[Solved] PF rules question


mefizto
October 22nd, 2010, 05:42
Greetings all,

this is my first attempt to write a rule-set for PF firewall:


# Macros
#Interfaces
ExtInt="bge0"

#Services
TcpServices="{ssh, www, https, domain, smtp}"
UdpServices="{domain}"
IcmpTypes="{echoreq, unreach}" #Ping
MailPorts="{smtp, imaps}"

# Tables

# Global Options
set loginterface $ExtInt #Log all traffic on ExtInt
set block-policy return #Filter Rule catch-all
set skip on lo #Do not filter lo interface traffic

# Traffic Normalization
#Scrub all packets
scrub in on $ExtInt all fragment reassemble
scrub out on $ExtInt all fragment reassemble random-id no-df #Fool monitoring

# Queueing Rules

# Network Address Translation

# Filter rules
block all #Block all traffic

block in quick from urpf-failed to any #Activate spoofing protection
antispoof quick for {lo,$ExtInt} #Activate antispoofing

#TCP policy
block return-rst in on $ExtInt proto TCP all
pass in quick on $ExtInt proto TCP from any to $ExtInt port $TcpServices keep state

#UDP policy
block in on $ExtInt proto UDP all #Block all incoming UDP traffic

#ICMP policy
block in on $ExtInt proto ICMP all
pass in quick on $ExtInt inet proto ICMP from any to $ExtInt icmp-type $IcmpTypes keep state

# Other traffic
block out on $ExtInt all
pass out quick on $ExtInt from $ExtInt to any keep state

The "Other traffic" rules permit unrestricted traffic to leave the firewall. However, I would like to allow outbound traffic only from certain services, e.g., request web access, ssh, get e-mail, etc. I thought that modifying the last line as follows:

-pass out quick on $ExtInt from $ExtInt to any keep state
+pass out quick on $ExtInt from $ExtInt port $TcpServices to any keep state


would accomplish this, but I get an error:

port only applies to tcp/udp

I do not understand why. In my understanding the IP addresses assigned to the $ExtInt interface will be substituted into the rule, and according to the syntax:

action [direction] [log] [quick] [on interface] [af] [proto protocol] \
[from src_addr [port src_port]] [to dst_addr [port dst_port]] \
[flags tcp_flags] [state]

I am allowed to use src_port. Any help would be appreciated.

Kindest regards,

M

SirDice
October 22nd, 2010, 07:42
The "Other traffic" rules permit unrestricted traffic to leave the firewall. However, I would like to allow outbound traffic only from certain services, e.g., request web access, ssh, get e-mail, etc. I thought that modifying the last line as follows:

-pass out quick on $ExtInt from $ExtInt to any keep state
+pass out quick on $ExtInt from $ExtInt port $TcpServices to any keep state


would accomplish this, but I get an error:

port only applies to tcp/udp

I do not understand why.

A rule without a proto applies to UDP, TCP and ICMP. Since ICMP doesn't have port numbers, it is a syntax error. You are also checking on the source port instead of the destination port. Change the rule to:

pass out quick on $ExtInt proto tcp from $ExtInt to any port $TcpServices keep state
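
The corrected rule above only covers TCP, and the original ruleset keeps "block out on $ExtInt all" as the catch-all, so once the broad pass-out line is replaced the host can no longer resolve names over UDP or send echo requests. The following egress section is an added example, not code from either poster; it assumes the macros defined earlier in the thread (ExtInt, TcpServices, UdpServices, IcmpTypes, MailPorts) and opens each protocol by destination port or ICMP type:

```pf
# Egress policy for the firewall host itself (added example).
# Default deny, then open only what this host needs to initiate.
block out on $ExtInt all

# TCP: only the listed destination ports (web, ssh, DNS over TCP, smtp)
pass out quick on $ExtInt proto tcp from $ExtInt to any port $TcpServices keep state
# Mail retrieval: MailPorts was defined in the original ruleset but never used
pass out quick on $ExtInt proto tcp from $ExtInt to any port $MailPorts keep state

# UDP: DNS lookups would otherwise be dropped by the catch-all above
pass out quick on $ExtInt proto udp from $ExtInt to any port $UdpServices keep state

# ICMP: "port" is not valid here; match on icmp-type instead
pass out quick on $ExtInt inet proto icmp from $ExtInt to any icmp-type $IcmpTypes keep state
```

Parse the file with pfctl -nf /etc/pf.conf before loading it; the -n flag checks syntax without changing the running ruleset, which is how the "port only applies to tcp/udp" error surfaces.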

mefizto
October 25th, 2010, 23:07
Thank you, SirDice. Worked like a charm.

M