If there is one great thing about pf, it is that a small configuration can be pretty powerful.
Enjoy guys:
Code:
# External -> dc0
EXT="dc0"
# Internal -> dc1
INT="dc1"
LAN="192.168.1.0/24"
# Addresses
MIRANDA="192.168.1.1/32"
JEROME="192.168.1.7/32"
VINCENT="192.168.1.8/32"
LAURENT="192.168.1.9/32"
# Spoofers
SPOOF="{ 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 }"
# Base policy
block in log all
block out log all
scrub in all
pass out quick on $EXT from $LAN to any keep state
# SSH
pass in quick on $EXT proto tcp from any to any port 22 flags S/SA keep state
# SMTP
pass in quick on $EXT proto tcp from any to any port 25 flags S/SA keep state
# HTTP
pass in quick on $EXT proto tcp from any to any port 81 flags S/SA keep state
# Block spoofers
block out log quick on $EXT from $SPOOF to any
block in log quick on $EXT from any to $SPOOF
> If there is one great thing about pf, it is that a small configuration can be pretty powerful.
Some comments:
- you do not block spoofers when they try to access tcp 22, 25 and 81 (just change rule order)
- you should return RST on the ident port if you run an SMTP server (many smtp servers will query that port; if you just block it they will wait for a long timeout).
- doesn't ssh use udp sometimes?
- you cannot access your LAN with these rules (but maybe it's a feature?)
- your machine is not pingable
> Some comments:
> - you do not block spoofers when they try to access tcp 22, 25 and 81 (just change rule order)

Yeah, I changed it right after I posted.

> - you should return RST on the ident port if you run an SMTP server (many smtp servers will query that port; if you just block it they will wait for a long timeout).

How would I do that?

> - you cannot access your LAN with these rules (but maybe it's a feature?)

What do you mean I can't access my LAN?

> - your machine is not pingable

Added that.
Right now it looks like this. Is it better?
Code:
# External -> dc0
EXT="dc0"
# Internal -> dc1
INT="dc1"
LAN="192.168.1.0/24"
# Addresses
MIRANDA="192.168.1.1/32"
JEROME="192.168.1.7/32"
VINCENT="192.168.1.8/32"
LAURENT="192.168.1.9/32"
# Spoofers
SPOOF="{ 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 }"
# Base policy
block in log all
block out log all
scrub in all
pass out quick on $EXT from $LAN to any keep state
# Block spoofers
block out log quick on $EXT from $SPOOF to any
block in log quick on $EXT from any to $SPOOF
# Traceroute + Ping
pass in quick on $EXT proto icmp from any to any icmp-type trace keep state
pass in quick on $EXT proto icmp from any to any icmp-type echoreq keep state
# SSH
pass in quick on $EXT proto tcp from any to any port 22 flags S/SA keep state
# SMTP
pass in quick on $EXT proto tcp from any to any port 25 flags S/SA keep state
# HTTP
pass in quick on $EXT proto tcp from any to any port 81 flags S/SA keep state
> How would I do that?

Don't know about pf; in IPFilter it would be:

Code:
block return-rst in log on $EXT proto tcp from any to any port = 113

You may also add a rule that will prevent the pf from responding with rst to broadcasts (I just drop all the broadcasts on the floor).
> What do you mean I can't access my LAN?

Either I'm missing something or you block everything from the firewall to $LAN, except for NATed connections. There are no rules about $INT and $LAN, therefore the default block policy is applied. I'm not saying that this is bad.
I'm not sure if I understand, but if I ssh to my firewall (I can do that, right?), you are saying that I will not be able to ssh to my box?
> I'm not sure if I understand, but if I ssh to my firewall (I can do that, right?), you are saying that I will not be able to ssh to my box?

Try it. You'll know better then.

> Try it. You'll know better then.

This will be tonight or tomorrow. I don't know enough about networks and packet filters to tell exactly how it will work (but that's why I'm doing this).
Thanks for your help, by the way; it's very much appreciated!
Latest (I added some changes recommended by a friend of mine):
Code:
# External -> dc0
EXT="dc0"
# Internal -> dc1
INT="dc1"
LAN="192.168.1.0/24"
# Addresses
MIRANDA="192.168.1.1/32"
JEROME="192.168.1.7/32"
VINCENT="192.168.1.8/32"
LAURENT="192.168.1.9/32"
# Spoofers
SPOOF="{ 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"
# Base policy
block in log on $EXT from any to any
block out log on $EXT from any to any
pass in on $INT from any to any
pass out on $INT from any to any
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
scrub in all
pass out quick on $EXT from $EXT to any keep state
# Block spoofers
block out log quick on $EXT from $SPOOF to any
block in log quick on $EXT from any to $SPOOF
block out log quick on $EXT from any to $SPOOF
block in log quick on $EXT from $SPOOF to any
# Traceroute + Ping
#pass in quick on $EXT proto icmp from any to any icmp-type trace keep state
#pass in quick on $EXT proto icmp from any to any icmp-type echoreq keep state
# SSH
pass in quick on $EXT proto tcp from any to any port 22 flags S/SA keep state
# SMTP
pass in quick on $EXT proto tcp from any to any port 25 flags S/SA keep state
# HTTP
pass in quick on $EXT proto tcp from any to any port 81 flags S/SA keep state
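To see why the rule-order comment from the second post matters, here is an added Python model (not code from the thread) of pf's "last match wins unless a matching rule is quick" evaluation, run over the inbound $EXT rules of the first ruleset and of the final one above; it ignores flags, state and the ICMP rules, and the client and firewall addresses are constructed.

```python
import ipaddress

# Spoof lists as in the thread: the first post has 10.0.0.0/8, the final one dropped it.
SPOOF_FINAL = ("127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32")
SPOOF_FIRST = ("10.0.0.0/8",) + SPOOF_FINAL
ANY = ("0.0.0.0/0",)

def rule(action, quick=False, src=ANY, dst=ANY, port=None):
    """One inbound rule on $EXT: verdict, quick flag, source/destination nets, TCP port."""
    def nets(ns): return [ipaddress.ip_network(n) for n in ns]
    return (action, quick, nets(src), nets(dst), port)

def matches(r, src_ip, dst_ip, port):
    _, _, srcs, dsts, rport = r
    return (any(src_ip in n for n in srcs) and any(dst_ip in n for n in dsts)
            and (rport is None or rport == port))

def evaluate(rules, src, dst, port):
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation there. With no match at all pf passes."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "pass"
    for r in rules:
        if matches(r, src_ip, dst_ip, port):
            verdict = r[0]
            if r[1]:
                break
    return verdict

# Inbound $EXT rules of the first post: the quick passes precede the spoof
# block, and that block only checks the destination address.
FIRST = [
    rule("block"),
    rule("pass", quick=True, port=22),
    rule("pass", quick=True, port=25),
    rule("pass", quick=True, port=81),
    rule("block", quick=True, dst=SPOOF_FIRST),
]

# Inbound $EXT rules of the final post: spoof blocks first, on both the
# destination and the source address, then the quick passes.
FINAL = [
    rule("block"),
    rule("block", quick=True, dst=SPOOF_FINAL),
    rule("block", quick=True, src=SPOOF_FINAL),
    rule("pass", quick=True, port=22),
    rule("pass", quick=True, port=25),
    rule("pass", quick=True, port=81),
]
```

With a constructed packet from 192.168.5.5 to port 22 on the firewall's external address, evaluate(FIRST, ...) returns "pass" and evaluate(FINAL, ...) returns "block"; a source in 10.0.0.0/8 still passes under FINAL because that range was removed from the final SPOOF list.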