tarballed
November 18th, 2004, 17:28
Hey everyone. Working on a personal setup at home that will have the following:

-OpenBSD 3.6 firewall
-DMZ setup, with a mail server running: postfix, cyrus-imapd, maybe webmail
-internal network behind it

Going over some of the other posts as well as reading up on the PF FAQ, I've been putting my rules together. So far, this is what I have. I know I'm missing something(s), but this is a work in progress for me.

I'd appreciate the feedback on what I have so far.


ext_if="dc0"
int_if="int0"
DMZ="xl0"
mailserver="172.16.1.100"

#table <spamd> persist
#table <spamd-white> persist
table <unroutable> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }

#scrub the packets
scrub in on $ext_if all
scrub out on $ext_if all

#NAT and redirect port 25 to mailserver
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to $ext_if port 25 -> $mailserver

#Default blocks
block in on $ext_if
block in quick on $ext_if from <unroutable> to any

#NO need for IPV6
block in log quick inet6 all

#pass port 25 traffic to correct place
pass in on $ext_if inet proto tcp from any to $mailserver port 25 keep state

#pass out rules
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state


Granted, I still need to add things such as port 80 and 143 to the mail server.
I also need to set up PF to drop nmap type scans and other goodies.

Also looking into possibly using blacklists, whitelists and greylists with spamd.
But for now, I am re-orienting myself with PF again.

I appreciate the help.

T.
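
For readers who want to see the pieces the post says are still missing (the port 80 and 143 redirects, the spamd tables, and a DMZ that cannot start connections into the internal network), here is a complete OpenBSD 3.6-era pf.conf as an added example. It is not the poster's ruleset and not from the PF FAQ. The internal NIC name rl0, the 10.0.0.0/24 internal range and the 172.16.1.0/24 DMZ range are assumptions, as is the default-deny policy on every interface (the post only blocks inbound on the external one).

```pf
# Added example (not the poster's ruleset): OpenBSD 3.6-style pf.conf for a
# firewall with an external, a DMZ and an internal interface, publishing a
# DMZ mail server on 25/80/143 and greylisting inbound SMTP through spamd(8).
# Assumptions: rl0 is the internal NIC, 10.0.0.0/24 is inside, 172.16.1.0/24 is the DMZ.
ext_if     = "dc0"
dmz_if     = "xl0"
int_if     = "rl0"              # assumed; use the real internal NIC
int_net    = "10.0.0.0/24"      # assumed internal range
dmz_net    = "172.16.1.0/24"    # assumed DMZ range
mailserver = "172.16.1.100"
mail_tcp   = "{ smtp, www, imap }"   # 25, 80, 143 from the post; 143 carries
                                     # cleartext logins, so require TLS on the server

table <spamd> persist            # blacklists, filled by spamd-setup(8) from cron
table <spamd-white> persist      # hosts that passed greylisting, filled by spamd(8)
table <unroutable> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }

# Normalise fragments on every interface and randomise IP IDs leaving the box
scrub in all
scrub out on $ext_if all random-id

# Both private networks leave through the external address
nat on $ext_if inet from { $int_net, $dmz_net } to any -> ($ext_if)

# First matching rdr wins: spamd gets blacklisted and not-yet-whitelisted
# senders, only whitelisted senders reach the real MTA. "on $ext_if" matters;
# without it internal clients talking to port 25 would be redirected as well.
rdr pass on $ext_if inet proto tcp from <spamd> to $ext_if port smtp -> 127.0.0.1 port spamd
rdr pass on $ext_if inet proto tcp from !<spamd-white> to $ext_if port smtp -> 127.0.0.1 port spamd
rdr on $ext_if inet proto tcp from any to $ext_if port $mail_tcp -> $mailserver

# Default deny on every interface, logged so probes show up on pflog0
block log all
pass quick on lo0 all

# Spoofed private sources coming in, private destinations going out
block in log quick on $ext_if from <unroutable> to any
block out log quick on $ext_if from any to <unroutable>
antispoof log quick for { $int_if, $dmz_if }

# No IPv6 on this network
block in log quick inet6 all

# Internet -> DMZ: only the published TCP services, only to the mail host,
# and only connections that open with a bare SYN
pass in on $ext_if inet proto tcp from any to $mailserver port $mail_tcp flags S/SA keep state
pass out on $dmz_if inet proto tcp from any to $mailserver port $mail_tcp flags S/SA keep state

# DMZ -> world: the MTA may deliver mail and resolve names, nothing else,
# and it never initiates anything towards the internal network
block in log quick on $dmz_if from $dmz_net to $int_net
pass in on $dmz_if inet proto tcp from $mailserver to any port smtp flags S/SA keep state
pass in on $dmz_if inet proto udp from $mailserver to any port domain keep state

# Internal -> anywhere (the DMZ services above, the internet, the firewall itself)
pass in on $int_if inet from $int_net to any keep state
pass out on $int_if inet from any to $int_net keep state

# Whatever the inside rules admitted may leave, with sequence-number modulation
pass out on $ext_if inet proto tcp all modulate state flags S/SA
pass out on $ext_if inet proto { udp, icmp } all keep state
```

Parse-check it with `pfctl -nf /etc/pf.conf` before loading. The spamd rules only do something if spamd(8) is running with greylisting enabled and spamd-setup(8) is run from cron to populate <spamd>; until then every non-whitelisted sender is greylisted and the <spamd-white> table fills as legitimate MTAs retry.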

SolarfluX
March 5th, 2005, 23:37
> I also need to set up PF to drop nmap type scans and other goodies.

No, you don't, since you're already using scrub. This takes care of them already.