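#
# /etc/pf.conf - Built from the existing ones plus some new thinking.
#
# charliep 25-January-2008 Original creation.
#
# NOTE(review): this copy was recovered from a collapsed rendering of the file.
# pf table names written as <name> were stripped by that rendering, so every
# <whitelist>, <blacklist> and <bruteforce> below is a placeholder for the
# name the live file uses.  Restore the real names -- and confirm which table
# the three "overload" clauses point at -- before loading.  Always dry-run
# with "pfctl -nf /etc/pf.conf" before "pfctl -f /etc/pf.conf".
#
# To do:
#   Consider 159.28.231.0/24
#   Add RACs
#   Add hp and qp to same classes as hopper and quark
#   Add line that will allow more than just DNS from lovelace to quark, hopper..
#   Add line that will allow lovelace to get to net (ports building).
#   How to handle forty-two, harden it?
#   Read tables from files (table <x> persist file "/etc/pf/x") instead of
#   keeping long address lists inline.
#

# ---------------------------------------------------------------------------
# Macros: interfaces
# ---------------------------------------------------------------------------
# External side is the bridge plus its outward member.  Bridged packets are
# filtered on the member interfaces, hence "on $ext_if" throughout.
ext_if = "{" bge0 bridge0 "}"
int_if = "bge1"
# The private 192.168 network; everything on it is passed (see the bottom).
private_if = "sf0"

# ---------------------------------------------------------------------------
# Macros: networks
# ---------------------------------------------------------------------------
earlham_ip = "159.28.0.0/16"
cs_ip = "159.28.230.0/24"
cs_public_ip = "159.28.231.0/24"
cluster_ip = "159.28.234.0/24"
# NOTE(review): a whole /8 is far broader than any single campus allocation.
# Only the F@H kludge rule below uses it; tighten it there once the
# assignment servers' real addresses are known.
stanford_ip = "171.0.0.0/8"

# ---------------------------------------------------------------------------
# Macros: hosts
# ---------------------------------------------------------------------------
quark = "159.28.230.3"
hopper = "159.28.234.1"
bobsced0 = "159.28.234.100"
stewie = "159.28.230.34"
caktus = "159.28.234.18"
webpower = "159.28.234.8"
dc = "{" 159.28.234.236 159.28.234.237 159.28.234.238 159.28.234.239 "}"

# ---------------------------------------------------------------------------
# Macros: service classes (the effective definitions)
# ---------------------------------------------------------------------------
smtp_servers = "{" $quark "}"
ftp_servers = "{" $quark $hopper "}"
ssh_servers = "{" $quark $hopper $caktus "}"
dns_servers = "{" $quark $hopper "}"
web_servers = "{" $quark $hopper $caktus $bobsced0 $webpower "}"

# Thin clients are named, not numbered.
# NOTE(review): hostnames in a ruleset are resolved once, at load time.  If
# DNS is unreachable at that moment the load fails, and a later address change
# is not seen until the next reload.
thin_clients = "{" wyse0.cs.earlham.edu. wyse1.cs.earlham.edu. wyse2.cs.earlham.edu. wyse3.cs.earlham.edu. "}"

# NOTE(review): the original file declared web_servers, ftp_servers and
# dns_servers a SECOND time further down (pf keeps the last definition of a
# macro), and those definitions -- together with servers, mail_servers,
# jabber_servers and squid_servers -- reference hosts that are never given a
# macro in this copy ($quarkprime $shannon $backus $quark_rac $quarkprime_rac
# $hopperprime $c0 $b0 $gridgate $scs $fourty_two $hp $babbage).  pfctl
# refuses a reference to an undefined macro, so the file as it stood could
# not have loaded.  The expanded inventory is kept here, commented out, until
# those hosts get macros of their own.  Note that the second ftp_servers
# dropped $hopper, against the author's own "should have hopper too" remark;
# the effective definition above keeps it.
#servers = "{" $quark $quarkprime $shannon $backus $quark_rac $quarkprime_rac $hopper $hopperprime $c0 $b0 $gridgate $scs $fourty_two $bobsced0 $stewie $caktus $hp $webpower "}"
#web_servers = "{" $quark $quarkprime $hopper $hopperprime $babbage $c0 $b0 $gridgate $bobsced0 $stewie $caktus $hp $webpower $fourty_two "}"
#mail_servers = "{" $quark $quarkprime "}"
#ftp_servers = "{" $quark $quarkprime $hopper $hopperprime $hp "}"
#dns_servers = "{" $quark $quarkprime $hopper $hopperprime $hp "}"
#jabber_servers = "{" $shannon "}"
#squid_servers = "{" $shannon "}"

# ---------------------------------------------------------------------------
# Tables: similar to macros, but more flexible for many addresses.
# ---------------------------------------------------------------------------
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Sources that are always let in, ahead of everything else.
# first is jim rogers home, second is ranch, third is skylar
table <whitelist> { 12.176.103.88, 12.176.103.94, 64.81.161.38 }

# Sources that are always dropped (and logged).
table <blacklist> { 137.43.149.50, 67.82.36.0/24, 85.214.54.48, 69.88.3.104, 217.41.54.219, 81.168.180.146, 200.155.63.227, 200.172.166.2, 82.211.36.12, 195.3.195.54, 201.16.17.246, 212.120.191.42, 68.157.207.110, 86.99.154.1, 190.172.95.204, 210.81.170.155, 213.230.7.135, 88.191.57.15, 87.163.199.253 }

# Filled at run time by the "overload" clauses on the ssh and smtp rules.
# "persist" keeps it across ruleset reloads.  Entries never age out on their
# own; expire them from cron, e.g.  pfctl -t bruteforce -T expire 86400
table <bruteforce> persist

# ---------------------------------------------------------------------------
# Options: tune the behavior of pf, default values are given.
# ---------------------------------------------------------------------------
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
# NOTE(review): with "block in all / block out all" below and no loopback
# rule, traffic on lo0 is filtered too.  Anything that talks to 127.0.0.1
# (the ftp-proxy / spamd redirects at the bottom, if ever enabled) needs
# either this line or explicit pass rules for lo0.
#set skip on lo0

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%

# ---------------------------------------------------------------------------
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
# ---------------------------------------------------------------------------
scrub in all

# ---------------------------------------------------------------------------
# Translation: specify how addresses are to be mapped or redirected.
# ---------------------------------------------------------------------------
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# ---------------------------------------------------------------------------
# Default policy: deny everything, then open holes below.
#
# pf is last-match-wins unless a rule says "quick", so the ORDER of the pass
# rules matters: a later, broader rule silently overrides an earlier, tighter
# one for the same traffic.
#
# NOTE(review): "block out all" is active but only outbound DNS has an
# explicit pass out.  Replies and bridge-forwarded traffic for everything
# else depend on state created by the "pass in ... keep state" rules (or on
# pf >= 4.1, where pass implies keep state).  Several pass rules below carry
# no "keep state"; confirm on the running pf version that they work at all.
# ---------------------------------------------------------------------------
# May be required the first time this is tested.
#pass in all
#pass out all
block in all
block out all

# ---------------------------------------------------------------------------
# Filtering: the implicit first two rules are "pass in all / pass out all".
# ---------------------------------------------------------------------------
#pass out on $ext_if proto tcp from any to any modulate state flags S/SA
#pass out on $ext_if proto { udp, icmp } from any to any keep state

# Whitelisted sources and intra-campus traffic are accepted unconditionally;
# "quick" makes these win over everything that follows.
pass in quick on $ext_if from <whitelist> to $earlham_ip keep state
pass in quick on $ext_if from $earlham_ip to $earlham_ip keep state

# Blacklisted sources and brute-force offenders are dropped and logged.
# The <bruteforce> block rule is what gives the "overload" clauses below any
# teeth: an overload table with no block rule referencing it is just a list.
block in quick log on $ext_if from <blacklist> to $earlham_ip
block in quick log on $ext_if from <bruteforce> to $earlham_ip

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep state

# SSH: campus-wide, rate limited.  A source with more than 20 concurrent
# connections, or more than 5 new ones in 10 seconds, lands in <bruteforce>
# and has its states on this rule flushed.
# NOTE(review): this opens ssh to the whole /16 even though $ssh_servers
# exists; consider "to $ssh_servers" once the host inventory is settled.
pass in log on $ext_if proto tcp from any to $earlham_ip port ssh keep state ( max-src-conn 20, max-src-conn-rate 5/10, overload <bruteforce> flush )

# Mail: smtp campus-wide, tighter limit.  "flush global" kills every state
# from an offending source, not only those created by this rule.
# NOTE(review): same remark as for ssh -- $smtp_servers exists and is unused.
#pass in on $ext_if proto tcp from any to $mail_servers port { smtp pop3 imap submission imaps pop3s } keep state
#pass in on $int_if proto tcp from any to any port { smtp pop3 imap submission imaps pop3s } keep state
pass in on $ext_if proto tcp from any to $earlham_ip port smtp keep state ( max-src-conn 5, max-src-conn-rate 2/10, overload <bruteforce> flush global )

# Web
#pass in on $ext_if proto { tcp, udp } from any to $web_servers port { http https } keep state
#pass in on $int_if proto { tcp, udp } from any to any port { http https } keep state

# Jabber
#pass in on $ext_if proto { tcp, udp } from any to $jabber_servers port { jabber-client jabber-server }

# Squid
#pass in on $ext_if proto tcp from any to $squid_servers port 3128

# DNS
#pass in quick proto { tcp, udp } from any to any port domain keep state
#pass out quick proto { tcp, udp } from any to any port domain keep state

# Hosts that are fully exposed: any protocol, any port, no explicit state.
# NOTE(review): these three are the widest holes in the ruleset.  If stewie
# and caktus only need a few services, name them ("proto tcp ... port { ... }")
# and add "keep state".  The third line lets any campus-sourced packet cross
# the bridge outward, regardless of service.
pass in on $ext_if from any to $stewie
pass in on $ext_if from any to $caktus
pass in on $ext_if from $earlham_ip to any

# FTP servers.
# FIXED: the original read "from any port { ... } to $ftp_servers", which
# matches the SOURCE port.  Anything reached $ftp_servers as long as the
# sender chose source port 20/21/22/80/443 -- trivially spoofable, and the
# reason the author noted that it "allows much more than ftp".  The port
# list now applies to the destination, and state is kept.  Passive-mode FTP
# still needs a high-port range or ftp-proxy (see the commented rules at the
# bottom); review whether ssh/http/https really belong on this rule.
pass in on $ext_if proto { tcp, udp } from any to $ftp_servers port { ssh http https ftp ftp-data } keep state

# ---------------------------------------------------------------------------
# Cluster stuff: default-deny the cluster subnet, then re-open selectively.
# ---------------------------------------------------------------------------
block in log on $ext_if from any to $cluster_ip

# DNS (hopper answers; the host itself may resolve outward)
pass in quick proto { tcp, udp } from any to $hopper port domain keep state
pass out quick proto { tcp, udp } from any to any port domain keep state

# SSH, rate limited as above
pass in log on $ext_if proto tcp from any to $hopper port ssh keep state ( max-src-conn 20, max-src-conn-rate 5/10, overload <bruteforce> flush )

# HTTP
pass in on $ext_if proto { tcp, udp } from any to $hopper port { http https } keep state
pass in on $ext_if proto { tcp, udp } from any to $bobsced0 port { http https } keep state
#pass in on $ext_if from any to $hopper
#pass in on $ext_if from any to $hopperprime
#pass in on $ext_if from any to $hp
#pass in on $ext_if proto { tcp, udp } from any to $bobsced0 port { http https } keep state
#pass in on $ext_if from any to $webpower
#pass in on $ext_if from any to $gridgate
#pass in on $ext_if from any to $LittleFe
# NOTE(review): the $dc rule below originally had the same source-port bug as
# the ftp rule; it is rewritten here to match the destination port.
#pass in on $ext_if proto { tcp, udp } from any to $dc port { ssh http https ftp ftp-data } keep state

pass in quick on $ext_if from <whitelist> to $earlham_ip
#
# this shouldn't be necessary with the quick whitelist rule above, or the one
# way above.
#
#pass in on $ext_if proto { tcp, udp } from <whitelist> to $cluster_ip port { http https } keep state
#pass in on $ext_if proto tcp from any to $earlham_ip port ssh keep state ( max-src-conn 20, max-src-conn-rate 5/10, overload <bruteforce> flush )

#
# xxx kludge alert
#
# This is temporary until we can craft a tighter rule that allows F@H/F@C
# to communicate with Stanford's assignment servers.
#
# NOTE(review): this re-opens the whole cluster subnet -- any protocol, any
# port, no state -- to every address in 171.0.0.0/8, and because it comes
# after the cluster block rule it wins.  At minimum pin it to "proto tcp",
# the ports the F@H client actually uses, "keep state", and the assignment
# servers' real prefix.
pass in on $ext_if from $stanford_ip to $cluster_ip

# Allow all connections from the private, 192.168 network.
pass quick on $private_if keep state

# Wyse thin clients: only campus addresses may reach them; the rest is logged.
block in log on $ext_if from { !$earlham_ip } to $thin_clients

# pass incoming packets destined to the addresses given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state

# Alternate rule to pass incoming ports for ftp-proxy
# NOTE: Please see pf.conf(5) BUGS section before using user/group rules.
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing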