pf and mpd
Greg Hennessy
Greg.Hennessy at nviz.net
Tue May 17 14:39:12 PDT 2005
>
> # options
> # expire state connections early
> set optimization aggressive
Why?
> set block-policy drop
set block-policy return # makes you a good internet citizen and helps debug problems on your own network.
> # to the ftp-proxy running on the firewall host (via inetd on port 8081)
> rdr on ep1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> # pass loopback traffic
# Stick a
block log all
# here, a default deny posture is the most secure.
# If you cannot see what's being dropped by default
# it's impossible to debug. Log everything! You can always tone it
# down when the policy has been debugged.
> pass quick on lo0 all
>
> # block windows email relays
> block in quick on $EXT inet proto tcp from any os "Windows"
> to any port 25
You've just killed anyone using Exchange as an MTA by doing that.
>
> # immediately prevent IPv6 traffic from entering or leaving all interfaces
> block quick inet6 all
A default block policy will do that anyway.
> # silently block and drop broadcast cable modem noise
> block in quick on $EXT from any to 255.255.255.255
>
> # Block bad tcp flags from malicious people and nmap scans
A waste of time, scrub will sort that.
> flags S/AUPRFS modulate state
This is a *really* bad idea, use flags 'S/SA' only. Otherwise it *will*
cause problems.
Applying 'modulate state' to each rule is overkill, let scrub of the form
scrub on $EXT reassemble tcp random-id
take care of it.
>
> # allow firewall to contact ftp server on behalf of passive ftp client
> # on control port 21
> pass out on $EXT \
> inet proto tcp \
> from $EXT to any \
> port 21 \
> flags S/AUPRFS modulate state
>
> # allow firewall to contact ftp server on behalf of passive ftp client
> # on standard unprivileged port range ( > 1024 )
> pass out on $EXT \
> inet proto tcp \
> from $EXT to any \
> port > 1024 \
> flags S/AUPRFS modulate state
>
> # block everything from entering LAN
> block in on $LAN all
Handled by a default block policy.
>
> # allow UDP requests to port 53 from lan clients to enter LAN
> # in order to perform dns queries on the firewall (keep state on this
> connection)
> pass in on $LAN \
> inet proto udp \
> from $LAN_clients to $LAN_firewall \
> port 53 \
> keep state
>
> # allow lan traffic from lan clients to enter lan
> # in order to contact internet web servers (keep state on this connection)
> pass in on $LAN \
> inet proto tcp \
> from $LAN_clients to any \
> port $LAN_TO_INT_SERVICES \
> flags S/AUPRFS modulate state
PPTP consists of two parts:
IP protocol 47 (GRE)
and
1723/tcp
You're not allowing in the GRE part of the traffic.
When I used mpd and pf last, you need a rule of the form
pass in on $EXT inet proto gre to $EXT keep state
and you need to add rules to allow traffic to flow for the ng* interfaces mpd
will create on the fly for each tunnel.
Greg
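For reference, here is a small pf.conf fragment (an added example, not the original poster's ruleset or anything from the mpd project) that puts the points from this reply together: return block policy, scrub instead of per-rule modulate state, a logged default deny, flags S/SA, and the GRE plus 1723/tcp plus ng* rules a PPTP server behind pf needs. The interface names, the LAN network and the list of ng* interfaces are assumptions.

```pf
# Added example, not from the original post. Macro values below are assumed;
# replace them with the real interfaces and networks.
EXT      = "ep1"
LAN      = "ep0"
LAN_net  = "192.168.1.0/24"
pptp_ifs = "{ ng0, ng1, ng2, ng3 }"   # tunnel interfaces mpd creates on demand

# Return RST / ICMP unreachable instead of dropping silently: easier to debug,
# and remote peers fail fast instead of timing out.
set block-policy return

# Normalisation handles fragments, bogus TCP flag combinations and
# predictable IP IDs once, so per-rule "modulate state" is not needed.
scrub on $EXT reassemble tcp random-id

# Default deny, logged: anything not explicitly passed below shows up on
# pflog0 (tcpdump -n -e -ttt -i pflog0), so the policy can be debugged.
block log all

# Loopback is trusted.
pass quick on lo0 all

# LAN clients reach the firewall's resolver and web servers on the Internet.
# Only match the initial SYN (flags S/SA); scrub already cleans up the rest.
pass in on $LAN inet proto udp from $LAN_net to ($LAN) port 53 keep state
pass in on $LAN inet proto tcp from $LAN_net to any port { 80, 443 } \
    flags S/SA keep state
pass out on $EXT inet from ($EXT) to any keep state

# PPTP is two things: the control channel on 1723/tcp and the GRE
# (IP protocol 47) tunnel traffic. Both must be passed in on $EXT, or the
# tunnel negotiates but never carries data.
pass in on $EXT inet proto tcp from any to ($EXT) port 1723 \
    flags S/SA keep state
pass in on $EXT inet proto gre from any to ($EXT) keep state

# Each tunnel mpd brings up appears as an ng* interface; without rules on
# those interfaces the default block silently eats the decapsulated packets.
pass in  on $pptp_ifs from any to $LAN_net keep state
pass out on $pptp_ifs from $LAN_net to any keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while bringing a tunnel up to see which rule, if any, still blocks it.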