The OpenBSD box runs as the router and firewall for the internal network. The main objective is to let the internal computers reach the Internet freely while protecting them from it: only necessary traffic is allowed in. Here are all the rules. Note that ftp clients behind the firewall do not work in active mode; ftp-proxy would have to run on the firewall to enable it. I have no intention of setting that up for now, since most ftp servers support passive mode nowadays anyway.

# macros.
ext_if = "sis0"
int_if = "sis1"
 
rd_box = "192.168.0.10"
bt_box = "192.168.0.10"
bt_ports = "6881:6999"
 
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
 
tcp_services = "{ 22, 25, 143 }"
icmp_types = "echoreq"
 
# options.
set block-policy return
 
# normalize all packets.
scrub in all
 
# nat on the external interface.
nat on $ext_if from $int_if:network to any -> ($ext_if)
 
# redirect certain ports.
# Windows Remote Desktop Service.
rdr on $ext_if proto tcp from any to any port 3389 -> $rd_box
# BitTorrent.
rdr on $ext_if proto tcp from any to any port $bt_ports -> $bt_box
 
# default to deny-all policy.
block all
# loopback interface is OK.
pass quick on lo0 all
 
# block rfc 1918 addresses from the public Internet.
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
 
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
 
# pass the redirected ports. protect internal machines from tcp syn flood.
pass in on $ext_if proto tcp from any to $rd_box port 3389 \
    flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $bt_box port $bt_ports \
    flags S/SA synproxy state
 
# allow certain types of icmp.
pass in inet proto icmp all icmp-type $icmp_types keep state
 
# allow connections from and to the internal network
pass in on $int_if from $int_if:network to any
pass out on $int_if from any to $int_if:network
 
# allow outgoing connections
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
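To make the evaluation order concrete (pf takes the last matching rule unless a matching rule is "quick"), here is a small Python model of the ruleset above, written for this page rather than taken from pf. It assumes the external address 203.0.113.1 and the internal network 192.168.0.0/24, and does not model nat, state tracking or icmp types.

```python
import ipaddress

# Constructed model of the ruleset above, not pf itself. Assumptions: external
# address 203.0.113.1, internal network 192.168.0.0/24; nat, state tracking and
# icmp types are not modelled. A rule is (action, dir, iface, proto, src_nets,
# dst_nets, dst_ports, quick), with None meaning "any". pf walks the list top to
# bottom: the LAST matching rule wins, unless a matching rule is "quick".
EXT_ADDR = "203.0.113.1"
INT_NET = ["192.168.0.0/24"]
PRIV = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
BT_PORTS = set(range(6881, 7000))
RULES = [
    ("block", None, None, None, None, None, None, False),          # block all
    ("pass", None, "lo0", None, None, None, None, True),
    ("block", "in", "sis0", None, PRIV, None, None, True),          # anti-spoof
    ("block", "out", "sis0", None, None, PRIV, None, True),
    ("pass", "in", "sis0", "tcp", None, [EXT_ADDR], {22, 25, 143}, False),
    ("pass", "in", "sis0", "tcp", None, ["192.168.0.10"], {3389}, False),
    ("pass", "in", "sis0", "tcp", None, ["192.168.0.10"], BT_PORTS, False),
    ("pass", "in", None, "icmp", None, None, None, False),
    ("pass", "in", "sis1", None, INT_NET, None, None, False),
    ("pass", "out", "sis1", None, None, INT_NET, None, False),
    ("pass", "out", "sis0", "tcp", None, None, None, False),
    ("pass", "out", "sis0", "udp", None, None, None, False),
    ("pass", "out", "sis0", "icmp", None, None, None, False),
]
# rdr runs before filtering, so the pass rules must name the translated destination.
RDR = [("sis0", "tcp", {3389}, "192.168.0.10"), ("sis0", "tcp", BT_PORTS, "192.168.0.10")]

def in_nets(addr, nets):
    return nets is None or any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)

def evaluate(direction, iface, proto, src, dst, dport=None):
    """Return (index, action) of the rule that decides one packet's fate."""
    if direction == "in":
        for r_if, r_proto, r_ports, new_dst in RDR:
            if iface == r_if and proto == r_proto and dport in r_ports:
                dst = new_dst
    winner = None
    for i, (action, r_dir, r_if, r_proto, r_src, r_dst, r_ports, quick) in enumerate(RULES):
        if r_dir not in (None, direction) or r_if not in (None, iface):
            continue
        if r_proto not in (None, proto) or not in_nets(src, r_src) or not in_nets(dst, r_dst):
            continue
        if r_ports is not None and dport not in r_ports:
            continue
        winner = (i, action)
        if quick:
            break
    return winner
```

Running a spoofed 10.0.0.0/8 source against sis0 stops at the quick anti-spoof rule, while a connection to port 80 on the external address falls all the way back to "block all".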