Building Firewalls With OpenBSD And PF, 2nd Edition (2003)


Appendix B: Rules for Popular (and Less Popular) Services

A word of warning. Do not apply the examples blindly, but choose only those rules that you need. For example, if you block all incoming connections, but want to pass connections to port 22 originating on the outside of the firewall, choose the pass rule for the screened host/LAN or the one for the bastion host.

All of these rules fit nicely into the more general rulesets presented in Appendix C.

#### Bastion Host ####
# a lone host connected directly to the Internet or LAN

# macros for the bastion host:
# ext_if -- the name of the interface connecting the bastion
#           host to other (external) hosts
ext_if = "ne1"

# filtering rules for the bastion host:

# -- allow connections from the bastion host to external hosts
#    on port 22 (SSH)
# note: to let IPv6 packets pass, copy the following rule and
#       change inet to inet6
pass out on $ext_if inet proto tcp \
    from ($ext_if) port > 1023 \
    to any port 22 \
    flags S/SA modulate state

# -- allow connections from external hosts to the bastion host
#    on port 22 (SSH)
# note: to let IPv6 packets pass, copy the following rule and
#       change inet to inet6
pass in on $ext_if inet proto tcp \
    from any port > 1023 \
    to ($ext_if) port 22 \
    flags S/SA modulate state

# -- block connections from the bastion host to external hosts
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($ext_if) notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.
block out on $ext_if inet proto {tcp, udp} \
    from ($ext_if) \
    to any port 22
block out on $ext_if inet6 proto {tcp, udp} \
    from ($ext_if) \
    to any port 22

# -- block connections from external hosts to the bastion host
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($ext_if) notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.
block in on $ext_if inet proto {tcp, udp} \
    from any \
    to ($ext_if) port 22
block in on $ext_if inet6 proto {tcp, udp} \
    from any \
    to ($ext_if) port 22

#### Screened Host/LAN ####
# the firewall has public IP addresses assigned to its
# interfaces, the private hosts also have public IP addresses

# macros for the screened host/LAN:
# ext_if -- the name of the interface connecting the firewall
#           to external hosts, the Internet, the outside world
ext_if = "ne1"
# prv_if -- the name of the interface connecting the firewall
#           to the private (internal) host(s); put the name of
#           your internal interface here, it must differ from $ext_if
prv_if = "ne1"

# filtering rules for the screened host(s):

# -- allow connections from the private host(s) to external
#    hosts on port 22 (SSH)
# note: private hosts can connect to the firewall's port 22
#       too
pass in on $prv_if inet proto tcp \
    from $prv_if:network port > 1023 \
    to any port 22
pass out on $ext_if inet proto tcp \
    from $prv_if:network port > 1023 \
    to any port 22 \
    flags S/SA modulate state

# -- allow connections from external hosts to the private
#    host(s) on port 22 (SSH)
pass in on $ext_if inet proto tcp \
    from any port > 1023 \
    to $prv_if:network port 22 \
    flags S/SA modulate state
pass out on $prv_if inet proto tcp \
    from any port > 1023 \
    to $prv_if:network port 22

# -- block connections from the private host(s) to external
#    hosts on port 22 (SSH), also block connections to port 22
#    on the firewall host
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the :network notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.
block in on $prv_if inet proto {tcp, udp} \
    from $prv_if:network \
    to any port 22
block in on $prv_if inet6 proto {tcp, udp} \
    from $prv_if:network \
    to any port 22

# -- block connections from external hosts to the private
#    host(s) on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the :network notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.
block in on $ext_if inet proto {tcp, udp} \
    from any \
    to $prv_if:network port 22
block in on $ext_if inet6 proto {tcp, udp} \
    from any \
    to $prv_if:network port 22

# -- allow connections from external hosts to the firewall
#    on port 22 (SSH)
pass in on $ext_if inet proto tcp \
    from any port > 1023 \
    to ($ext_if) port 22 \
    flags S/SA modulate state
pass out on $prv_if inet proto tcp \
    from any port > 1023 \
    to ($ext_if) port 22

# -- block connections from external hosts to the firewall
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($ext_if) notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.
block in on $ext_if inet proto {tcp, udp} \
    from any \
    to ($ext_if) port 22
block in on $ext_if inet6 proto {tcp, udp} \
    from any \
    to ($ext_if) port 22

# -- allow connections from the private hosts to the firewall
#    on port 22 (SSH)
pass in on $prv_if inet proto tcp \
    from $prv_if:network port > 1023 \
    to ($prv_if) port 22 \
    flags S/SA modulate state

# -- block connections from private hosts to the firewall
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($prv_if) notation instead of the numeric
#       address, and the $prv_if interface has both IPv4 and
#       IPv6 addresses.
block in on $prv_if inet proto {tcp, udp} \
    from $prv_if:network \
    to ($prv_if) port 22
block in on $prv_if inet6 proto {tcp, udp} \
    from $prv_if:network \
    to ($prv_if) port 22

#### Invisible Bridge ####
# the firewall has no IP addresses assigned to its
# interfaces, the private hosts have public IP addresses

# macros for the invisible bridge:
# ext_if -- the name of the interface connecting the firewall
#           to external hosts, the Internet, the outside world
ext_if = "ne1"
# prv_if -- the name of the interface connecting the firewall
#           to the private (internal) host(s); put the name of
#           your internal interface here, it must differ from $ext_if
prv_if = "ne1"
# prv_ad -- the addresses of the private hosts
prv_ad = "{x.x.x.a, x.x.x.b, ...}"

# filtering rules for the screened host(s):

# -- allow connections from the private host(s) to external
#    hosts on port 22 (SSH)
pass out on $ext_if inet proto tcp \
    from $prv_ad port > 1023 \
    to any port 22 \
    flags S/SA modulate state

# -- allow connections from external hosts to the private
#    host(s) on port 22 (SSH)
pass in on $ext_if inet proto tcp \
    from any port > 1023 \
    to $prv_ad port 22 \
    flags S/SA modulate state

# -- block connections from the private host(s) to external
#    hosts on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the :network notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.
block out on $ext_if inet proto {tcp, udp} \
    from $prv_ad \
    to any port 22
block out on $ext_if inet6 proto {tcp, udp} \
    from $prv_ad \
    to any port 22

# -- block connections from external hosts to the private
#    host(s) on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the :network notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.
block in on $ext_if inet proto {tcp, udp} \
    from any \
    to $prv_ad port 22
block in on $ext_if inet6 proto {tcp, udp} \
    from any \
    to $prv_ad port 22

#### NAT + Screened Host/LAN ####
# the firewall has a public IP address assigned to its
# external interface, the private hosts have no public IP addresses

# macros for the NAT + Screened Host/LAN setup:
# ext_if -- the name of the interface connecting the firewall
#           to external hosts, the Internet, the outside world
ext_if = "ne1"
# prv_if -- the name of the interface connecting the firewall
#           to the private (internal) host(s); put the name of
#           your internal interface here, it must differ from $ext_if
prv_if = "ne1"

# NAT rules for the NAT + Screened Host/LAN setup:

# -- NAT connections from the private host(s) to external
#    hosts on port 22 (SSH)
nat on $ext_if inet proto tcp \
    from $prv_if:network port > 1023 \
    to any port 22 \
    -> ($ext_if)

# filtering rules for the NAT + Screened Host/LAN setup:

# -- allow connections from the private host(s) to external
#    hosts on port 22 (SSH)
pass out on $ext_if inet proto tcp \
    from $prv_if:network port > 1023 \
    to any port 22 \
    flags S/SA modulate state

# -- allow connections from external hosts to the firewall
#    on port 22 (SSH)
pass in on $ext_if inet proto tcp \
    from any port > 1023 \
    to ($ext_if) port 22 \
    flags S/SA modulate state

# -- block connections from external hosts to the firewall
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($ext_if) notation instead of the numeric
#       address, and the $ext_if interface has both IPv4 and
#       IPv6 addresses.
block in on $ext_if inet proto {tcp, udp} \
    from any \
    to ($ext_if) port 22
block in on $ext_if inet6 proto {tcp, udp} \
    from any \
    to ($ext_if) port 22

# -- allow connections from the private hosts to the firewall
#    on port 22 (SSH)
pass in on $prv_if inet proto tcp \
    from $prv_if:network port > 1023 \
    to ($prv_if) port 22 \
    flags S/SA modulate state

# -- block connections from private hosts to the firewall
#    on port 22 (SSH)
# note: you need two rules to block IPv4 and IPv6 packets, if
#       you use the ($prv_if) notation instead of the numeric
#       address, and the $prv_if interface has both IPv4 and
#       IPv6 addresses.
block in on $prv_if inet proto {tcp, udp} \
    from $prv_if:network \
    to ($prv_if) port 22
block in on $prv_if inet6 proto {tcp, udp} \
    from $prv_if:network \
    to ($prv_if) port 22

B.4 Adapting the Template for Other Services

You can use the rules presented in the previous section for other TCP-based protocols. In most cases, all you have to do is change the port number from 22 to something else:

- Auth (auth, port 113)
- HyperText Transfer Protocol (www, port 80)
- HyperText Transfer Protocol Proxy (no single name or port, typically 8008, 8080)
- Internet Message Access Protocol, v2 (imap, port 143)
- Internet Message Access Protocol, v3 (imap3, port 220)
- Lightweight Directory Access Protocol (ldap, port 389)
- Lightweight Directory Access Protocol over SSL (ldaps, port 636)
- Line Printer Spooler (LPD) (printer, port 515)
- IMAP over TLS/SSL (imaps, port 993)
- Microsoft Global Catalog (msft-gc, port 3268)
- Microsoft Global Catalog with LDAP/SSL (msft-gc-ssl, port 3269)
- MySQL (mysql, port 3306)
- IRC Server (irc-serv, port 529)
- PostgreSQL (postgresql, port 5432)
- Post Office Protocol, v2 (pop2, port 109)
- Post Office Protocol, v3 (pop3, port 110)
- Post Office Protocol, v3 over TLS/SSL (pop3s, port 995)
- QuickTime (rtsp, port 554, 7070)
- RealAudio (rtsp, port 554, 7070)
- Secure HyperText Transfer Protocol (https, port 443)
- Simple Mail Transfer Protocol (smtp, port 25)
- Usenet News Transfer Protocol (nntp, port 119)
- WHOIS (whois, port 43) -- allow only connections to external hosts, do not run whois services on your network.
- X Font Service (font-service, port 7100)
- X Window Server (x11, port 6000-6063) -- use tunnelling to secure this service.

All rules are for IPv4 traffic (inet). If you want to adapt them to IPv6 traffic, either change inet to inet6 (if you don't want to pass/block IPv4 packets), or duplicate them, changing inet to inet6 in the copy.

When you want to adapt these rules to services that use both TCP and UDP, simply copy the relevant pass rule and change proto tcp to proto udp and modulate state to keep state. This is needed for the Domain Name System (domain, port 53), which uses both TCP and UDP.

Should you want to adapt these rules to services that use UDP and not TCP, change proto tcp to proto udp and modulate state to keep state in the relevant pass rule. This trick will work for the Network Time Protocol (ntp, port 123), Trivial FTP (tftp, port 69), Simple Network Management Protocol (snmp, port 161; snmp-trap, port 162), and the X Display Management Control Protocol (xdmcp, port 177).

Block rules can remain unchanged, unless you want to make them more specific, in which case you need to delete either tcp or udp as needed.
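The following is an added example, not a listing from the book, that applies the three adaptation steps above to the bastion host template: DNS (domain, port 53) as a TCP-and-UDP service, NTP (ntp, port 123) as a UDP-only service, and the inet6 duplication. It assumes only the ext_if macro from the bastion host template.

```pf
# Added example (not from the book): bastion host SSH template
# adapted per section B.4 for DNS (TCP + UDP) and NTP (UDP only).
ext_if = "ne1"   # same macro as in the bastion host template

# -- DNS, TCP half: the SSH pass rule with the port changed to 53
pass out on $ext_if inet proto tcp \
    from ($ext_if) port > 1023 \
    to any port 53 \
    flags S/SA modulate state
# -- DNS, UDP half: the same rule copied, proto tcp -> proto udp and
#    modulate state -> keep state (flags only apply to TCP, so drop them)
pass out on $ext_if inet proto udp \
    from ($ext_if) port > 1023 \
    to any port 53 \
    keep state
# -- the two DNS rules duplicated with inet6 so IPv6 resolvers work too
pass out on $ext_if inet6 proto tcp \
    from ($ext_if) port > 1023 \
    to any port 53 \
    flags S/SA modulate state
pass out on $ext_if inet6 proto udp \
    from ($ext_if) port > 1023 \
    to any port 53 \
    keep state

# -- NTP uses UDP only: no copy is kept, the single rule is changed
pass out on $ext_if inet proto udp \
    from ($ext_if) port > 1023 \
    to any port 123 \
    keep state

# -- block rules stay as in the template: {tcp, udp} already covers
#    both protocols; two rules because ($ext_if) can expand to both an
#    IPv4 and an IPv6 address, and a port list covers both services
block in on $ext_if inet proto {tcp, udp} \
    from any \
    to ($ext_if) port {53, 123}
block in on $ext_if inet6 proto {tcp, udp} \
    from any \
    to ($ext_if) port {53, 123}
```

Load it with pfctl -nf to syntax-check the file before activating it, as the book does for its other rulesets.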