Freebsd pf.conf

Posted: May 10, 2014 in Freebsd

Firewall Get from this website..

http://alpha.telemedellin.tv/public/pf.conf

Guide Only not for Production …

For using this please use your own brain..

###########################################

# Firewall on FreeBSD with PF: The OpenBSD Packet Filter
#
# How-tos: 
# FreeBSD http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook
# PF: The OpenBSD Packet Filter	http://www.openbsd.org/faq/pf/index.html
#
# Warning: When browsing the PF FAQ, please keep in mind that different versions of
# FreeBSD can contain different versions of PF. Currently, FreeBSD 8.X and prior is
# using the same version of PF as OpenBSD 4.1. FreeBSD 9.X and later is using the
# same version of PF as OpenBSD 4.5.

# Working with PF
#
# Use pfctl(8) to control PF. Below are some useful commands (be sure to review the pfctl(8) man page for all available options):
#   Command                          Purpose
# # pfctl -e                         Enable PF
# # pfctl -d                         Disable PF
# # pfctl -F all -f /etc/pf.conf     Flush all rules (nat, filter, state, table, etc.) and reload from the file /etc/pf.conf
# # pfctl -s [ rules | nat | state ] Report on the filter rules, nat rules, or state table
# # pfctl -vnf /etc/pf.conf          Check /etc/pf.conf for errors, but do not load ruleset

# Conexion Monopuesto:
# En este caso el router es simplemente utilizado como un Modem, ya que es el
# FreeBSD quien envia el usuario y la contrasena a nuestro ISP para solicitar
# conexion (esto genera la interface tun0 y se configura PPPoE en FreeBSD).
# En este caso ext_if = "tun0"
#
# The network is setup like this:
#
# ISP---ADSL---(ext_if)-[FreeBSD]-(int_if)---Suiche---LAN
#                           |    \
#                       (vpn_if)  '-(dmz_if)
#
# Conexion Multipuesto:
# En este caso es el router quien envia el nombre de usuario y la contrasena a
# nuestro ISP y los equipos conectados a este router lo utilizan como puerta
# de enlace (gateway) para obtener una salida a internet.
# En este caso ext_if = "bge0"
#
# The network is setup like this:
#
# ISP---ADSL---(ext_if)-[FreeBSD]-(int_if)---Suiche---LAN
#                           |    \
#                       (vpn_if)  '-(dmz_if)
#
# Fibra Optica
# En este caso al servidor le entra un pacth cord y la IP publica se le pone a
# la tarjeta de red del servidor.
#
# The network is setup like this:
#
# ISP----------(ext_if)-[FreeBSD]-(int_if)---Suiche---LAN
#                           |    \
#                       (vpn_if)  '-(dmz_if)
#
# Historial de cambios:
#
# * 2010-01-13	Se agrega esta seccion
# * 2010-09-12	Adaptacion para FreeBSD 8.2 y depuracion general
# * 2011-11-25	Depuracion general
# * 2012-02-15  Se abre el puerto TCP 554 RTSP para Livestream mobile
# * 2012-06-12	Depuracion general
# * 2012-08-10	Excepcion proxy Charlie (RobotOfima) y Streaming (Procaster)

#-------------------------------------------------------------------------------
# PF: List and Macros
#-------------------------------------------------------------------------------

logopt = "log"

# Interfaces
ext_if = "bge0"		# Internet Interface (bge0 o tun0)
int_if = "bge1"		# Network Interface  LAN
#dmz_if = "bge2"	# Network Interface  DMZ
vpn_if = "tap0"		# OpenVPN Interface

# External services
serv_tcp = "{ 5432, 667, 8000 }"
serv_udp = "{ 1194 }"

# Internal services
lanserv_tcp = "{ 21, 8021, 22, 37, 53, 80, 82, 84, 443, 110, 143, 995, 993, 25, 465, 518, \
	587, 1626, 1723, 2082, 2095, 8080, 8083, 4080, 8090,  8091, 8092, 7777, \
	5432, 5999, 9339, 1935, 3128, 3129, 6667, 8030, 8443, 993, 587, \
	3306, 7780, 7778, 81, 8001, 8099, 5900, 2628, 7781, 3493, 3551, 8443, \
	1025, 8060, 2083, 9091, 6969, 667, 8082, 11371, 8087, 5050, 2096, 4443, \
	8190, 9001, 5222, 5223, 5228, 9090, 48080, 18080, 22300, 8030, 554, \
	38080, 48780, 3389, 2880, 18091, 7003, 1688, 18087, 5001:5011, 5242, \
	4244, 1935, 8888, 8009, 8080, 3680, 8181, 10040, 7005, 1621, 2086, \
	4643, 2086, 2087, 8191, 8086, 8089, 8150, 8348, 8127, 8000 }"
lanserv_udp = "{ 53, 67, 68, 69, 123, 1194, 5060, 1770, 5243, 9785, 3690, 500, \
	4500, 10000, 4000, 4040, 8000, 8050 }"

# Samba service
# If you are setting up a firewall, you need to know what TCP and UDP ports to
# allow and block. Samba uses the following:
# Port 135/TCP - used by smbd loc-srv
# Port 137/UDP - used by nmbd netbios-ns
# Port 138/UDP - used by nmbd netbios-dgm
# Port 139/TCP - used by smbd netbios-ssn
# Port 445/TCP - used by smbd microsoft-ds # no se requiere y da error en logs
# Port 901/TCP - used by swat
smb_tcp = "{ loc-srv, netbios-ssn, swat, microsoft-ds }"
smb_udp = "{ netbios-ns, netbios-dgm }"

# P2P (firewall and p2p in same computer)
#
# Transmission Port: /usr/ports/net-p2p/transmission-daemon
# Transmission (tcp 51413 defaul or range 49152:65535)
rpc_port_tcp = "9091"                   # Control web http://<ipserver>:9091
peer_port_tcp = "51413"
peer_port_range_tcp = "{ 49152:65535 }"

# Externally permitted inbound icmp types
icmp_types = "echoreq"

# OS X Recovery (no pasa bien el proxy)
# http://support.apple.com/kb/HT5286
# $ host osrecovery.apple.com
# $ host oscdn.apple.com
osxrecovery = "{ 17.164.1.12, 200.31.210.11, 200.31.210.12 }"

#-------------------------------------------------------------------------------
# PF: Tables
#-------------------------------------------------------------------------------

# RFC 1918 addresses that just shouldn't be floating around the Internet, and 
# when they are, are usually trying to cause trouble 
table <priv_nets> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

#-------------------------------------------------------------------------------
# PF: Options
#-------------------------------------------------------------------------------

set block-policy return
set loginterface $ext_if
set optimization aggressive

# Every Unix system has a "loopback" interface. It's a virtual network interface that
# is used by applications to talk to each other inside the system. On OpenBSD, the 
# loopback interface is lo(4). It is considered best practice to disable all 
# filtering on loopback interfaces. Using set skip will accomplish this.
set skip on lo

#-------------------------------------------------------------------------------
# PF: Scrub (Packet Normalization)
#-------------------------------------------------------------------------------

#scrub all reassemble tcp no-df random-id	# Activa causa problemas en 8.2
#scrub all random-id fragment reassemble	# En pruebas en 8.2

#-------------------------------------------------------------------------------
# PF: Packet Queueing and Priorization
#-------------------------------------------------------------------------------

# http://www.openbsd.org/faq/pf/queueing.html#example2
# http://www.openbsd.org/faq/pf/es/queueing.html#example2

#-------------------------------------------------------------------------------
# PF: Netkwork Address Translation (NAT) and Packet Redirection
#-------------------------------------------------------------------------------

# Network address translation exception
#no nat on $ext_if from 192.168.16.8

# Network address translation
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# OpenVPN
# NAT the VPN connections (for access to the remote secure networks)
nat on $vpn_if from !($ext_if) -> ($vpn_if:0)

# FTP-Proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect ftp traffic to proxy (ftp-proxy)
#
# Install port: /usr/ports/ftp/ftp-proxy/
# Add to /etc/rc.conf the line:
# ftpproxy_enable="YES"
# Start the service with:
# # /etc/rc.d/ftp-proxy start
#
rdr pass on $int_if proto tcp from any to port ftp \
	-> 127.0.0.1 port ftp-proxy

# Others sites ( Noticias RPTV, Comision TV)
rdr pass on $int_if proto tcp from any to port { 24, 18124 } \
	-> 127.0.0.1 port ftp-proxy

# Exception for not Redirect to squid
no rdr on $int_if proto tcp from 192.168.31.35 to !$int_if port www	# Otro
no rdr on $int_if proto tcp from 192.168.16.7 to !$int_if port www	# Charlie
no rdr on $int_if proto tcp from 192.168.20.59 to !$int_if port www	# Procaster
#no rdr on $int_if proto tcp from 192.168.20.50 to !$int_if port www	# Nexio2
no rdr on $int_if proto tcp from 192.168.16.12 to !$int_if port www	# Core1 (Clima)
no rdr on $int_if proto tcp from 192.168.16.13 to !$int_if port www	# Core2 (Clima)

# OS X Recovery (no pasa bien el proxy)
no rdr on $int_if proto tcp from any to $osxrecovery

# Redirect and allow outgoing to WWW requests to the squid, but not from LAN to my server
#rdr pass on $int_if proto tcp from any to !$int_if port www \
	-> 127.0.0.1 port 3128

# Redirect and allow outgoing to WWW requests to the squid, but not from LAN to my server Squid 3.2
rdr pass on $int_if proto tcp from any to !$int_if port www \
	-> 127.0.0.1 port 3129

# Redirect and allow remote SIP with Panasonic (la planta no lo soporta los sip no conectan)
#rdr pass on $ext_if proto udp from any to port 5062 -> 192.168.20.31 \
	port 5062

# Redirect and allow remote administration with SSH
# Echo (ssh user@alpha.telemedellin.tv -p 2222)
rdr pass on $ext_if proto tcp from any to port 2222 -> 192.168.16.9 \
	port 22
# Delta (ssh user@alpha.telemedellin.tv -p 2223)
rdr pass on $ext_if proto tcp from any to port 2223 -> 192.168.16.8 \
	port 22
# smb-testdomain.com (ssh user@alpha.telemedellin.tv -p 2224)
rdr pass on $ext_if proto tcp from any to port 2224 -> 192.168.20.48 \
	port 22

# Redirect and allow remote administration with RealVNC
# Streaming
rdr pass on $ext_if proto tcp from any to port 5900 -> 192.168.20.40 \
	port 5900
# Charlie
rdr pass on $ext_if proto tcp from any to port 5901 -> 192.168.16.7 \
	port 5900
# Delta
#rdr pass on $ext_if proto tcp from any to port 5903 -> 192.168.16.8 \
	port 5900
# Echo
#rdr pass on $ext_if proto tcp from any to port 5904 -> 192.168.16.9 \
	port 5901

# HP Workstation xw8200 S/N: 2UA6321CL4
rdr pass on $ext_if proto tcp from any to port 5905 -> 192.168.20.66 \
	port 5900

# Algun equipo temporalmente (tcp y udp)
#rdr pass on $ext_if proto {tcp, udp} from any to port 58021 -> 192.168.16.96 \
	port 58021

# Redirect and allow remote administration whit web browser

# UPS Alphasys (puerto 80)
rdr pass on $ext_if proto tcp from any to port 81 -> 192.168.20.2 port 80

# UPS MinuteMan (puerto 82)
#rdr pass on $ext_if proto tcp from any to port 82 -> 192.168.16.251 port 82

# Control Encoder (puerto 80)
rdr pass on $ext_if proto tcp from any to port 83 -> 192.168.20.06 port 80

# Control Modulator (puerto 80)
rdr pass on $ext_if proto tcp from any to port 84 -> 192.168.20.05 port 80

# Control TANDBERG Encoder 8040
rdr pass on $ext_if proto tcp from any to port 85 -> 192.168.20.06 port 80

# Control TANDBERG 8092
rdr pass on $ext_if proto tcp from any to port 86 -> 192.168.16.193 port 80

#  TANDERG RX8200
rdr pass on $ext_if proto tcp from any to port 87 -> 192.168.16.191 port 80

# UPS APC SURT10000XLT-1TF10K
rdr pass on $ext_if proto tcp from any to port 88 -> 192.168.20.1 port 80

# Dell PowerEdge R610 iDRAC6
#rdr pass on $ext_if proto tcp from any to port 89 -> 192.168.16.179 port 80

# Dell PowerConnect 5424
rdr pass on $ext_if proto tcp from any to port 90 -> 192.168.18.10 port 80

# Circuito Camaras
#rdr pass on $ext_if proto tcp from any to port 91 -> 192.168.20.24 port 80

# TANDBERG Reciver
rdr pass on $ext_if proto tcp from any to port 92 -> 192.168.1.193 port 80

# Miranda Kaleido Model: X16-D S/N:086999-r45263010
rdr pass on $ext_if proto tcp from any to port 93 -> 192.168.1.170 port 80

# ECHO
rdr pass on $ext_if proto tcp from any to port 94 -> 192.168.1.180 port 80
# DarkStat
#rdr pass on $ext_if proto tcp from any to port 668 -> 192.168.1.180 port 667

# DELTA, sitio web
rdr pass on $ext_if proto tcp from any to port 95 -> 192.168.1.6 port 80

# Redirect and allow remote administration whit others

# Control HPA (puerto 2000)
rdr pass on $ext_if proto tcp from any to port 2000 -> 192.168.20.7 port 2000

# Camaras OLD (puerto 554:557)
#rdr pass on $ext_if proto tcp from any to port 554:557 -> 192.168.1.243 port 554:*

# Redireccion temporal para algun equipo
#rdr pass on $ext_if proto udp from any to port 1770 -> 192.168.1.165 port 1770

# Redireccion Escritorio Remoto Windows (Margarita Monsalve)
rdr pass on $ext_if proto tcp from any to port 3389 -> 192.168.20.62 port 3389

# examples
# Redirect range to one port... port 2000:2999 -> 4000
#rdr pass on $ext_if proto tcp from any to port 2000:2999 -> $host port 4000
# Redirect range to another range... port 2000 to 4000, 2001 to 4001,.. 2999 to 4999
#rdr pass on $ext_if proto tcp from any to port 2000:2999 -> $host port 4000:*

#-------------------------------------------------------------------------------
# PF: Packet Filtering
#-------------------------------------------------------------------------------

# Restrictive default rules
block all

# Block packets and reply with a TCP RST or ICMP Unreachable response
block return

# FTP-Proxy
# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"

# Blocking Spoofed Packets (Paquetes Falsificados)
antispoof quick for { lo0 $int_if }

#-------------------------------------------------------------------------------
# Filter rules for $ext_if inbound

# Toy with script kiddies scanning us (nmap os detection block)
block in $logopt quick proto tcp flags FUP/WEUAPRSF
block in $logopt quick proto tcp flags WEUAPRSF/WEUAPRSF
block in $logopt quick proto tcp flags SRAFU/WEUAPRSF
block in $logopt quick proto tcp flags /WEUAPRSF
block in $logopt quick proto tcp flags SR/SR
block in $logopt quick proto tcp flags SF/SF

# RFC 1918 addresses that just shouldn't be floating around the Internet, and
# when they are, are usually trying to cause trouble
block drop in on $ext_if from <priv_nets> to any

# Blocking some ip address in table
#block in quick on $ext_if from <blockedips>

# Allow permitted icmp (ping)
#pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# PF "Self-Protecting" an FTP Server (passive)
pass in on $ext_if proto tcp from any to any port { ftp, > 49151 } \
	keep state

# Special rule for http, https
pass in on $ext_if proto tcp from any to ($ext_if) port { http, https } \
	flags S/SA keep state \
	(max-src-conn-rate 100/30, overload <web-ddns> flush global)
# block the web-ddns bastards
block drop in quick on $ext_if from <web-ddns>

# Manipulating with pfctl
# pfctl -t web-ddns -T show
# pfctl -t web-ddns -T add 218.70.0.0/16
# pfctl -t web-ddns -T delete 218.70.0.0/16

# Allow remote administration with SSH (better use the option to down)
#pass in on $ext_if proto tcp from any to port ssh flags S/SA keep state

# Special rule for ssh http://johan.fredin.info/openbsd/block_ssh_bruteforce.html
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
	flags S/SA keep state \
	(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
# block the ssh bruteforce bastards
block drop in quick on $ext_if from <ssh-bruteforce>

# Manipulating with pfctl
# pfctl -t ssh-bruteforce -T show
# pfctl -t ssh-bruteforce -T add 218.70.0.0/16
# pfctl -t ssh-bruteforce -T delete 218.70.0.0/16

# For security reasons always allow some ip address for administration
pass in on $ext_if proto tcp from 190.0.38.166 to port ssh \
	flags S/SA keep state

# serv_tcp
pass in on $ext_if proto tcp from any to any port $serv_tcp \
	flags S/SA keep state
# serv_udp
#pass in on $ext_if proto udp from any to any port $serv_udp

# P2P
#
# Transmission (tcp 51413 defaul or range 49152:65535)
pass in on $ext_if proto tcp from any to ($ext_if) port $rpc_port_tcp \
	flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port $peer_port_tcp \
	flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port $peer_port_range_tcp \
	flags S/SA keep state

# VPN connections inbound
pass in on $ext_if proto udp from any to port 1194 keep state
pass quick on $vpn_if

#-------------------------------------------------------------------------------
# Filter rules for $ext_if outbound

pass out on $ext_if keep state

block drop out on $ext_if from any to { <priv_nets>, <ssh-bruteforce> }

#-------------------------------------------------------------------------------
# Filter rules for $int_if inbound

# For testing purpose allow temporary connection to all ports from the LAN
#pass in on $int_if keep state

# Blocking some IP address, by example causing problems to squid
#block in quick on $int_if from 192.168.1.85

# Blocking some IP address, by example causing problems to DNS
#block in quick on $int_if from 192.168.1.172

# Allow temporary connection to all ports (TCP and UDP) upper to 1024 to some ip address
#pass in on $int_if proto { tcp, udp } from 192.168.20.58 to any port > 1024 \
	keep state
# Allow temporary connection to all ports (TCP and UDP) upper to 80 to some ip address M24
pass in on $int_if proto { tcp, udp } from 192.168.29.122 to any port > 80 \
	keep state

# Core1 y Core2 (TCP: 80, 443, 1270, 53  UDP: 1270, 53) (Clima)
pass in on $int_if proto { tcp, udp } from { 192.168.16.12, 192.168.16.13 } to any port > 80 \
	keep state

# Allow permitted icmp (ping) Traceroute/Tracert needed ping!
pass in on $int_if inet proto icmp all icmp-type $icmp_types keep state

# Allow ports needed by Traceroute/Tracert test
pass in on $int_if proto udp from any to any port 33433:33626

# Network time protocol
pass in on $int_if proto udp from any to any port ntp

# Icecast2 from lan
pass in on $int_if proto tcp from !($ext_if) to 192.168.16.1 port 8000 \
	keep state

# NTOP from lan
pass in on $int_if proto tcp from !($ext_if) to 192.168.16.1 port 3000 \
	keep state

# lanserv_tcp
pass in on $int_if proto tcp from !($ext_if) to any port $lanserv_tcp \
	keep state
# lanserv_udp
pass in on $int_if proto udp from !($ext_if) to any port $lanserv_udp

# Allow ports needed by Samba from LAN
pass in on $int_if proto tcp from !($ext_if) to any port $smb_tcp \
	keep state
pass in on $int_if proto udp from !($ext_if) to any port $smb_udp

# Allow ports needed by passive FTP server from LAN
# be careful with this line, if activated, all computers from the LAN could
# connect to ports above 49151, because the filter is applied in $int_if,
# pending a solution!
#pass in on $int_if proto tcp from !($ext_if) to $int_if port { ftp, > 49151 \
	} keep state

# FTPS UdeA (ftps = 990, ftps-data = 989 y > 1024)
pass in on $int_if proto tcp from any to 200.24.23.206 port { ftps, ftps-data, > 1024 } \
	keep state

# Permitimos los puertos de Aviwest a la LAN
pass in on $int_if proto tcp from !($ext_if) to any port 8888 \
	keep state
pass in on $int_if proto udp from !($ext_if) to any port 7900:7904

#-------------------------------------------------------------------------------
# Filter rules for $int_if outbound

pass out on $int_if keep state

#-------------------------------------------------------------------------------
# Filter rules for $dmz_if inbound

#-------------------------------------------------------------------------------
# Filter rules for $int_if_dmz outbound

#-------------------------------------------------------------------------------
# Filter rules for $vpn_if inbound
pass in on $vpn_if keep state

#-------------------------------------------------------------------------------
# Filter rules for $vpn_if outbound
pass out on $vpn_if keep state


# NOTAS:
#
# * El firewall en FreeBSD bloquea la entrada de todo por defecto.
# * FreeBSD puede salir a todo, excepto a algunas direcciones IPs listadas en:
#   <priv_nets> y <ssh-bruteforce>.
# * Las peticiones de FTP las resuelve el proxy ftp-proxy.
# * Las peticiones de WWW las resuelve el proxy Squid-cache.
# * El control para la LAN se hace en la $int_if
#
# Network UPS Tools requiere el puerto TCP 3493

# Nmap + PF http://forums.freebsd.org/showthread.php?t=3420
# Firewalls usually modify packets, hence nmap will not function properly. 
# Nmap relies on odd/strange packets. Firewalls don't like that. Turn the firewall 
# off when scanning.
# Nmap Changelog: http://nmap.org/changelog.html

# HOW-TOs:
#
# FTP-Proxy
# How-to: http://www.cyberciti.biz/faq/freebsd-opebsd-pf-firewall-ftp-configuration/
#
# Step # 1: Turn on ftp-proxy under FreeBSD
#
# Turn on ftp-proxy under FreeBSD
# Open /etc/rc.conf file under FreeBSD
# # vi /etc/rc.conf
# Append following line:
# ftpproxy_enable="YES"
#
# Step # 2: Configure pf and ftp-proxy
#
# Open your /etc/pf.conf file and add following into your NAT section:
# To activate it, put something like this in the NAT section of pf.conf:
# nat-anchor "ftp-proxy/*"
# rdr-anchor "ftp-proxy/*"
# rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port ftp-proxy
#
#   20 = ftp-data
#   21 = ftp
# 8021 = ftp-proxy
#
# All three rules required, even if your setup does not use NAT. Find your filtering
# rule and append the following rules:
# anchor "ftp-proxy/*"
# Save and close the file.
#
# Step # 3: Restart PF firewall
#
# Type the following command under FreeBSD:
# # /etc/rc.d/pf restart
#
# Step # 4: Start ftp-proxy
#
# Type the following command to start ftp-proxy under, FreeBSD:
# # /etc/rc.d/ftp-proxy start
#
# For view the connections, type the following command under FreeBSD:
# # sockstat -4 |grep ftp-proxy
# proxy    ftp-proxy  79457 3  tcp4   127.0.0.1:8021        *:*
#
# FTP SERVER PASV
# http://slacksite.com/other/ftp.html#passive
#
# Livestream Mobile
#
# TCP 554: RTSP, 
#
# Subvension (SVN) 3690 TCP/UDP
#
# List of TCP and UDP port numbers
# http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
#
# About FTPS
#
# http://www.ipv4security.com/packet_flow/ftp_over_ssl.html
# http://www.cyberciti.biz/tips/configure-vsfptd-secure-connections-via-ssl-tls.html
#
#  989 = ftps-data
#  990 = ftps

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s