Hi,
I'm trying to figure out if the antispoof ruleset will do anything extra for me if I'm already blocking RFC1918 on $ext_if, cause with my ruleset I don't think it does - am I wrong?
"The basic idea of anti-spoofing protection is to create a firewall rule assigned to the external interface of the firewall that examines source address of all packets crossing that interface coming from outside. If the address belongs to the internal network or the firewall itself, the packet is dropped."
Code:
nonroute="{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
255.255.255.255 }"
Code:
## Block nonrouteable
block drop in quick on $ext_if from $nonroute to any
block drop out quick on $ext_if from any to $nonroute
What would this rule do for me?
Code:
antispoof log quick for $ext_if
Better just paste my entire ruleset here for you to evaluate, having antispoof commented for now.
I got a public IP on em0/$ext_if
Code:
ext_if ="em0"
int_if="em1"
internal_net="10.0.0.0/24" # my internal subnet
gaming="10.0.0.20" # gaming pc
nonroute="{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
255.255.255.255 }"
tcp_services = "{ xxxx, xxxx, xxxx, ssh }"
udp_services = "{ xxx, xxxx }"
warzone_tcp_udp = "{ 27000:27050, 3074 }"
warzone_udp = "{ 4379:4380, 3478 }"
## Traffic Normalization
scrub in all fragment reassemble no-df random-id max-mss 1440
# NAT
nat on $ext_if from $internal_net to any -> ($ext_if) static-port
# Port forwarding
rdr pass on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $warzone_tcp_udp -> $gaming
rdr pass on $ext_if inet proto udp from any to ($ext_if) port $warzone_udp -> $gaming
## Allow all traffic on loopback, virtual and internal interfaces
set skip on { lo0, $int_if, vm-public, tap0, tap1 }
# antispoof
# antispoof log quick for $ext_if
## Block inbound on external NIC
block return log on $ext_if all
# Pass outbound on external interface
pass out on $ext_if inet all keep state
## Open up traffic for FreeBSD services
pass in quick proto tcp to any port $tcp_services keep state
pass in quick proto udp to any port $udp_services keep state
# Allow ping
pass inet proto icmp from any to any
## Block nonrouteable
block drop in quick on $ext_if from $nonroute to any
block drop out quick on $ext_if from any to $nonroute
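As an added illustration (not part of the post or of the poster's ruleset), the script below models what `antispoof for em0 inet` expands to according to pf.conf(5) and runs a few constructed packets through both that expansion and the poster's `$nonroute` block rule, so the overlap and the difference can be seen side by side. The public address 203.0.113.10/24 is a constructed placeholder for the real address on em0, and only the antispoof rules, the `$nonroute` rule and `set skip` are modelled, not the rest of the ruleset.

```python
"""Added example: compare pf's antispoof expansion with a $nonroute block list.

Assumptions (constructed, not from the post): the external interface em0
carries the placeholder address 203.0.113.10/24, and only the antispoof
rules, the $nonroute rule and `set skip` are modelled.
"""
import ipaddress

EXT_IF = "em0"
EXT_ADDR = "203.0.113.10/24"   # constructed placeholder for the public address

# Interfaces the poster's ruleset removes from filtering with `set skip`
SKIP_IFS = {"lo0", "em1", "vm-public", "tap0", "tap1"}

# The poster's $nonroute list, copied from the ruleset
NONROUTE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "20.20.20.0/24", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
    "255.255.255.255/32",
)]


def antispoof_rules(ifname, addr_with_prefix):
    """Return the block rules that pf.conf(5) says `antispoof for <ifname> inet`
    expands to on a non-loopback interface: one for packets that claim the
    interface's subnet but arrive on another interface, and one for packets
    that claim the firewall's own address on any interface."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    return [
        f"block drop in on ! {ifname} inet from {iface.network} to any",
        f"block drop in inet from {iface.ip} to any",
    ]


def nonroute_blocks(in_if, src):
    """The poster's `block drop in quick on $ext_if from $nonroute to any`."""
    s = ipaddress.ip_address(src)
    return in_if == EXT_IF and any(s in net for net in NONROUTE)


def antispoof_blocks(in_if, src):
    """Apply the two expanded antispoof rules to an inbound packet."""
    iface = ipaddress.ip_interface(EXT_ADDR)
    s = ipaddress.ip_address(src)
    wrong_iface = in_if != EXT_IF and s in iface.network   # subnet claimed elsewhere
    own_address = s == iface.ip                            # firewall's own address
    return wrong_iface or own_address


def verdict(in_if, src):
    """Which mechanism, if any, drops an inbound packet with this source."""
    if in_if in SKIP_IFS:
        return "skipped"        # set skip: pf does not filter on this interface
    if nonroute_blocks(in_if, src):
        return "nonroute"
    if antispoof_blocks(in_if, src):
        return "antispoof"
    return "neither"


if __name__ == "__main__":
    for rule in antispoof_rules(EXT_IF, EXT_ADDR):
        print(rule)
    # Constructed sample packets: (incoming interface, claimed source address)
    for pkt in [("em0", "192.168.1.5"), ("em0", "203.0.113.10"),
                ("em0", "203.0.113.77"), ("em2", "203.0.113.77"),
                ("em1", "203.0.113.10")]:
        print(pkt, "->", verdict(*pkt))
```

The sample run shows the two rules cover different things: a private source arriving on em0 is dropped by the `$nonroute` list but never by antispoof, while a packet claiming the firewall's own public address, or its ISP subnet arriving on some other filtered interface, is dropped only by antispoof. Note that the `on ! em0` half of the expansion has nothing to bite on for interfaces listed in `set skip`, since pf does not filter those at all; the simulation returns "skipped" for them to make that visible.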