
Currently I am looking to create an OpenBSD 6.0 pf-based gateway. Based on what I read in the pf manual pages and OpenBSD pf FAQ, and some examples on the internet, I was able to configure a firewall. But I am not sure if I got it right:

## Macros
wan="WAN interface"
wan_ip="WAN IP address"
lan="LAN interface"
lan_ip="LAN IP address"
lan_nw="LAN network address with subnetmask"
man="management interface"
man_ip="management ip address"
lo="lo0"


## TABLES
table <spammers> persist file "/etc/spammers.txt"


## OPTIONS
set block-policy drop
# debug lvl: none - urgent - misc - loud
set debug none
set limit { frags 2000, states 20000, src-nodes 2000, tables 1000, table-entries 100000 }
# loginterface takes a single interface, not a list
set loginterface $wan
set optimization normal
set reassemble yes
set ruleset-optimization none
set skip on $lo
set state-defaults pflow, no-sync
set state-policy if-bound


## TRAFFIC NORMALIZATION
# On OpenBSD 4.7 and later scrub is an option of match/pass rules; IP fragment
# reassembly is controlled by "set reassemble" above, not by a scrub rule
match on $wan all scrub (reassemble tcp)
match in on $wan all scrub (max-mss 1440)
match out on $wan all scrub (random-id no-df)
# For NFS
match in on $lan all scrub (no-df)
match out on $lan all scrub (no-df)
antispoof for { $lo, $wan, $lan, $man }


## QUEUEING RULES


## TRANSLATION RULES (NAT)
# OpenBSD 4.7 and later NAT syntax: a match rule with nat-to
match out on $wan from $lan_nw to any nat-to $wan_ip

## FILTER RULES
# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all
# Block everything comming from and to spam IP's
block in on $wan from <spammers> to any
block out on $wan from any to <spammers>
# Activate spoofing protection for all interfaces
block in on all from urpf-failed

# Default TCP policy
block return-rst in log on $wan proto TCP all
    pass in quick on $man proto TCP from any to $man_ip port 22 flags S/FSRA keep state

# Default UDP policy
block in log on $wan proto udp all
    # Provide NTP to LAN and mgmt network.
    pass in quick on $lan proto UDP from any to $lan_ip port 123
    pass in quick on $man proto UDP from any to $man_ip port 123

# Default ICMP policy
block in log on $wan proto icmp all
    pass in quick on $wan proto icmp from any to $wan_ip echoreq keep state

block out on $wan all
    pass out quick on $wan from $wan_ip to any keep state

Is this enough to create a hardened gateway router? Can someone review my configuration and give some feedback or pointers?

1 Answer

Your first scrub rule is redundant - you repeat the same effect with the next two rules.

Make your specific block rules quick, or else they can be overwritten by later rules. (Default is the last mentioned action, unless quick is given, which effectively breaks out of rule evaluation at that point). Especially with your initial "block" rule, everything that doesn't explicitly match will be blocked, so most of your following block rules are redundant.

When testing, use "log", and monitor the pflog0 interface. Also use verbose mode on pfctl's show rules (pfctl -vsr) to see match counts for the rules, to make sure they're actually doing something.

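The evaluation order the answer describes, as an added model that is not pf code and is not from the original thread: the last matching rule wins, and quick ends evaluation, applied to the asker's own <spammers> block followed by the quick icmp pass rule on $wan. The table contents, packets and interface names are constructed, and the ICMP type is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed stand-in for the asker's <spammers> table (TEST-NET-3, not a real list).
SPAMMERS = [ip_network("203.0.113.0/24")]

@dataclass
class Rule:
    action: str               # "block" or "pass"
    quick: bool = False       # end evaluation on match, like pf's quick
    direction: str = None     # "in" / "out" / None = any
    iface: str = None         # "wan" / "lan" / None = any
    proto: str = None         # "tcp" / "udp" / "icmp" / None = any
    src_nets: list = None     # source table of networks, None = any source

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every criterion it specifies agrees with the packet."""
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src_nets is not None:
        return any(ip_address(pkt.src) in net for net in rule.src_nets)
    return True

def evaluate(rules: list, pkt: Packet) -> tuple:
    """Simplified pf semantics: the LAST matching rule decides, unless a matching
    rule carries quick, which stops evaluation there. No match at all means pass,
    which is why the asker starts with 'block all'. Returns (verdict, rule index)."""
    verdict, decided_by = "pass", None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict, decided_by = rule.action, i
            if rule.quick:
                break
    return verdict, decided_by
# The asker's pattern: block all, block <spammers> WITHOUT quick, then a quick pass.
ASKER = [Rule("block"),
         Rule("block", direction="in", iface="wan", src_nets=SPAMMERS),
         Rule("pass", quick=True, direction="in", iface="wan", proto="icmp")]  # echoreq rule
# Same ruleset with the specific block made quick, as the answer recommends.
FIXED = [ASKER[0], Rule("block", quick=True, direction="in", iface="wan", src_nets=SPAMMERS), ASKER[2]]
SPAMMER_PING = Packet("in", "wan", "icmp", "203.0.113.7")  # constructed packet from the table
```

With the asker's ordering the spammer's ping is decided by the later quick pass rule; once the block is quick, the same packet never reaches it.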