improve ruleset

[wesley]

Hello,

I'm using OpenBSD 4.6, i have this ruleset in production.
Is there someone that can help me to improve it ?
Thank's

Code:

# MACROS AND TABLES
wifi="vr0"
lan="fxp0"
dmz="rl0"
wan="vr1"
gwftp="192.168.0.46"
server="172.17.2.100"
dhcpwifi="{ 10.10.10.10 - 10.10.10.15 }"
table <publicts> persist
table <publicftp> persist

#NO FILTERING LOOPBACK
set skip on lo

#BLOCK POLICY
set block-policy drop

#TRAFFIC STANDARDIZATION
match in all scrub (no-df max-mss 1440) 

#NAT
nat on egress -> egress

#TRANSLATIONS
# ANCHOR TO PROTECT OUR FTP SERVER 
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#LAN TO FTP SERVER 
rdr on $lan proto tcp from $lan:network to \
	$server port 21 -> $gwftp \
	port 21

#FTP ACCESS FROM A SPECIFIC IP ADDRESS
rdr on egress proto tcp from <publicftp> to any port 21 -> $gwftp port 21 

#TS ACCESS FROM A SPECIFIC IP ADDRESS
rdr on egress proto tcp from <publicts> to any \
port 3389 -> $server port 3389
 
#FILTERING
# BLOCK ALL AND LOG !
block log all

#PROTECTION
antispoof for { $dmz, $lan, $wifi, egress } 

#ALLOW PINGS FROM LAN
pass inet proto icmp from $lan:network \
to any icmp-type { echoreq, unreach }

#FW OUT
pass out quick on egress proto tcp from egress 
pass out quick on egress proto udp from egress 

# WIFI PORTS OUT https, smtp, et pop3
pass in quick on { !$lan, !$dmz } proto tcp from $dhcpwifi \
	to any port { https, smtp, pop3 }

# WIFI DOMAIN PORT OUT
pass in quick on { !$lan, $dmz } proto udp from $dhcpwifi \
	to any port domain

# ALLOW LAN TO ANYTHING
pass in quick on { !$wifi, !dmz } proto tcp from $lan:network
pass in quick on { !$wifi, $dmz } proto udp from $lan:network

#DMZ TS ACCESS FROM LAN AND WAN
pass out on $dmz proto tcp from $lan:network to $server port 3389
pass out on $dmz proto tcp from <publicts> to $server port 3389
pass in on egress proto tcp from <publicts> to $server port 3389 

#DMZ FTP ACCESS
pass in on egress inet proto tcp from <publicftp> to $gwftp port 21 \
	flags S/SA keep state
pass out on $dmz inet proto tcp to $server port 21 \
	user proxy flags S/SA keep state
anchor "ftp-proxy/*"

[jggimi]

Wesley, that is a clear and easy to read set of rules; nice job!

The following are for consideration, they are just my suggestions:

• I prefer block-policy return to block-policy drop. From my experience, such "stealth" settings do not hide your system from port scanning script kiddies very well, and cause delay to legitimate users who either select the wrong port or the right port when a service is down. And, in the same way, I permit ICMP traffic to flow both ways, not just outbound, as you have.

• Syntax error?

Code:

pass in quick on { !$wifi, !dmz } proto tcp from $lan:network
pass in quick on { !$wifi, $dmz } proto udp from $lan:network

First line has "!dmz" and the second line has "$dmz".

• I do not allow unrestricted SMTP output, as you have for your LAN users. I only permit TCP traffic to destination port 25 with a limited number of valid MTAs. This is to prevent any platform on my networks from becoming an effective spam-spewing robot. They may still get p0wned, but they will not be able to simulate being their own MTA and spew spam randomly; any e-mail output must go through a valid MTA, where such things should be quickly noticed.

[J65nko]

Some of your rules still could use quick.

If you do not use IPv6, you could use inet proto tcp in all rules. In some rules you already use it, so why not be consistent?

You still use S/SA keep state in some tcp rules. This has been the default for quite some time. Do a verbose listing of your rules to see this

Code:

# pfctl -vvnf /etc/pf.conf