Firewall configuration taken from this website:
http://alpha.telemedellin.tv/public/pf.conf
Guide only — not for production use.
Before using this, apply your own judgement to every rule.
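###########################################
# Firewall on FreeBSD with PF: The OpenBSD Packet Filter
#
# How-tos:
#   FreeBSD                        http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook
#   PF: The OpenBSD Packet Filter  http://www.openbsd.org/faq/pf/index.html
#
# Warning: When browsing the PF FAQ, please keep in mind that different versions of
# FreeBSD can contain different versions of PF. Currently, FreeBSD 8.X and prior is
# using the same version of PF as OpenBSD 4.1. FreeBSD 9.X and later is using the
# same version of PF as OpenBSD 4.5.
#
# Working with PF
#
# Use pfctl(8) to control PF. Below are some useful commands (be sure to review the
# pfctl(8) man page for all available options):
#
#   Command                            Purpose
#   pfctl -e                           Enable PF
#   pfctl -d                           Disable PF
#   pfctl -F all -f /etc/pf.conf       Flush all rules (nat, filter, state, table, etc.)
#                                      and reload from the file /etc/pf.conf
#   pfctl -s [ rules | nat | state ]   Report on the filter rules, nat rules, or state table
#   pfctl -vnf /etc/pf.conf            Check /etc/pf.conf for errors, but do not load ruleset
#
# Single-host connection (Conexion Monopuesto):
# Here the router is used purely as a modem: FreeBSD itself sends the username and
# password to our ISP to request the connection (this creates the tun0 interface and
# PPPoE is configured on FreeBSD). In this case ext_if = "tun0".
#
# The network is set up like this:
#
#   ISP---ADSL---(ext_if)-[FreeBSD]-(int_if)---Switch---LAN
#                             |    \
#                         (vpn_if)  '-(dmz_if)
#
# Multi-host connection (Conexion Multipuesto):
# Here the router sends the username and password to our ISP, and the hosts behind
# the router use it as their gateway to reach the Internet. In this case
# ext_if = "bge0".
#
# The network is set up like this:
#
#   ISP---ADSL---(ext_if)-[FreeBSD]-(int_if)---Switch---LAN
#                             |    \
#                         (vpn_if)  '-(dmz_if)
#
# Fiber optic:
# Here a patch cord comes straight into the server and the public IP is assigned
# to the server's network card.
#
# The network is set up like this:
#
#   ISP----------(ext_if)-[FreeBSD]-(int_if)---Switch---LAN
#                             |    \
#                         (vpn_if)  '-(dmz_if)
#
# Change history:
#
# * 2010-01-13 This section added
# * 2010-09-12 Adapted for FreeBSD 8.2 and general cleanup
# * 2011-11-25 General cleanup
# * 2012-02-15 TCP port 554 (RTSP) opened for Livestream mobile
# * 2012-06-12 General cleanup
# * 2012-08-10 Proxy exceptions for Charlie (RobotOfima) and Streaming (Procaster)

#-------------------------------------------------------------------------------
# PF: Lists and Macros
#-------------------------------------------------------------------------------

logopt = "log"

# Interfaces
ext_if = "bge0"                 # Internet interface (bge0 or tun0)
int_if = "bge1"                 # LAN interface
#dmz_if = "bge2"                # DMZ interface
vpn_if = "tap0"                 # OpenVPN interface

# External services
serv_tcp = "{ 5432, 667, 8000 }"
serv_udp = "{ 1194 }"

# Internal services
# Each port is listed once: PF expands this list into one rule per entry, so
# repeated ports only produce duplicate rules.
lanserv_tcp = "{ 21, 8021, 22, 37, 53, 80, 82, 84, 443, 110, 143, 995, 993, 25, 465, 518, \
    587, 1626, 1723, 2082, 2095, 8080, 8083, 4080, 8090, 8091, 8092, 7777, \
    5432, 5999, 9339, 1935, 3128, 3129, 6667, 8030, 8443, 3306, 7780, 7778, \
    81, 8001, 8099, 5900, 2628, 7781, 3493, 3551, 1025, 8060, 2083, 9091, \
    6969, 667, 8082, 11371, 8087, 5050, 2096, 4443, 8190, 9001, 5222, 5223, \
    5228, 9090, 48080, 18080, 22300, 554, 38080, 48780, 3389, 2880, 18091, \
    7003, 1688, 18087, 5001:5011, 5242, 4244, 8888, 8009, 3680, 8181, 10040, \
    7005, 1621, 2086, 4643, 2087, 8191, 8086, 8089, 8150, 8348, 8127, 8000 }"
lanserv_udp = "{ 53, 67, 68, 69, 123, 1194, 5060, 1770, 5243, 9785, 3690, 500, \
    4500, 10000, 4000, 4040, 8000, 8050 }"

# Samba service
# If you are setting up a firewall, you need to know what TCP and UDP ports to
# allow and block. Samba uses the following:
#   Port 135/TCP - used by smbd loc-srv
#   Port 137/UDP - used by nmbd netbios-ns
#   Port 138/UDP - used by nmbd netbios-dgm
#   Port 139/TCP - used by smbd netbios-ssn
#   Port 445/TCP - used by smbd microsoft-ds
#   (not required and produces errors in the logs)
#   Port 901/TCP - used by swat
smb_tcp = "{ loc-srv, netbios-ssn, swat, microsoft-ds }"
smb_udp = "{ netbios-ns, netbios-dgm }"

# P2P (firewall and p2p on the same computer)
#
# Transmission port: /usr/ports/net-p2p/transmission-daemon
# Transmission (tcp 51413 default or range 49152:65535)
rpc_port_tcp = "9091"           # Web control http://<ipserver>:9091
peer_port_tcp = "51413"
peer_port_range_tcp = "{ 49152:65535 }"

# Externally permitted inbound icmp types
icmp_types = "echoreq"

# OS X Recovery (does not work through the proxy)
# http://support.apple.com/kb/HT5286
#   $ host osrecovery.apple.com
#   $ host oscdn.apple.com
osxrecovery = "{ 17.164.1.12, 200.31.210.11, 200.31.210.12 }"

#-------------------------------------------------------------------------------
# PF: Tables
#-------------------------------------------------------------------------------

# RFC 1918 addresses that just shouldn't be floating around the Internet, and
# when they are, are usually trying to cause trouble
table <priv_nets> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# Overload tables filled by the max-src-conn-rate rules in the filtering section.
# Declared explicitly with "persist" so the table and the offenders collected in
# it are kept even while no loaded rule references it (e.g. during a reload).
table <ssh-bruteforce> persist
table <web-ddns> persist

#-------------------------------------------------------------------------------
# PF: Options
#-------------------------------------------------------------------------------

set block-policy return
set loginterface $ext_if
# "aggressive" expires idle states early to save memory; if long idle sessions
# get cut, "normal" is the safer choice.
set optimization aggressive

# Every Unix system has a "loopback" interface. It's a virtual network interface that
# is used by applications to talk to each other inside the system. On OpenBSD, the
# loopback interface is lo(4). It is considered best practice to disable all
# filtering on loopback interfaces. Using set skip will accomplish this.
set skip on lo

#-------------------------------------------------------------------------------
# PF: Scrub (Packet Normalization)
#-------------------------------------------------------------------------------

#scrub all reassemble tcp no-df random-id      # Enabled, causes problems on 8.2
#scrub all random-id fragment reassemble       # Under test on 8.2

#-------------------------------------------------------------------------------
# PF: Packet Queueing and Prioritization
#-------------------------------------------------------------------------------

# http://www.openbsd.org/faq/pf/queueing.html#example2
# http://www.openbsd.org/faq/pf/es/queueing.html#example2

#-------------------------------------------------------------------------------
# PF: Network Address Translation (NAT) and Packet Redirection
#-------------------------------------------------------------------------------

# Network address translation exception
#no nat on $ext_if from 192.168.16.8

# Network address translation
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# OpenVPN
# NAT the VPN connections (for access to the remote secure networks)
nat on $vpn_if from !($ext_if) -> ($vpn_if:0)

# FTP-Proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect ftp traffic to proxy (ftp-proxy)
#
# Install port: /usr/ports/ftp/ftp-proxy/
# Add to /etc/rc.conf the line:
#   ftpproxy_enable="YES"
# Start the service with:
#   # /etc/rc.d/ftp-proxy start
#
rdr pass on $int_if proto tcp from any to port ftp \
    -> 127.0.0.1 port ftp-proxy

# Other sites (Noticias RPTV, Comision TV) serving FTP on non-standard ports
rdr pass on $int_if proto tcp from any to port { 24, 18124 } \
    -> 127.0.0.1 port ftp-proxy

# Exceptions: these clients are not redirected to squid
no rdr on $int_if proto tcp from 192.168.31.35 to !$int_if port www    # Other
no rdr on $int_if proto tcp from 192.168.16.7 to !$int_if port www     # Charlie
no rdr on $int_if proto tcp from 192.168.20.59 to !$int_if port www    # Procaster
#no rdr on $int_if proto tcp from 192.168.20.50 to !$int_if port www   # Nexio2
no rdr on $int_if proto tcp from 192.168.16.12 to !$int_if port www    # Core1 (Clima)
no rdr on $int_if proto tcp from 192.168.16.13 to !$int_if port www    # Core2 (Clima)

# OS X Recovery (does not work through the proxy)
no rdr on $int_if proto tcp from any to $osxrecovery

# Redirect and allow outgoing WWW requests to squid, but not from LAN to my server
#rdr pass on $int_if proto tcp from any to !$int_if port www \
#    -> 127.0.0.1 port 3128

# Redirect and allow outgoing WWW requests to squid (Squid 3.2), but not from LAN
# to my server
rdr pass on $int_if proto tcp from any to !$int_if port www \
    -> 127.0.0.1 port 3129

# Redirect and allow remote SIP with Panasonic (the PBX does not support it, the
# SIP clients do not connect)
#rdr pass on $ext_if proto udp from any to port 5062 -> 192.168.20.31 \
#    port 5062

# Redirect and allow remote administration with SSH

# Echo (ssh user@alpha.telemedellin.tv -p 2222)
rdr pass on $ext_if proto tcp from any to port 2222 -> 192.168.16.9 \
    port 22
# Delta (ssh user@alpha.telemedellin.tv -p 2223)
rdr pass on $ext_if proto tcp from any to port 2223 -> 192.168.16.8 \
    port 22
# smb-testdomain.com (ssh user@alpha.telemedellin.tv -p 2224)
rdr pass on $ext_if proto tcp from any to port 2224 -> 192.168.20.48 \
    port 22

# Redirect and allow remote administration with RealVNC

# Streaming
rdr pass on $ext_if proto tcp from any to port 5900 -> 192.168.20.40 \
    port 5900
# Charlie
rdr pass on $ext_if proto tcp from any to port 5901 -> 192.168.16.7 \
    port 5900
# Delta
#rdr pass on $ext_if proto tcp from any to port 5903 -> 192.168.16.8 \
#    port 5900
# Echo
#rdr pass on $ext_if proto tcp from any to port 5904 -> 192.168.16.9 \
#    port 5901
# HP Workstation xw8200 S/N: 2UA6321CL4
rdr pass on $ext_if proto tcp from any to port 5905 -> 192.168.20.66 \
    port 5900
# Some device, temporarily (tcp and udp)
#rdr pass on $ext_if proto {tcp, udp} from any to port 58021 -> 192.168.16.96 \
#    port 58021

# Redirect and allow remote administration with a web browser

# UPS Alphasys (port 80)
rdr pass on $ext_if proto tcp from any to port 81 -> 192.168.20.2 port 80
# UPS MinuteMan (port 82)
#rdr pass on $ext_if proto tcp from any to port 82 -> 192.168.16.251 port 82
# Control Encoder (port 80)
# Address written without the leading zero of the original ("192.168.20.06"):
# leading zeros are read as octal by some tools and are rejected by others.
rdr pass on $ext_if proto tcp from any to port 83 -> 192.168.20.6 port 80
# Control Modulator (port 80)
rdr pass on $ext_if proto tcp from any to port 84 -> 192.168.20.5 port 80
# Control TANDBERG Encoder 8040
rdr pass on $ext_if proto tcp from any to port 85 -> 192.168.20.6 port 80
# Control TANDBERG 8092
rdr pass on $ext_if proto tcp from any to port 86 -> 192.168.16.193 port 80
# TANDBERG RX8200
rdr pass on $ext_if proto tcp from any to port 87 -> 192.168.16.191 port 80
# UPS APC SURT10000XLT-1TF10K
rdr pass on $ext_if proto tcp from any to port 88 -> 192.168.20.1 port 80
# Dell PowerEdge R610 iDRAC6
#rdr pass on $ext_if proto tcp from any to port 89 -> 192.168.16.179 port 80
# Dell PowerConnect 5424
rdr pass on $ext_if proto tcp from any to port 90 -> 192.168.18.10 port 80
# Camera circuit
#rdr pass on $ext_if proto tcp from any to port 91 -> 192.168.20.24 port 80
# TANDBERG Receiver
rdr pass on $ext_if proto tcp from any to port 92 -> 192.168.1.193 port 80
# Miranda Kaleido Model: X16-D S/N:086999-r45263010
rdr pass on $ext_if proto tcp from any to port 93 -> 192.168.1.170 port 80
# ECHO
rdr pass on $ext_if proto tcp from any to port 94 -> 192.168.1.180 port 80
# DarkStat
#rdr pass on $ext_if proto tcp from any to port 668 -> 192.168.1.180 port 667
# DELTA, web site
rdr pass on $ext_if proto tcp from any to port 95 -> 192.168.1.6 port 80

# Redirect and allow remote administration with others

# Control HPA (port 2000)
rdr pass on $ext_if proto tcp from any to port 2000 -> 192.168.20.7 port 2000
# Cameras OLD (ports 554:557)
#rdr pass on $ext_if proto tcp from any to port 554:557 -> 192.168.1.243 port 554:*
# Temporary redirection for some device
#rdr pass on $ext_if proto udp from any to port 1770 -> 192.168.1.165 port 1770
# Windows Remote Desktop redirection (Margarita Monsalve)
rdr pass on $ext_if proto tcp from any to port 3389 -> 192.168.20.62 port 3389

# examples
# Redirect range to one port... port 2000:2999 -> 4000
#rdr pass on $ext_if proto tcp from any to port 2000:2999 -> $host port 4000
# Redirect range to another range... port 2000 to 4000, 2001 to 4001,.. 2999 to 4999
#rdr pass on $ext_if proto tcp from any to port 2000:2999 -> $host port 4000:*

#-------------------------------------------------------------------------------
# PF: Packet Filtering
#-------------------------------------------------------------------------------

# Restrictive default rules
block all
# Block packets and reply with a TCP RST or ICMP Unreachable response
block return

# FTP-Proxy
# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"

# Blocking spoofed packets
antispoof quick for { lo0 $int_if }

#-------------------------------------------------------------------------------
# Filter rules for $ext_if inbound

# Toy with script kiddies scanning us (nmap os detection block)
block in $logopt quick proto tcp flags FUP/WEUAPRSF
block in $logopt quick proto tcp flags WEUAPRSF/WEUAPRSF
block in $logopt quick proto tcp flags SRAFU/WEUAPRSF
block in $logopt quick proto tcp flags /WEUAPRSF
block in $logopt quick proto tcp flags SR/SR
block in $logopt quick proto tcp flags SF/SF

# RFC 1918 addresses that just shouldn't be floating around the Internet, and
# when they are, are usually trying to cause trouble
block drop in on $ext_if from <priv_nets> to any

# Blocking some ip address in table
#block in quick on $ext_if from <blockedips>

# Allow permitted icmp (ping)
#pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# PF "Self-Protecting" an FTP Server (passive)
# NOTE(review): "from any to any port > 49151" admits Internet-originated TCP to
# every high port on every destination, not only the FTP server's passive range.
# Restrict "to" to the FTP server address and its configured passive port range.
pass in on $ext_if proto tcp from any to any port { ftp, > 49151 } \
    keep state

# Special rule for http, https
pass in on $ext_if proto tcp from any to ($ext_if) port { http, https } \
    flags S/SA keep state \
    (max-src-conn-rate 100/30, overload <web-ddns> flush global)
# block the web-ddns offenders
block drop in quick on $ext_if from <web-ddns>
# Manipulating with pfctl
#   pfctl -t web-ddns -T show
#   pfctl -t web-ddns -T add 218.70.0.0/16
#   pfctl -t web-ddns -T delete 218.70.0.0/16

# Allow remote administration with SSH (better use the rule below)
#pass in on $ext_if proto tcp from any to port ssh flags S/SA keep state

# Special rule for ssh http://johan.fredin.info/openbsd/block_ssh_bruteforce.html
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
# block the ssh bruteforce offenders
block drop in quick on $ext_if from <ssh-bruteforce>
# Manipulating with pfctl
#   pfctl -t ssh-bruteforce -T show
#   pfctl -t ssh-bruteforce -T add 218.70.0.0/16
#   pfctl -t ssh-bruteforce -T delete 218.70.0.0/16

# For security reasons always allow some ip address for administration
# NOTE(review): the "block drop in quick ... from <ssh-bruteforce>" above ends
# evaluation, so this address is still cut off once it lands in that table.
# To make "always" true, place this rule before the overload rule as
# "pass in quick ..." or exclude the address from the overload rule.
pass in on $ext_if proto tcp from 190.0.38.166 to port ssh \
    flags S/SA keep state

# serv_tcp
pass in on $ext_if proto tcp from any to any port $serv_tcp \
    flags S/SA keep state

# serv_udp
#pass in on $ext_if proto udp from any to any port $serv_udp

# P2P
#
# Transmission (tcp 51413 default or range 49152:65535)
pass in on $ext_if proto tcp from any to ($ext_if) port $rpc_port_tcp \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port $peer_port_tcp \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port $peer_port_range_tcp \
    flags S/SA keep state

# VPN connections inbound
pass in on $ext_if proto udp from any to port 1194 keep state
pass quick on $vpn_if

#-------------------------------------------------------------------------------
# Filter rules for $ext_if outbound

pass out on $ext_if keep state
block drop out on $ext_if from any to { <priv_nets>, <ssh-bruteforce> }

#-------------------------------------------------------------------------------
# Filter rules for $int_if inbound

# For testing purposes allow temporary connections to all ports from the LAN
#pass in on $int_if keep state

# Blocking some IP address, for example one causing problems to squid
#block in quick on $int_if from 192.168.1.85

# Blocking some IP address, for example one causing problems to DNS
#block in quick on $int_if from 192.168.1.172

# Allow temporary connections to all ports (TCP and UDP) above 1024 from some ip address
#pass in on $int_if proto { tcp, udp } from 192.168.20.58 to any port > 1024 \
#    keep state

# Allow temporary connections to all ports (TCP and UDP) above 80 from some ip address (M24)
pass in on $int_if proto { tcp, udp } from 192.168.29.122 to any port > 80 \
    keep state

# Core1 and Core2 (TCP: 80, 443, 1270, 53 UDP: 1270, 53) (Clima)
# "> 80" does not cover 80 or 53 itself; those are admitted through $lanserv_tcp
# and $lanserv_udp below.
pass in on $int_if proto { tcp, udp } from { 192.168.16.12, 192.168.16.13 } to any port > 80 \
    keep state

# Allow permitted icmp (ping); Traceroute/Tracert needs ping!
pass in on $int_if inet proto icmp all icmp-type $icmp_types keep state

# Allow ports needed by Traceroute/Tracert test
pass in on $int_if proto udp from any to any port 33433:33626

# Network time protocol
pass in on $int_if proto udp from any to any port ntp

# Icecast2 from lan
pass in on $int_if proto tcp from !($ext_if) to 192.168.16.1 port 8000 \
    keep state

# NTOP from lan
pass in on $int_if proto tcp from !($ext_if) to 192.168.16.1 port 3000 \
    keep state

# lanserv_tcp
pass in on $int_if proto tcp from !($ext_if) to any port $lanserv_tcp \
    keep state

# lanserv_udp
pass in on $int_if proto udp from !($ext_if) to any port $lanserv_udp

# Allow ports needed by Samba from LAN
pass in on $int_if proto tcp from !($ext_if) to any port $smb_tcp \
    keep state
pass in on $int_if proto udp from !($ext_if) to any port $smb_udp

# Allow ports needed by passive FTP server from LAN
# be careful with this line, if activated, all computers from the LAN could
# connect to ports above 49151, because the filter is applied in $int_if,
# pending a solution!
#pass in on $int_if proto tcp from !($ext_if) to $int_if port { ftp, > 49151 } \
#    keep state

# FTPS UdeA (ftps = 990, ftps-data = 989 and > 1024)
pass in on $int_if proto tcp from any to 200.24.23.206 port { ftps, ftps-data, > 1024 } \
    keep state

# Allow the Aviwest ports to the LAN
pass in on $int_if proto tcp from !($ext_if) to any port 8888 \
    keep state
pass in on $int_if proto udp from !($ext_if) to any port 7900:7904

#-------------------------------------------------------------------------------
# Filter rules for $int_if outbound

pass out on $int_if keep state

#-------------------------------------------------------------------------------
# Filter rules for $dmz_if inbound

#-------------------------------------------------------------------------------
# Filter rules for $dmz_if outbound

#-------------------------------------------------------------------------------
# Filter rules for $vpn_if inbound

pass in on $vpn_if keep state

#-------------------------------------------------------------------------------
# Filter rules for $vpn_if outbound

pass out on $vpn_if keep state

# NOTES:
#
# * The FreeBSD firewall blocks all inbound traffic by default.
# * FreeBSD may reach anything outbound, except some IP addresses listed in
#   <priv_nets> and <ssh-bruteforce>.
# * FTP requests are handled by the ftp-proxy.
# * WWW requests are handled by the Squid cache proxy.
# * Control of the LAN is done on $int_if
#
# Network UPS Tools requires TCP port 3493
#
# Nmap + PF http://forums.freebsd.org/showthread.php?t=3420
# Firewalls usually modify packets, hence nmap will not function properly.
# Nmap relies on odd/strange packets. Firewalls don't like that. Turn the firewall
# off when scanning.
# Nmap Changelog: http://nmap.org/changelog.html

# HOW-TOs:
#
# FTP-Proxy
# How-to: http://www.cyberciti.biz/faq/freebsd-opebsd-pf-firewall-ftp-configuration/
#
# Step # 1: Turn on ftp-proxy under FreeBSD
#
# Turn on ftp-proxy under FreeBSD
# Open /etc/rc.conf file under FreeBSD
#   # vi /etc/rc.conf
# Append following line:
#   ftpproxy_enable="YES"
#
# Step # 2: Configure pf and ftp-proxy
#
# Open your /etc/pf.conf file and add following into your NAT section:
# To activate it, put something like this in the NAT section of pf.conf:
#   nat-anchor "ftp-proxy/*"
#   rdr-anchor "ftp-proxy/*"
#   rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port ftp-proxy
#
#   20   = ftp-data
#   21   = ftp
#   8021 = ftp-proxy
#
# All three rules required, even if your setup does not use NAT. Find your filtering
# rule and append the following rules:
#   anchor "ftp-proxy/*"
# Save and close the file.
#
# Step # 3: Restart PF firewall
#
# Type the following command under FreeBSD:
#   # /etc/rc.d/pf restart
#
# Step # 4: Start ftp-proxy
#
# Type the following command to start ftp-proxy under FreeBSD:
#   # /etc/rc.d/ftp-proxy start
#
# To view the connections, type the following command under FreeBSD:
#   # sockstat -4 |grep ftp-proxy
#   proxy    ftp-proxy  79457 3  tcp4   127.0.0.1:8021        *:*
#
# FTP SERVER PASV
#   http://slacksite.com/other/ftp.html#passive
#
# Livestream Mobile
#   TCP 554: RTSP
#
# Subversion (SVN) 3690 TCP/UDP
#
# List of TCP and UDP port numbers
#   http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
#
# About FTPS
#   http://www.ipv4security.com/packet_flow/ftp_over_ssl.html
#   http://www.cyberciti.biz/tips/configure-vsfptd-secure-connections-via-ssl-tls.html
#
#   989 = ftps-data
#   990 = ftps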