OpenBSD PF Firewall Script – /etc/pf.conf File February 10th, 2010
Following script will protect collocated FreeBSD / OpenBSD / NetBSD server running PF firewall. My box has 2 interface one for VPN and other for public interface. I only run http, dns and ssh on public port. Read pf, rc.conf and pf.conf man page for details. Tested on FreeBSD and OpenBSD.
Sample /etc/pf.conf
#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
#### define tables. add all subnets and ips to block
table <blockedip> persist file "/etc/pf.block.ip.conf"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
### admin server ranges ###
adminrange = "112.220.11.0/23"
# connected to internet
ext_if = "em1"
# connected to vpn / lan
int_if = "em0"
##### ftp proxy
#proxy="127.0.0.1"
#proxyport="8021"
#### Normalization
#scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all
#### NAT and RDR start
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
# redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
# Drop incoming everything
block in all
block return
# keep stats of outgoing connections
pass out keep state
# We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
# unlimited traffic for loopback and lan / vpn
set skip on {lo0, $int_if}
# activate spoofing protection for all interfaces
block in quick from urpf-failed
#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
#Block RFC 1918 addresses
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians
# Block all ips
# pfctl -t blockedip -T show
block drop in log (all) quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>
# allow outgoing
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# Allow admin to get into box
pass in on $int_if from $adminrange to any
# Allow incoming ssh, http, bind traffic
# pass in on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy modulate state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
source here
Tags: /etc/pf.conf, BSD PF, BSD PF IPv6 and IPv4 /etc/pf.conf Firewall Script, Firewall Script, freebsd, IPv6 and IPv4
This entry was posted on Wednesday, February 10th, 2010 at 9:47 am and is filed under fedora, Networking. You can follow any responses to this entry through the RSS 2.0 feed.You can leave a response, or trackback from your own site.
This entry was posted on Wednesday, February 10th, 2010 at 9:47 am and is filed under fedora, Networking. You can follow any responses to this entry through the RSS 2.0 feed.You can leave a response, or trackback from your own site.
