \
 keep state

# allow lan traffic from lan clients to enter lan
# in order to contact internet web servers (keep state on this connection)
pass in on $LAN \
inet proto tcp \
 from $LAN_clients to any \
port $LAN_TO_INT_SERVICES \
flags S/AUPRFS modulate state

# lan admin connects to firewall via ssh for administrative purposes
pass in on $LAN \
 inet proto tcp \
 from $LAN_admin to $LAN_firewall \
 port $LAN_to_FW_services \
 modulate state

# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet
hosts)
pass in on $LAN \
inet proto icmp \
from $LAN_admin to any \
icmp-type 8 \
keep state

# block everything from exiting LAN
block out on $LAN all

# allow internet requests to exit lan
# in order to contact our web server (keep state on this connection)
pass out on $LAN \
inet proto tcp \
 from any to $LAN_server \
port $INT_TO_LAN_SERVICES \
flags S/AUPRFS synproxy state

# firewall connects to the lan server via scp/ssh for backup purposes
pass out on $LAN \
 inet proto tcp \
 from $LAN_firewall to $LAN_server \
 port $FW_to_LAN_services \
 modulate state

More information about the freebsd-pf mailing list