Suggestions and corrections for my pf.conf?

Hi guys,

So I made that old Pentium III work again, and I'm trying to use it as a little home server and a gateway for some machines that aren't connected to the home router.

I'm learning PF and wrote this configuration file for this Pentium III, which I named KAGURA.

Code:
# The Topology:
# =============
# 
#                                        +-----------+       
# +-----------+    +-----------+   (ath0)|  OPENBSD  |(fxp0)   +------------+
# | INTERNET  +<---+  ROUTER   +<--------+    5.2    +<--------+  CHILDREN  |
# +-----------+    +-----+-----+         |  KAGURA   |         +------------+
#                        ^               +-----------+       
#                        |
#                        |               +-----------+
#                        +---------------+  FRIENDS  |
#                                        +-----------+
# 
# The Rules:
# ==========
# 1) KAGURA and FRIENDS are connected to the home ROUTER; KAGURA reaches the ROUTER via ath0
# 2) KAGURA serves NAT for its CHILDREN
# 3) CHILDREN and FRIENDS can access KAGURA's offered_services
# 4) Other connections are blocked.
# 5) ath0 is in 192.168.1.0/24
# 6) fxp0 is in 192.168.0.0/24


# == macros ==
ext_if = "ath0"
int_if = "fxp0"
localnet = $int_if:network
friends = "192.168.1.0/24"
children = "192.168.0.0/24"

# 6969: torrent tracker, 51413: torrent port, 9091: transmission-web
# 9418: git
# 2082: cpanel
tcp_services = "{domain, ssh, gopher, www, https, ftp, ftp-data, \
                auth, imaps, 2082, 6969, 51413, 9091, 9418}"
udp_services = "{domain, ftp, ftp-data}"
offered_services = "{ssh, www, 9418, 9091}"
icmp_types = "echoreq"

# == tables ==
table <me> const {self}

# == global options ==
set skip on {lo0}
set block-policy drop
set loginterface $ext_if

# == traffic normalization ==
antispoof for {$int_if, $ext_if}

# == queueing rules ==

# == nat ==
#sad ftp-thing using ftp-proxy 127.0.0.1:8021
anchor "ftp-proxy/*"
pass in quick on $ext_if inet proto tcp to port 21 divert-to 127.0.0.1 port 8021

# == match rules ==
match out on egress inet from $children to any nat-to (egress:0)

# == filter rules ==
block in quick from urpf-failed 
block log all

#the rest of our rules
pass out proto tcp from {<me>, $children} to any port $tcp_services
pass out proto udp from {<me>, $children} to any port $udp_services
pass out inet proto icmp from {<me>, $children} to any icmp-type $icmp_types
pass in proto tcp from {$children, $friends} to <me> port $offered_services
pass in inet proto icmp from {$friends, $children} to <me> icmp-type $icmp_types
pass in on $int_if inet

I would like to know whether this configuration satisfies my needs. If not, how should I correct it? And if it does, how should I improve it?

Thanks a lot!
 
Hi initpy,

First, this is not an OpenBSD forum, and pf in FreeBSD is an older version, so it may differ. Generally, it is better to have only one router and configure it the standard way, especially when learning.

Some ideas about pf.conf: no need for NAT, because the router does this?; ftp-proxy should get packets from the internal interface; normalization means scrub; block-policy is better left as reject.

CoTones
 
initpy said:
I would like to know whether this configuration satisfies my needs.
Only you can reply to this. Don't trust anyone.

Well. I would prefer to let the router do NAT, because there is no need to NAT twice, and it will be hard to filter the flows coming from "children" on "friends" machines (the source address will be the PF box).

The table <me> is useless; I would use self instead.
Rule #3 "CHILDREN and FRIENDS can access KAGURA's offered_services" is not true: children have full access to your PF box because of the "pass in $int_if" rule.

The rule "pass out proto tcp from {<me>, $children} to any port $tcp_services" is IMO bad: a firewall shouldn't be able to connect by itself to someone else (with a few exceptions). If someone breaks into the firewall, they will be able to attack the internal LAN.

Isn't OpenBSD 5.2 a bit off topic?

My 2 centimes, Regards.
 
Thank you, CoTones and plamaiziere!

Sorry, yes, I know this is a FreeBSD forum, but knowing how friendly and knowledgeable it is, I asked :)

Well, actually Kagura serves as a gateway and a home server. Why a gateway? Because Kagura connects to the router via its wifi interface (the router is in another room), and Kagura's children are in the same room as Kagura but don't have wifi interfaces, so their only way to reach the Internet is via Kagura.

CoTones said:
normalization means scrub

Time to re-read the faq! Thanks, CoTones!

plamaiziere said:
The table <me> is useless; I would use self instead.

I think you're absolutely right about this one, plamaiziere! Thanks!

plamaiziere, you said that

Rule #3 "CHILDREN and FRIENDS can access KAGURA's offered_services" is not true: children have full access to your PF box because of the "pass in $int_if" rule.

but if I remove
Code:
pass in on $int_if inet
I no longer have NAT. I'm sure I'm missing something that I haven't figured out yet.

Thanks again, guys, and sorry for being off topic with OpenBSD; it's just that it's my first install of OpenBSD and I wanted to use its PF version, because I'm sure it will be ported to FreeBSD soon.
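The two points the replies raised, the ftp-proxy divert sitting on the wrong interface and the catch-all "pass in on $int_if inet" that gives the children full access to the box, worked through as a replacement for those parts of the filter section. This is an added example, not initpy's posted pf.conf and not a reply from the thread; it assumes the post's macros, the <me> table, the "match out ... nat-to" rule and the three "pass out" rules stay exactly as posted.

```pf
# Added example (not the posted pf.conf and not one of the replies).
# Macros, <me>, the "match out ... nat-to" rule and the three
# "pass out" rules of the original post are assumed to be kept as-is;
# only the ftp-proxy and "pass in" parts are rewritten here.

# ftp-proxy handles the CHILDREN's outgoing FTP control connections,
# and those enter KAGURA on fxp0, so the divert rule belongs on $int_if.
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp from $children to any port 21 \
    divert-to 127.0.0.1 port 8021

block in quick from urpf-failed
block log all

# Why dropping "pass in on $int_if inet" broke NAT: a match rule never
# passes anything by itself; nat-to only rewrites the source address of
# packets that some pass rule lets through.  Forwarded packets from the
# CHILDREN therefore need a pass rule on the interface they enter (fxp0).
# These three are the narrow replacement for the catch-all rule.
pass in on $int_if inet proto tcp  from $children to any port $tcp_services
pass in on $int_if inet proto udp  from $children to any port $udp_services
pass in on $int_if inet proto icmp from $children to any icmp-type $icmp_types

# "to any" above still includes KAGURA itself on every $tcp_services port.
# pf applies the last matching rule, so take that back with a block and
# then re-open only offered_services, for CHILDREN and FRIENDS alike.
block in on $int_if inet from $children to self
pass in inet proto tcp from {$children, $friends} to self port $offered_services
pass in inet proto icmp from {$children, $friends} to self icmp-type $icmp_types
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows whether a child's connection created a state with the translated source address.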
 