[CALUG] PF presentation

Jason Dixon jason at dixongroup.net
Thu Feb 9 10:12:37 CST 2006


I'd like to thank Erin for inviting me out last night and everyone  
who was able to attend.  I've given the slides to Erin to post up on  
the website.  In the meantime, I forgot to actually show a fully  
working ruleset example!  :)

Here is a small ruleset you might use in a home network or small  
business.

#
# Here we have a network with 2 external addresses (200.0.0.9, .10)
# and one internal web/mailserver (192.168.0.10).  The server is
# mapped to the external address 200.0.0.10 as an alias (fxp0:1)
# using a binat translation rule.
#
# We are also doing spam tarpitting with OpenBSD's spamd(8),
# and blocking brute-force ssh attempts.
#
#
ext_if="fxp0"
int_if="fxp1"
server_ext="200.0.0.10"
server_int="192.168.0.10"

table <spamd> persist
table <spamd-white> persist
table <ssh_zombies> persist

set skip on { lo $int_if }

scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
binat on $ext_if from $server_int to any -> $server_ext
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp from <spamd> to port smtp \
	-> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
	-> 127.0.0.1 port spamd


block in
block drop in quick from <ssh_zombies>
pass out keep state

antispoof quick for { lo $int_if }

#
# Limit number of simultaneous conns per source to 10 (max-src-conn)
# Rate-limit new conns to 5 in a 60-second span (max-src-conn-rate)
# Puts offenders into the <ssh_zombies> table and kills all their states
#
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
	(max-src-conn 10, max-src-conn-rate 5/60, overload <ssh_zombies> flush global)

#
# Allow inbound SMTP
#
pass in on $ext_if proto tcp to $server_int port smtp flags S/SA keep state

#
# Limit num of states this rule can create to 200
# Limit state creation based on states created by this rule only
# Limit max num of nodes that can simultaneously create state to 100
# Limit max num of simultaneous states per source address to 3
#
pass in on $ext_if proto tcp to $server_int port { http https } flags S/SA keep state \
	(max 200, source-track rule, max-src-nodes 100, max-src-states 3)

#
# EOF
#
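As an added illustration (not part of the original post, and not pf's own code), here is a small Python model of the per-source limits behind the ssh rule above. It approximates pf's source-tracking counters with a simplified fixed window and replays constructed sample traffic, so behaviour at window edges may differ from the kernel.

```python
from dataclasses import dataclass


@dataclass
class SourceNode:
    open_conns: int = 0      # states currently open from this source (max-src-conn)
    window_start: float = 0  # start of the current max-src-conn-rate window
    window_count: int = 0    # new connections seen inside that window


class OverloadTracker:
    """Models 'max-src-conn N, max-src-conn-rate L/S, overload <t> flush global'."""

    def __init__(self, max_src_conn, rate_limit, rate_seconds):
        self.max_src_conn = max_src_conn
        self.rate_limit = rate_limit
        self.rate_seconds = rate_seconds
        self.nodes = {}        # per-source counters, keyed by address
        self.table = set()     # stands in for <ssh_zombies>

    def new_connection(self, src, now):
        """Handle one SYN from src at time now; True = passed, False = dropped."""
        if src in self.table:          # 'block drop in quick from <ssh_zombies>'
            return False
        node = self.nodes.setdefault(src, SourceNode(window_start=now))
        # Simplified fixed window: the count resets once the window has expired.
        if node.window_start + self.rate_seconds <= now:
            node.window_start, node.window_count = now, 0
        node.window_count += 1
        node.open_conns += 1
        if node.open_conns > self.max_src_conn or node.window_count > self.rate_limit:
            self.table.add(src)        # overload <ssh_zombies>
            node.open_conns = 0        # flush global: every state from src is killed
            return False
        return True

    def close_connection(self, src):
        """A state from src expired or was torn down; frees a max-src-conn slot."""
        node = self.nodes.get(src)
        if node and node.open_conns > 0:
            node.open_conns -= 1


def run_ssh_rule_demo():
    """Replay constructed traffic against the limits of the ssh rule (10, 5/60)."""
    tracker = OverloadTracker(max_src_conn=10, rate_limit=5, rate_seconds=60)
    scanner, admin = "203.0.113.7", "198.51.100.5"   # constructed sample addresses
    scanner_hits = [tracker.new_connection(scanner, t) for t in range(0, 12, 2)]
    admin_hits = [tracker.new_connection(admin, t) for t in (0, 100, 200, 300, 400)]
    return tracker, scanner_hits, admin_hits
```

Note that the table itself never empties on its own; entries added by overload stay until expired or flushed by hand.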


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net