tarballed
April 6th, 2005, 20:18
DMZ-type setup with a mail and web server on the same box.


#External network info
#IP - xx.xx.xx.xx
#Mask - xxx.xxx.xxx.xxx
#Gate - xxx.xxx.xxx.xxx
#DNS - xxx.xxx.xxx.xx

#
#Variables and declarations
#

ext_if="xl0"
ext_ip="xxx.xxx.xxx.xxx"
int_if="sis0"
int_ip="172.16.1.0/24"
optional="dc0"
opt_ip="192.168.1.0/24"
mailip="192.168.1.100"
websrv="192.168.1.100"

#
#Table setups
#

table <rfcstuff> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

#scrub packets

scrub in on $ext_if all fragment reassemble

#NAT Setup and rules and re-directs to DMZ

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto { tcp, udp } from any to any port 80 -> $websrv
rdr on $ext_if inet proto { tcp, udp } from any to any port 25 -> $mailip

#Default block
block in on $ext_if all
block out on $ext_if all
block in log quick on $ext_if from <rfcstuff> to any
block out log quick on $ext_if from any to <rfcstuff>

#Pass rules

#pass in rules for port 80 and 25 (destinations already rewritten by the rdr rules above)
pass in on $ext_if inet proto tcp from any to $mailip port 25 keep state
pass in on $ext_if inet proto tcp from any to $websrv port 80 keep state

#pass out rules
pass out quick on $int_if from any to $int_if:network keep state
pass out quick on $ext_if proto tcp all modulate state flags S/SAFR
pass out quick on $ext_if proto { udp, icmp } all keep state

I know I missed something. I quickly whipped this together this afternoon and I'm looking to test here tonight or tomorrow.

Also, I like the idea of using tables and was thinking about maybe setting up something with a file and a list of my internal LAN IPs. Seems like tables are a good way to go.

I'd also like to try the antispoof rule as well. Anyone used that before?

Cheers.

tarballed

tarballed
April 7th, 2005, 16:25
In regards to tables (really digging the use of tables), is there much of a performance difference between using 'const' and putting the IPs directly in the table (in pf.conf) over using a specified file? I like the idea of creating tables and directing them to a file. I can then use pfctl to add IPs on the fly.

Much of a performance difference? Or just personal preference.

Lastly, with 'antispoof' I'm assuming that should go after the default blocks?

I'll update my rules and post later. Have a few things I'd like to add.

tarballed
April 7th, 2005, 18:43
Ok, here is a bit more. Trying to add a few things as well as specify a few more ports on my mail/web server for webmail and stuff.

Here it is. Let me know what I need to change or what I have wrong.


#Variables and declarations
#

ext_if="xl0"
ext_ip="xxx.xxx.xxx.xxx"
int_if="sis0"
int_ip="172.16.1.0/24"
optional="dc0"
opt_ip="192.168.1.0/24"
mailip="192.168.1.100"
websrv="192.168.1.100"


#
#Table setups
#
table <rfcstuff> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

#Default policy
set block-policy drop


#scrub packets
scrub in on $ext_if all fragment reassemble
scrub out on $int_if all random-id


#NAT Setup and rules and re-directs to DMZ
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto { tcp, udp } from any to any port { 80, 443 } -> $websrv
rdr on $ext_if inet proto { tcp, udp } from any to any port { 25, 143, 993 } -> $mailip

#ANTI-Spoof rules
antispoof quick for $int_if inet


#Default block
block in on $ext_if all
block out on $ext_if all
block in log quick on $ext_if from <rfcstuff> to any
block out log quick on $ext_if from any to <rfcstuff>


#Pass rules
#pass in rules for the redirected mail and web ports (25, 80, 443, 143, 993)
pass in on $ext_if inet proto tcp from any to $mailip port 25 modulate state flags S/SA
pass in on $ext_if inet proto tcp from any to $websrv port { 80, 443, imap, imaps } modulate state flags S/SA

#pass in from the internal LAN, then pass out rules
pass in on $int_if from $int_if:network to any
pass out quick on $int_if from any to $int_if:network keep state
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto { udp, icmp } all keep state

I probably could combine the redirects and pass in lines and make it all one line. Might be the better way to go.

I'm also strongly considering using a file for my table setups as I like that option a bit better.

tarballed
April 8th, 2005, 14:13
Blewh... had some typos. Fixed them and added a few other options.

I think where I'm slightly confused is on my passing out rules. Any suggestions there?


#Variables and declarations
#

ext_if="xl0"
ext_ip="66.93.33.252"
int_if="sis0"
int_ip="172.16.1.0/24"
optional="dc0"
opt_ip="192.168.1.0/24"
mailip="192.168.1.100"
websrv="192.168.1.100"


#
#Table setups
#
table <rfcstuff> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

#Default policy
set block-policy drop


#scrub packets
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble


#NAT Setup and rules and re-directs to DMZ
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto { tcp, udp } from any to any port { 80, 443 } -> $websrv
rdr on $ext_if inet proto { tcp, udp } from any to any port { 25, 143, 993 } -> $mailip

#ANTI-Spoof rules
antispoof quick for $int_if inet


#Default block
block in on $ext_if all
block out on $ext_if all
block in log quick on $ext_if from <rfcstuff> to any
block out log quick on $ext_if from any to <rfcstuff>


#Pass rules
#pass in rules for the redirected mail and web ports (25, 80, 443, 143, 993)
pass in on $ext_if inet proto tcp from any to $mailip port 25 modulate state flags S/SA
pass in on $ext_if inet proto tcp from any to $websrv port { 80, 443, imap, imaps } modulate state flags S/SA

#pass in from the internal LAN, then pass out rules
pass in on $int_if from $int_if:network to any
pass out quick on $int_if from any to $int_if:network keep state
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto { udp, icmp } all keep state


Quick side note: Anyone have any recommendations, hardware wise, for an OpenBSD PF firewall that will support 120 users? I'm planning on using altq and specifically defining services that are allowed to go outbound (80, 443, nntp).

Thanks

frisco
April 8th, 2005, 15:10
I was going to mention those typos...

As far as tables, the benefit of having tables in the pf.conf is you only need to look at one place. But if you have lots of stuff going in a table, that can be a drag. You imply that you can't have a table in pf.conf that can have hosts added to it later via pfctl, but that's only true if the table is declared const. I put small, mostly static tables in pf.conf and otherwise use include files. In some cases, including makes it easier, like if rules are different on various firewalls but tables are the same, just scp the table files. Performance difference between having external table includes is negligible and only counts during initialization.

Concerning hardware, amount of traffic (in packets per sec and total bandwidth) is probably more relevant than total users. What quantity of traffic do you expect?
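Added example, not part of tarballed's ruleset or frisco's post: a pf.conf fragment showing the file-backed, pfctl-editable table frisco describes next to a const one, and an antispoof rule placed with the block rules as asked about in the earlier posts. The interface names follow the thread; the file /etc/pf/lan_hosts and the tables <lan> and <bad_hosts> are assumed.

```pf
# Added example, not part of tarballed's ruleset. Interface names follow the thread;
# the table file /etc/pf/lan_hosts and the tables <lan> and <bad_hosts> are assumed.
ext_if="xl0"
int_if="sis0"

# const: contents are fixed at load time; pfctl cannot add or delete entries.
table <rfcstuff> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# persist keeps the table in the kernel even if no rule references it; file
# loads the initial entries (one address or network per line).
# Not const, so it can be changed on the fly without reloading the ruleset:
#   pfctl -t lan -T add 172.16.1.50
#   pfctl -t lan -T delete 172.16.1.50
#   pfctl -t lan -T show
#   pfctl -t lan -T replace -f /etc/pf/lan_hosts   # resync after editing the file
table <lan> persist file "/etc/pf/lan_hosts"

# Starts empty; meant to be filled at runtime (pfctl -t bad_hosts -T add ...).
table <bad_hosts> persist

# Loopback first: antispoof below also blocks the firewall's own addresses
# as source on any other interface, which would otherwise hit lo0 traffic.
pass quick on lo0 all

#Default block
block in on $ext_if all
block out on $ext_if all
block in log quick on $ext_if from <rfcstuff> to any
block out log quick on $ext_if from any to <rfcstuff>
block in log quick on $ext_if from <bad_hosts> to any

# antispoof expands to block rules, so it belongs with the blocks, before the
# pass rules; with quick it wins immediately, without quick a later matching
# pass rule would override it (last match wins). For sis0 it expands to about:
#   block drop in on ! sis0 inet from 172.16.1.0/24 to any
#   block drop in inet from <sis0 address> to any
antispoof log quick for { $int_if, $ext_if } inet

# Only hosts listed in <lan> may originate traffic from the LAN side.
pass in on $int_if inet from <lan> to any keep state
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto { udp, icmp } all keep state
```

After editing /etc/pf/lan_hosts, `pfctl -t lan -T replace -f /etc/pf/lan_hosts` updates the live table without touching the rest of the ruleset.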

tarballed
April 8th, 2005, 16:25

Thanks, frisco. I appreciate it.

As far as the amount of traffic, I'll have to do some calculating. I should mention that I might run squid.

Thinking about bandwidth, let's see, I'll have a full T-1 and I would guess maybe varying traffic in 400kb/s to 1mg?