[openbsd] pf.conf - please critique
Hello!
In connection with a planned migration to OpenBSD from another OS, and with the
introduction of a DMZ, I would ask you to constructively critique my first pf.conf.
Not all of the planned servers exist yet, so for now I am experimenting "on paper" :(
The planned connection layout is this:
WAN----ext_if-OPENBSD_0-dmz_if----DMZNET_WITH_SOME_SERVERS----dmz_if-OPENBSD_1-int_if----LAN
Services for the LAN:
- web access through a proxy server, which is located in DMZNET;
- access to FTP servers in the WAN;
- access to MAILSERVER (smtp, pop3), which is located in DMZNET.
The following will be placed in DMZNET:
- PROXYSERVER (http, https);
- MAILSERVER (smtp, pop3).
From the WAN side, only MAILSERVER (smtp) and OPENBSD_0 (ssh) are reachable.
# OPENBSD_0's pf.conf v.1
# (OpenBSD 4.6 syntax: separate nat/rdr rules plus "match ... scrub";
#  from 4.7 on, nat/rdr are written as match rules instead)
################### Macros #####################
ext_if="em1"
dmz_if="em0"
dmznet=$dmz_if:network
tcp_services="{ ssh }"
# used for both udp and tcp below (DNS falls back to tcp for large answers)
udp_services="{ domain, ntp }"
icmp_types="{ echoreq, unreach }"
proxyserver="10.10.10.10"
mailserver="10.10.10.11"
#dnsserver="10.10.10.12"
#openbsd_0="10.10.10.1"
#openbsd_1="10.10.10.100"
webports="{ http, https }"
mailports="{ smtp }"
################### Macros #####################
################### Tables #####################
#table <clients> persist file "/etc/clients"
table <spammers> persist file "/etc/spammers"
table <brutforcers> persist
# addresses put there by "overload" are aged out after 24h from cron:
# crontab -u root -e
# 1 * * * * /sbin/pfctl -t brutforcers -T expire 86400
# RFC 1918 private space (the table was misspelled "rfc1819");
# 169.254.0.0/16 is link-local, not RFC 1918, so it lives in <restricted>
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <restricted> const { 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, \
    240.0.0.0/4 }
################### Tables #####################
################### Options ####################
#set block-policy drop
# answer blocked packets with RST/unreachable by default; the bogon rules
# below say "block drop" explicitly so scanners on the WAN get no answer
set block-policy return
set loginterface $ext_if
set skip on lo
################### Options ####################
################### Scrub ######################
match in all scrub (no-df)
################### Scrub ######################
################### Translation ################
# everything leaving $ext_if gets its primary address as source
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# forward outgoing ftp connections to ftp-proxy(8); "rdr pass" already
# admits the DMZ -> 127.0.0.1:8021 leg, so no separate pass in is needed
rdr pass on $dmz_if proto tcp to port ftp -> 127.0.0.1 port 8021
# translation rules are first-match: the exception for spammers must come
# BEFORE the smtp rdr it exempts, otherwise it never fires
no rdr on $ext_if from <spammers>
# incoming smtp connection
rdr on $ext_if proto tcp from any to ($ext_if) port $mailports -> \
    $mailserver
################### Translation ################
################### Filtering ##################
block all
antispoof quick for { lo $dmz_if $ext_if }
# bogons and blacklists on the WAN side (assumes $ext_if carries a public
# address; behind another NAT the <rfc1918> entries would cut you off)
block drop in log quick on $ext_if from { <rfc1918>, <restricted>, \
    <brutforcers>, <spammers> } to any
block drop out log quick on $ext_if from any to { <rfc1918>, \
    <restricted>, <brutforcers>, <spammers> }
# the DMZ-side ssh rule also feeds <brutforcers>, so enforce the table there too
block drop in log quick on $dmz_if from <brutforcers> to any
# SMTP
# Only mailserver can establish outgoing smtp connections
block drop in log quick on $dmz_if proto tcp from !$mailserver to any \
    port $mailports
pass in quick on $dmz_if proto tcp from $mailserver to any port \
    $mailports tag MAIL-OUT
pass in quick on $ext_if proto tcp from any to $mailserver port \
    $mailports tag MAIL-IN synproxy state
# nat on $ext_if is applied before the out rules see the packet, so the
# source is already ($ext_if): "from $mailserver" would never match here.
# Match on the tag instead.
pass out quick on $ext_if proto tcp to any port $mailports tagged MAIL-OUT
pass out quick on $dmz_if proto tcp from any to $mailserver port \
    $mailports tagged MAIL-IN
# FTP
#
anchor "ftp-proxy/*"
# ftp-proxy opens the control connection to the real server from the
# firewall's own address, not from 127.0.0.1
pass out on $ext_if proto tcp from ($ext_if) to any port ftp
# SSH
# SSH from DMZ-network
pass in on $dmz_if inet proto tcp from $dmznet to ($dmz_if) port ssh \
    synproxy state (max-src-conn-rate 3/60, overload <brutforcers> flush \
    global)
# SSH from WAN
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    synproxy state (max-src-conn-rate 3/60, overload <brutforcers> flush \
    global)
# DNS & NTP
#
pass in quick on $dmz_if proto { tcp, udp } from $dmznet to any port \
    $udp_services keep state
# same post-NAT reasoning as for SMTP: ($ext_if) matches the NATed DMZ
# queries as well as the firewall's own resolver and ntpd
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any port \
    $udp_services keep state
# WEB
# Only proxyserver can establish HTTP & HTTPS connections
pass in on $dmz_if proto tcp from $proxyserver to any port $webports \
    tag PROXY keep state
pass out on $ext_if proto tcp to any port $webports tagged PROXY keep state
# ICMP
# (ICMP errors belonging to an existing state are passed by pf anyway;
#  this mainly allows ping in both directions)
pass log inet proto icmp all icmp-type $icmp_types keep state
################### Filtering ##################
Thanks.
--
With best regards,
Paul Demydyuk
--
To unsubscribe send an e-mail to openbsd+unsubscribe@uaoug.org.ua
Message archive: http://www.uaoug.org.ua/archive
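Most of what goes wrong in a first pf.conf of this (pre-4.7, nat/rdr) generation is rule ordering rather than syntax, and `pfctl -nf` does not catch it. The script below is an added example, not part of the original post and not OpenBSD's own tooling: a small lint that reads a config and reports the three ordering pitfalls a ruleset like the one above runs into, namely a "no rdr" placed after the rdr it is meant to exempt (translation rules are first-match), a "pass out" on the NAT interface that filters on the internal source address that nat has already rewritten, and an "overload <table>" fed from an interface on which no block rule ever consults that table. The config it reads is a constructed excerpt, not the poster's file; macro expansion is single-pass and the interface parser only understands `on <ifname>`, which is enough for this ruleset.

```python
"""Lint a pre-4.7 OpenBSD pf.conf (nat/rdr syntax) for three ordering pitfalls.

Added example, not from the original post or from OpenBSD.  It assumes the old
pf engine's semantics: translation rules (nat/rdr and their "no" forms) are
first-match, filter rules on the NAT interface see the already translated
source address, and "overload <table>" only has effect where some block rule
on that interface references the table.
"""
import re

# Constructed sample with one instance of each pitfall (not the poster's file).
CONSTRUCTED_PF_CONF = """\
ext_if="em1"
dmz_if="em0"
mailserver="10.10.10.11"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto tcp from any to $ext_if port smtp -> $mailserver
no rdr on $ext_if from <spammers>
block all
block drop in log quick on $ext_if from { <rfc1918>, <brutforcers> } to any
pass in quick on $dmz_if proto tcp from $mailserver to any port smtp tag MAIL-OUT
pass out quick on $ext_if proto tcp from $mailserver to any port smtp tagged MAIL-OUT
pass in on $dmz_if proto tcp from $dmz_if:network to $dmz_if port ssh \\
    synproxy state (max-src-conn-rate 3/60, overload <brutforcers> flush global)
pass in on $ext_if proto tcp from any to $ext_if port ssh \\
    synproxy state (max-src-conn-rate 3/60, overload <brutforcers> flush global)
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?\s*$')


def parse_rules(text):
    """Join continuation lines, drop comments, expand $macros; return rule strings."""
    macros, rules = {}, []
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        rules.append(" ".join(line.split()))
    return rules


def iface_of(rule):
    """Interface named by 'on <if>', or None for interface-less rules."""
    m = re.search(r"\bon (\S+)", rule)
    return m.group(1) if m else None


def check_translation_order(rules):
    """A 'no nat'/'no rdr' placed after a matching nat/rdr never fires (first-match)."""
    findings, seen = [], set()
    for n, r in enumerate(rules, 1):
        m = re.match(r"(no )?(nat|rdr|binat)\s", r)  # excludes nat-anchor/rdr-anchor
        if not m:
            continue
        key = (m.group(2), iface_of(r))
        if m.group(1) and key in seen:
            findings.append(f"rule {n}: '{r}' follows a {key[0]} rule on {key[1]}; "
                            "translation is first-match, move the exception above it")
        elif not m.group(1):
            seen.add(key)
    return findings


def check_post_nat_sources(rules):
    """Out rules on the NAT interface run after nat: a pre-NAT internal source cannot match."""
    nat_ifaces = {iface_of(r) for r in rules if re.match(r"nat\s", r) and "->" in r}
    findings = []
    for n, r in enumerate(rules, 1):
        src, iface = re.search(r"\bfrom (\S+)", r), iface_of(r)
        if (r.startswith("pass out") and iface in nat_ifaces and src
                and src.group(1) not in ("any", iface, f"({iface})")):
            findings.append(f"rule {n}: 'from {src.group(1)}' on {iface} is evaluated after "
                            f"nat rewrote the source to ({iface}); match a tag or ({iface})")
    return findings


def check_overload_tables(rules):
    """An overload table only blocks where a block rule on that interface references it."""
    findings = []
    for n, r in enumerate(rules, 1):
        m = re.search(r"overload <(\w+)>", r)
        if not m:
            continue
        table, iface = m.group(1), iface_of(r)
        enforced = any(b.startswith("block") and f"<{table}>" in b
                       and iface_of(b) in (None, iface) for b in rules)
        if not enforced:
            findings.append(f"rule {n}: overload <{table}> on {iface} but no block rule "
                            f"consults <{table}> on {iface}; add one or the table is decorative")
    return findings


def lint(text):
    """Return all findings for one pf.conf text, in check order."""
    rules = parse_rules(text)
    return (check_translation_order(rules) + check_post_nat_sources(rules)
            + check_overload_tables(rules))


if __name__ == "__main__":
    for finding in lint(CONSTRUCTED_PF_CONF):
        print(finding)
```

Run as a script it prints three findings for the constructed sample (the misplaced `no rdr`, the `pass out ... from $mailserver` on the NAT interface, and the DMZ-side `overload <brutforcers>` with no DMZ-side block rule). To check a real file, call `lint(open("/etc/pf.conf").read())`; this is a complement to `pfctl -nf /etc/pf.conf`, not a replacement, since pfctl validates syntax and these checks only look at the semantics listed above.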