# See pf.conf(5) and /usr/share/pf for syntax and examples.
# pf.conf configuration for monet.dk
# $Id$
#
# Layout:
#
# ext_if1 -------+              +------- int_if1
# 80.80.80.2     |  +--------+  |        192.168.1.1
#                +--|Router /|--+
#                +--|Firewall|--+
#                |  +--------+  |
# ext_if2 -------+              +------- int_if2
# 90.90.90.246                           192.168.2.1
#
# ext_if1:
#	SITE1's external interface
# ext_if2:
#	SITE2's external interface
# int_if1:
#	SITE1's internal interface
# int_if2:
#	SITE2's internal interface
#
# Policy summary:
# Traffic from SITE1's subnet must be NAT'ed through its own
# ADSL connection.
# Traffic from SITE2's subnet must be NAT'ed through its own
# ADSL connection.
# All network traffic must flow unrestricted between SITE1 and SITE2 subnets.
#
# NOTE(review): in this rendering of the file the angle-bracketed table
# names are missing: the "table ... file" definitions carry no name, and the
# "block ... from to any" / "to label" rules below have nothing between
# "from" and "to". They were most likely stripped by the page renderer, not
# omitted by the author; restore them from the original before loading this
# file with pfctl, or every one of those lines is a syntax error.
#
# Evaluation model (pf.conf(5)): rules are evaluated top to bottom and the
# LAST matching rule decides, except that a rule marked "quick" is final.
# Several comments below depend on that ordering.
#
# Macro definitions
#
# Addresses and subnets:

# ext_if1 -- SITE1's external interface and gateway
ext_if1 = "fxp0"
ext_gw1 = "80.80.80.1"

# ext_if2 -- SITE2's external interface and gateway
ext_if2 = "fxp1"
ext_gw2 = "90.90.90.245"
# NOTE(review): $ext_gw1 and $ext_gw2 are defined but never referenced in
# this file, so no route-to/reply-to policy routing happens here; which
# ADSL link a packet leaves on is decided by the kernel routing table alone.

# int_if1 -- SITE1's internal interface
int_if1 = "fxp2"

# int_if2 -- SITE2's internal interface
int_if2 = "fxp3"

# SITE1's subnet (expanded at load time from the interface's configured
# network; the interface must have its address before pf.conf is loaded)
subnet1 = "fxp2:network"

# SITE2's subnet
subnet2 = "fxp3:network"

# Table definitions
# "persist" keeps a table alive even while no rule references it, so it can
# be replaced at run time (pfctl -t ... -T replace) without a full reload.
# The first three are read from files; the fourth is a constant set of
# loopback and RFC1918 space used by the "privnets" rules further down.
# (Table names missing here -- see the note at the top of the file.)
table persist file "/etc/spamd.list"
table persist file "/etc/spamd.white.list"
table persist file "/etc/black.list"
table const { 127/8, 192.168/16, 172.16/12, 10/8 }

# Protocols/services:
nat_proto = "{tcp, udp, icmp}"
# NOTE(review): $public_services is never used below; the smtp and ssh pass
# rules are written out explicitly instead. Either reference it or drop it so
# the macro does not suggest http/dns are exposed when they are not.
public_services = "{ssh, http, dns}"

# Options
set limit frags 30000
set limit states 10000
# NOTE(review): pf keeps only ONE loginterface; the second "set loginterface"
# replaces the first, so "pfctl -s info" will show counters for $ext_if2
# only. Per-interface counters for both links are available from
# "pfctl -s Interfaces -v" instead.
set loginterface $ext_if1
set loginterface $ext_if2
set optimization normal
# Blocked packets are silently dropped (no RST / ICMP unreachable) unless a
# rule below says "return-icmp" explicitly.
set block-policy drop
# States are bound to the interface they were created on, so a reply that
# arrives on the other ADSL link does not match a state made on the first.
set state-policy if-bound
set fingerprints "/etc/pf.os"
set debug urgent

# Scrub rules
# Normalize and reassemble all traffic; outgoing packets also get
# randomized IP identification fields.
scrub in all
scrub out all random-id

# NAT rules
# Each site's subnet is masqueraded behind the address of its own external
# interface. "($ext_ifN)" in parentheses is re-evaluated at run time, so a
# changing ADSL address does not require a reload.
nat on $ext_if1 inet proto $nat_proto from $subnet1 to any -> ($ext_if1)
nat on $ext_if2 inet proto $nat_proto from $subnet2 to any -> ($ext_if2)

# Filtering rules
#
# Start by blocking everything!
# Default deny in every direction on every interface; everything that is
# allowed must be passed explicitly below.
block log all label "block all"

# Tag the two subnets when traffic comes in
# The tag is stored with the state and is what the "tagged SUB1/SUB2"
# rules on the external interfaces check, so each site's traffic can only
# leave through its own ADSL link.
pass in on $int_if1 all tag SUB1 keep state label "tagging SUB1"
pass in on $int_if2 all tag SUB2 keep state label "tagging SUB2"

# Block my different lists
# (Table names between "from" and "to" are missing in this rendering; the
# labels say which table each rule used.)
# NOTE(review): the spamd *white* list is blocked here exactly like the
# blacklists -- confirm that is intended and not a copy/paste slip.
block in log quick on { $ext_if1, $ext_if2 } from to any label "blacklist"
block in log quick on { $ext_if1, $ext_if2 } from to any label "privnets"
block in log quick on { $ext_if1, $ext_if2 } from to any label "spamd"
block in log quick on { $ext_if1, $ext_if2 } from to any label "spamd-white"

# Allow all on loopback interface
# "quick" matters here: the antispoof rules further down would otherwise
# be the last match for some loopback traffic and block it.
pass quick on lo0 all label "loopback"

# Allow connections from the private LAN
# TCP: only the initial SYN ("flags S/SA") creates state; the rest of the
# connection is handled by the state table. The "out" rules let either
# site reach the other, which is the "unrestricted between SITE1 and SITE2"
# requirement from the header.
# NOTE(review): these rules use "flags S/SA" without "proto tcp"; how pfctl
# treats flags on a rule with no protocol depends on the pf version --
# confirm the rule still matches only TCP on the target system.
pass in on $int_if1 from $subnet1 to any flags S/SA keep state label "intranet1 inbound tcp"
pass in on $int_if2 from $subnet2 to any flags S/SA keep state label "intranet2 inbound tcp"
pass out on $int_if1 from {$subnet1, $subnet2} to $subnet1 flags S/SA keep state label "intranet1 outbound tcp"
pass out on $int_if2 from {$subnet1, $subnet2} to $subnet2 flags S/SA keep state label "intranet2 outbound tcp"
# UDP has no handshake, so state is created on the first packet seen.
pass in on $int_if1 proto udp from $subnet1 to any keep state label "intranet1 udp inbound"
pass in on $int_if2 proto udp from $subnet2 to any keep state label "intranet2 udp inbound"
pass out on $int_if1 proto udp from {$subnet1, $subnet2} to $subnet1 keep state label "intranet1 udp outbound"
pass out on $int_if2 proto udp from {$subnet1, $subnet2} to $subnet2 keep state label "intranet2 udp outbound"

# Allow DNS lookups
# Queries that were NAT'ed behind each external address; the tag keeps
# SITE1 lookups on ADSL 1 and SITE2 lookups on ADSL 2.
pass out on $ext_if1 proto udp from ($ext_if1) to any port 53 tagged SUB1 keep state label "outbound DNS ext_if1"
pass out on $ext_if2 proto udp from ($ext_if2) to any port 53 tagged SUB2 keep state label "outbound DNS ext_if2"

# Allow all connections originating from the firewall
# NOTE(review): the original comment below says "redirects", but these are
# filter rules, not route-to rules: they only PERMIT SUB1-tagged TCP SYNs on
# ext_if1 and SUB2-tagged ones on ext_if2. The egress interface is chosen by
# the routing table; a SITE2 packet that the kernel routes out ext_if1 is
# logged and dropped by "block all", not moved to ext_if2.
# Also, untagged traffic from the firewall itself (its own TCP sessions, and
# any UDP/ICMP other than the DNS rules above) matches nothing here and is
# dropped -- confirm that is the intended policy for the box's own egress.
# This redirects traffic from int_if1 (tagged SUB1) to the ext_if1 interface and
# traffic from int_if2 (tagged SUB2) to ext_if2
pass out quick on $ext_if1 from ($ext_if1) to any flags S/SA tagged SUB1 keep state label "ext_if1 outbound"
pass out quick on $ext_if2 from ($ext_if2) to any flags S/SA tagged SUB2 keep state label "ext_if2 outbound"

# No, you cannot spoof one of the firewalls interface addresses!
# Expands into block rules for packets whose source address belongs to one
# of these interfaces/networks but that arrive on a different interface.
# It is deliberately placed AFTER the LAN pass rules: without "quick" the
# last match wins, so a spoofed packet that an earlier pass rule accepted is
# still blocked here.
antispoof log for {$ext_if1, $ext_if2, $int_if1, $int_if2} label "antispoof"

# And no, we don't route RFC1918 addresses either!
# The inbound pair duplicates the "privnets" rule above (harmless, but one
# of the two could go); the outbound pair stops private addresses from
# leaking onto the ADSL links.
block drop in log quick on $ext_if1 from to any label "block inbound privnets ext_if1"
block drop in log quick on $ext_if2 from to any label "block inbound privnets ext_if2"
block out log quick on $ext_if1 from any to label "block outbound privnets ext_if1"
block out log quick on $ext_if2 from any to label "block outbound privnets ext_if2"

# Block inbound connections to port 113(auth) and
# return ICMP destination unreachable
# A fast negative answer stops remote mail/IRC servers from waiting on an
# ident timeout before accepting our connections.
block return-icmp in log quick on $ext_if1 proto tcp from any to ($ext_if1) port auth label "block auth ext_if1"
block return-icmp in log quick on $ext_if2 proto tcp from any to ($ext_if2) port auth label "block auth ext_if2"

# Allow inbound connections to port 25 (smtp)
# NOTE(review): unlike every other pass rule in this file these carry no
# "keep state" and no "flags S/SA". Stateless, the mail server's replies
# have to match an outbound pass rule on their own, and the only outbound
# TCP rules on $ext_ifN accept SYNs tagged SUB1/SUB2 -- a SYN/ACK reply is
# neither -- so the replies most likely fall through to "block all".
# Adding "flags S/SA keep state" (and dropping udp, which SMTP does not use)
# would make these consistent with the ssh rules below; confirm against
# observed behaviour before changing.
pass in quick on $ext_if1 inet proto {tcp, udp} from any to ($ext_if1) port smtp label "smtp inbound ext_if1"
pass in quick on $ext_if2 inet proto {tcp, udp} from any to ($ext_if2) port smtp label "smtp inbound ext_if2"

# Allow ssh connections
# NOTE(review): ssh is accepted from ANY source on both external interfaces.
# Consider limiting the source to a table of management addresses and, if
# the pf version supports it, a per-source connection-rate limit with an
# overload table; the black/spamd tables above only help once their names
# are restored and the files actually load.
pass in on $ext_if1 inet proto tcp from any to ($ext_if1) port ssh keep state label "ssh inbound ext_if1"
pass in on $ext_if2 inet proto tcp from any to ($ext_if2) port ssh keep state label "ssh inbound ext_if2"
pass in on $int_if1 inet proto tcp from any to ($int_if1) port ssh keep state label "ssh inbound int_if1"
pass in on $int_if2 inet proto tcp from any to ($int_if2) port ssh keep state label "ssh inbound int_if2"