



Archive: openbsd@sikurezza.org
Subject: Re: [openbsd] PF: block all and directions
From: Maurizio D'Antonio
Date: Tue, 11 Oct 2005 18:38:10 +0200 (CEST)
Could you kindly check the following firewall rules and help me do some
cleanup and tuning.
It is a copy and paste of several PF examples found on the internet, with some
natural adaptations.

My setup is the following:
#
# LAN---[FW2]----|
#                |
#         WWW----|
#       MAIL1----|-------[OBSDPF]------[cisco]- - -<adsl>
#       MAIL2----|
#        DNS1----|
#        DNS2----|
#

ext_if="xl0"
int_if="xl1"
network="212.203.x.0/24"

MAIL1="212.203.x.5"
MAIL2="212.203.x.6"

WWW="212.203.x.7"

DNS1="212.203.x.3"
DNS2="212.203.x.4"

set limit { states 20000, frags 20000 }
set optimization aggressive
set block-policy return
set state-policy if-bound
set loginterface $ext_if
set skip on { lo0 }

table <reserved> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255 }

scrub in on $ext_if all

# To do...
# I need to give more bandwidth to www_in(3) smtp_in(5) dns(4); the rest I
# dedicate to the lan_out clients
#altq on $ext_if priq bandwidth 512Kb queue { std_out, std_ack, ssh_upl, ssh_int, str_out, str_ack }
#    queue std_out priority 0 priq(default)
#    queue std_ack priority 2
#    queue ssh_upl priority 1
#    queue ssh_int priority 3
#    queue str_out priority 4
#    queue str_ack priority 5

# Default policy. 
block out log on $ext_if all
block in  log on $ext_if all

# Traffic from the local interface is allowed.
pass in quick on $int_if from ($int_if) keep state

# drop spoofed packets and martians
block in  quick on $ext_if inet from <reserved> to   any
block out quick on $ext_if inet from any to <reserved>
block out log quick on $ext_if from ! ($ext_if) to   any

# antispoof
antispoof for { $int_if, $ext_if }

# OS detection
block drop in quick on $ext_if from any os { SCO, NMAP }

#stop port scanning
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP

# Allow web browsing from inside the network
pass in quick on $int_if proto udp from $network to any port = 53 keep state
pass in quick on $int_if proto tcp from $network to any port = 80 flags S/SA keep state

# Allow access from the internet to the following services
# DNS 1/2 ("flags" is only valid for tcp, so udp gets its own rule)
pass in  quick on $ext_if inet proto tcp from any to { $DNS1, $DNS2 } port = domain flags S/SA keep state
pass in  quick on $ext_if inet proto udp from any to { $DNS1, $DNS2 } port = domain keep state
pass out quick on $ext_if inet proto {tcp,udp} from { $DNS1, $DNS2 } to any port = domain keep state

# WWW
pass in quick on $ext_if proto tcp from any to $WWW port = 80 flags S/SA keep state

# SMTP 1/2 (SMTP is tcp only)
pass in  quick on $ext_if inet proto tcp from any to $MAIL1 port = smtp flags S/SA keep state
pass out quick on $ext_if inet proto tcp from $MAIL1 to any port = smtp keep state
pass in  quick on $ext_if inet proto tcp from any to $MAIL2 port = smtp flags S/SAFR modulate state

# Anything else arriving on $ext_if is refused (RST for tcp, ICMP unreachable for udp)
block return-rst in quick on $ext_if proto tcp all
block return-icmp in quick on $ext_if proto udp all
block in quick on $ext_if all

# Stop broadcasts, garbage, etc.
# Note: never reached, the "block in quick on $ext_if all" above already matches every inbound packet
block drop in quick on $ext_if inet from any to ! ($ext_if)
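To see how PF picks the rule that decides a packet (the last matching rule wins, a matching rule with `quick` ends evaluation at once, and a packet no rule matches is passed), here is a small Python evaluator loaded with a subset of the ruleset above. It is an added example written for this archive page, not PF code and not something from the original post. The addresses are constructed: RFC 5737 documentation ranges stand in for the anonymised 212.203.x.0/24 network and for the unknown address of xl0, and flags, logging and state options are left out.

```python
# Added example: a toy evaluator that mimics how PF selects a rule.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

EXT_IF, INT_IF = "xl0", "xl1"
# Constructed addresses: RFC 5737 documentation ranges stand in for the
# poster's anonymised 212.203.x.0/24 and for the (unknown) address of xl0.
EXT_ADDR = ipaddress.ip_network("203.0.113.2/32")
NETWORK = ipaddress.ip_network("198.51.100.0/24")
DNS1 = ipaddress.ip_network("198.51.100.3/32")
WWW = ipaddress.ip_network("198.51.100.7/32")
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out", as seen by the firewall
    iface: str
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_ok(addr, nets, negate):
    if not nets:                # empty list means "any"
        return True
    hit = any(ipaddress.ip_address(addr) in n for n in nets)
    return not hit if negate else hit


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str
    iface: str
    quick: bool = False
    proto: tuple = ()           # () means any protocol
    src: list = field(default_factory=list)   # [] means any source
    dst: list = field(default_factory=list)   # [] means any destination
    dport: Optional[int] = None
    negate_src: bool = False    # "from ! ..."
    negate_dst: bool = False    # "to ! ..."

    def matches(self, p):
        if (self.direction, self.iface) != (p.direction, p.iface):
            return False
        if self.proto and p.proto not in self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return (_addr_ok(p.src, self.src, self.negate_src)
                and _addr_ok(p.dst, self.dst, self.negate_dst))


# A subset of the poster's rules, in the poster's order.
RULES = [
    Rule("block", "out", EXT_IF),                                        # 0 default
    Rule("block", "in", EXT_IF),                                         # 1 default
    Rule("pass", "in", INT_IF, True, ("udp",), [NETWORK], [], 53),       # 2 lan dns
    Rule("block", "in", EXT_IF, True, src=RESERVED),                     # 3 martians
    Rule("block", "out", EXT_IF, True, dst=RESERVED),                    # 4
    Rule("block", "out", EXT_IF, True, src=[EXT_ADDR], negate_src=True), # 5 from !($ext_if)
    Rule("pass", "in", EXT_IF, True, ("tcp", "udp"), [], [DNS1], 53),    # 6 dns
    Rule("pass", "in", EXT_IF, True, ("tcp",), [], [WWW], 80),           # 7 www
    Rule("block", "in", EXT_IF, True, ("tcp",)),                         # 8 return-rst
    Rule("block", "in", EXT_IF, True, ("udp",)),                         # 9 return-icmp
    Rule("block", "in", EXT_IF, True),                                   # 10 block all
    Rule("block", "in", EXT_IF, True, dst=[EXT_ADDR], negate_dst=True),  # 11 to !($ext_if)
]


def evaluate(rules, p):
    """PF semantics: the last matching rule wins, unless a matching rule has
    'quick', which ends evaluation at once. If nothing matches PF passes the
    packet, which is why the 'block ... all' defaults at the top matter."""
    winner = None
    for i, r in enumerate(rules):
        if r.matches(p):
            winner = i
            if r.quick:
                break
    return ("pass", None) if winner is None else (rules[winner].action, winner)


def shadowed(rules):
    """Indices of rules that can never match because an earlier 'quick' rule
    with no qualifiers covers the same interface and direction (a deliberately
    simple check, not a full reachability analysis)."""
    return [i for i, r in enumerate(rules)
            if any(e.quick and (e.direction, e.iface) == (r.direction, r.iface)
                   and not (e.proto or e.src or e.dst or e.dport is not None)
                   for e in rules[:i])]


if __name__ == "__main__":
    samples = [  # constructed packets; 192.0.2.10 plays an internet host
        Packet("in", EXT_IF, "udp", "192.0.2.10", "198.51.100.3", 53),
        Packet("in", EXT_IF, "tcp", "10.1.2.3", "198.51.100.7", 80),
        Packet("in", EXT_IF, "tcp", "192.0.2.10", "198.51.100.7", 22),
        Packet("out", EXT_IF, "tcp", "198.51.100.7", "192.0.2.10", 443),
    ]
    for p in samples:
        print(p.direction, p.proto, p.src, "->", p.dst, p.dport, evaluate(RULES, p))
    print("rules that can never match:", shadowed(RULES))
```

Two things the toy makes visible. First, rule 11 (`block drop in quick on $ext_if inet from any to ! ($ext_if)`) is shadowed by rule 10, which already matches every inbound packet on xl0 with `quick`. Second, rule 5 (`block out log quick on $ext_if from ! ($ext_if) to any`) blocks a packet from the WWW host leaving xl0, because the DMZ hosts do not carry the firewall's own address. The toy has no state table; on a real PF box a packet that matches an existing state never consults the rules, and with the default floating states the state created by `pass in quick on $int_if ... keep state` would cover that outbound packet. The ruleset above sets `set state-policy if-bound`, which binds each state to the interface it was created on, so a state made on xl1 does not match on xl0 and rule 5 is consulted. `pfctl -vsr` shows per-rule evaluation and match counters, which is the quickest way to confirm on the box which rules actually decide traffic.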


www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005