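########################################################################
# DoppelGanger OpenBSD PF Firewall                                     #
#                                                                      #
# Version 4.1 Final                                                    #
#                                                                      #
# Copyright (C) 2006 DoppelGanger                                      #
#                                                                      #
# Bugs & Comments to: www.amado.ws/contactus.html                      #
#                                                                      #
# This program is free software; you can redistribute it and/or        #
# modify it under the terms of the GNU General Public License          #
# as published by the Free Software Foundation; either version 2       #
# of the License, or (at your option) any later version.               #
#                                                                      #
# This program is distributed in the hope that it will be useful,      #
# but WITHOUT ANY WARRANTY; without even the implied warranty of       #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the        #
# GNU General Public License for more details.                         #
#                                                                      #
# RTFM PLEASE                                                          #
#                                                                      #
########################################################################

# OpenBSD pf.conf ruleset. Check syntax with `pfctl -nf <this file>` before
# loading it with `pfctl -f <this file>`.
#
# Evaluation order matters: pf uses "last matching rule wins" unless a rule
# carries "quick", so the specific pass rules below override the default
# block rules, and the "quick" block rules short-circuit everything after them.

####################### Macros ###########################################

# Set the external and internal NIC designations.
# Please change to match your system.
ext_if="em0"
# $int_if is used by the LAN rules below but was never defined, which makes
# pfctl reject the whole ruleset with an undefined-macro error.
# "em1" is a constructed sample value -- change to match your system.
int_if="em1"

# Change to match internal network IP range
internal_net = "{ 10.0.0.0/8 }"

# Designate TCP service ports to be used by servers (inbound on $ext_if)
tcp_services = "{ 22, 80, 443, 993, 995, 23815 }"

# Subnet systems -- ADD AN IP ADDR. Not referenced by any rule below;
# it is only a placeholder for site-specific rules.
server="IP ADDRESS"

# Unroutable traffic domains (loopback, link-local, private and reserved
# ranges) that must never arrive on the external interface.
# 10.0.0.0/8 is also $internal_net; that is fine because the only rule
# using this list is restricted to $ext_if.
bad_ips = "{ 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, \
    240.0.0.0/4, 0.0.0.0/32, 255.255.255.255/32, 192.168.0.0/24 }"

# Allowed TCP ports for regular outbound traffic. Only used by the
# (commented-out) strict OUT rules at the bottom of this file.
tcp_nor = "{ www, https, smtp, imap, imaps, bootps, bootpc, domain, \
    ftp, pop3, ntp, pop3s, rsync, 5190, 6667, 6881 }"

# Allowed UDP ports for regular outbound traffic (same caveat as tcp_nor)
udp_nor = "{ domain, ntp }"

####################### Tables ###########################################

# Table of SSH brute-force sources, filled automatically by the "overload"
# option of the brute-force rule below. A table must have a name in angle
# brackets; the bare "table persist" that was here does not parse.
# "persist" keeps the table across ruleset reloads.
# Inspect with `pfctl -t bruteforce -T show`, empty it with
# `pfctl -t bruteforce -T flush`.
table <bruteforce> persist

##### Default Block Policy, AntiSpoof, Packet Normalization ##############

# "aggressive" expires idle states quickly to save memory; long-lived idle
# connections (IMAP IDLE, SSH sessions without keepalives) may be dropped.
set optimization aggressive
# Answer blocked packets with TCP RST / ICMP unreachable instead of dropping
# silently. Applied on $ext_if too, so a blocked port answers immediately;
# "set block-policy drop" is the quieter choice for an Internet-facing host.
set block-policy return
# Don't filter on the loopback interface
set skip on lo0

# Normalize traffic in both directions: reassemble fragments, clear the DF
# bit, raise very low TTLs to 24 and clamp the MSS to 1492 (PPPoE-sized).
# random-id on outbound hides the host's IP-ID sequence from observers.
scrub in no-df min-ttl 24 max-mss 1492 fragment reassemble
scrub out no-df random-id min-ttl 24 max-mss 1492 fragment reassemble

##### Packet Queueing and Prioritization #################################

# The interface was hard-coded as "em0" here; it now follows $ext_if so that
# changing the macro at the top is enough. The three top-level queue
# percentages must sum to 100% (66 + 27 + 7).
altq on $ext_if cbq bandwidth 100Mb queue { ssh, std, tcp_ack_out }
queue ssh bandwidth 66% cbq(default borrow ecn) { ssh_login, ssh_bulk }
    # NOTE(review): ssh_login and ssh_bulk are defined but no rule assigns
    # traffic to them; the pass rules use the parent "ssh" queue directly.
    # Confirm this is intended before relying on the priority split.
    queue ssh_login bandwidth 25% priority 5 cbq(borrow ecn)
    queue ssh_bulk bandwidth 75% cbq(borrow ecn)
queue std bandwidth 27% priority 3 cbq(borrow ecn)
queue tcp_ack_out bandwidth 7% priority 4 cbq(borrow ecn)

##### Filter Rules #######################################################

## Default Block Policy, AntiSpoof ##

# Drop inbound packets whose source address has no route in the routing table
block in from no-route
# Default deny inbound on the external interface, logged to pflog0
block in log on $ext_if
# Default deny outbound on every interface; the "pass out" rules below
# re-open what is wanted. Note that outbound ICMP (ping, path-MTU
# feedback) stays blocked because no pass rule covers it.
block out
# Stop processing ("quick") packets arriving on $ext_if that claim a source
# address belonging to $ext_if's own networks
antispoof quick for {$ext_if}

#### LAN Traffic ##

# Allow internal network traffic. "modulate state" only affects TCP
# (randomised initial sequence numbers); other protocols get plain state.
# The third rule matches everything on $int_if, so the first two are
# subsumed by it; they are kept for readability of the intended policy.
pass in on $int_if from $internal_net modulate state
pass out on $int_if from $internal_net modulate state
pass on $int_if modulate state

# Block unroutable source addresses (logged); "quick" so that no later pass
# rule can let them through
block in log quick on $ext_if from $bad_ips

### IN RULES ##

# Sources that tripped the brute-force limits below are filled into
# <bruteforce>; without this rule the table is populated but never enforced.
# "quick" so that the pass rules further down cannot override it.
block in log quick on $ext_if from <bruteforce>

# Allow service ports for servers. Ports 22 and 23815 also match the
# brute-force rule below; because that rule comes later and neither rule is
# "quick", the brute-force rule (with its limits) wins for those two ports.
pass in on $ext_if proto tcp to port $tcp_services modulate \
    state queue (ssh, std)

# Brute-force protection: one source may hold at most 15 concurrent
# connections and open at most 5 new ones per 3 seconds. Exceeding either
# limit adds the source to <bruteforce> and "flush global" kills every
# state that source currently holds, not only those created by this rule.
pass in on $ext_if proto tcp from any to any port { ssh, 23815 } modulate state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global) queue (ssh, std)

### END of IN RULES ##

### OUT RULES ##

# Pass (allow) all UDP/TCP out and keep state; TCP ACKs go to the small
# high-priority tcp_ack_out queue so uploads do not starve downloads
pass out on $ext_if proto udp keep state queue std
pass out on $ext_if proto tcp modulate state queue \
    (tcp_ack_out, std)

##### Only Allow Certain Ports TCP/UDP OUT ##

# Stricter alternative to the two rules above: to use it, comment those two
# out and uncomment these, which restrict outbound traffic to $tcp_nor and
# $udp_nor. Leaving both sets active would be pointless, since the broader
# rules come first and the narrower ones only re-pass a subset.
#pass out on $ext_if inet proto tcp to port $tcp_nor modulate state
#pass out on $ext_if proto udp to port $udp_nor keep state

### END of OUT RULES ##

### DEBUG: view blocked (logged) packets on the pflog interface ##
# tcpdump -nettti pflog0
# tcpdump -vvvtttr /var/log/pflog
# pfctl -g -s rules
# pfctl -sr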