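# (c) EJ van Westen
#
# v 1.0 20011006
# v 1.1 20020130
# v 1.2 20020406
# v 1.3 20020525
# v 1.4 20020926
# v 1.5 20021103 # cleanup and prepare for authpf
# v 1.6 20021117
# v 1.7 cleanup and accept smokeping pings
# v 1.8 upgrade to OpenBSD 3.3, needs more cleaning up
#       added altq tricks
# v 1.9 20030523 gre for internal network added
# v 2.0 20030731 obliged all traffic through proxy (local or xs4all)
#       deny all other traffic ($LAN locked down), use pfauth if want more
#
# pf.conf for a multi-homed OpenBSD 3.3 firewall (safe LAN, wireless DMZ,
# server DMZ, PPP uplink, modem management link, IPv6 and IPsec tunnels).
# Sections appear in the order pf requires: macros, tables, options, scrub,
# queueing, nat/rdr, filter rules.  Filter rules are last-match-wins and a
# "quick" rule ends evaluation, so the order inside each interface section
# matters; every section opens with a non-quick "block ... all" default and
# relies on "quick" pass rules in front of a "quick" clean-up block.
#
# Two problems in this copy made pfctl reject the whole ruleset (syntax error,
# no rules loaded):
#   - the blocklist table had no name ("table persist { ... }") and the two
#     rules referencing it read "from $EVILNET to" / "from to $EVILNET"; the
#     angle-bracketed name was evidently lost.  A clearly labelled placeholder
#     name is used below and must be replaced with the real table name.
#   - the "trick to be able to monitor alcatel" comment in the nat section
#     started with "$" instead of "#", which pf parses as an (empty) macro
#     reference.

#zone definitions
# NOTE(review): FTPPORTS, LOCALNET, IPV6, MEDMZ, WINDOWSNET, UNSAFENET, XENON,
# ARGON, FTPNAICOM, UNIXPORTS, XS4ALLSERVERS, XS4ALLPORTS, WWWPROXY and ALL are
# defined here but referenced by no rule in this file; kept for reference.
FTPPORTS="{ 55000 >< 57000 }"		# proxyed port range for active ftp
NETBIOS="{ 137, 138, 139 }"
LOCALNET="127.0.0.0/8"
ME="192.168.0.1/32"
MEOUTSIDE="213.84.187.12/32"
IPV6="{ 2001:888:10:1ad::2, 2001:888:10:1ad::1, 2001:888:11ad::/48 }"
MEIPV6="2001:888:10:1ad::2"
MEDMZ="192.168.3.1/32"
UNSAFEDMZ="192.168.1.0/24"
MEUNSAFEDMZ="192.168.1.1/32"
SAFENET="192.168.0.0/24"
UNIXNET="192.168.0.0/25"
WINDOWSNET="192.168.0.128/25"
UNSAFENET="192.168.2.0/24"
DMZ="192.168.3.0/24"
WEBSERVER="{ 192.168.3.2 }"
MAILSERVER="{ 192.168.3.2 }"
# SSHSERVER is the firewall's own outside address (same as MEOUTSIDE); there is
# no rdr for port 22, so external ssh terminates on the firewall itself.
SSHSERVER="{ 213.84.187.12/32 }"
DNSSERVER="{ 192.168.3.2 }"
DNS="{ 192.168.3.2 }"
PEEPHOLEME="10.0.0.150/32"
PEEPHOLEALC="10.0.0.138/32"
#EVILNET="0.0.0.0/0"
# "any" rather than 0.0.0.0/0: EVILNET is used as the unrestricted side of most
# pass rules below.
EVILNET="any"
NTP0="193.79.237.14/32"
NTP1="193.67.79.202/32"
UPDATEDEBIAN="{ 128.101.80.131/32, 208.185.25.38/32, 194.109.137.218/32, 130.89.175.33 }"
RAZOR="209.204.62.150"
MEBROADCAST="255.255.255.255"
EXT_TCP_PORTS="{ 22, 53, 80, 110, 443, 993, 995 }"
EXT_UDP_PORTS="{ 53 }"
XENON="192.168.1.18/32"
ARGON="192.168.1.19/32"
FTPNAICOM="{ 161.69.201.237, 161.69.201.238, 205.227.136.41 }"
# "any": IKE (udp/500) is accepted from every source address (see $EXT rules).
ALLOWED_IPSEC="any"
UNIXPORTS="{ 20, 21, 22 }"
XS4ALLSERVERS="{ 194.109.133.29/32, 194.109.133.20/32, 194.109.6.55/32 }"
XS4ALLPORTS="{ 110, 119 }"
WWWPROXY="194.109.10.3/32"
ALL="0.0.0.0"
BROADCAST="255.255.255.255"
PRIVNETS="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# and define addresses we do not want to talk to
# PLACEHOLDER: the real table name was lost in this copy.  Replace
# PLACEHOLDER_BLOCKLIST here and in the two "block return-rst" rules that
# reference it, then reload with "pfctl -nf" before "pfctl -f".
# (Contents kept exactly as found; 212.117.137.0/24 is listed twice, which pf
# tolerates.)
table <PLACEHOLDER_BLOCKLIST> persist { 210.170.107.58/32, 209.247.41.0/24, 224.0.0.0/8, 209.247.0.0/16, \
	216.237.0.0/16, 209.225.4.64/27, 12.159.168.0/24, 204.74.64.0/26, \
	64.70.38.160/27, 206.142.53.0/24, 209.178.57.143, 64.60.8.190, \
	63.196.54.245, \
	64.156.213.0/24, 66.36.0.0/24, 208.178.50.0/24, \
	209.83.171.0/24, 216.61.164.0/21, 198.95.32.0/21, 194.131.254.0/24, \
	203.126.77.0/24, 203.127.170.0/21, 209.73.225.0/24, 209.10.17.133, \
	212.29.215.3, 209.11.42.240, 208.215.68.0/24, 63.71.110.0/24, \
	207.77.64.2, 199.171.54.0/24, \
	63.72.76.0/24, 164.109.144.80/24, 64.95.66.0/24, \
	216.216.46.128/25, 212.117.137.0/24, 207.174.207.177, 213.244.183.201, \
	212.142.37.162, 208.185.211.71, 63.200.130.236, 64.225.154.175, \
	64.95.64.0/24, 64.95.65.0/24, 204.238.120.0/24, 64.94.89.0/24, \
	64.162.206.0/24, 63.197.87.0/24, 208.184.198.0/24, 216.30.17.0/24, \
	216.141.76.0/24, 209.132.193.0/26, 209.132.220.0/25, 209.132.223.0/25, \
	64.61.30.0/24, 63.167.250.0/24, 212.117.152.0/24, \
	63.241.31.0/24, 192.146.101.0/24, 216.34.94.0/24, 64.12.151.216, \
	207.200.82.138, 208.186.78.81, 216.207.32.0/24, 212.117.137.0/24, \
	147.208.175.70, 12.102.45.2/31, 209.164.21.74/31, 192.151.53.114, \
	12.99.231.36, 12.98.204.163, 209.164.21.84, 209.164.21.66, \
	134.122.0.0/16, 216.33.228.180/31, 208.184.172.0/24, 216.37.13.0/24, \
	207.188.0.0/19, 204.71.154.0/24, \
	205.219.198.0/24, 209.225.53.0/24, 66.35.210.0/24, 208.147.88.0/21, \
	203.89.243.0/24, 203.166.18.0/24, 212.187.205.0/24, 209.132.218.0/24, \
	209.132.205.0/24, 209.132.194.0/21, 207.246.124.0/24, 208.229.231.83, \
	207.246.124.101, 208.185.86.64/27, 63.115.87.192/26, 216.173.63.128, \
	65.200.139.0/27, 164.109.144.179, 209.71.218.64/27, 216.221.200.192/27, \
	63.236.119.0/24, \
	204.248.36.0/24, 216.200.14.0/24, 204.178.107.224/27, \
	208.59.201.70/28, 64.124.157.0/24, 192.232.16.0/24, 204.176.192.0/18, \
	213.161.66.128/25, 209.185.188.0/24, 12.47.217.0/24, 216.32.60.128/25, \
	216.32.65.0/24, 216.32.170.192/26, 216.37.32.32/27, 4.17.143.0/24, \
	206.191.161.51, 204.178.123.0, 204.178.110.0/25, \
	208.184.29.0/24, 208.211.225.0/24, \
	204.253.104.0/24, \
	204.253.105.0/24, 205.138.3.0/24, 204.176.177.0/24, 206.65.183.0/24, \
	209.67.38.0/24, 199.95.207.0/24, 199.95.208.0/24, 199.95.209.0/24, \
	63.84.167.64/26, 209.167.79.0/24, \
	63.80.0.0/24, 209.225.31.128/25, 63.97.88.0/27, \
	209.225.31.192/26, 64.157.224.0/24, 64.157.225.0/24, 64.157.226.0/24, \
	64.157.227.0/24, 216.40.201.0/24, 216.40.213.0/24, 64.246.10.0/24, \
	216.12.215.0/24, 216.200.199.0/24, 209.15.0.0/16, 63.68.55.189/32, \
	64.70.38.170/32, 217.116.226.11/32, 217.116.226.12/32, 217.116.226.13/32, \
	212.123.210.146/32 }

#interface definitions
# local
LO0="lo0"
# safe
LAN="fxp0"
# DMZ
WI0="wi0"
# server DMZ
DMZIF="fxp1"
# internet
EXT="ppp0"
# link to alcatel
ALCATEL="ep1"
# tunnel for IPv6
IPV6TUNNEL="gif0"
# tunnel for ipsec
ENCIF="enc0"

# options
set block-policy drop
set loginterface ppp0

# scrub rules
scrub in  on $LAN   all no-df fragment reassemble
scrub out on $EXT   all no-df random-id fragment reassemble
scrub in  on $WI0   all no-df fragment reassemble
scrub in  on $DMZIF all no-df fragment reassemble
scrub in  on $EXT   all no-df fragment reassemble
scrub in  on $ENCIF all no-df fragment reassemble

# queueing
# two priority queues on the uplink; q_def is the default queue, rules that
# name "queue (q_def, q_pri)" send ACKs/low-delay packets through q_pri.
altq on $EXT priq bandwidth 200Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# nat tables
# nat all available interfaces to outside address
nat on ppp0 from 192.168.0.0/24 to any -> (ppp0)
nat on ppp0 from 192.168.1.0/24 to any -> (ppp0)
# NOTE(review): 192.168.2.0/24 ($UNSAFENET) is NATed but no filter section
# below passes traffic from it.
nat on ppp0 from 192.168.2.0/24 to any -> (ppp0)
nat on ppp0 from 192.168.3.0/24 to any -> (ppp0)
# trick to be able to monitor alcatel without changing routing in alcatel
# (was "$ trick ...", which pf read as a macro reference)
nat on ep1 from 192.168.3.0/24 to 10.0.0.138 -> 10.0.0.150
nat-anchor authpf

# rdr: packets coming in through ext0 with destination 192.168.1.1:1234 will
# be redirected to 10.1.1.1:5678. a state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
# rdr on ext0 proto tcp from any to 192.168.1.1/32 port 1234 -> 10.1.1.1 port 5678
# dns to dmz dns server
rdr on ppp0 proto tcp from any to 213.84.187.12/32 port 53 -> $DNSSERVER port 53
rdr on ppp0 proto udp from any to 213.84.187.12/32 port 53 -> $DNSSERVER port 53
# mail to dmz mail server
# accept the mail on the firewall, so disable redirects
# web to dmz web server
rdr on ppp0 proto tcp from any to 213.84.187.12/32 port 80 -> $WEBSERVER port 80
rdr on ppp0 proto tcp from any to 213.84.187.12/32 port 443 -> $WEBSERVER port 443
# pop3 to dmz pop3 server
rdr on ppp0 proto tcp from any to 213.84.187.12/32 port 110 -> $MAILSERVER port 110
# imap4-ssl to dmz imap4 server
rdr on ppp0 proto tcp from any to 213.84.187.12/32 port 993 -> $MAILSERVER port 993
# pop3-ssl to dmz imap4 server
rdr on ppp0 proto tcp from any to 213.84.187.12/32 port 995 -> $MAILSERVER port 995
# ftp proxy
# Filter rules see the translated destination (127.0.0.1 port 8021).
rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on fxp1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on enc0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr-anchor authpf

# default policy: everything blocked and logged, IPv6 blocked outright
# (the gif0 section re-opens outbound IPv6 with its own quick rules)
block in log all
block out log all
block in inet6 all
block out inet6 all
#
# pass localhost
#
pass in quick on $LO0 all
pass out quick on $LO0 all
anchor authpf
#block in quick from $WEBSERVER to 80.60.102.50
# general blocks from unwanted sites
# PLACEHOLDER_BLOCKLIST: see the table definition above.
block return-rst in log quick proto tcp from $EVILNET to <PLACEHOLDER_BLOCKLIST>
block return-rst in log quick proto tcp from <PLACEHOLDER_BLOCKLIST> to $EVILNET
# permit pings etc to all interfaces
# (not bound to an interface: echo request, frag-needed and time-exceeded are
# accepted on every interface, incl. the uplink, for smokeping / PMTU)
pass in quick inet proto icmp all icmp-type 8 code 0 keep state queue (q_def, q_pri)
pass in quick inet proto icmp all icmp-type 3 code 4 keep state queue (q_def, q_pri)
pass in quick inet proto icmp all icmp-type 11 keep state queue (q_def, q_pri)

#
#$LAN is inside zone
# effectively only websurfing through local or remote proxy is allowed for security reasons
# at least the spyware gets logged this way
#
#input rules
antispoof for $LAN
block in log on $LAN all
block return-rst in log quick on $LAN proto tcp from $SAFENET to $EVILNET port = 113
block in quick on $LAN proto tcp from $SAFENET to $EVILNET port $NETBIOS
block in quick on $LAN proto udp from $SAFENET to $EVILNET port $NETBIOS
block in quick on $LAN proto udp from $SAFENET to $EVILNET port 631
pass in quick on $LAN inet proto tcp from $SAFENET port > 1023 to $ME port { 22, 25, 80, 81, 8080 } flags S/SAFR modulate state
pass in quick on $LAN inet proto tcp from $SAFENET port > 1023 to $EVILNET port 22 flags S/SAFR modulate state
#pass in quick on $LAN inet proto tcp from $SAFENET port > 1023 to 127.0.0.1 port 8081 flags S/SAFR keep state
# NOTE(review): the port-21 rdr on fxp0 rewrites the destination to
# 127.0.0.1:8021, which no pass rule here matches (the 127.0.0.1 rule above is
# commented out and uses 8081), so LAN ftp via ftp-proxy appears to fall
# through to the clean-up block below — confirm whether that is intended.
pass in quick on $LAN inet proto tcp from $SAFENET port > 1023 to $WEBSERVER port { 21, 22, 25, 80, 110, 143, 220, 443, 993, 995, 10000 } flags S/SAFR modulate state
pass in quick on $LAN inet proto udp from $SAFENET port > 1023 to $WEBSERVER port = 123 keep state
pass in quick on $LAN inet proto udp from $SAFENET port = 123 to $WEBSERVER port = 123 keep state
pass in quick on $LAN inet proto tcp from $SAFENET port > 1023 to $DNS port = 53 flags S/SAFR keep state
pass in quick on $LAN inet proto udp from $SAFENET port > 1023 to $DNS port = 53 keep state
pass in quick on $LAN inet proto tcp from $SAFENET port = 53 to $DNS port = 53 flags S/SAFR modulate state
pass in quick on $LAN inet proto udp from $SAFENET port = 53 to $DNS port = 53 keep state
# allow dhcp
pass in quick on $LAN inet proto udp from $SAFENET to $MEBROADCAST port = 67 keep state
pass in quick on $LAN inet proto udp from 0.0.0.0 port 68 to 255.255.255.255 port = 67 keep state
pass in log quick on $LAN inet proto esp from $UNIXNET to $ME keep state
#clean up
block return-rst in log quick on $LAN proto tcp all
block return-icmp in log quick on $LAN proto udp all
block return-icmp in log quick on $LAN proto icmp all
#output rules
block out log on $LAN all
pass out quick on $LAN inet proto tcp from $EVILNET to $SAFENET keep state
pass out quick on $LAN inet proto udp from $EVILNET to $SAFENET keep state
pass out quick on $LAN inet proto gre from $EVILNET to $SAFENET keep state
pass out quick on $LAN inet proto icmp from $EVILNET to $SAFENET keep state

#
#-------------------------------------------------------------------------------------
#
#$WI0 is wireless connection
# only allow icmp type 8, dhcp and ipsec, openvpn in.
# allow access to dns, ntp
# Anyone who wants to join must use encrypted link
antispoof for $WI0
block in log on $WI0 all
# ipsec configuration
pass in quick on $WI0 inet proto gre from $UNSAFEDMZ to $MEUNSAFEDMZ keep state
pass in quick on $WI0 inet proto esp from $UNSAFEDMZ to $MEUNSAFEDMZ keep state
pass in log quick on $WI0 inet proto tcp from $UNSAFEDMZ port > 1023 to $MEUNSAFEDMZ port = 22 flags S/SAFR modulate state
pass in quick on $WI0 inet proto udp from $UNSAFEDMZ port = 500 to $MEUNSAFEDMZ port = 500 keep state
pass in quick on $WI0 inet proto udp from $UNSAFEDMZ port = 68 to $BROADCAST port = 67 keep state
pass in quick on $WI0 inet proto udp from $UNSAFEDMZ port = 68 to $MEUNSAFEDMZ port = 67 keep state
# output to wireless
# (everything the firewall sends towards the wireless net is allowed)
block out on $WI0 all
pass out quick on $WI0 all keep state

#
#-------------------------------------------------------------------------------------
#
#$DMZIF is DMZ zone
# the dmz is not supposed to talk to the outside unless requested
# to do so (incoming webtraffic etc)
#
#input rules
block in log on $DMZIF all
antispoof for $DMZIF
block return-rst in quick on $DMZIF proto tcp from $DMZ to $EVILNET port = 113
pass in quick on $DMZIF inet proto tcp from $WEBSERVER port > 1023 to $EVILNET \
	port { 25, 53 } modulate state
# proxy is retired, new proxy activated
pass in quick on $DMZIF inet proto tcp from $DMZ port > 1023 to $UPDATEDEBIAN flags S/SAFR modulate state
# spamassassin
pass in log quick on $DMZIF inet proto tcp from $DMZ port > 1023 to $RAZOR flags S/SAFR modulate state
pass in quick on $DMZIF inet proto udp from $WEBSERVER to $EVILNET port = 53 keep state
pass in quick on $DMZIF inet proto tcp from $WEBSERVER to $EVILNET port = 53 keep state
pass in quick on $DMZIF inet proto udp from $WEBSERVER port = 123 to $NTP0 port = 123 keep state
pass in quick on $DMZIF inet proto udp from $WEBSERVER port = 123 to $NTP1 port = 123 keep state
#output rules
block out log on $DMZIF all
pass out quick on $DMZIF inet proto tcp from $EVILNET to $DMZ keep state
pass out quick on $DMZIF inet proto udp from $EVILNET to $DMZ keep state
pass out quick on $DMZIF inet proto icmp from $EVILNET to $DMZ keep state

#
#-------------------------------------------------------------------------------------
#
#$EXT is internet zone
# altq activated on this interface to prevent traffic congestion
# (or at least enhance speeds under heavy load conditions)
#
#input rules
block in log on $EXT all
antispoof for $EXT
# block RFC1918 traffic on external interface
block in quick on $EXT from $PRIVNETS to any
block out quick on $EXT from any to $PRIVNETS
# log FIN/URG/PSH-only probes; not quick, the S/SAFR pass rules below cannot
# match them anyway
block in log on $EXT inet proto tcp from any to any flags FUP/FUP
block return-rst in log quick on $EXT proto tcp from $EVILNET to $EVILNET port = 113
block in log quick from no-route to any
# public services: destinations are post-rdr (DMZ host), ssh stays on the firewall
pass in log quick on $EXT inet proto tcp from $EVILNET port > 1023 to $WEBSERVER port $EXT_TCP_PORTS flags S/SAFR modulate state queue (q_def, q_pri)
pass in log quick on $EXT inet proto tcp from $EVILNET port > 1023 to $MAILSERVER port 25 flags S/SAFR modulate state queue (q_def, q_pri)
pass in log quick on $EXT inet proto tcp from $EVILNET port > 1023 to $SSHSERVER port 22 flags S/SAFR modulate state queue (q_def, q_pri)
pass in log quick on $EXT inet proto tcp from $EVILNET port = 53 to $DNS port = 53 flags S/SAFR modulate state queue (q_def, q_pri)
pass in log quick on $EXT inet proto udp from $EVILNET port > 1023 to $DNS port $EXT_UDP_PORTS keep state queue (q_def, q_pri)
pass in log quick on $EXT inet proto udp from $EVILNET port = 53 to $DNS port $EXT_UDP_PORTS keep state queue (q_def, q_pri)
# ipsec tunnels
# $ALLOWED_IPSEC is "any": IKE from every source is accepted and logged.
pass in log quick on $EXT inet proto udp from $ALLOWED_IPSEC port = 500 to $MEOUTSIDE port = 500 keep state queue (q_def, q_pri)
# ip v6 configuration
# NOTE(review): proto 41 (6in4) is accepted from any source; if the tunnel
# peer has a fixed IPv4 address (not defined in this file) the source could be
# pinned to it.
pass in log quick on $EXT proto ipv6 from $EVILNET to $MEOUTSIDE keep state queue (q_def, q_pri)
#output rules
block out log on $EXT all
pass out quick on $EXT all keep state queue (q_def, q_pri)

#$ALCATEL is link to Alcatel modem
#
#input rules
# no stateful since it can seriously break the connection
# adsl port, only allow gre and icmp in
pass in quick on $ALCATEL proto gre all
pass in quick on $ALCATEL proto icmp all
pass in quick on $ALCATEL proto tcp from $PEEPHOLEALC port { 23, 80, 1723 } to $PEEPHOLEME port > 1023
# cleanup rule
block in log quick on $ALCATEL all
block out on $ALCATEL all
# no stateful since it can seriously break the connection
pass out quick on $ALCATEL proto gre all
pass out quick on $ALCATEL proto icmp all
pass out quick on $ALCATEL proto tcp from $PEEPHOLEME port > 1023 to $PEEPHOLEALC port { 23, 80, 1723 }
#pass out log quick on $ALCATEL proto tcp all keep state
#pass out log quick on $ALCATEL proto udp all keep state
#block out log quick on $ALCATEL all

#$IPV6TUNNEL is the IPv6 tunnel (gif0)
# inbound: everything blocked; only replies to outbound states get in
block in on $IPV6TUNNEL all
block in log quick on $IPV6TUNNEL inet6 all
block out on $IPV6TUNNEL all
# NOTE(review): the first quick rule matches all outbound IPv6, so the two
# rules after it (pass from $MEIPV6 only, then block) can never match; kept
# as found — remove the "inet6 all" pass if the $MEIPV6-only policy is wanted.
pass out log quick on $IPV6TUNNEL inet6 all keep state
pass out log quick on $IPV6TUNNEL inet6 proto ipv6 from $MEIPV6 to any keep state
block out log quick on $IPV6TUNNEL inet6 all

#$ENCIF is decrypted ipsec traffic (enc0)
block in log on $ENCIF all
#
# Allow encapsulated incoming packets. Since incoming packets may be
# encapsulated multiple times, we need to specify the rule below, to allow
# "peeling" of the encasulation headers until a cleartext packet can be
# handled by the other rules. Outgoing packets are already cleartext on the
# enc0 interface, so they do not need extra care.
#
pass in quick on $ENCIF inet proto ipencap all
# tcp/udp/gre/esp from any peer that reached enc0 is allowed in; this trusts
# the IPsec SA to have authenticated the peer
pass in quick on $ENCIF inet proto tcp from any to any keep state
pass in quick on $ENCIF inet proto udp from any to any keep state
pass in quick on $ENCIF inet proto gre from any to any keep state
pass in quick on $ENCIF inet proto esp from any to any keep state
block out log on $ENCIF all
pass out quick on $ENCIF inet proto tcp from any to any keep state
pass out quick on $ENCIF inet proto udp from any to any keep state
pass out quick on $ENCIF inet proto icmp from any to any keep state
pass out quick on $ENCIF inet proto gre from any to any keep state
pass out quick on $ENCIF inet proto esp from any to any keep state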