
Good Example of pf.conf ?



I just "completed" my ruleset with the queue I intend to use.... and
think my pf.conf might be worth some criticism.... maybe it has some
serious flaws in it which someone would like to share.... maybe it has some
parts that look so promising that they are worth mentioning in a PF-FAQ....

Comments are highly welcome...
Regards,
Philipp

PS: And no, I don't care for "security through obscurity"... but I
understand folks who shake their heads when they see people posting their
firewall configuration....

###
### Layout
###
#
#   varioushosts.dominion.ch-----(dominion_net4/6/private)-----sanity.dominion.ch-----(dominion_peer4/6)-----isp_router
#
#
###
### MACROS
###
#
dominion_net4="{ 212.25.4.24/29 }"
dominion_net6="{ 2001:08e0:666::0/48 }"
dominion_private_net="{ 192.168.66.0/24 }"
dominion_peer6="{ 2001:8e0:0:1::2/126 }"
dominion_peer4="{ 212.25.27.98 }"
#
ext_if="fxp0"
int_if="xl0"
#
#
#
###
### TABLES
###
# I'm not yet familiar with tables... so here is a prototype....
# (the anti-spoofing rule below references <rfc1918>, so the table
#  must actually be defined or pfctl will refuse to load the ruleset)
#
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
#
#
###
### OPTIONS
###
#
set block-policy return
set loginterface $ext_if
set optimization conservative
#
#
#
###
### NORMALIZATION
###
#
scrub   in   all
scrub   out  all
#
#
#
###
### QUEUES
###
#
# xl0 doesn't really need bandwidth mgmt...
altq on $int_if cbq bandwidth 100Mb queue { dft_xl0, other }
queue   dft_xl0                 bandwidth 100%  priority 0 cbq(borrow ecn default)
queue   other               bandwidth 100%  priority 1 cbq(borrow ecn )
#
altq on $ext_if cbq bandwidth 768Kb queue { dft, tcp, tcp_ack, udp, icmp }
# Let's divide the traffic into 3 main groups: 60% tcp, 20% udp and 5%
# icmp... some bandwidth for tcp_ack... how much? I dunno... and some
# default for the "unknown" (mandatory)
# please note the "tcp_ack" was taken from the PF Website...
# icmp is also important...
queue	tcp_ack	            bandwidth 10% priority 7 cbq(borrow ecn)
queue   tcp                 bandwidth 60% priority 2 cbq(borrow ecn) { normal_tcp, bulk_tcp, other_tcp }
queue   udp                 bandwidth 20% priority 2 cbq(borrow ecn) { normal_udp, bulk_udp, other_udp }
queue   icmp		    bandwidth 5%  priority 1 cbq(borrow ecn)
queue   dft                 bandwidth 5%  priority 0 cbq(borrow ecn default)
#
# traffic gets separated into "normal", "bulk" and "other" traffic
# normal traffic is traffic that one "feels" when it gets low...
# bulk is mass traffic; in earlier days I would have put http into
# "normal" traffic, these days it just gets priority over ftp and
# smtp...
queue   normal_tcp            bandwidth 60% priority 2 cbq(borrow ecn) { dns_tcp, imap, ssh, ssh_intrac }
queue     dns_tcp               bandwidth 10% priority 3 cbq(borrow ecn)
queue     imap                  bandwidth 10% priority 1 cbq(borrow ecn)
queue     ssh                   bandwidth 10% priority 0 cbq(borrow ecn)
queue     ssh_interac           bandwidth 30% priority 7 cbq(borrow ecn)
queue   bulk_tcp              bandwidth 60% priority 1 cbq(borrow ecn) { http, ftp, smtp }
queue     http                  bandwidth 25% priority 3 cbq(borrow ecn)
queue     ftp                   bandwidth 25% priority 1 cbq(borrow ecn)
queue     smtp                  bandwidth 10% priority 2 cbq(borrow ecn)
queue   other_tcp	      bandwidth 60% priority 0 cbq(borrow ecn)
#
# ntp is quite vital... and should not suffer... despite being quite
# silent.... snmp is a pain for the remote monitoring system if it can't
# fetch the data in a reasonable time... dns, it's just a pain if it stops
# working...
queue   normal_udp            bandwidth 60% priority 2 cbq(borrow ecn) { ntp, snmp, dns_udp }
queue     ntp                   bandwidth 20% priority 1 cbq(borrow ecn)
queue     snmp                  bandwidth 20% priority 0 cbq(borrow ecn)
queue     dns_udp               bandwidth 20% priority 2 cbq(borrow ecn)
queue   bulk_udp              bandwidth 60% priority 1 cbq(borrow ecn) 
queue   other_udp	      bandwidth 60% priority 0 cbq(borrow ecn)
#
#
#
#
###
### NAT
###
#
nat on $ext_if from $dominion_private_net to any -> $ext_if
#
#
#
###
### FILTER
###
#
# 'catch all' rule
#
block in   log  all
block out  log  all
# 
# Anti-spoofing rule
# (note: $int_if and $ext_if expand to the interfaces' own addresses only,
#  not to the attached subnets; $int_if:network would cover the whole
#  internal subnet. This rule is inet only, so nothing comparable exists
#  for $dominion_net6 yet.)
#
block in   log  quick on $ext_if inet  from { $int_if , $ext_if, <rfc1918> }  to any
# 
# Dominion Traffic
# 
# apply "protocol based" queues... so traffic should not fall into
# default..... at least if it's outbound....
#
# TCP
#
# queue(other_tcp, tcp_ack): data packets go to other_tcp, while empty
# ACKs and TOS lowdelay packets go to the second queue, tcp_ack (this is
# the form used on the PF Website; a plain "queue tcp_ack" on a from-any
# rule would instead send every outbound tcp connection into the 10% ack
# queue and leave other_tcp unused)
pass out     inet  proto tcp from any to any flags S/SA keep state queue( other_tcp, tcp_ack )
pass out     inet6 proto tcp from any to any flags S/SA keep state queue( other_tcp, tcp_ack )
#
# UDP
#
pass out     inet  proto udp from any to any keep state queue other_udp
pass out     inet6 proto udp from any to any keep state queue other_udp
#
# ICMP
#
pass out     inet  proto icmp from any to any keep state queue icmp
pass out     inet6 proto ipv6-icmp from any to any keep state queue icmp
#
# Known Protocols...
#
# apply the queue to outgoing traffic....
pass out     inet  proto tcp  from $dominion_net4 to any port { 443, 80 } flags S/SAFPRU keep state queue http
pass out     inet6 proto tcp  from $dominion_net6 to any port { 443, 80 } flags S/SAFPRU keep state queue http
pass out     inet  proto tcp  from $dominion_net4 to any port 21 flags S/SAFPRU keep state queue ftp
pass out     inet6 proto tcp  from $dominion_net6 to any port 21 flags S/SAFPRU keep state queue ftp
pass out     inet  proto tcp  from $dominion_net4 to any port { 25, 465 } flags S/SAFPRU keep state queue smtp
pass out     inet6 proto tcp  from $dominion_net6 to any port { 25, 465 } flags S/SAFPRU keep state queue smtp
pass out     inet  proto tcp  from $dominion_net4 to any port 53 flags S/SAFPRU keep state queue dns_tcp
pass out     inet6 proto tcp  from $dominion_net6 to any port 53 flags S/SAFPRU keep state queue dns_tcp
pass out     inet  proto udp  from $dominion_net4 to any port 53 keep state queue dns_udp
pass out     inet6 proto udp  from $dominion_net6 to any port 53 keep state queue dns_udp
pass out     inet  proto tcp  from $dominion_net4 to any port { 143, 993 } flags S/SAFPRU keep state queue imap
pass out     inet6 proto tcp  from $dominion_net6 to any port { 143, 993 } flags S/SAFPRU keep state queue imap
pass out     inet  proto udp  from $dominion_net4 to any port 123 keep state queue ntp
pass out     inet6 proto udp  from $dominion_net6 to any port 123 keep state queue ntp
pass out     inet  proto tcp  from $dominion_net4 to any port 22 keep state queue( ssh, ssh_interac )
pass out     inet6 proto tcp  from $dominion_net6 to any port 22 keep state queue( ssh, ssh_interac )
#
# Local Inbound
#
# as said, no queues for inbound traffic from the LAN
pass in      inet from $dominion_private_net to any keep state 
pass in      inet from $dominion_net4 to any keep state
pass in      inet6 from $dominion_net6 to any keep state
#
#
# 
# SSH is good
# 
# Does that really work?... I do backups over ssh... so it would be
# great to still have a responsive SSH Terminal Session while doing a
# backup...
pass in    log  quick inet  proto tcp  from any  to $dominion_net4 port 22 keep state queue( ssh, ssh_interac )
pass in    log  quick inet6 proto tcp  from any  to $dominion_net6 port 22 keep state queue( ssh, ssh_interac )
# 
# Core Services
# 
# apply queues for inbound traffic
pass in    log  quick inet  proto tcp  from any  to $int_if port { 443, 80 } flags S/SAFPRU keep state queue http
pass in    log  quick inet6 proto tcp  from any  to $int_if port { 443, 80 } flags S/SAFPRU keep state queue http
pass in    log  quick inet  proto tcp  from any  to $int_if port 21 flags S/SAFPRU keep state queue ftp
pass in    log  quick inet6 proto tcp  from any  to $int_if port 21 flags S/SAFPRU keep state queue ftp
pass in    log  quick inet  proto tcp  from any  to $int_if port { 25, 465 } flags S/SAFPRU keep state queue smtp
pass in    log  quick inet6 proto tcp  from any  to $int_if port { 25, 465 } flags S/SAFPRU keep state queue smtp
pass in    log  quick inet  proto tcp  from any  to $int_if port 53 flags S/SAFPRU keep state queue dns_tcp
pass in    log  quick inet6 proto tcp  from any  to $int_if port 53 flags S/SAFPRU keep state queue dns_tcp
pass in    log  quick inet  proto udp  from any  to $int_if port 53 keep state queue dns_udp
pass in    log  quick inet6 proto udp  from any  to $int_if port 53 keep state queue dns_udp
pass in    log  quick inet  proto tcp  from any  to $int_if port { 143, 993 } flags S/SAFPRU keep state queue imap
pass in    log  quick inet6 proto tcp  from any  to $int_if port { 143, 993 } flags S/SAFPRU keep state queue imap
pass in    log  quick inet  proto udp  from any  to $int_if port 123 keep state queue ntp
pass in    log  quick inet6 proto udp  from any  to $int_if port 123 keep state queue ntp
# 
# Management
# ($remote_monitor_host_ip_removed stands in for the monitoring host's
#  address, which was removed from the post; pfctl needs a defined macro here)
#
pass in         quick inet  proto udp  from $remote_monitor_host_ip_removed  to  $ext_if  port 161 keep state queue snmp
pass in         quick inet6 proto udp  from $remote_monitor_host_ip_removed  to  $ext_if  port 161 keep state queue snmp
#
# ICMP
#
pass in         quick  inet  proto icmp from any to any keep state queue icmp
pass in         quick  inet6 proto ipv6-icmp from any to any keep state queue icmp
#
#
# Localhost
#
pass in      quick on lo0 from { lo0, $int_if } to lo0
pass out     quick on lo0 from lo0 to { lo0, $int_if }
#
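Mistakes of the kind that creep into a ruleset like this one (a queue referenced under a slightly different name than the one it was defined with, a table that is still commented out, a macro used but never set, CBQ children that claim more than 100% of their parent between them) are easiest to catch with a cross-reference pass before running `pfctl -nf`. The following is an added example, not code from the post and not pfctl: a small Python linter that walks a pf.conf text and reports those four classes of problem. The excerpt it runs on is constructed to mirror the structure of the posted ruleset, and every function and regex name is this example's own.

```python
"""Static cross-reference checks for a pf.conf ruleset (added example, not from the post)."""
import re

# Constructed excerpt that mirrors the structure, and the slips, of the
# posted ruleset.  It is sample input, not the real configuration.
SAMPLE_CONF = r"""
ext_if="fxp0"
int_if="xl0"
dominion_net4="{ 212.25.4.24/29 }"
#table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
altq on $ext_if cbq bandwidth 768Kb queue { dft, tcp, tcp_ack }
queue tcp_ack bandwidth 10% priority 7 cbq(borrow ecn)
queue tcp bandwidth 60% priority 2 cbq(borrow ecn) { normal_tcp, other_tcp }
queue   normal_tcp bandwidth 60% priority 2 cbq(borrow ecn) { ssh, ssh_intrac }
queue     ssh bandwidth 10% priority 0 cbq(borrow ecn)
queue     ssh_intrac bandwidth 30% priority 7 cbq(borrow ecn)
queue   other_tcp bandwidth 60% priority 0 cbq(borrow ecn)
queue dft bandwidth 5% priority 0 cbq(borrow ecn default)
block in log quick on $ext_if inet from { $int_if, <rfc1918> } to any
pass out inet proto tcp from $dominion_net4 to any port 22 keep state queue( ssh, ssh_interac )
pass in quick inet proto udp from $remote_monitor_host_ip_removed to $ext_if port 161 keep state
"""

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')
MACRO_REF = re.compile(r"\$(\w+)")
TABLE_DEF = re.compile(r"^table\s+<(\w+)>")
TABLE_REF = re.compile(r"<(\w+)>")
ALTQ_DEF = re.compile(r"^altq\s+on\s+(\S+)\s.*\bqueue\s*\{([^}]*)\}")
QUEUE_DEF = re.compile(r"^queue\s+(\w+)\s+(.*)$")
BANDWIDTH = re.compile(r"\bbandwidth\s+(\d+(?:\.\d+)?)(%|[KMG]?b)(?!\w)")
CHILDREN = re.compile(r"\{([^}]*)\}")
QUEUE_REF = re.compile(r"\bqueue\s*(?:\(\s*([^)]*)\)|(\w+))")  # queue x / queue(x, y)

def strip_comments(text):
    """Drop comments and blank lines, keeping the logical lines in order."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [line for line in lines if line]

def _names(csv):
    return [t.strip() for t in csv.split(",") if t.strip()]

def parse_queues(lines):
    """Map each queue (and each altq root) to its % bandwidth and child list."""
    queues = {}
    for line in lines:
        m = ALTQ_DEF.match(line)
        if m:  # the root of a scheduler tree is 100% of its link
            queues["altq on " + m.group(1)] = {"pct": 100.0, "children": _names(m.group(2))}
            continue
        m = QUEUE_DEF.match(line)
        if m:
            name, rest = m.groups()
            bw, kids = BANDWIDTH.search(rest), CHILDREN.search(rest)
            queues[name] = {  # absolute (Kb/Mb) bandwidths stay out of the % sums
                "pct": float(bw.group(1)) if bw and bw.group(2) == "%" else None,
                "children": _names(kids.group(1)) if kids else [],
            }
    return queues

def undefined_queue_refs(lines, queues):
    """Queue names used by pass/block rules or listed as children but never defined."""
    missing = {c for q in queues.values() for c in q["children"] if c not in queues}
    for line in lines:
        if line.startswith(("pass", "block")):
            for m in QUEUE_REF.finditer(line):
                names = _names(m.group(1)) if m.group(1) is not None else [m.group(2)]
                missing.update(n for n in names if n not in queues)
    return missing

def undefined_table_refs(lines):
    defined = {m.group(1) for m in map(TABLE_DEF.match, lines) if m}
    return {m.group(1) for l in lines for m in TABLE_REF.finditer(l)} - defined

def undefined_macro_refs(lines):
    defined = {m.group(1) for m in map(MACRO_DEF.match, lines) if m}
    return {m.group(1) for l in lines for m in MACRO_REF.finditer(l)} - defined

def oversubscribed_parents(queues):
    """CBQ parents whose %-children add up to more than 100% of the parent."""
    over = {}
    for parent, info in queues.items():
        total = sum(queues[c]["pct"] for c in info["children"]
                    if c in queues and queues[c]["pct"] is not None)
        if total > 100:
            over[parent] = total
    return over

def lint(text):
    """Run every check over one pf.conf text and return the findings by name."""
    lines = strip_comments(text)
    queues = parse_queues(lines)
    return {
        "undefined_queues": undefined_queue_refs(lines, queues),
        "undefined_tables": undefined_table_refs(lines),
        "undefined_macros": undefined_macro_refs(lines),
        "oversubscribed": oversubscribed_parents(queues),
    }

if __name__ == "__main__":
    for check, found in lint(SAMPLE_CONF).items():
        print(f"{check}: {found}")
```

Feeding the real file is `lint(open("/etc/pf.conf").read())`. On the constructed excerpt it flags `ssh_interac` as undefined (the queue was defined as `ssh_intrac`), `rfc1918` as a table that is referenced but still commented out, the placeholder macro as unset, and the `tcp` parent as oversubscribed (two 60% children). The check is deliberately shallow: it knows nothing about rule ordering or interface addresses, so it complements `pfctl -nf` rather than replacing it.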