newbie to pf

Daniel Bye freebsd-questions at slightlystrange.org
Mon Dec 4 12:14:08 PST 2006


On Mon, Dec 04, 2006 at 12:36:09PM +0100, Niklas Saers wrote:
> 
> The main problem turned out to be the ADSL router, not pf. The
> forwarded data was not being forwarded correctly, but a flash update
> and reconfig later the data are coming in fine and being forwarded
> just fine.
> 
> What I'm wondering about now is: what weaknesses are there in my
> setup? Is there anything I should be particularly aware of?

I can't see any glaring holes in it, but there are a few things you
can do to simplify your rules.

> 
> # macros
> ext_if = "sis0"
> int_if = "sis1"
> bus_if = "sis2"
> internal_net = "10.0.2.0/24"
> business_net = "10.0.3.0/24"
> soekris = "{ 10.0.0.4, 10.0.2.1, 10.0.3.1 }"
> 
> # tables
> table <firewall> const { self }
> 
> # options
> set block-policy drop
> set state-policy if-bound
> #set require-order yes
> #set fingerprints "/etc/pf.os"
> #set loginterface $ext_if
> 
> # scrub incoming packets
> set skip on lo
> scrub all reassemble tcp fragment reassemble
> 
> # redirection
> rdr pass on $ext_if proto tcp from any to any port 22 -> 10.0.3.2
> rdr pass on $ext_if proto tcp from any to any port 443 -> 10.0.3.2
> rdr pass on $ext_if proto tcp from any to any port 3306 -> 10.0.3.2

You can do this as one rule with a macro:

office_ports = "{ ssh https 3306 }"
rdr pass on $ext_if proto tcp from any to any port $office_ports -> 10.0.3.2

> 
> # nat
> nat on $ext_if from $internal_net to any -> ($ext_if)
> nat on $ext_if from $business_net to any -> ($ext_if)
> no nat on $ext_if from $internal_net to $business_net
> no nat on $ext_if from $internal_net to $soekris
> 
> # setup a default deny policy
> block drop log all
> 
> # pass traffic on the loopback interface in either direction
> pass quick on lo0 all

As you have `set skip on lo', above, this rule is redundant.

> pass quick on $int_if all
> pass quick on $bus_if all
> 
> # outgoing dns, ntp
> pass out quick on $ext_if inet proto udp from ($ext_if) to any port {
> 53, 123 } keep state
> 
> # outgoing from firewall
> pass out log quick on $ext_if inet proto tcp from ($ext_if) to any
> flags S/SA keep state
> pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if)
> to any keep state

You can specify these as one rule in pf.conf - sounds odd, but pf
is smart enough to apply the flags only to TCP connections.

pass out log quick on $ext_if inet proto { tcp udp icmp } from ($ext_if) \
  to any flags S/SA modulate state

Load the rule, and see what pf does to it.  It will create three
separate rules, one for each protocol, with only the one for tcp having
the flags applied.  In addition, the udp and icmp rules will end with
a simple keep state, while the modulate state is applied to the tcp 
rule.

> 
> # incoming active ftp-data (this is required for active ftp to work)
> pass in log quick on $ext_if inet proto tcp from any port 20 to
> ($ext_if) port >= 1024 flags S/SA keep state
> 
> # incoming tcp and udp from the internal network to the internet
> pass in log quick on $int_if inet proto tcp from $internal_net to
> !<firewall> flags S/SA modulate state
> pass in log quick on $int_if inet proto udp from $internal_net to
> !<firewall> keep state
> pass in log quick on $bus_if inet proto tcp from $business_net to
> !<firewall> flags S/SA modulate state
> pass in log quick on $bus_if inet proto udp from $business_net to
> !<firewall> keep state

You could reduce this to two rules, as well.

pass in log quick on $int_if inet proto { tcp udp } from $int_if:network \
  to !<firewall> flags S/SA modulate state
pass in log quick on $bus_if inet proto { tcp udp } from $bus_if:network \
  to !<firewall> flags S/SA modulate state

I'm sure that if I'm off the mark, someone more knowledgeable will put
me right.

Cheers,

Dan

-- 
Daniel Bye

PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75  B79A 8B17 F97C 1622 166A
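The following is an added example, not code from the original thread and not pfctl's own parser. It models the list expansion the reply describes (one rule per member of a `{ ... }' list, the Cartesian product when a rule carries several lists, and the TCP-only options dropped from the non-TCP copies) so you can see, without a pf host at hand, roughly what `pfctl -nvf /etc/pf.conf' would print for a rule. Macros such as $ext_if are left as-is; the sample rules are constructed from the ones quoted above, and the handling of rules with no explicit proto is an assumption of this model.

```python
"""Model of how pfctl expands a rule containing { ... } lists.

Added example, not code from the original post or from pf/pfctl itself.
It mimics the expansion described in the reply: one rule per list member,
the Cartesian product when a rule has several lists, and the TCP-only
options ("flags", "modulate state") removed from the non-TCP copies.
Macros such as $ext_if are left untouched.
"""
import itertools
import re
from typing import List, Optional

LIST_RE = re.compile(r"\{([^{}]*)\}")        # one non-nested { ... } list
PROTO_RE = re.compile(r"\bproto\s+(\S+)")
FLAGS_RE = re.compile(r"\s*\bflags\s+\S+")  # "flags S/SA", "flags any", ...


def split_list(body: str) -> List[str]:
    """Members of a pf list; pf accepts comma- or whitespace-separated items."""
    return [tok for tok in re.split(r"[,\s]+", body.strip()) if tok]


def expand_lists(rule: str) -> List[str]:
    """Replace every { ... } list by one rule per combination of members."""
    pieces = LIST_RE.split(rule)        # literal, list-body, literal, ...
    literals = pieces[0::2]
    lists = [split_list(body) for body in pieces[1::2]]
    expanded = []
    for combo in itertools.product(*lists):   # no lists -> one empty combo
        text = literals[0]
        for member, literal in zip(combo, literals[1:]):
            text += member + literal
        expanded.append(" ".join(text.split()))
    return expanded


def proto_of(rule: str) -> Optional[str]:
    m = PROTO_RE.search(rule)
    return m.group(1) if m else None


def drop_tcp_only_options(rule: str) -> str:
    """For a rule whose proto is explicit and not tcp, remove the TCP-only
    options the reply mentions: 'flags' goes away and 'modulate state'
    becomes plain 'keep state'.  Rules with no proto are left alone
    (assumption of this model, not verified pfctl behaviour)."""
    proto = proto_of(rule)
    if proto is None or proto == "tcp":
        return rule
    rule = FLAGS_RE.sub("", rule)
    rule = rule.replace("modulate state", "keep state")
    return " ".join(rule.split())


def expand_rule(rule: str) -> List[str]:
    """Full expansion: list Cartesian product, then per-protocol fixups."""
    return [drop_tcp_only_options(r) for r in expand_lists(rule)]


# Constructed sample rules, built from the ones discussed in the thread.
OUTGOING_RULE = ("pass out log quick on $ext_if inet proto { tcp udp icmp } "
                 "from ($ext_if) to any flags S/SA modulate state")
INTERNAL_RULE = ("pass in log quick on $int_if inet proto { tcp udp } "
                 "from $int_if:network to !<firewall> flags S/SA modulate state")
RDR_RULE = ("rdr pass on $ext_if proto tcp from any to any "
            "port { ssh, https, 3306 } -> 10.0.3.2")

if __name__ == "__main__":
    for rule in (OUTGOING_RULE, INTERNAL_RULE, RDR_RULE):
        print(rule)
        for line in expand_rule(rule):
            print("  ->", line)
```

Compare the model's output against the real thing with `pfctl -nvf /etc/pf.conf' on the firewall; the rule count it reports is the number of expanded rules, which is also what shows up in `pfctl -sr' and in your pflog.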