Материал из Wiki.X-news.org
Перейти к: навигация, поиск
#
#  pf.conf - Packet Filter Rules
#
# See PF.CONF(5)
#
# -------------------------------------------------------------------------
#Flag combinations
tcpInit="S/SAFR"
tcpAck="A/AR"
tcpReset="R/SFR"
# -------------------------------------------------------------------------
NET0_IF="sis0"
NET1_IF="sis1"
NET2_IF="sis2"
GIF0_IF="gif0"
# -------------------------------------------------------------------------
# NICs
NAT_NET0="69.20.159.164"
RAS_NET0="69.20.159.164"
CVS1_NET0="69.20.159.164"
MAIL_NET0="69.20.159.165"
WWW_NET0="69.20.159.166"
VPN_NET0="69.20.159.174"

NET1_NIC="192.168.0.1"
 
 NAT_NET2="63.228.245.159"
 RAS_NET2="63.228.245.159"
 CVS1_NET2="63.228.245.159"
 MAIL_NET2="63.228.245.160"
 WWW_NET2="63.228.245.162"
 VPN_NET2="63.228.245.163"
 VPN_NET0="69.20.159.174"
  
  TUNNEL_NET0="69.20.159.164"
  IPV6_GIF0="2001:470:1F01:FFFF::7DD"
  BROKER="2001:470:1F01:FFFF::7DC"
   
   # -------------------------------------------------------------------------
    
    GW_NET0="69.20.159.161"
    GW_NET2="63.228.245.1"
     
     # -------------------------------------------------------------------------
     # Hosts
     WWW="192.168.0.2"
     MAIL="192.168.0.4"
     MAIL2="192.168.0.4"
     PROXY="192.168.0.4"
     RAS="192.168.0.3"
     CVS1="192.168.0.6"
     VPNGATE="192.168.5.2"
     DNS_AUTHORATIVE="192.168.0.3"
     MOBILE="172.16.1.48/29"
      
      WWW6="2001:470:1F01:1106::2"
      RAS6="2001:470:1F01:1106::3"
      CVS16="2001:470:1F01:1106::6"
      NS1="2001:470:1F01:1106::3"
      NS2="2001:470:1F01:1106::4"
      MAIL6="2001:470:1F01:1106::4"
      PROXY6="2001:470:1F01:1106::4"
       
       # Nets
       SITE="192.168.0.0/24"
       SITE6="{2001:470:1f01:ffff::7dd/128, 2001:470:1F01:1106::/64}"
       DMZ6="2001:470:1F01:1106::/64"
       LINKLOCAL="fe80::/10"
       MULTICAST="ff02::/10"
       LOCAL6="{fec0::/10, fe80::/10}"
        
        ME6="2001:470:1F01:1106::1"
         
         # Subnets
         DMZ="192.168.0.0/24"
         INTERNAL="192.168.1.32/27"
          
          # These tcp ports are needed  by PROXY for external and LOCAL access
          PROXY_PORTS="{https, ntp, smtp, www, ftp, 1025><65535 }"
           
           # State Limit
           STATE_LIMIT="(source-track rule, max-src-nodes 75, max-src-states 3)"
            
            # Common prefixes
            NET0_IN ="pass in quick on sis0 reply-to (sis0 69.20.159.161)"
            NET2_IN ="pass in quick on sis2 reply-to (sis2 63.228.245.1)"
            NET0_OUT="pass out quick on sis0 route-to (sis0 69.20.159.161) inet proto"
            NET2_OUT="pass out quick on sis2 route-to (sis2 63.228.245.1) inet proto"
             
             # CVS users
             sedcvs1="199.209.144.236"
             sedsubnet="199.209.144.0/24"
             doris="68.33.123.214"
             table <cvsusers> const {$sedcvs1, $sedsubnet, $doris}
              
              # -------------------------------------------------------------------------
              #
              # Enforce section ordering rules
              #
              set require-order yes
              #
              # Drop by default
              #
              set block-policy drop
              #
              set loginterface sis0
               
               # No filtering on loopback
               set skip on lo0
               set skip on sis1
               set skip on sis3
                
                # -------------------------------------------------------------------------
                # Section: SCRUB
                #
                # "Scrubbing" is the normalization of packets so there are no ambiguities
                # in interpretation by the ultimate destination of the packet. The scrub
                # directive also reassembles fragmented packets, protecting some operating
                # systems from some forms of attack, and drops TCP packets that have invalid
                # flag combinations.
                #
                # Resolve overlapping IP fragments. Fragments are cached and reassembled by
                # pf before a packet is received by its destinations. This will protect
                # machines with less secure stacks behind it from fragmentation attacks.
                # Fragment reassembly is required by NAT
                scrub in on $NET0_IF all fragment reassemble
                scrub in on $NET2_IF all fragment reassemble
                scrub out on $NET0_IF all random-id fragment reassemble
                scrub out on $NET2_IF all random-id fragment reassemble
                 
                 # -------------------------------------------------------------------------
                 # Queueing
                 #
                 # enable queueing on the external interface to control traffic going to
                 # the Internet. use the priq scheduler to control only priorities. set
                 # the bandwidth to 2Mb to get the best performance out of the TCP
                 # ACK queue.
                 altq on $NET0_IF priq bandwidth 2Mb queue { std_out, tcp_out, udp_out, encap_out, isakmp_out, tcp_ack_out, icmp_out }
                 queue std_out priq(default)
                 queue tcp_out priority 2 priq(ecn)
                 queue encap_out priority 3
                 queue udp_out priority 4
                 queue isakmp_out priority 5
                 queue tcp_ack_out priority 6
                 queue icmp_out priority 7
                 altq on $NET2_IF priq bandwidth 1Mb queue { std_out2, tcp_out2, udp_out2, encap_out2, isakmp_out2, tcp_ack_out2, icmp_out2 }
                 queue std_out2 priq(default)
                 queue tcp_out2 priority 2 priq(ecn)
                 queue encap_out2 priority 3
                 queue udp_out2 priority 4
                 queue isakmp_out2 priority 5
                 queue tcp_ack_out2 priority 6
                 queue icmp_out2 priority 7
                 # -------------------------------------------------------------------------
                  
                  # -------------------------------------------------------------------------
                  # NAT
                  # Translate outgoing packets source addresss for all but external NIC address
                  #
                  # nat_rule       = [ "no" ] "nat" "on" ifspec  [ af ] [ protospec ] hosts
                  #                      [ "->" address [ portspec ] ]
                  nat on $NET0_IF inet from ! $NAT_NET0 to any -> $NAT_NET0
                  binat on $NET0_IF inet from $CVS1 to <cvsusers> -> $CVS1_NET0
                  binat on $NET0_IF inet from $RAS to !<cvsusers> -> $RAS_NET0
                  binat on $NET0_IF inet from $MAIL to any -> $MAIL_NET0
                  binat on $NET0_IF inet from $WWW to any -> $WWW_NET0
                  binat on $NET0_IF inet from $VPNGATE to any -> $VPN_NET0
                  #
                  nat on $NET2_IF inet from ! $NAT_NET2 to any -> $NAT_NET2
                  binat on $NET2_IF inet from $CVS1 to <cvsusers> -> $CVS1_NET2
                  binat on $NET2_IF inet from $RAS to !<cvsusers> -> $RAS_NET2
                  binat on $NET2_IF inet from $MAIL to any -> $MAIL_NET2
                  binat on $NET2_IF inet from $WWW to any -> $WWW_NET2
                  binat on $NET2_IF inet from $VPNGATE to any -> $VPN_NET2
                  # -------------------------------------------------------------------------
                   
                   # -------------------------------------------------------------------------
                    
                    # Default policy
                    # silently drop TCP non-SYN packets, the remaining ruleset only deals with
                    # TCP SYNs, which always create state when passed. the ruleset basically
                    # deals with 'connections', not packets, beyond this point.
                    #
                    block return-rst quick proto tcp all flags /S
                    block return-rst quick proto tcp all flags A/A
                     
                     #  Default behavior
                     #
                     block
                     block out log
                      
                      # -------------------------------------------------------------------------
                       
                       # pass ipv6 tunnel traffic
                       pass out quick on $NET0_IF inet proto ipv6 from $TUNNEL_NET0 to 64.71.128.83 keep state (other.multiple 86400) queue encap_out
                       $NET0_IN inet proto ipv6 from 64.71.128.83 to any  keep state (other.multiple 86400) queue encap_out
                       block out quick on $NET2_IF route-to (sis0 69.20.159.161) inet proto ipv6 from $TUNNEL_NET0 to 64.71.128.83
                       #pass quick proto etherip all
                        
                        #---------------------------------------------------------------------------
                        #
                        # NET0_IF out
                        #
                        # ICMP
                        $NET0_OUT icmp all keep state queue icmp_out
                        # UDP
                        $NET0_OUT udp from any to any port ntp keep state queue udp_out
                        $NET0_OUT udp from any to any port domain keep state (udp.first 120 udp.single 60 udp.multiple 120) queue udp_out
                        $NET0_OUT udp from any to any port isakmp keep state queue isakmp_out
                        $NET0_OUT udp from any to any port ipsec-nat-t keep state queue encap_out
                        # TCP
                        $NET0_OUT tcp from any to any  port ssh flags $tcpInit  keep state queue (tcp_out, tcp_ack_out)
                        $NET0_OUT tcp from any to any port domain flags $tcpInit keep state queue (tcp_out, tcp_ack_out)
                        $NET0_OUT tcp from any to any port domain flags $tcpInit keep state queue (tcp_out, tcp_ack_out)
                        $NET0_OUT tcp from any to any port ntp flags $tcpInit keep state queue (tcp_out, tcp_ack_out)
                        $NET0_OUT tcp from any to any port $PROXY_PORTS flags $tcpInit keep state queue (tcp_out, tcp_ack_out)
                        $NET0_OUT tcp from any to any port smtp flags $tcpInit keep state queue (tcp_out, tcp_ack_out)
                        $NET0_OUT tcp from any to any port imaps flags $tcpInit keep state queue (tcp_out, tcp_ack_out)
                        $NET0_OUT tcp from any to any port ldap flags $tcpInit  keep state queue (tcp_out, tcp_ack_out)
                        $NET0_OUT tcp from any to any port 5999 flags $tcpInit  keep state queue (tcp_out, tcp_ack_out)
                        # Special: Extensity access from maria
                        $NET0_OUT tcp from 192.168.1.38 to 63.163.12.87 port {10271, 10272, 7025} flags $tcpInit  keep state queue (tcp_out,  tcp_ack_out)
                        #
                        # Block and log anything that falls through
                        block return-rst  out log quick on $NET0_IF  inet proto tcp
                        block return-rst  out log quick on $NET0_IF  inet6 proto tcp
                        block return-icmp out log quick on $NET0_IF  inet proto udp
                        block return-icmp out log quick on $NET0_IF  inet6 proto udp
                        #
                        # Block (don't log) ipv6
                         
                          
                         #---------------------------------------------------------------------------
                         #
                         # NET0_IF in
                         #
                         # Silently block any packets from special use addresses (no return because address is probably spoofed)
                         block drop in quick on $NET0_IF from self to any
                         block drop in quick on $NET0_IF from $SITE to any
                         block drop in quick on $NET0_IF from any to $NET0_IF:broadcast
                         block drop in quick on $NET0_IF from any to 255.255.255.255
                         #   Silently block any NETBIOS stuff
                         block drop in quick on $NET0_IF proto udp from any to any port {netbios-ns, netbios-dgm, netbios-ssn }
                         block drop in quick on $NET0_IF proto tcp from any to any port {netbios-ns, netbios-dgm, netbios-ssn }
                         # Block auth with ICMP reset (needed for good mail server performance)
                         block return in  quick on $NET0_IF inet proto tcp from any to any port auth flags $tcpInit
                         block return in  quick on $NET0_IF inet6 proto tcp from any to any port auth flags $tcpInit
                         # ICMP
                         pass  in quick on $NET0_IF  inet proto icmp from any to any icmp-type {3, 4, 11, 12 }
                         $NET0_IN  inet proto icmp from any icmp-type 8 keep state (max 4)
                         # IPSEC
                         $NET0_IN  inet proto udp from any to $VPNGATE port isakmp keep state queue isakmp_out
                         $NET0_IN  inet proto udp from any to $VPNGATE port ipsec-nat-t keep state queue encap_out
                         # Pass redirected (NAT) services
                         $NET0_IN inet proto udp from any to $DNS_AUTHORATIVE port domain keep state queue udp_out
                          $NET0_IN inet proto tcp from any to $DNS_AUTHORATIVE port domain flags $tcpInit keep state queue (tcp_out, tcp_ack_out)
                          $NET0_IN inet proto tcp from <cvsusers> to $CVS1 port ssh flags $tcpInit keep state queue (tcp_out, tcp_ack_out)
                          block in quick on $NET0_IF inet proto tcp from any os "Linux" to $RAS port ssh
                          $NET0_IN inet proto tcp from any to $RAS port ssh flags $tcpInit keep state $STATE_LIMIT queue (tcp_out, tcp_ack_out)
                          $NET0_IN inet proto tcp from any to $WWW port www flags $tcpInit keep state $STATE_LIMIT queue (tcp_out, tcp_ack_out)
                          $NET0_IN inet proto tcp from any to $WWW port https flags $tcpInit keep state $STATE_LIMIT queue (tcp_out, tcp_ack_out)
                          $NET0_IN inet proto tcp from any to $MAIL port smtp flags $tcpInit keep state $STATE_LIMIT queue (tcp_out, tcp_ack_out)
                          #
                          # Block and log anything that falls through
                          block return-rst  in quick on $NET0_IF  inet proto tcp
                          block return-rst  in log quick on $NET0_IF  inet6 proto tcp
                          block return-icmp in quick on $NET0_IF  inet proto udp
                          block return-icmp in log quick on $NET0_IF  inet6 proto udp
                          #
                           
                           #---------------------------------------------------------------------------
                           #
                           # NET2_IF out
                           #
                           # ICMP
                           $NET2_OUT icmp all keep state queue icmp_out2
                           # UDP
                           $NET2_OUT udp from $VPNGATE to any port isakmp keep state queue isakmp_out2
                           $NET2_OUT udp from $VPNGATE to any port ipsec-nat-t keep state queue encap_out2
                           $NET2_OUT udp from any to any port ntp keep state queue udp_out2
                           $NET2_OUT udp from any to any port domain keep state (udp.first 120 udp.single 60 udp.multiple 120) queue udp_out2
                           # TCP
                           $NET2_OUT tcp from any to any  port ssh flags $tcpInit  keep state queue (tcp_out2, tcp_ack_out2)
                           $NET2_OUT tcp from any to any port domain flags $tcpInit keep state queue (tcp_out2, tcp_ack_out2)
                           $NET2_OUT tcp from any to any port domain flags $tcpInit keep state queue (tcp_out2, tcp_ack_out2)
                           $NET2_OUT tcp from any to any port ntp flags $tcpInit keep state queue (tcp_out2, tcp_ack_out2)
                           $NET2_OUT tcp from any to any port $PROXY_PORTS flags $tcpInit keep state queue (tcp_out2, tcp_ack_out2)
                           $NET2_OUT tcp from any to any port smtp flags $tcpInit keep state queue (tcp_out2, tcp_ack_out2)
                           $NET2_OUT tcp from any to any port imaps flags $tcpInit keep state queue (tcp_out2, tcp_ack_out2)
                           $NET2_OUT tcp from any to any port ldap flags $tcpInit  keep state queue (tcp_out2, tcp_ack_out2)
                           $NET2_OUT tcp from any to any port 5999 flags $tcpInit  keep state queue (tcp_out2, tcp_ack_out2)
                           # Special: Extensity access from maria
                           $NET2_OUT tcp from 192.168.1.38 to 63.163.12.87 port {10271, 10272, 7025} flags $tcpInit  keep state queue (tcp_out, tcp_ack_out)
                           #
                           # Block and log anything that falls through
                           block return-rst  out log quick on $NET2_IF  inet proto tcp
                           block return-rst  out log quick on $NET2_IF  inet6 proto tcp
                           block return-icmp out log quick on $NET2_IF  inet proto udp
                           block return-icmp out log quick on $NET2_IF  inet6 proto udp
                           #
                           # Block (don't log) ipv6
                           block out quick on $NET2_IF inet6
                            
                             
                             #---------------------------------------------------------------------------
                             #
                             # NET2_IF in
                             #
                             # Silently block any packets from special use addresses (no return because address is probably spoofed)
                             block drop in quick on $NET2_IF from self to any
                             block drop in quick on $NET2_IF from $SITE to any
                             block drop in quick on $NET2_IF from any to $NET2_IF:broadcast
                             block drop in quick on $NET2_IF from any to 255.255.255.255
                             #   Silently block any NETBIOS stuff
                             block drop in quick on $NET2_IF proto udp from any to any port {netbios-ns, netbios-dgm, netbios-ssn }
                             block drop in quick on $NET2_IF proto tcp from any to any port {netbios-ns, netbios-dgm, netbios-ssn }
                             # Block auth with ICMP reset (needed for good mail server performance)
                             block return in  quick on $NET2_IF inet proto tcp from any to any port auth flags $tcpInit
                             # ICMP
                             pass  in quick on $NET2_IF  inet proto icmp from any to any icmp-type {3, 4, 11, 12 }
                             $NET2_IN  inet proto icmp from any icmp-type 8 keep state (max 4)
                             # IPSEC
                             $NET2_IN  inet proto udp from any to $VPNGATE port isakmp keep state queue isakmp_out2
                             $NET2_IN  inet proto udp from any to $VPNGATE port ipsec-nat-t keep state queue encap_out2
                             # Pass redirected (NAT) services
                             $NET2_IN inet proto udp from any to $DNS_AUTHORATIVE port domain keep state queue udp_out2
                             $NET2_IN inet proto tcp from any to $DNS_AUTHORATIVE port domain flags $tcpInit keep state queue (tcp_out2, tcp_ack_out2)
                             # CVS access
                             $NET2_IN inet proto tcp from <cvsusers> to $CVS1 port ssh flags $tcpInit keep state queue (tcp_out2, tcp_ack_out2)
                             block in quick on $NET2_IF inet proto tcp from any os "Linux" to $RAS port ssh
                             $NET2_IN inet proto tcp from any to $RAS port ssh flags $tcpInit keep state $STATE_LIMIT queue (tcp_out2, tcp_ack_out2)
                             $NET2_IN inet proto tcp from any to $WWW port www flags $tcpInit keep state $STATE_LIMIT queue (tcp_out2, tcp_ack_out2)
                             $NET2_IN inet proto tcp from any to $WWW port https flags $tcpInit keep state $STATE_LIMIT queue (tcp_out2, tcp_ack_out2)
                             $NET2_IN inet proto tcp from any to $MAIL2 port smtp flags $tcpInit keep state $STATE_LIMIT queue (tcp_out2, tcp_ack_out2)
                             #
                             # Block anything that falls through
                             block return-rst  in quick on $NET2_IF  inet proto tcp
                             block return-rst  in quick on $NET2_IF  inet6 proto tcp
                             block return-icmp in quick on $NET2_IF  inet proto udp
                             block return-icmp in quick on $NET2_IF  inet6 proto udp
                             #
                             block in quick on $NET2_IF inet6
                              
                              #---------------------------------------------------------------------------
                              #
                              # GIF0_IF out
                              #
                              # We restrict on the other interfaces
                              pass  out  quick on $GIF0_IF inet6 proto ipv6-icmp from any to any keep state queue icmp_out allow-opts
                              pass  out  quick on $GIF0_IF inet6 proto udp from any to any port domain keep state (udp.first 120, udp.single 60, udp.multiple 120) queue udp_out
                              pass  out  quick on $GIF0_IF inet6 proto udp from any to any keep state queue udp_out
                              pass  out  quick on $GIF0_IF inet6 proto tcp from any to any flags $tcpInit keep state queue (tcp_out, tcp_ack_out)
                              pass  out  quick on $GIF0_IF inet6 all
                              #
                              block return-rst out  log on $GIF0_IF  inet6 proto tcp
                              block return-icmp out log on $GIF0_IF inet6 proto udp
                               
                               #---------------------------------------------------------------------------
                               #
                               # GIF0_IF in
                               #
                               # No spoofing
                               block drop in log quick on $GIF0_IF inet6 from 2001:470:1F01:1106::/64 to any
                               # Block auth with ICMP reset (needed for good mail server performance)
                               block return in  quick on $GIF0_IF inet6 proto tcp from any to any port auth flags $tcpInit
                               # ICMP
                               pass in quick on $GIF0_IF inet6 proto ipv6-icmp from any to $SITE6 icmp6-type echoreq keep state (max 8)
                               pass  in quick on $GIF0_IF  inet6 proto ipv6-icmp from any to $IPV6_GIF0 icmp6-type { neighbrsol, neighbradv, routersol, routeradv } keep state queue icmp_out allow-opts
                               # Pass access to servers
                               pass  in quick on $GIF0_IF inet6 proto udp from any to {$NS1, $NS2} port domain keep state queue udp_out
                               pass  in quick on $GIF0_IF inet6 proto tcp from any to {$NS1, $NS2} port domain flags $tcpInit keep state queue (tcp_out, tcp_ack_out)
                               pass  in quick on $GIF0_IF inet6 proto tcp from any to $WWW6 port www flags $tcpInit keep state $STATE_LIMIT queue (tcp_out, tcp_ack_out)
                               pass  in quick on $GIF0_IF inet6 proto tcp from any to $WWW6 port https flags $tcpInit keep state $STATE_LIMIT queue (tcp_out, tcp_ack_out)
                               pass  in quick on $GIF0_IF inet6 proto tcp from any to $MAIL6 port smtp flags $tcpInit keep state $STATE_LIMIT queue (tcp_out, tcp_ack_out)
                               #
                               block return-rst in  log on $GIF0_IF  inet6 proto tcp
                               block return-icmp in log on $GIF0_IF inet6 proto udp