Any mistakes in my pf file?

[thegolum35]

Hi, I would like you to say me if there is something wrong with my pf configuration please.

pf.conf

#Macro

ext_if = "fxp0"
int_if = "lo1"

# Tables

table <flood> persist
table <test> persist
table <tor> persist

# Rules

scrub in all

nat on $ext_if from lo1:network to any -> ($ext_if)
rdr on $ext_if proto tcp from !$ext_if:network to 192.168.1.40 port 22 -> 192.168.50.1 port 22
rdr on $ext_if proto tcp from any to 192.168.1.40 port 9001 -> 192.168.50.1 port 9001
rdr on $ext_if proto tcp from any to 192.168.1.40 port 445 -> 192.168.50.2 port 445
rdr on $ext_if proto tcp from any to 192.168.1.40 port 139 -> 192.168.50.2 port 139
rdr on $ext_if proto udp from any to 192.168.1.40 port 137 -> 192.168.50.2 port 137
rdr on $ext_if proto udp from any to 192.168.1.40 port 138 -> 192.168.50.2 port 138
#rdr on $ext_if proto {tcp, udp} from any to 192.168.1.40 port 631 -> 192.168.50.2 port 631

set skip on lo0
block all # Drop all

pass quick on $ext_if proto icmp # Allow ping

#pass in log quick on $ext_if inet proto {tcp, udp} from any to 192.168.50.2 port 631

pass in quick on $ext_if inet proto tcp from 192.168.1.29 to 192.168.1.40 port ssh
pass in log on $ext_if inet proto tcp from any to 192.168.50.1 port 22 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/30, overload <flood> flush global)
pass in on $ext_if inet proto tcp from any to 192.168.50.1 port 9001 flags S/SA keep state (max-src-conn 1, overload <tor> ) 

#Samba

pass in on $ext_if inet proto tcp from any to 192.168.50.2 port {445, 139}
pass in on $ext_if inet proto udp from any to 192.168.50.2 port {137, 138}

pass out inet 

block log quick on $ext_if from <flood>
block log quick on $ext_if to <flood>
block quick on $ext_if from <test>
block quick on $ext_if to <test>

Thank you

 

[fbsd1]

int_if = "lo1" is wrong.
int_if = "nic name facing private lan"
Your nat rule is also wrong.
In general you block all inbound traffic from the public Internet. Exceptions are dns port 53 and dhcp port 67 and apache port 80. Block all outbound traffic except for services you want to use like port 80 and enable keepstate on that port.

I recommend you read the handbook section on firewalls.
ipfilter firewall rules all most the same as pf and the example ipfilter firewall rules in the handbook is a great sample to use as starting point.

Also keep in mind that you cannot use Openbsd pf manual as your guild. Freebsd's pf is way back level compared to what is currently used in Openbsd. The syntax of the nat command is different. You have to use the man pf for correct syntax of Freebsd's version of pf.

 

[SirDice]

int_if = "lo1" is wrong.
int_if = "nic name facing private lan"

It's not wrong. You can clone lo0 to lo1 and bind jails to it. Quite a common way to do.

In general you block all inbound traffic from the public Internet. Exceptions are dns port 53 and dhcp port 67 and apache port 80.

Unless you are serving DNS and HTTP why allow ports 53 and 80? DHCP probably isn't needed either.

 

[SirDice]

block log quick on $ext_if from <flood>
block log quick on $ext_if to <flood>
block quick on $ext_if from <test>
block quick on $ext_if to <test>

It's not wrong but I'd move these to the top of the rules. Reason is that this is traffic you don't want to have anyway so there's no point in having it go through the entire ruleset only to get blocked at the end.

 

[thegolum35]

So, is my NAT rule wrong ?

Thank you.

 

[SirDice]

I don't see anything wrong with it. Doesn't it work? Or are you just wondering if you did it correctly?

 

[thegolum35]

It works fine, I was just wondering after having seen what fbsd1 said.