Building Firewalls With OpenBSD And PF, 2nd Edition (2003)

Appendix C: Rule Templates for Typical Firewall Configurations

The following are starting points for firewall rulesets implementing the firewall designs described in Chapter 2, Firewall Designs.

C.1 Bastion Host

A bastion host is a lone host connected to the Internet or a LAN. It is running pf(4) for protection from the external threats and does not allow any inbound connections unless they are in response to its own outbound connections. An example of a bastion host would be a machine connected to the Internet via a xDSL modem.

# Macros
# ext_if -- the interface to the outside world
ext_if="ne0"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the bastion host
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA keep state

# antispoof rule on the external interface
antispoof for $ext_if

C.2 Bastion Host II (Some Access Allowed)

A bastion host in this example is a lone host connected to the Internet or a LAN. It is running pf(4) for protection from external threats and does allow some inbound connections. An example of this kind of bastion host would be a WWW and mail server connected to the Internet via an xDSL modem. SSH connections are allowed for administrative purposes.

# Macros
# ext_if -- the interface to the outside world
ext_if="ne0"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the bastion host
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA keep state

# pass all connections originating from external hosts
# to port 80 (WWW) on the bastion host
pass in quick on $ext_if inet proto tcp \
    from any to ($ext_if) port 80 \
    flags S/SA synproxy state

# pass all connections originating from external hosts
# to port 22 (SSH) on the bastion host
pass in quick on $ext_if inet proto tcp \
    from any to ($ext_if) port 22 \
    flags S/SA synproxy state

# pass all connections originating from external hosts
# to port 25 (SMTP) on the bastion host
pass in quick on $ext_if inet proto tcp \
    from any to ($ext_if) port 25 \
    flags S/SA synproxy state

# antispoof rule on the external interface
antispoof for $ext_if

C.3 Screened Host/LAN (Public IP Addresses)

A screened host or LAN is a setup with the firewall host (the machine running pf(4)) sitting between the outside world and the screened hosts. In this example, the firewall's external and private interfaces are assumed to have public IP addresses. The private hosts are also assumed to have public IP addresses. No inbound connections are allowed unless they are in response to outbound connections from the screened LAN or the firewall itself. The firewall doubles as a router. An example of such a setup would be a private network to which no access from the outside is allowed.

# Macros
# ext_if -- the interface to the outside world
ext_if="ne0"

# prv_if -- the interface to the private hosts
prv_if="ne1"

# prv_hosts -- the list of addresses of hosts on the
# screened LAN
prv_hosts = "{x.x.x.1, x.x.x.10, x.x.x.5}"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the firewall and
# the screened LAN
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA modulate state

# pass all connections originating from the screened LAN
pass in quick on $prv_if inet from $prv_hosts to any flags S/SA

# antispoof rule on the external interface
antispoof for $ext_if

# antispoof rule on the private interface
antispoof for $prv_if

C.4 Screened LAN (Some Access Allowed)

A screened host or LAN is a setup with the firewall host (the machine running pf(4)) sitting between the outside world and the screened hosts. In this example, the firewall's external and private interfaces are assumed to have public IP addresses. The private hosts are also assumed to have public IP addresses. Some inbound connections are allowed. The firewall doubles as a router. An example of such a network would be a company network with WWW and mail servers opened to the world and external SSH connections allowed for administrative purposes.

# Macros
# ext_if -- the interface to the outside world
ext_if="ne0"

# prv_if -- the interface to the private hosts
prv_if="ne1"

# prv_hosts -- the list of addresses of hosts on the
# screened LAN
prv_hosts = "{x.x.x.1, x.x.x.10, x.x.x.5}"

# prv_www -- the address of the host running the HTTP server
prv_www = "x.x.x.1"

# prv_smtp -- the address of the host running the SMTP server
prv_smtp = "x.x.x.10"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the firewall
# and the screened LAN
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA modulate state

# pass all connections originating from the screened LAN
pass in quick on $prv_if inet from $prv_hosts to any flags S/SA

# pass all connections originating from external hosts
# to port 80 (WWW) on one of the internal hosts
pass in quick on $ext_if inet proto tcp \
    from any to $prv_www port 80 \
    flags S/SA synproxy state

# pass all connections originating from external hosts
# to port 22 (SSH) on all internal hosts
pass in quick on $ext_if inet proto tcp \
    from any to $prv_hosts port 22 \
    flags S/SA synproxy state

# pass all connections originating from external hosts
# to port 25 (SMTP) on one of the internal hosts
pass in quick on $ext_if inet proto tcp \
    from any to $prv_smtp port 25 \
    flags S/SA synproxy state

# antispoof rule on the external interface
antispoof for $ext_if

# antispoof rule on the private interface
antispoof for $prv_if

C.5 NAT + Screened LAN

This configuration is similar to a screened LAN with public IP addresses, but only the external interface on the firewall has a public IP address. Private hosts have private IP addresses. No inbound connections are passed unless they are in response to outbound connections from the firewall or the screened LAN. The firewall doubles as a router. An example of such a configuration would be a private network hidden behind a single IP address.

# Macros
# ext_if -- the interface to the outside world
ext_if="ne0"

# prv_if -- the interface to the private hosts
prv_if="ne1"

# prv_hosts -- the list of addresses of hosts on the
# screened LAN
prv_hosts = "{192.168.1.1, 192.168.1.10, 10.3.1.5}"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Translate packets
nat on $ext_if inet proto {tcp, udp} \
    from $prv_hosts to any -> ($ext_if)

# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the firewall
pass out quick on $ext_if \
    from ($ext_if) to any flags S/SA modulate state

# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA

# antispoof rule on the external interface
antispoof for $ext_if

# antispoof rule on the private interface
antispoof for $prv_if

C.6 NAT + Screened LAN + DMZ

An extension of NAT + Screened LAN, this configuration allows external connections to be passed into a separate DMZ segment where the publicly accessible servers reside.

# Macros
# ext_if -- the interface to the outside world
ext_if="ne0"

# prv_if -- the interface to the private hosts
prv_if="ne1"

# dmz_if -- the interface to the DMZ
dmz_if="ne2"

# prv_hosts -- the list of addresses of hosts on the
# screened LAN
prv_hosts = "{192.168.1.1, 192.168.1.10, 10.3.1.5}"

# dmz_hosts -- the list of addresses of hosts in the
# DMZ
dmz_hosts = "{192.168.2.1/32, 192.168.2.2/32, 192.168.2.3/32}"

# dmz_www -- the address of the WWW server in the DMZ
dmz_www = "192.168.2.1/32"

# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = "192.168.2.2/32"

# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = "192.168.2.3/32"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Translate packets
# nat for the private hosts
nat on $ext_if inet from $prv_hosts to any -> ($ext_if)

# nat for the DMZ hosts
nat on $ext_if inet from $dmz_hosts to any -> ($ext_if)

# redirect connections to port 80 (HTTP) to the DMZ
rdr on $ext_if inet proto tcp \
    from any to ($ext_if) port 80 -> $dmz_www

# redirect connections to port 25 (SMTP) to the DMZ
rdr on $ext_if inet proto tcp \
    from any to ($ext_if) port 25 -> $dmz_smtp

# redirect connections to port 53 (DNS) to the DMZ
rdr on $ext_if inet proto {tcp, udp} \
    from any to ($ext_if) port 53 -> $dmz_dns

# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block in log all

# pass all connections originating from the firewall
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA modulate state

# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA

# pass all connections originating from the DMZ
pass in quick on $dmz_if from $dmz_hosts to any flags S/SA

# pass all connections to the WWW host in the DMZ
# (filtering sees the destination already rewritten by rdr)
pass in on $ext_if inet proto tcp from any to $dmz_www \
    port 80 flags S/SA synproxy state

# pass all connections to the SMTP host in the DMZ
pass in on $ext_if inet proto tcp from any to $dmz_smtp \
    port 25 flags S/SA synproxy state

# pass all connections to the DNS host in the DMZ
pass in on $ext_if inet proto {tcp, udp} from any to $dmz_dns \
    port 53 keep state

# antispoof rule on the external interface
antispoof for $ext_if

# antispoof rule on the private interface
antispoof for $prv_if

C.7 Invisible Bridge

An invisible bridge is a host with no IP addresses assigned to it. Its general configuration is similar to the screened host/LAN setup, but the invisibility means that it cannot be easily hacked (there's no address to send malicious packets to).

# Macros
# ext_if -- the interface to the outside world
ext_if="ne0"

# prv_if -- the interface to the private hosts
prv_if="ne1"

# prv_hosts -- the list of addresses of hosts on the
# screened LAN
prv_hosts = "{x.x.x.1, x.x.x.10, x.x.x.5}"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block in log on $ext_if all

# pass all connections originating from the screened LAN
pass out quick on $ext_if inet \
    from $prv_hosts to any flags S/SA modulate state

# antispoof rule on the external interface
antispoof for $ext_if

# antispoof rule on the private interface
antispoof for $prv_if
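A small checker for templates in the shape of the ones above, added here as an example and not part of the book: it joins backslash continuations the way pfctl does, then reports references to macros that were never defined (a pass rule pointing at a misspelled macro silently passes nothing) and filter or translation rules that use port without proto, which pfctl rejects with "port only applies to tcp/udp". The sample ruleset is constructed for the example; real files should still go through pfctl -nf before being loaded.

```python
import re
# Constructed sample (not the book's text) in the shape of the C.4 template, seeded with
# two slips: a reference to an undefined macro, and "port" with no "proto" (pfctl rejects it).
SAMPLE_PF_CONF = """\
ext_if="ne0"
prv_if="ne1"
prv_hosts = "{x.x.x.1, x.x.x.10, x.x.x.5}"
prv_www = "x.x.x.1"
block in log all
pass out quick on $ext_if inet \\
    from ($ext_if) to any flags S/SA modulate state
pass in quick on $prv_if inet from $prv_hosts to any flags S/SA
pass in quick on $ext_if inet proto tcp from any to $prv_ad port 22 flags S/SA synproxy state
pass in on $ext_if from any to $prv_www port 80 flags S/SA synproxy state
antispoof for $ext_if
"""
MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"?(.*?)"?$')   # name = "value" or name="value"
MACRO_REF = re.compile(r"\$(\w+)")                   # $name, also inside ($name)
RULE_WORDS = ("pass", "block", "nat", "rdr", "binat")

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined, as pfctl reads them."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        start = start or no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None

def lint_pf_conf(text):
    """Return [(line_no, message)] for undefined macros and port-without-proto rules."""
    macros, findings = {}, []
    for no, line in logical_lines(text):
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for ref in MACRO_REF.findall(line):
            if ref not in macros:
                findings.append((no, f"undefined macro ${ref}"))
        toks = line.split()
        if toks[0] in RULE_WORDS and "port" in toks and "proto" not in toks:
            findings.append((no, "'port' used without 'proto'"))
    return findings
```

Running lint_pf_conf(SAMPLE_PF_CONF) reports line 9 for $prv_ad and line 10 for the port-without-proto rule; macros are resolved in file order, so a macro used before its definition is also reported.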