Hey guys,
First off, I would like to tell you all this is my first experience with pf. So I apologise if the solution is a simple and blatantly obvious fix :e
Now I am trying to set up a new gateway to replace the old FreeBSD 6.x version that we have running. While doing the upgrade I thought it would be a good time to implement a new firewall, and had read that pf was a good alternative for performance and features. The gateway is to be used in a school environment so controlling outgoing connections is as important as incoming ones. We don't want the little kiddies to be able to get out on the internet without using the proxy server.
The problem I am having with my firewall rules is I cannot get certain IP addresses to 'bypass' the stricter filtering rules. These addresses include servers that will need direct access to the net, as things just don't work well through the proxy.
Code:
####################################################################################
#
# St Martins Lutheran College PF Firewall
# Version: 1.0
# Author: Shayne Jellesma (donotpostemailaddresses@forumsplease)
#
#####################################################################################
# define macros and some settings
ext_if="tun0"
int_if="em1"
set skip on lo0
scrub in
# Load the tables
table <blocked_ips> file "/usr/local/etc/pf/blocked_ips"
table <full_access_ips> file "/usr/local/etc/pf/full_access_ips"
table <fail2ban> persist
# Ports allowed to be contacted from the outside world
tcpAllowedINServices="{ 22, 25, 80, 143, 110, 993, 995, 1723, 1701, 4500,500 }"
udpAllowedINServices="{ 500, 4500, 1701 }"
tcpAllowedOUTServices="{ 3128, 110, 25, 443 }"
udpAllowedOUTServices="{ 80 }"
# External Port Forwarding - VPN Stuff
rdr proto {udp tcp} from any to ($ext_if:0) port 500 -> 192.168.3.1
rdr proto gre from any to ($ext_if:0) -> 192.168.3.1
rdr proto {udp tcp} from any to ($ext_if:0) port 1723 -> 192.168.3.1
rdr proto {tcp udp} from any to ($ext_if:0) port 1701 -> 192.168.3.1
rdr proto {tcp udp} from any to ($ext_if:0) port 4500 -> 192.168.3.1
# Remote desktop redirections
rdr pass proto {udp tcp} from 203.122.192.41 to ($ext_if:0) port 27587 -> 192.168.0.55 port 3389 # Shayne Jellesma - ITOFFICE
rdr pass proto {udp tcp} from 150.101.96.136 to ($ext_if:0) port 27168 -> 192.168.0.135 port 3389 # Wendy Button - FINANCE
rdr pass proto {udp tcp} from 121.215.177.246 to ($ext_if:0) port 29126 -> 192.168.0.118 port 3389 # Carroll Cailler - ARKOFFICE
# Do NAT for anything leaving the external interface
nat on $ext_if from !($ext_if) -> ($ext_if:0)
##
##
# Filters
##
##
# Fail2Ban blocking and other permanent blocking
block in quick on $ext_if from <fail2ban>
block in quick on $ext_if from <blocked_ips>
# Default block policy and antispoof
block log (all, to pflog0) all
block return
antispoof for $ext_if
# Allow public services
pass in on $ext_if inet proto tcp from any to any port $tcpAllowedINServices keep state
pass in on $ext_if inet proto udp from any to any port $udpAllowedINServices keep state
pass in on $ext_if proto {tcp udp} from { 192.231.203.132, 192.231.203.3 } to any port 53 keep state
pass in on $ext_if proto {icmp gre} from any to any
pass in on $ext_if from <full_access_ips> to any
# Allow LAN to do anything
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
# Allow certain outbound traffic and block the rest
pass out on $ext_if proto tcp from any to any port $tcpAllowedOUTServices keep state
pass out on $ext_if proto udp from any to any port $udpAllowedOUTServices keep state
pass out on $ext_if proto icmp all keep state
pass out on $ext_if proto esp from any to any keep state
pass out on $ext_if proto {udp tcp} from any to { 192.231.203.132, 192.231.203.3 } keep state
# Allow certain hosts to have no restrictions through the firewall
pass out on $ext_if from <full_access_ips> to any keep state
The full_access_ips table is pulled in from a file which has a list of local IP addresses and it is being populated.
Code:
david# pfctl -t full_access_ips -T show
No ALTQ support in kernel
ALTQ related functions disabled
192.168.0.55
192.168.3.253
david#
So I am trying to allow 192.168.0.55 to have full access to the outside world. They can open up a connection on any port.
The rest of the network I want restricted to only use ports in the $xxxAllowedOUTServices macros.
It doesn't matter if I put a specific rule at the bottom such as
Code:
pass out on $ext_if from 192.168.0.55 keep state
I am at a loss and have spent many hours looking at examples and reading documentation to see what's going on, and have come up empty. Hopefully I have provided enough information and haven't gone off on a tangent somewhere (which I have a tendency to do).
Anyone got any ideas?
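The point where the posted ruleset goes wrong is where the table is checked. On FreeBSD pf the nat rule is applied before the outbound filter rules on the same interface, so by the time pass out on $ext_if from <full_access_ips> is evaluated the packet's source address has already been rewritten to ($ext_if:0) and the table can never match; only the port-based rules get a chance, which is why 192.168.0.55 behaves like every other LAN host. The ruleset below is an added example, not the poster's configuration: it keeps the poster's interface names, table and outbound macros, leaves out the rdr and inbound rules for brevity, and identifies the full-access hosts on the LAN side (before NAT) with a tag whose name, FULLACCESS, is an arbitrary assumption.

```pf
# Added example, not the original config: full-access hosts are matched on
# $int_if, where their real LAN source address is still visible, and the
# match is carried across NAT with a tag.
ext_if="tun0"
int_if="em1"
set skip on lo0
scrub in

table <full_access_ips> file "/usr/local/etc/pf/full_access_ips"

tcpAllowedOUTServices="{ 3128, 110, 25, 443 }"
udpAllowedOUTServices="{ 80 }"

# NAT runs before the outbound filter on $ext_if, so filter rules there
# see ($ext_if:0) as the source, never a 192.168.x.x address.
nat on $ext_if from !($ext_if) -> ($ext_if:0)

block log all
antispoof for $ext_if

# LAN side: tag traffic from the full-access hosts while the source is
# still untranslated. The tag is sticky and is still attached when the
# same packet reaches the $ext_if outbound rules.
pass in quick on $int_if from <full_access_ips> to any tag FULLACCESS keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Restricted hosts: only the listed ports may leave the external interface.
pass out on $ext_if proto tcp from any to any port $tcpAllowedOUTServices keep state
pass out on $ext_if proto udp from any to any port $udpAllowedOUTServices keep state
pass out on $ext_if proto icmp all keep state

# Full-access hosts: matched by tag rather than by address, because
# "pass out on $ext_if from <full_access_ips>" would be comparing the
# table against the already-NATed source and would never match.
pass out on $ext_if tagged FULLACCESS keep state
```

Before loading, check the syntax with pfctl -nf /etc/pf.conf, and when a host is still being blocked, run tcpdump -n -e -ttt -i pflog0 on the gateway: each logged packet shows the rule number that blocked it, which tells you on which interface and at which point in the ruleset the decision was made. The same problem can also be solved without tags by doing all of the outbound port restriction on $int_if inbound, where the source addresses are untranslated; the tag version was chosen here because it keeps the poster's "filter outbound on $ext_if" layout intact.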