hi, need some help refining my pf rules. The majority of the rules are from various sources on the net, so you might find some rules that are redundant.

General details:
connection type = cable
ip address = dynamic (dhcp)

thanx
Shadrock

--------------------------------------------------------------------------------

# PF ruleset, 14 June 2003
#
# Liberally adapted from the pf man page,
# the OpenBSD "Network How-To",
# and my own rulesets.
# Ras Shadrock Uhuru
#--------------------------------------------------------------------------
# MACROS

# INTERFACES
# internal network
INT_IFACE = "xl0"
# demilitarised network
DEMIL_IFACE = "xl1"
# external network
EXT_IFACE = "ep0"
# local host interface
LO_IFACE = "lo0"
# wireless network
# WIRE_IFACE = ""

# NETWORKS
INT_ZONE = "192.168.1.0/24"
DEMIL_ZONE = "172.16.1.0/12"

# ++++++++++++++++++++++++++++++++++++++++++++++++++++
# ====================================================
# (Q1) how do I refer to the external zone? how do I refer to the firewall
#      itself, e.g. to ssh to the firewall for administration?
# ====================================================
EXT_ZONE = "x.x.x.0/24"
FIREWALL = "x.x.x.x"
# ++++++++++++++++++++++++++++++++++++++++++++++++++++

# DMZ SERVERS
DNS_SERV1 = "172.16.1.1"
DNS_SERV2 = "172.16.1.2"
MAIL_SERV = "172.16.1.3"
WEB_SERV = "172.16.1.4"

# ++++++++++++++++++++++++++++++++++++++++++++++++++++
# ====================================================
# (Q2) these are macros for the binat rule, should they have proper inet
#      addresses instead of the x's?
# ====================================================
DNS_EXT1 = "x.x.x.1"
DNS_EXT2 = "x.x.x.2"
MAIL_EXT = "x.x.x.3"
WEB_EXT = "x.x.x.4"
# ++++++++++++++++++++++++++++++++++++++++++++++++++++

# SPECIALS
# Non-routable IP numbers
#-----------------------------------------------------------------------
#192.168.0.0/16     #RFC 1918 private IP
#172.16.0.0/12      #RFC 1918 private IP
#10.0.0.0/8         #RFC 1918 private IP
#127.0.0.0/8        #loopback
#0.0.0.0/8          #"this" network (RFC 1122)
#169.254.0.0/16     #DHCP auto-config (link-local)
#192.0.2.0/24       #reserved for docs
#204.152.64.0/23    #Sun cluster interconnect
#224.0.0.0/3        #Class D multicast & Class E reserved
RESERVED = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"
# TRUSTED = "{ tba }"
InServicesTCP = "{ ssh, smtp, auth, http, https, pop3 }"
OutServicesTCP = "{ http, https, smtp, pop3, pop3s, whois, domain, ssh, telnet, ftp, ftp-data, sftp, nntp, auth, ntp }"
# OUTTCP = "{ 21, 22, 23, 25, 43, 53, 80, 110, 443, 554, 871, 1214, 1863, 2401, 5050 }"

# ++++++++++++++++++++++++++++++++++++++++++++++++++++
InServicesUDP = "{ domain }"
# ====================================================
# (Q3) should I add port 67/68 to InServicesUDP?
# ====================================================
#INUDP = "{ 68 }"
OutServicesUDP = "{ domain, ntp }"
# OUTUDP = "{ 53, 123 }"
INICMP = "{ 3, 11 }"
# ++++++++++++++++++++++++++++++++++++++++++++++++++++
# ====================================================
# (Q4) are these correct?
# ====================================================
OUTTRACEROUTE = "{ 33434 >< 33525 }"
FTPPORTS = "{ 55000 >< 57000 }"
# ++++++++++++++++++++++++++++++++++++++++++++++++++++
XMMS = "{ 6000, 7500, 8000, 8004, 8044, 8034, 8052, 8038, 8010, 8400, 8014, 8026, 8048, 8002, 8024, 8028, 8080 }"
RealAudio = "{ 554, 7070, 8080 }"

#--------------------------------------------------------------------------
# OPTIONS
#--------------------------------------------------------------------------
# log all packets on external interface
set loginterface $EXT_IFACE
# set max of 20k keep states and 20k fragment entries
set limit { states 20000, frags 20000 }
# set optimisation to normal (pf spells the keyword "optimization")
set optimization normal
#
#--------------------------------------------------------------------------
# Clean up fragmented and abnormal packets
# By default in pf, packets which contain IP options are blocked. Good.
# scrub in on { $EXT_IFACE, $INT_IFACE } all
scrub in all
#--------------------------------------------------------------------------
# QUEUEING
#-------------------------------------------------------------------------
# NAT
# nat internal ip addr range 192.168.1.0/24
# to the routable ip on the external interface
nat on $EXT_IFACE from $INT_ZONE to any -> ($EXT_IFACE)

# ++++++++++++++++++++++++++++++++++++++++++++++++++++
# ====================================================
# (Q5) is the first binat rule ok? I've modified it from
#      binat on $EXT_IFACE inet from $WEB_SERV to any -> $WEB_EXT
#      the idea was to let the EXT_IFACE be the final address
# ====================================================
# web servers in dmz
# binat on $EXT_IFACE inet from $WEB_SERV to any -> $EXT_IFACE
# binat on $INT_IFACE inet from $WEB_SERV to any -> $INT_IFACE
# mail servers in dmz ("on" takes an interface, not a network)
# binat on $EXT_IFACE inet from $MAIL_SERV to any -> $MAIL_EXT
# binat on $INT_IFACE inet from $MAIL_SERV to any -> $MAIL_EXT
# dns servers in dmz (likewise for $DNS_SERV2 -> $DNS_EXT2)
# binat on $EXT_IFACE inet from $DNS_SERV1 to any -> $DNS_EXT1
# binat on $INT_IFACE inet from $DNS_SERV1 to any -> $DNS_EXT1
# ++++++++++++++++++++++++++++++++++++++++++++++++++++

# add to /etc/inetd.conf
# 127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
# redirect ftp clients behind nat on the internal interface to the ftp proxy daemon
rdr on $INT_IFACE inet proto tcp from any to $EXT_ZONE port 21 -> 127.0.0.1 port 8081
# redirect web to the local proxy listening on 3128
rdr on $INT_IFACE inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# FILTERS
# Defaults
# Immediate blocks
# fuzz any 'nmap' fingerprinting attempt
# ++++++++++++++++++++++++++++++++++++++++++++++++++++
block in log quick on $EXT_IFACE inet proto tcp from any to any \
      flags { FUP/FUP, SF/SFRA, P/SFRA, F/SFRA, U/SFRAU } #SFUP/SFRA
# ====================================================
# (Q6) do I use all the flags above or just these below?
# ====================================================
block in log quick on $EXT_IFACE inet proto tcp from any to any flags FUP/FUP
block in log quick on $EXT_IFACE inet proto tcp from any to any flags SF/SFRA
block in log quick on $EXT_IFACE inet proto tcp from any to any flags /SFRA
# ++++++++++++++++++++++++++++++++++++++++++++++++++++

# ++++++++++++++++++++++++++++++++++++++++++++++++++++
# prevent spoofing of non-routable addresses on DMZ network
# ====================================================
# (Q7) do I need this?
# ====================================================
block in log quick on $DEMIL_IFACE inet proto tcp from ! $DEMIL_ZONE to any
block out log quick on $DEMIL_IFACE inet proto tcp from any to ! $DEMIL_ZONE
# ++++++++++++++++++++++++++++++++++++++++++++++++++++

# don't allow anyone to spoof non-routable addresses
# block anything coming from a source we have no back routes for
block in log quick on $EXT_IFACE inet proto tcp from $RESERVED to any
block out log quick on $EXT_IFACE inet proto tcp from any to $RESERVED

# antispoof for local interface
antispoof for $LO_IFACE
# antispoof for internal interface
antispoof for $INT_IFACE
# antispoof for demilitarised interface
antispoof for $DEMIL_IFACE
# antispoof for external interface
antispoof for $EXT_IFACE
# antispoof for wireless interface
# antispoof for $WIRE_IFACE

# silently drop broadcasts (cable modem noise)
block in quick on $EXT_IFACE from any to 255.255.255.255/32
block out quick on $EXT_IFACE from 255.255.255.255/32 to any
block in quick inet6 all
block out quick inet6 all

# egress filtering
# filter outbound traffic that doesn't have a valid external address as source
block out log quick on $EXT_IFACE inet proto tcp from ! $EXT_ZONE to any

# loopback packets left unmolested
pass in quick on $LO_IFACE all
pass out quick on $LO_IFACE all

# allow internal traffic to flow freely
pass in quick on $INT_IFACE all
pass out quick on $INT_IFACE all

# allow outgoing DMZ traffic to flow freely (not to the internal network)
pass in quick on $DEMIL_IFACE inet proto tcp from $DEMIL_ZONE to ! $INT_ZONE flags S/SA keep state

# block and log everything
# block out log all
# block in log all
block return log all

# ====================================================
# (Q8) as some of the rules are from various sources there may be some
#      redundancy in the rules, please remove redundant rules
# ====================================================

# ICMP (ping)
# Pass desired ICMP traffic
pass in log quick inet proto icmp all icmp-type 3 code 4 keep state
# traceroute from internal host, receiving error code of icmp-type 11 (time exceeded)
pass in log quick inet proto icmp all icmp-type 11 keep state
pass in log quick on $EXT_IFACE inet proto icmp all icmp-type 8 code 0 keep state
pass in log quick on $EXT_IFACE inet proto icmp all icmp-type 30 code 0 keep state
#--------------------------------------------------------------------------------
# traceroute to internal host, receiving error code of icmp-type 11 (time exceeded)
pass out quick on $EXT_IFACE inet proto icmp from any to any icmp-type $INICMP
pass out quick on $EXT_IFACE inet proto icmp all icmp-type 8 code 0 keep state
pass out quick on $EXT_IFACE inet proto icmp all icmp-type 30 code 0 keep state
# -----------------------------------------------------------------------------
block in on $EXT_IFACE inet proto icmp all
# handle outgoing icmp traffic, allow everything directed to the internet from
# LAN/DMZ and related replies
# allow icmp packets directed to the DMZ server
# block and log all other icmp packets (especially from DMZ to LAN)
# enable internet access
pass out on $EXT_IFACE inet proto icmp from $EXT_ZONE to any keep state
# enable dmz access
pass in on $EXT_IFACE inet proto icmp from any to $DEMIL_ZONE keep state
# dmz -> internet
pass in on $DEMIL_IFACE inet proto icmp from $DEMIL_ZONE to $EXT_ZONE keep state
# internet -> dmz
pass out on $DEMIL_IFACE inet proto icmp from any to $DEMIL_ZONE keep state
# -----------------------------------------------------------------------------
# handle outgoing udp traffic, everything directed at the internet from LAN/DMZ and related replies
# block and log all other udp packets
# traceroute
pass out quick on $EXT_IFACE inet proto udp from any to any port $OUTTRACEROUTE
# allow internal and firewall initiated connections from behind the network
# Services we provide to the outside world
# Bootpc to fw
pass in quick on $EXT_IFACE inet proto udp from any to any port $InServicesUDP keep state
# Standard services we want to access in the world
pass out quick on $EXT_IFACE inet proto udp from any to any port $OutServicesUDP keep state
# syslog (udp 514) is open by default, if not used remove with next rule
#### block in quick log on $INT_IFACE proto udp from any to any port 514
#-------------------------------------------------------------------------------
block in on $EXT_IFACE inet proto udp all
# enable internet access
pass out on $EXT_IFACE inet proto udp from $EXT_ZONE to any keep state
# enable dmz access
pass in on $EXT_IFACE inet proto udp from any to $DEMIL_ZONE port 53 keep state
# enable dmz to internet access (not to the internal network)
pass in on $DEMIL_IFACE inet proto udp from $DEMIL_ZONE to ! $INT_ZONE keep state
# enable internet to dmz access
pass out on $DEMIL_IFACE inet proto udp from any to $DEMIL_ZONE port 53 keep state

# ====================================================
# (Q9) do I need the following two rules?
# ====================================================
# These two rules make BOOTP/DHCP services available to the protected hosts, via a server on the
# public side of the network. They may be overly restrictive, but have worked properly during testing.
pass out on $EXT_IFACE inet proto udp from any port = bootpc to { $INT_ZONE, 255.255.255.255 } port = bootps
pass in on $EXT_IFACE inet proto udp from $INT_ZONE port = bootps to { $INT_ZONE, 255.255.255.255 } port = bootpc
# -----------------------------------------------------------------------------
# handle outgoing tcp traffic, allow everything directed to the internet and related replies
# block and log all other tcp packets
pass out quick on $EXT_IFACE inet proto tcp all keep state
# ACK+PUSH usually for already established ssh/irc sessions
# (these three pass any inbound TCP segment with the given flags, on any interface, without a state entry)
pass in log quick inet proto tcp from any to any flags AP/FSRPAU
pass in log quick inet proto tcp from any to any flags AF/FSRAU
pass in log quick inet proto tcp from any to any flags R/FSRPAU
# DCC
#### pass in on $INT_IFACE inet proto tcp from any to 10.0.1.3 port 65400
# -----------------------------------------------------------------------------
# allow all traffic to DMZ servers on port 21 (ftp), 80 (http)
# also allow connection to the ssh remote admin server coming from a trusted address
# all other tcp packets are blocked and logged, especially those coming from DMZ to LAN
# note the specification of "flags S/SA" allows us to accept only tcp packets with the
# SYN flag (and not ACK) set; this is more restrictive than "flags S/S"
# remote management
#pass in on $EXT_IFACE inet proto tcp from $TRUSTED to $FIREWALL port 22 flags S/SA
# only allow ssh connections from the local network if they come from the trusted computer,
# 192.168.1.10. use "block return-rst" so that a TCP RST is sent to close blocked connections right away.
# use "quick" so that this rule is not overridden by the "pass" rules below.
block return-rst in quick on $INT_IFACE inet proto tcp from ! 192.168.1.10 to $INT_IFACE port ssh flags S/SA
# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (ie, they're destined for a machine on
# the local network). log the initial packet so that we can later tell who is trying to connect.
# (a list of negated addresses, { !$EXT_IFACE, !$INT_IFACE }, expands to two rules that
# between them match every address, so the firewall's own addresses are blocked first instead)
block in quick on $EXT_IFACE inet proto tcp from any to { $EXT_IFACE, $INT_IFACE } port ssh
pass in log on $EXT_IFACE inet proto tcp from any to any port ssh flags S/SA keep state
# -----------------------------------------------------------------------------
# enable internet access
pass out on $EXT_IFACE inet proto tcp from $EXT_ZONE to any flags S/SA keep state
# enable dmz web server access
pass in on $EXT_IFACE inet proto tcp from any to $WEB_SERV port { 21, 80 }
pass out on $DEMIL_IFACE inet proto tcp from any to $WEB_SERV port { 21, 80 }
# enable dmz mail server access (smtp, pop3)
pass in on $EXT_IFACE inet proto tcp from any to $MAIL_SERV port { 25, 110 }
pass out on $DEMIL_IFACE inet proto tcp from any to $MAIL_SERV port { 25, 110 }
# enable dmz dns server access (tcp 53)
pass in on $EXT_IFACE inet proto tcp from any to { $DNS_SERV1, $DNS_SERV2 } port 53
pass out on $DEMIL_IFACE inet proto tcp from any to { $DNS_SERV1, $DNS_SERV2 } port 53
# web proxy
pass in on $INT_IFACE inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $EXT_IFACE inet proto tcp from any to any port www keep state
# passive ftp
pass out log quick on $EXT_IFACE inet proto tcp from any to any port > 1023 flags S/SA keep state
# pass in data mode connections for ftp-proxy running on this host.
# active ftp
pass in log quick on $EXT_IFACE inet proto tcp from any port 20 to any port $FTPPORTS flags S/SA keep state
# IMPORTANT: Note that the "rdr" rule in the NAT section refers to the INTERNAL
# network interface. Its purpose is to redirect all ftp-data requests from the intranet
# to the ftp-proxy on the firewall. Then the ftp-proxy channels those into ports 49152-65535, and outputs
# them on the internet. This is why we have this hole in the firewall starting at port 49152. I know, it is
# in the IN direction, but that is how passive ftp works... It is quite a broken protocol.
# Special services
pass out quick on $EXT_IFACE inet proto tcp from any to any port $XMMS flags S/SA modulate state
pass out quick on $EXT_IFACE inet proto tcp from any to any port $RealAudio flags S/SA modulate state
# Standard services we want to access in the world
pass out quick on $EXT_IFACE inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state
# Services we provide to the outside world
pass in quick on $EXT_IFACE inet proto tcp from any to any port $InServicesTCP flags S/SA keep state
# allow internal and firewall initiated connections from behind the network
# (the OUTTCP macro is commented out above, so this rule is commented out too)
# pass out quick on $EXT_IFACE inet proto tcp from any to any port $OUTTCP

###----------------------------------------------------------------------
###
### WIRELESS INTERFACE
###
### (WIRE_IFACE is commented out above, so these rules are commented out too)
# INCOMING: traffic to fw, accept ssh & dhcp only, block the rest
# pass in quick on $WIRE_IFACE proto tcp from $WIRE_IFACE/24 to $WIRE_IFACE/32 port = 22 flags S/SA keep state
# pass in quick on $WIRE_IFACE proto { tcp, udp } from $WIRE_IFACE/24 to $WIRE_IFACE/32 port = 67 keep state
# block in quick on $WIRE_IFACE from any to $WIRE_IFACE/32
# INCOMING: forward traffic to all other destinations (except bad ports & broadcasts)
# pass in quick on $WIRE_IFACE from $WIRE_IFACE/24 to any
# INCOMING DEFAULT: block the rest (spoofed packets...)
# OUTGOING: pass all.
# pass out quick on $WIRE_IFACE proto { tcp, udp, icmp } from any to $WIRE_IFACE/24 keep state

# ====================================================
# VPN ACCESS
# The following ruleset is configured on the office firewall (firewall A).
# Firewall B will be similar.
# ====================================================
# xl0 is external interface
# ep0 is internal interface
# Default Deny and Log Everything
block in log all
block out log all
# Passing in encrypted traffic (ESP, IP protocol 50) from security gateways
pass in on ep0 proto esp from 192.168.1.254 to 192.168.2.1
pass out on ep0 proto esp from 192.168.2.1 to 192.168.1.254
# Allow packets to pass from the internal (local) side of the VPN
# to the internal (remote) side of the VPN. This traffic will get
# encapsulated within the VPN tunnel on enc0 before going
# out the physical interface.
pass in quick on xl0 from 10.0.0.0/24 to 10.0.3.0/24
pass out quick on xl0 from 10.0.3.0/24 to 10.0.0.0/24
# If packets are on the encrypted interface, enc0, they have been
# authenticated / decrypted. Pass them.
pass in quick on enc0
pass out quick on enc0
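Added example for the Q6 rules, not part of the post above. pf.conf(5) defines `flags a/b` as matching a TCP segment that has the flags in a set out of the flags in b, with flags outside b ignored, i.e. the packet's flag byte is masked with b and compared to a; the keyword takes exactly one a/b pair per rule, not a brace list. The script below models that comparison, runs both candidate rule sets against a handful of constructed probe segments (the classic nmap scan signatures plus ordinary SYN and ACK traffic), and flags a spec whose check set lies outside its mask as unmatchable, since no masked value can ever equal it. The probe names and the `dead_spec` helper are this example's own, not pf's.

```python
"""pf 'flags a/b' matching, worked through for the two candidate rule sets.

Added example, not code from the original post. A rule 'flags a/b' matches a
segment when (packet_flags & b) == a, which is the pf.conf(5) semantic of
"flags a set out of set b" with everything outside b ignored.
"""

# TCP flag bits as they appear in the TCP header flag byte.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flagbits(letters):
    """'SA' -> 0x12; an unknown letter is a typo and raises KeyError."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]
    return bits


def parse_spec(spec):
    """Parse 'a/b' into (check, mask). A bare 'a' means a/a, as in pf.conf."""
    if "/" in spec:
        a, b = spec.split("/", 1)
    else:
        a, b = spec, spec
    return flagbits(a), flagbits(b)


def matches(spec, packet_flags):
    """True when pf would consider the rule's flags clause satisfied."""
    check, mask = parse_spec(spec)
    return (flagbits(packet_flags) & mask) == check


def dead_spec(spec):
    """A check set with bits outside the mask can never equal the masked
    packet flags, so such a rule matches nothing (e.g. P/SFRA)."""
    check, mask = parse_spec(spec)
    return bool(check & ~mask)


# Constructed probe segments (flag letters only): scan signatures and normal traffic.
PROBES = {
    "xmas": "FPU",     # nmap -sX
    "null": "",        # nmap -sN
    "synfin": "SF",    # SYN+FIN
    "fin": "F",        # nmap -sF
    "urg": "U",
    "psh": "P",
    "syn": "S",        # ordinary connection attempt
    "ack": "A",        # ordinary established-session segment
}

# The five specs from the combined rule and the three from the separate rules.
COMBINED = ["FUP/FUP", "SF/SFRA", "P/SFRA", "F/SFRA", "U/SFRAU"]
THREE = ["FUP/FUP", "SF/SFRA", "/SFRA"]


def caught_by(rule_specs, probes=PROBES):
    """Sorted names of the probes that at least one spec in the set matches."""
    return sorted(name for name, fl in probes.items()
                  if any(matches(s, fl) for s in rule_specs))


def report(rule_specs):
    for name, fl in PROBES.items():
        hits = [s for s in rule_specs if matches(s, fl)]
        print(f"  {name:7s} -> {', '.join(hits) or 'falls through to later rules'}")


if __name__ == "__main__":
    print("three separate rules:")
    report(THREE)
    print("five specs from the combined rule:")
    report(COMBINED)
    print("unmatchable specs:", [s for s in COMBINED if dead_spec(s)])
```

Running it shows the two sets are not equivalent: the three-rule set catches xmas, null, SYN/FIN, URG-only and PSH-only probes but lets a FIN-only scan through, while the five specs catch FIN-only but not null scans, and `P/SFRA` never fires at all because P is not in its mask. Neither set touches the plain SYN or ACK probes.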
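Added example for Q1 and Q8, not part of the post above. Before trimming redundant rules it helps to know which lines reference macros that were never defined (pfctl stops at the first one), which rules are exact duplicates once macros are expanded, and where the keyword `flags` has been typed as `flag`. The real check is `pfctl -nf /etc/pf.conf`, which parses without loading; the script below does the textual part of that offline so the findings can be read in one pass. The macro substitution is plain `$NAME` text replacement as pfctl does it; the sample configuration is constructed for the demonstration and only borrows macro names from the ruleset above.

```python
"""Static checks over a pf.conf: undefined macros, duplicate rules, 'flag' typos.

Added example, not code from the original post. Macro handling is the same
textual $NAME substitution pfctl performs; everything else is simple line work.
"""
import re

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+)$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')


def strip_comment(line):
    return line.split("#", 1)[0].rstrip()


def parse_macros(text):
    """NAME = "value" lines, quotes removed; commented-out macros are not defined."""
    macros = {}
    for raw in text.splitlines():
        m = MACRO_DEF.match(strip_comment(raw))
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
    return macros


def rule_lines(text):
    """(line_no, rule) for every non-empty, non-comment, non-macro line,
    with runs of whitespace folded so spacing differences do not matter."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip() or MACRO_DEF.match(line):
            continue
        out.append((n, " ".join(line.split())))
    return out


def undefined_macros(text):
    """{macro_name: [line numbers]} for $NAME references with no definition."""
    macros = parse_macros(text)
    found = {}
    for n, line in rule_lines(text):
        for name in MACRO_REF.findall(line):
            if name not in macros:
                found.setdefault(name, []).append(n)
    return found


def expand(line, macros):
    """Substitute $NAME repeatedly so macros that reference macros resolve;
    undefined names are left as-is, which also terminates the loop."""
    prev = None
    while prev != line:
        prev = line
        line = MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), line)
    return line


def duplicate_rules(text):
    """(first_line, later_line, expanded_rule) for rules identical after expansion."""
    macros = parse_macros(text)
    seen, dups = {}, []
    for n, line in rule_lines(text):
        key = expand(line, macros)
        if key in seen:
            dups.append((seen[key], n, key))
        else:
            seen[key] = n
    return dups


def misspelled_flags(text):
    """pf's keyword is 'flags'; 'flag S/SA' is a parse error."""
    return [n for n, line in rule_lines(text) if re.search(r'\bflag\s+\S*/', line)]


# Constructed sample, not the poster's full ruleset; it reuses a few macro names.
SAMPLE = """\
# constructed sample config
EXT_IFACE = "ep0"
DEMIL_IFACE = "xl1"
INT_ZONE = "192.168.1.0/24"
DEMIL_ZONE = "172.16.1.0/12"
WEB_SERV = "172.16.1.4"
# OUTTCP = "{ 21, 22, 80 }"
pass in quick on $DEMIL_IFACE inet proto tcp from $DEMIL_ZONE to ! $INT_ZONE flag S/SA keep state
pass in on $EXT_IFACE inet proto tcp from any to $WEB_DMZ port { 21, 80 }
pass in  on  $EXT_IFACE inet proto tcp from any to $WEB_SERV port { 21, 80 }
pass in on ep0 inet proto tcp from any to 172.16.1.4 port { 21, 80 }
pass out quick on $EXT_IFACE inet proto tcp from any to any port $OUTTCP
"""

if __name__ == "__main__":
    print("undefined macros:", undefined_macros(SAMPLE))
    print("duplicate rules :", duplicate_rules(SAMPLE))
    print("'flag' typos    :", misspelled_flags(SAMPLE))
```

On the sample this reports `$WEB_DMZ` and `$OUTTCP` as undefined (the latter because its definition is commented out), the macro form and the literal form of the web-server rule as duplicates of each other, and the `flag S/SA` line as a typo. Duplicates are only flagged when the expanded text is identical; rules that merely overlap (a `quick` pass followed by a narrower block on the same traffic) still have to be read by hand in rule order.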