Previously I was unable to reach the Internet from my internal network, but have made a change and am now able to get out.
I know this pf.conf is for 4.7, but I am *hoping* someone could review my configuration and let me know if there are any problems I need to fix before I put it in place.
This is going to be a (OpenBSD 4.7) firewall in front of my FreeBSD laptop on an internal network and a FreeBSD server running VirtualBox guests in a DMZ. I realize it isn't the FreeBSD pf, so I'd be grateful for a review and not get the thread bounced.
I know this pf.conf is for 4.7, but I am *hoping* someone could review my configuration and let me know if there are any problems I need to fix before I put it in place.
This is going to be a (OpenBSD 4.7) firewall in front of my FreeBSD laptop on an internal network and a FreeBSD server running VirtualBox guests in a DMZ. I realize it isn't the FreeBSD pf, so I'd be grateful for a review and not get the thread bounced.
Code:
##### Macros #####
# ext_if -- the interface to the outside world
ext_if="axe0"
# prv_if -- the interface to the private hosts
prv_if="axe1"
localnet = $prv_if:network
# dmz_if -- the interface to the DMZ
dmz_if="axe2"
# prv_hosts -- the list of addresses of hosts on the screened LAN
prv_hosts = "{ 192.168.1.129/25, 192.168.1.130/25 }"
# dmz_hosts -- the list of addresses of hosts in the DMZ
dmz_hosts = "{ 192.168.1.1/25, 192.168.1.2/25, 192.168.1.3/25 }"
# dmz_www -- the address of the WWW server in the DMZ
dmz_www = "192.168.1.1/25"
# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = "192.168.1.2/25"
# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = "192.168.1.3/25"
# known ports
www_ports = "{ http, https }"
mail_ports = "{ smtp, pop3, imap, imaps, pop3s }"
##### Tables #####
# Non-routable addresses
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
##### Options #####
set skip on lo
set reassemble yes
set require-order yes
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set optimization aggressive
set timeout { frag 30, tcp.established 120 }
set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
##### Traffic Normalization #####
match in all scrub (no-df random-id min-ttl 5 set-tos lowdelay max-mss 1440 reassemble tcp)
match out on $ext_if scrub (no-df random-id)
##### Queueing #####
##### Translation (NAT) #####
# Network Address Translation
# nat for the private hosts
match out on egress from $prv_hosts to any nat-to egress
# nat for the DMZ hosts
match out on egress from $dmz_hosts to any nat-to egress
# redirect connections to port 80 (HTTP) to DMZ
match in on egress inet proto tcp from any to any port $www_ports rdr-to $dmz_www
# redirect connections to port 25 (SMTP) to DMZ
match in on egress inet proto tcp from any to any port 25 rdr-to $dmz_smtp
# redirect connections to port 53 (DNS) to DMZ
match in on egress inet proto { tcp, udp } from any to any port 53 rdr-to $dmz_dns
##### Filtering #####
# Block all incoming connections sent from the outside
# Log all blocked packets
block log on $ext_if
block return log on $prv_if
block return log on $dmz_if
# Block to/from illegal sources/destinations
block drop in quick on $ext_if from <rfc1918> to any
block drop out quick on $ext_if from any to <rfc1918>
block in quick on $ext_if inet from any to 255.255.255.255
block in log quick on $ext_if inet from urpf-failed to any
block in log quick on $ext_if inet from no-route to any
# Block spoofed packets: enable "set state-policy if-bound" above
antispoof log quick for { lo0 $dmz_if $prv_if ($ext_if) }
# pass all connections originating from the firewall
pass out quick on $ext_if inet \
from ($ext_if) to any flags S/SA modulate state
# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA
# pass all connections originating from the DMZ
pass in quick on $dmz_if from $dmz_hosts to any flags S/SA
# pass all connections to the WWW host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_www \
port $www_ports flags S/SA synproxy state
# pass all connections to the SMTP host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_smtp \
port $mail_ports flags S/SA synproxy state
# pass all connections to the DNS host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_dns \
port 53 flags S/SA keep state
# Allow anything from the internal network out onto the Internet
pass out on $ext_if proto tcp from $localnet to any modulate state flags S/SA
pass out on $ext_if proto { tcp, icmp } from $localnet to any keep state