pf Packet Filter - HOW-TOs, example configurations, rulesets, NAT, etc.
This document is developed and improved largely through the active participation of its readers; contributions in the form of questions, suggestions or comments are welcome. Thank you.
Since version 3.0, OpenBSD's firewall has been pf; before that, IPFilter was used.
References:
- The official pf FAQ. This is the main reference.
- PF: Firewall Ruleset Optimization, by Daniel Hartmeier
- Firewalling with OpenBSD's PF packet filter, by Peter N. M. Hansteen
- The Open Road: OpenBSD's Packet Filter (part 1), in Unix Review
- The Open Road: Return of Packet Filter (part 2), in Unix Review
- There is a repository of pf and altq rulesets here.
Examples:
Configuration for a router/firewall that also hosts a few services, on an ADSL connection.
# Example pf configuration - pf.conf
# OpenBSD 3.6 GENERIC
# Nuno Morgadinho <nuno@openbsd-pt.org>
# 12-06-2005
# Macros: user-defined variables; may hold IP addresses, interfaces, ports, etc.
ext_if = "tun0"
int_if = "ne3"
tcp_services = "{ 22, 80, 8080, 443 }"
icmp_types = "{ 8, 11 }"
internal_net = "192.168.1.0/24"
# Address list: a macro holding the private/non-routable networks (pf tables
# are the better fit for large or frequently changing address lists)
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# Options: settings that control how the firewall behaves
set loginterface $ext_if
# Scrub: reprocess packets to normalize and defragment them
scrub in all
# Queueing: provides bandwidth control and packet prioritization (not used here)
# Translation: controls NAT and packet redirection
nat on $ext_if from $internal_net to any -> ($ext_if)
# forward traffic to machines on the internal LAN
rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.34 port 80
rdr on $ext_if proto tcp from any to any port 8080 -> 127.0.0.1 port 443
rdr on $ext_if proto tcp from any to any port 22 -> 192.168.1.34 port 22
# forward www traffic from the LAN to squid (transparent proxy)
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128
# rdr for the squid report (port unchanged)
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1
# Filter rules: selective filtering or blocking of packets. The last matching
# rule wins, except that a matching rule marked quick is final at once; filter
# rules are evaluated after translation, so they see the rewritten addresses.
# set up a default deny policy
block in log all
block out log all
# pass traffic on the loopback interface in either direction
pass quick on lo0 all
# activate spoofing protection for the internal interface
antispoof quick for $int_if inet
# things to block but not log because they are irritating (DHCP/BOOTP chatter)
block in quick on $ext_if proto { tcp, udp } from any to any port { 67, 68 }
block in quick on $ext_if proto { tcp, udp } from any port { 67, 68 } to any
# don't allow anyone to spoof non-routable addresses: these should never appear
# on a public Internet interface, and they are worth logging
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets
# immediate blocks: drop any "nmap"-style probe with an impossible flag
# combination (Xmas, SYN+FIN and null scans)
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
# allow our services (incoming connections to the redirected ports included)
pass in on $ext_if inet proto tcp from any to any port $tcp_services keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
# www transparent proxy: the rdr above has already rewritten the destination
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
# pass all traffic to and from the local network
pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state
# pass tcp, udp and icmp out on the external (Internet) interface;
# keep state on udp and icmp and modulate state on tcp
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
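Reading a ruleset in this style depends on one property of pf's filter evaluation: rules are checked top to bottom, the last matching rule decides, and a matching rule marked quick ends evaluation immediately. Two consequences matter in practice: a later non-quick pass rule overrides an earlier one for the same traffic (so the keep state version of a duplicated pass rule is the one that takes effect), and a rule that repeats an earlier quick rule can never match, so adding log only to the later copy logs nothing. The Python model below is an added illustration, not code from OpenBSD or from this page's author; it applies those semantics to a constructed, reduced ruleset in the style of the ADSL config, and the macro values, sample packets (TEST-NET addresses) and the deliberately duplicated spoof rule are all constructed for the example.

```python
"""pf filter-rule evaluation model: rules are walked in order and the LAST matching
rule decides, unless a matching rule carries 'quick', which ends the walk at once.
Added example for this page, not OpenBSD code; parses only the pf.conf subset used below."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PORT_NAMES = {"www": 80, "ssh": 22, "https": 443}  # service names this model knows
Packet = namedtuple("Packet", "direction iface proto src dst sport dport")

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    text: str                        # the rule as written, for reporting
    direction: Optional[str] = None  # "in", "out" or None for either
    quick: bool = False
    log: bool = False
    iface: Optional[str] = None      # None matches any interface
    protos: list = field(default_factory=list)          # [] = any protocol
    src: list = field(default_factory=lambda: ["any"])  # networks, or "any"
    dst: list = field(default_factory=lambda: ["any"])
    sports: set = field(default_factory=set)            # empty = any port
    dports: set = field(default_factory=set)
    hits: int = 0                    # like the Packets counter of pfctl -vsr

def tokenize(line, macros):
    """Expand $macros and split; a '{ a, b }' list becomes one multi-valued token."""
    line = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line)
    line = line.replace("{", " { ").replace("}", " } ").replace(",", " ")
    return [t.strip("{} ").split() if t.startswith("{") else [t]
            for t in re.findall(r"\{[^}]*\}|\S+", line)]

def parse_rule(line, macros):
    toks = tokenize(line, macros)
    r, side, i = Rule(action=toks[0][0], text=line), "dst", 1
    while i < len(toks):
        t = toks[i][0]
        if t in ("in", "out"):
            r.direction = t
        elif t in ("quick", "log"):
            setattr(r, t, True)
        elif t in ("on", "proto", "from", "to", "port", "flags", "icmp-type"):
            i, arg = i + 1, toks[i + 1]  # keywords that consume one argument
            if t == "on":
                r.iface = arg[0]
            elif t == "proto":
                r.protos = arg
            elif t in ("from", "to"):
                side = {"from": "src", "to": "dst"}[t]
                setattr(r, side, arg)
            elif t == "port":  # source or destination port, per the last from/to
                setattr(r, side[0] + "ports", {PORT_NAMES.get(p) or int(p) for p in arg})
        i += 1  # 'all', 'inet', 'keep', 'modulate', 'state' and flag values are ignored
    return r

def in_nets(specs, ip):
    return "any" in specs or any(ip_address(ip) in ip_network(s, strict=False) for s in specs)

def matches(r, p):
    return ((r.direction in (None, p.direction)) and (r.iface in (None, p.iface))
            and (not r.protos or p.proto in r.protos)
            and in_nets(r.src, p.src) and in_nets(r.dst, p.dst)
            and (not r.sports or p.sport in r.sports) and (not r.dports or p.dport in r.dports))

def evaluate(rules, p):
    """Return the rule that decides p, or None: when nothing matches, pf passes the packet."""
    winner = None
    for r in rules:
        if matches(r, p):
            r.hits, winner = r.hits + 1, r
            if r.quick:
                break  # quick: evaluation stops here, this rule is final
    return winner

# Constructed reduced ruleset in the style of the ADSL config above; the second spoof rule differs only by 'log'.
MACROS = {"ext_if": "tun0", "tcp_services": "{ 22, 80, 8080, 443 }",
          "priv_nets": "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"}
RULESET = [
    "block in log all",
    "block out log all",
    "block in quick on $ext_if from $priv_nets to any",
    "block in log quick on $ext_if from $priv_nets to any",
    "pass in on $ext_if inet proto tcp from any to any port www",
    "pass in on $ext_if inet proto tcp from any to any port $tcp_services keep state",
    "pass out on $ext_if proto tcp all modulate state flags S/SAFR",
]

def demo():
    """Constructed sample packets (TEST-NET addresses) through RULESET: who decided, and what never matched."""
    rules = [parse_rule(line, MACROS) for line in RULESET]
    packets = [("web", Packet("in", "tun0", "tcp", "203.0.113.5", "198.51.100.1", 40000, 80)),
               ("spoofed", Packet("in", "tun0", "tcp", "10.0.0.9", "198.51.100.1", 40000, 80)),
               ("dns", Packet("in", "tun0", "udp", "203.0.113.5", "198.51.100.1", 53, 40000)),
               ("outbound", Packet("out", "tun0", "tcp", "198.51.100.1", "203.0.113.5", 40000, 443))]
    # every packet hits at least a default 'block ... all' rule, so evaluate() is never None here
    report = {name: (w.action, w.text, w.log) for name, w in ((n, evaluate(rules, p)) for n, p in packets)}
    report["never_matched"] = [r.text for r in rules if r.hits == 0]
    return report
```

Running demo() shows the web packet decided by the later keep state rule rather than the stateless one, the spoofed packet blocked by the first quick rule without being logged, and the duplicated log rule never matching any packet. On a real OpenBSD box the equivalent checks are pfctl -nf /etc/pf.conf, which parses a ruleset without loading it, and pfctl -vsr, whose per-rule counters expose a rule that never matches under traffic that should hit it, the signature of a rule shadowed by an earlier quick rule.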
On an i386 laptop running OpenBSD 3.5 GENERIC, the configuration for a simple wireless client is as follows:
# /etc/pf.conf
# Rui Reis
# simple firewall configuration for an OpenBSD wireless client
wifi_if = "wi0"
# block by default
block in log all
# loopback is good
pass out quick on lo0 all
pass in quick on lo0 all
# keep broadcast away from your logs
block in quick on $wifi_if inet from any to { 255.255.255.255, 192.168.0.255 }
# allow everything outbound
pass out quick on $wifi_if all keep state