PF Examples
From OpenBSD-Wiki
This article does not apply to any one particular OpenBSD version.
Anyone is welcome to post their pf.conf here whether it's for your own personal backup or simply to share.
Nazadus
Notes
- I chose 10.10.2.0/24 not because I needed the address space but because I wanted something I could be relatively certain no one else would use. From my experience, all but one person used 192.168.x.x/24.
- SSH brute force was something I found on the misc@ mailing list and thought "hey! that's a good idea!"
- Snort2PF I ran across again in the mailing list archives. It requires a little bit of tweaking though; more specifically, the ALERT file is in a different location. I'm just now learning it... more to come later.
pf.conf
# begin: /etc/pf.conf
# $Id: pf.conf 2007-06-19 03:07 Nazadus $
####################################
# macros
####################################
###
## Network Cards
###
# LAN
intIF = "re1"
# WAN
extIF = "pppoe0"
###
## Services
###
# Public Services -- ssh, smtp, http, https, imaps, pop3s, svn (respectively)
tcpPubServices = "{ 22, 25, 80, 443, 993, 995, 3690 }"
# Torrent NAT Forward port
torrentPort = "31177"
# ICMP -- respond to pings
icmpTypes = "echoreq"
###
## LAN Information
###
# Local Subnet
myNet = "10.10.2.0/24"
# Server IP's
mailSvr = "10.10.2.253"
sshSvr = "10.10.2.254"
webSvr = "10.10.2.253"
svnSvr = "10.10.2.253"
dnsSvr = "10.10.2.253"
# Primary Workstation
myLaptop = "10.10.2.48"
# Banned IP's
naughtyIP = "{ 10.10.2.32, 10.10.2.31 }"
# Sources that trip the ssh overload rule below land here; persist keeps the
# table around across ruleset reloads.
table <sshBruteForce> persist
###
## Options
###
# Reply with RST / ICMP unreachable instead of dropping silently: clients fail
# fast, but it also tells a scanner that a host is there.
set block-policy return
# No need to scan localhost
set skip on lo0
# Enabling logging for debugging
#set loginterface $extIF
#set loginterface $intIF
# Make sure all packets are clean and sane
scrub in all fragment reassemble random-id
# DSL requires the max-mss to be 1440 or certain sites won't work, such as myspace, digg, etc.
scrub out on $extIF max-mss 1440
###
## NAT / Redirection
###
nat on $extIF inet from $myNet to any -> $extIF
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Public services
rdr on $extIF proto tcp from any to any port 22 -> $sshSvr
rdr on $extIF proto tcp from any to any port 25 -> $mailSvr
# No rule below passes port 53 in on $extIF (and DNS mostly uses udp), so this
# redirect does nothing until a matching pass rule is added.
rdr on $extIF proto tcp from any to any port 53 -> $dnsSvr
rdr on $extIF proto tcp from any to any port 80 -> $webSvr
rdr on $extIF proto tcp from any to any port 443 -> $webSvr
rdr on $extIF proto tcp from any to any port 993 -> $mailSvr
rdr on $extIF proto tcp from any to any port 995 -> $mailSvr
rdr on $extIF proto tcp from any to any port 3690 -> $svnSvr
# Private services
rdr on $extIF proto { tcp, udp } from any to any port $torrentPort -> $myLaptop
block log (all, to pflog0) all
antispoof for $extIF
# Ban the naughty people
## Tried to hijack my router and suck my bandwidth... luckily they aren't smart enough to change MACs and IPs
block in quick on $intIF from $naughtyIP to any
## still a work in progress
block in quick from <sshBruteForce> to any
# Allow pings incoming; Chris would be sooooo pissed ;-)
pass in inet proto icmp all icmp-type $icmpTypes keep state
# Allow Personal services to run. flags and synproxy only apply to tcp, so the
# tcp and udp halves of the torrent port get separate rules.
pass in on $extIF inet proto tcp from any to $myLaptop port $torrentPort flags S/SA synproxy state
pass in on $extIF inet proto udp from any to $myLaptop port $torrentPort keep state
# Outbound torrent traffic is covered by the general pass out rules below. A
# "pass out on $extIF from $myLaptop" rule would never match: nat runs before
# the filter, so on $extIF the source is already the pppoe0 address.
# Allow public services. Port 22 also matches the ssh rule right below; neither
# rule is "quick", so the later ssh rule (with its limits) is the one that wins.
pass in on $extIF inet proto tcp from any to any port $tcpPubServices flags S/SA synproxy state
# A source with more than 8 states, or more than 3 new connections per 60 s, is
# put into <sshBruteForce> and "flush global" kills its existing states. This
# counts connections, not failed logins: one long-lived session can keep
# guessing. max-src-nodes 8 also caps the number of distinct source addresses
# tracked at once for this rule; a ninth host gets refused.
pass in on $extIF inet proto tcp from any to any port ssh modulate state (source-track rule max-src-nodes 8 max-src-conn 8 max-src-conn-rate 3/60 overload <sshBruteForce> flush global)
# Allow outgoing traffic to do as it pleases
pass out on $extIF proto tcp all modulate state flags S/SA
pass out on $extIF proto { udp, icmp } all keep state
pass out on $extIF proto esp from any to any keep state
# Allow LAN to do anything -- I live alone anyways
pass in on $intIF from $intIF:network to any keep state
pass out on $intIF from any to $intIF:network keep state
# Microsoft VPN stuff -- needed to get MS PPTP out
pass in on $intIF proto gre from any to any keep state
pass in on $intIF inet proto tcp from any to any port = 1723 flags S/SA keep state
pass out on $extIF proto gre from any to any keep state
# Snort blockages -- this is a new one for me, so I'm still testing and playing around with it
anchor snort2pf
Things to come
- VPN incoming -- so I can access home from work
- Tweak snort2pf to only block certain ones
- Finish SSH brute force and allow amnesty time, 5 minutes after 2 failed?
- Make the pf.conf a bit cleaner
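The ssh rule in the pf.conf above only sees connections, and the "amnesty" wished for in the to-do list is normally done by running pfctl -t sshBruteForce -T expire 300 from cron. The following is an added example, not pf's code and not from the original post: it replays a constructed stream of connection events against the limits of that rule (max-src-conn 8, max-src-conn-rate 3/60, overload with flush global) and a 300 second expiry, and shows which sources end up in the table, when they are released, and that a single long-lived session full of failed logins never trips it. The rate check is a sliding window over the last 60 seconds, which is a simplification of pf's own counter; the addresses and event times are made up.

```python
"""Replay of the ssh source-tracking rule against constructed events.

Added example; not pf's code and not from the original page.  Models

    max-src-conn 8 max-src-conn-rate 3/60 overload <sshBruteForce> flush global

plus the effect of a periodic "pfctl -t sshBruteForce -T expire 300" from
cron (entries older than 300 s are deleted).  The rate check is a sliding
window over the last 60 s, a simplification of pf's own counter.
"""
from collections import defaultdict, deque

MAX_SRC_CONN = 8                  # max-src-conn 8
RATE_LIMIT, RATE_WINDOW = 3, 60   # max-src-conn-rate 3/60
AMNESTY = 300                     # pfctl -T expire 300 (assumed cron interval)


class SourceTracker:
    def __init__(self, max_conn=MAX_SRC_CONN, rate_limit=RATE_LIMIT,
                 rate_window=RATE_WINDOW, amnesty=AMNESTY):
        self.max_conn = max_conn
        self.rate_limit = rate_limit
        self.rate_window = rate_window
        self.amnesty = amnesty
        self.open = defaultdict(int)       # concurrent states per source
        self.recent = defaultdict(deque)   # times of recent new states per source
        self.table = {}                    # src -> time it entered <sshBruteForce>

    def connect(self, now, src):
        """New TCP connection from src at time now.

        Returns 'blocked' (src already in the table), 'overload' (this
        connection tripped a limit and src was added) or 'pass'.
        """
        if src in self.table:
            return "blocked"               # block in quick from <sshBruteForce>
        window = self.recent[src]
        while window and now - window[0] >= self.rate_window:
            window.popleft()
        window.append(now)
        self.open[src] += 1
        if len(window) > self.rate_limit or self.open[src] > self.max_conn:
            self.table[src] = now
            # flush global: every existing state of this source is killed
            self.open[src] = 0
            window.clear()
            return "overload"
        return "pass"

    def close(self, src):
        """A connection from src ended (its state went away)."""
        if self.open[src] > 0:
            self.open[src] -= 1

    def expire(self, now):
        """What 'pfctl -t sshBruteForce -T expire AMNESTY' does: drop old entries."""
        released = sorted(s for s, added in self.table.items()
                          if now - added >= self.amnesty)
        for src in released:
            del self.table[src]
        return released


# Constructed event stream: (time in seconds, source, event).
# 203.0.113.9 is a scanner opening a new connection every 10 s;
# 198.51.100.4 is a normal user;
# 192.0.2.7 opens ONE connection and keeps guessing passwords inside it,
# which pf cannot see: the rule counts connections, not failed logins.
EVENTS = [
    (0, "203.0.113.9", "open"),
    (0, "198.51.100.4", "open"),
    (5, "198.51.100.4", "close"),
    (5, "192.0.2.7", "open"),
    (10, "203.0.113.9", "open"),
    (20, "203.0.113.9", "open"),
    (30, "203.0.113.9", "open"),     # 4th connection inside 60 s: overload
    (60, "203.0.113.9", "open"),     # now blocked by the table
    (120, "198.51.100.4", "open"),
    (300, "cron", "expire"),         # scanner has been in the table 270 s: kept
    (360, "cron", "expire"),         # 330 s: released
    (370, "203.0.113.9", "open"),    # judged by the rule again
]


def run_scenario(events=EVENTS):
    """Returns (time, source, verdict) for every connection and cron run."""
    tracker = SourceTracker()
    log = []
    for now, src, event in events:
        if event == "open":
            log.append((now, src, tracker.connect(now, src)))
        elif event == "close":
            tracker.close(src)
        elif event == "expire":
            log.append((now, src, tracker.expire(now)))
    return log


if __name__ == "__main__":
    for entry in run_scenario():
        print(*entry)
```

The 192.0.2.7 case is the reason the "5 minutes after 2 failed" idea cannot be built from pf alone: pf never sees authentication failures, so failure-based banning has to come from something that reads the sshd log and feeds the table with pfctl -t sshBruteForce -T add.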
KenD -- Simple Laptop Firewall
Not a fancy pf.conf, but simple is good for a laptop.
pf.conf
## /etc/pf.conf
# Apply/test via:
# sudo pfctl -f /etc/pf.conf
##########
## MACROS
##########
# Note: "sftp" in /etc/services is the old Simple File Transfer Protocol on 115/tcp,
# not file transfer over SSH (that rides on port 22 and is already covered by ssh).
tcp_services = "{ ssh, smtps, domain, www, auth, pop3s, ftp, sftp, https, imaps }"
# DNS is the only one of these that actually uses UDP; pop3s and imaps are TCP-only.
udp_services = "{ domain }"
##########
## OPTIONS
##########
# KDE uses loopback
set skip on lo0
# Make sure all packets are clean and sane
scrub in all fragment reassemble random-id
##############################################
## DEFAULT: DENY external access; OK going out
##############################################
block in all
## DEBUG: to log blocked packets, use the logging variant instead:
## block in log all
## and view the log with:
## tcpdump -n -e -ttt -i pflog0
####################################################
## Only allow outgoing services which are sensible..
####################################################
##pass out all
# keep state is spelled out so replies get back in past "block in all" on
# releases where stateful filtering is not yet the default
pass out proto tcp to any port $tcp_services flags S/SA keep state
# "out" matters here: without a direction this rule would also accept
# inbound UDP to port 53 on the laptop
pass out proto udp to any port $udp_services keep state
# for ping queries [icmp]; the state lets the echo reply back in
pass out inet proto icmp all icmp-type 8 code 0 keep state
## E O F ##
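Once "block in log all" is active, the interesting question is what the pflog actually shows. The following is an added example, not part of the original page: a small parser for the TCP and UDP lines that "tcpdump -n -e -ttt -i pflog0" prints (one "rule N/M(match): block in on IF: src.port > dst.port: ..." line per packet), with two checks a practitioner runs first: which sources hit several different ports (scan candidates) and which keep hitting one port (repeat offenders). The log lines and addresses below are constructed in that format; lines the parser does not understand, such as ICMP (no ports), are counted rather than silently dropped.

```python
"""Triage of pflog output as printed by "tcpdump -n -e -ttt -i pflog0".

Added example, not from the original page.  SAMPLE_LINES are constructed to
look like OpenBSD pflog output for TCP/UDP packets; addresses are from the
documentation ranges.
"""
import re
from collections import Counter, defaultdict

PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\d*\(match\):? "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)

SAMPLE_LINES = [  # constructed
    "Jun 19 03:10:22.154034 rule 0/0(match): block in on pppoe0: 203.0.113.9.51234 > 198.51.100.7.22: S 1234567:1234567(0) win 65535 <mss 1460> (DF)",
    "Jun 19 03:10:23.001122 rule 0/0(match): block in on pppoe0: 203.0.113.9.51235 > 198.51.100.7.22: S 1234568:1234568(0) win 65535 <mss 1460> (DF)",
    "Jun 19 03:10:25.500000 rule 0/0(match): block in on pppoe0: 203.0.113.9.51236 > 198.51.100.7.23: S 1234569:1234569(0) win 65535 <mss 1460> (DF)",
    "Jun 19 03:10:30.000000 rule 0/0(match): block in on pppoe0: 192.0.2.44.4000 > 198.51.100.7.53: udp 36",
    "Jun 19 03:10:31.000000 rule 0/0(match): block in on pppoe0: 192.0.2.44.4001 > 198.51.100.7.53: udp 36",
    "Jun 19 03:10:35.000000 rule 2/0(match): block in on re1: 10.10.2.32.1025 > 10.10.2.1.80: S 99:99(0) win 8192 <mss 1460> (DF)",
    "Jun 19 03:10:40.000000 rule 0/0(match): block in on pppoe0: 192.0.2.99 > 198.51.100.7: icmp: echo request",
]


def parse_pflog_line(line):
    """Return a dict for a TCP/UDP pflog line, or None if it does not parse."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    if rest.startswith("udp"):
        rec["proto"] = "udp"
    elif re.match(r"[SFRP.]+ ", rest):
        rec["proto"] = "tcp"   # tcpdump prints the TCP flags (S, F, R, P, .) first
    else:
        rec["proto"] = "other"
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Parsed records, count of unparsed lines, and hit counts per source / port."""
    recs = [r for r in map(parse_pflog_line, lines) if r]
    return {
        "records": recs,
        "unparsed": len(lines) - len(recs),
        "by_src": Counter(r["src"] for r in recs),
        "by_src_port": Counter((r["src"], r["proto"], r["dport"]) for r in recs),
    }


def scan_candidates(records, min_ports=2):
    """Sources blocked on at least min_ports distinct (proto, port) targets."""
    targets = defaultdict(set)
    for r in records:
        targets[r["src"]].add((r["proto"], r["dport"]))
    return sorted(src for src, t in targets.items() if len(t) >= min_ports)


def repeat_offenders(records, dport, min_hits=2):
    """Sources blocked at least min_hits times on one destination port."""
    hits = Counter(r["src"] for r in records if r["dport"] == dport)
    return sorted(src for src, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print("unparsed lines:", s["unparsed"])
    for (src, proto, port), n in s["by_src_port"].most_common():
        print(f"{src:>15} -> {proto}/{port}: {n}")
    print("scan candidates:", scan_candidates(s["records"]))
    print("repeat ssh offenders:", repeat_offenders(s["records"], 22))
```

Reading the log from the file instead of the interface works the same way: pipe "tcpdump -n -e -ttt -r /var/log/pflog" into the parser. The unparsed count is there on purpose; a line you cannot parse is still a blocked packet, so the parser must never make it disappear.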
