# # /etc/pf.conf # # NFS, TFTP, NIS/YP あたりの RPC を使う物って、 # セキュリティも何も無く、ほとんど全部のポートを開けなきゃならん……。 # # # Misc. Knowledge # # rdr : dst-IP を変換。 # nat : NAPT を行う(src-IP と src-Port を変換)。 # nat static-port : NAT を行う(src-IP を変換)。 # binat : NAT と rdr を行う(src-IP/dst-IP を変換)。 # # Filtering Flow # in_if( scrub -> rdr -> binat -> block/pass in ) # -> out_if( binat -> nat -> block/pass out ) # らしい。 # rdr は input_if で働き、nat は output_if で働く。 # rdr on $input_if # nat on $output_if # tag/tagged の処理順がはっきりしない。 # in では rdr の tag のみ付く? # out では nat の tag が優先? # # macro や table の名称は 20文字までらしい。 # # # enable/disable PF # pfctl -e # pfctl -d # # check syntax # pfctl -nf /etc/pf.conf # # reload configuration # pfctl -f /etc/pf.conf # # show statictics # pfctl -sn NAT # pfctl -sr Filter # pfctl -ss State-Table # pfctl -si Status # pfctl -sa ALL # # # show last log # tcpdump -n -e -ttt -r /var/log/pflog # # show current log # tcpdump -n -e -ttt -i pflog0 # # # other settings # /etc/sysctl.conf # net.inet.ip.forwarding=1 # net.inet6.ip6.forwarding=1 (if using IPv6) # /etc/rc.conf # pf=YES # /etc/inetd.conf for FTP-proxy # 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -m 60001 -M 60999 # # # log を syslogd へ出力する方法(OpenBSD 4.0 以降の場合) # 1) /etc/pflogrotate を作成 # #!/bin/sh -- # # /etc/pflogrotate # # # CAT=/bin/cat # DATE=/bin/date # LS=/bin/ls # CUT=/usr/bin/cut # TAIL=/usr/bin/tail # CP=/bin/cp # MV=/bin/mv # RM=/bin/rm # KILL=/bin/kill # LOGGER=/usr/bin/logger # SLEEP=/bin/sleep # # # PID=/var/run/pflogd.pid # PFLOG=/var/log/pflog # PFLOG_OLD=/var/log/pflog_tmp # LOGFILE=/var/log/pflog.raw # TCPDUMP=/usr/sbin/tcpdump # LOG_TAG=pf # LOG_PRI=local0.info # # # $KILL -ALRM $($CAT $PID) # $SLEEP 10 # if [ -f $PFLOG -a $($LS -l $PFLOG | $CUT -d " " -f 8) -gt 24 ]; then # # # # Move raw data # if [ -e $LOGFILE -a $($LS -l $LOGFILE | $CUT -d " " -f 8) -gt 24 ]; then # $TAIL -c +25 $PFLOG >> $LOGFILE # else # $CP -p $PFLOG $LOGFILE # fi # $MV $PFLOG $PFLOG_OLD # $KILL -HUP $($CAT $PID) # # # # Convert raw to cooked # $TCPDUMP -n -e -ttt -s 1600 -r $PFLOG_OLD 2>&1 | $LOGGER -t $LOG_TAG -p $LOG_PRI # $RM $PFLOG_OLD # # # fi # # [ End of File ] # 2) sudo touch /var/log/pflog.txt # 3) sudo chown root:wheel /var/log/pflog.txt # 4) sudo chmod 0600 /var/log/pflog.txt # 5) /etc/syslog.conf に追加 # local0.info /var/log/pflog.txt # 6) (必要な場合)/etc/hosts に syslogger 追加(必要な場合) # 7) (必要な場合)/etc/syslog.conf に追加 # local0.info @syslogger # 8) /etc/newsyslog.conf 変更 # /var/log/pflog.raw 640 30 * $D0 ZB # /var/log/pflog.txt 640 30 * $D0 Z # 9) kill -HUP $(cat /var/run/syslog.pid) # 10) sudo crontab -u root -e で追加 # SHELL=/bin/sh # PATH=/bin:/sbin:/usr/bin:/usr/sbin # HOME=/var/log # 0-59/1 * * * * /bin/sh /etc/pflogrotate # # log を syslogd へ出力する方法(OpenBSD 3.9 以前の場合) # 1) 空ユーザ pflogger 作成 # 2) /etc/pflogrotate 作成 # #!/bin/sh - # # /etc/pflogrotate # FILE=/home/pflogger/pflog5min.$(/bin/date "+%Y%m%d%H%M") # /bin/kill -ALRM $(/bin/cat /var/run/pflogd.pid) # if [ $(/bin/ls -l /var/log/pflog | /usr/bin/cut -d " " -f 8) -gt 24 ]; then # /bin/mv /var/log/pflog $FILE # /sbin/chown pflogger $FILE # /bin/kill -HUP $(/bin/cat /var/run/pflogd.pid) # fi # 3) /home/pflogger/pfl2sysl 作成 # #!/bin/sh - # # /home/pflogger/pfl2sysl # for logfile in /home/pflogger/pflog5min* ; do # # /usr/sbin/tcpdump -n -e -ttt -r $logfile | /usr/bin/logger -t pf -p local0.info # /usr/local/bin/tethereal -r $logfile | /usr/bin/logger -t pf -p local0.info # /bin/rm $logfile # done # 4) sudo touch /var/log/pflog.txt # 5) sudo chown root:wheel /var/log/pflog.txt # 6) sudo chmod 0600 /var/log/pflog.txt # 7) /etc/syslog.conf に追加 # local0.info /var/log/pflog.txt # 8) (必要な場合)/etc/hosts に syslogger 追加(必要な場合) # 9) (必要な場合)/etc/syslog.conf に追加 # local0.info @syslogger # 10) /etc/newsyslog.conf 変更 # #/var/log/pflog 600 3 250 * ZB /var/run/pflogd.pid # /var/log/pflog.txt 600 7 * 24 # 11) kill -HUP $(cat /var/run/syslog.pid) # 12) crontab -u root -e で2行追加 # # rotate pf log file every 5 minutes # 0-59/5 * * * * /bin/sh /etc/pflogrotate # 13) crontab -u pflogger -e で2行追加 # # feed rotated pflog file(s) to syslog # 0-59/5 * * * * /bin/sh /home/pflogger/pfl2sysl # # # 参考 # PF: The OpenBSD Packet Filter # http://www.openbsd.org/faq/pf/ # http://www.openbsd.org/faq/pf/ja/ # HRK's OpenBSD Memo - PF: OpenBSDパケットフィルタを設定する # http://www.ne.jp/asahi/diver/hrk/openbsd/pf.html # http://hrk.nendo.net/openbsd/pf.html # kAnAi P@Ge hacking with unix OpenBSD pf IMPLIMENTATION NOTE # http://www4.big.or.jp/~kanai/unix/pf.txt # # # 0.0.0.0/8 : RFC1700 This Network # 10.0.0.0/8 : RFC1918 private -> DMZ # 14.0.0.0/8 : RFC1700 Public Data networks # 127.0.0.0/8 : RFC1700 loopback # 169.254.0.0/16 : RFC3330 APIPA # 172.16.0.0/12 : RFC1918 private -> External-LAN # 192.168.0.0/16 : RFC1918 private -> Internal-LAN # 224.0.0.0/4 : RFC3171 Multicast # 240.0.0.0/4 : RFC3330 Reserved # 255.255.255.255 : RFC1812 IP limited broadcast # # # Type ICMP # 0: echorep Echo Reply # 1 Unassigned # 2 Unassigned # 3: unreach Destination Unreachable # Codes # 0: net-unr Net Unreachable # 1: host-unr Host Unreachable # 2: proto-unr Protocol Unreachable # 3: port-unr Port Unreachable # 4: needfrag Fragmentation Needed and Don't Fragment was Set # 5: srcfail Source Route Failed # 6: net-unk Destination Network Unknown # 7: host-unk Destination Host Unknown # 8: isolate Source Host Isolated # 9: net-prohib Communication with Destination Network is Administratively Prohibited # 10: host-prohib Communication with Destination Host is Administratively Prohibited # 11: net-tos Destination Network Unreachable for Type of Service # 12: host-tos Destination Host Unreachable for Type of Service # 13: filter-prohib Communication Administratively Prohibited # 14: host-preced Host Precedence Violation # 15: cutoff-preced Precedence cutoff in effect # 4: squench Source Quench # 5: redir Redirect # 0: redir-net Redirect Datagram for the Network (or subnet) # 1: redir-host Redirect Datagram for the Host # 2: redir-tos-net Redirect Datagram for the Type of Service and Network # 3: redir-tos-host Redirect Datagram for the Type of Service and Host # 6: althost Alternate Host Address # 7 Unassigned # 8: echoreq Echo # 9: routeradv Router Advertisement # 0: normal-adv Normal router advertisement # 16: common-adv Does not route common traffic # 10: routersol Router Solicitation # 11: timex Time Exceeded # 0: transit Time to Live exceeded in Transit # 1: reassemb Fragment Reassembly Time Exceeded # 12: paramprob Parameter Problem # 0: badhead Pointer indicates the error # 1: optmiss Missing a Required Option # 2: badlen Bad Length # 13: timereq Timestamp # 14: timerep Timestamp Reply # 15: inforeq Information Request # 16: inforep Information Reply # 17: maskreq Address Mask Request # 18: maskrep Address Mask Reply # 19 Reserved (for Security) # 20-29 Reserved (for Robustness Experiment) # 30: trace Traceroute # 31: dataconv Datagram Conversion Error # 32: mobredir Mobile Host Redirect # 33: ipv6-where IPv6 Where-Are-You # 34: ipv6-here IPv6 I-Am-Here # 35: mobregreq Mobile Registration Request # 36: mobregrep Mobile Registration Reply # 37 Domain Name Request # 38 Domain Name Reply # 39: skip SKIP # 40: photuris Photuris # 0: unknown-ind Bad SPI # 1: auth-fail Authentication Failed # 2: decrypt-fail Decompression Failed # 3 Decryption Failed # 4 Need Authentication # 5 Need Authorization # # # #route 520/udp router routed # RIP #smtps 465/tcp # smtp protocol over TLS/SSL (was ssmtp) #squid 3128/tcp # SQUID gateway service #delegate 8080/tcp # DELEGATE gateway service #cvsup 5999/tcp # CVSup file transfer/John Polstra/FreeBSD #pgpkeyserver 11371/tcp # PGP/GPG public keyserver #print-srv 170/tcp # Network PostScript # # # *** DEFINITIONS *** # # # +++ MACRO +++ # # IF lo_if = "lo0" int_if = "em0" # # Ellipsis #PI = "pass in quick" PIint = "pass in quick on" $int_if " " #PI4 = "pass in quick inet proto" PIint4 = "pass in quick on" $int_if "inet proto" #PlI = "pass in log quick" PlIint = "pass in log quick on" $int_if " " #PlI4 = "pass in log quick inet proto" PlIint4 = "pass in log quick on" $int_if "inet proto" #PO = "pass out quick" POint = "pass out quick on" $int_if " " #PO4 = "pass out quick inet proto" POint4 = "pass out quick on" $int_if "inet proto" #PlO = "pass out log quick" PlOint = "pass out log quick on" $int_if " " #PlO4 = "pass out log quick inet proto" PlOint4 = "pass out log quick on" $int_if "inet proto" # # # +++ ADDRESS TABLE +++ # table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } # Local table const { 169.254.0.0/16 } # APIPA # # Attached IP-address for Myself table { $int_if } table { $int_if, 192.168.7.255, 255.255.255.255 } # # Connected IP-address table { 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3, \ 10.0.0.0/8, \ 169.254.0.0/16 } table { x.x.0.0/16, 172.16.0.0/12, \ 10.x.x.0/23, 10.21.x.0/23, \ 192.168.0.0/21, !$int_if } table { x.x.0.0/16, 172.16.0.0/12, \ 10.x.x.0/23, 10.21.x.0/23, \ 192.168.0.0/21, !$int_if, \ 224.0.1.1 } table { x.x.x.96/30, 172.21.x.96/27, \ 192.168.0.0/21, !$int_if } table { 192.168.0.0/21 } table { 192.168.0.0/24, \ !192.168.0.1, !$int_if, \ !192.168.0.192/30 } table { 192.168.0.0/24 } # # Connected Broadcast-IP-address table { 192.168.7.255, 192.168.255.255, 255.255.255.255 } # # Special IP table { 172.21.x.100/30 } table { 192.168.0.192/30 } # table { \ 172.21.x.96/30, \ 192.168.0.1 \ } table { \ 172.21.x.96/30, \ 192.168.0.1, \ 192.168.0.192/30 \ } table { \ 224.0.0.22 \ } table { \ 239.255.255.250, \ 224.0.0.2, \ 224.0.0.9, \ 224.0.0.22 \ } table { \ 224.0.0.2 \ } # # DoS Filtering Table table persist # table persist table persist # table persist table persist table persist table persist table persist table persist table persist table persist table persist table persist table persist # ssh_service = "{ ssh, rsync }" www_service = "{ http, https }" proxy_service = "{ 3128, 8080, 8081 }" # 2ext_state_max = "(max-src-conn-rate 50/10)" 2exttcp_state_max = "(max-src-conn-rate 50/10)" 2extssh_state_max = "(max-src-conn-rate 2/2)" 2extproxy_state_max = "(max-src-conn-rate 500/10)" # def_state_limit = "(max-src-conn-rate 50/10, \ overload flush global)" deftcp_state_limit = "(max-src-conn-rate 50/10, \ overload flush global)" # ssh_state_limit = "(max-src-conn-rate 2/2, \ overload flush)" # # # +++ PORT +++ # PORT_IPMSG = "2425" allow_ext_squid_tcp = "{ 3128, 8080, 8081 }" # # allowed output # TCP:514 syslog # TCP:9100 color printer # TCP:2809 OMNI Naming Service (omniORB:CORBA) # UDP:2425 IP-Messenger(ipmsg) allow_output_tcp = "{ \ domain, whois, ntp, \ kerberos, kerberos-adm, \ ssh, rsync, \ telnet, 6660:6669, \ smtp, 465, submission, \ pop3, pop3s, \ http, https, 3128, 8080, \ 11371, 5999, \ 170, printer, 9100, \ 514, \ 2809 \ }" allow_output_udp = "{ \ echo, \ isakmp, \ kerberos, kpasswd, \ domain, ntp, bootpc, syslog, \ tftp, \ 2425 \ }" allow_output_icmp = "{ \ unreach, echoreq, echorep, timex \ squench, paramprob \ }" # # allowed input allow_input_tcp = "{ \ domain, ntp, \ kerberos, kerberos-adm, \ ssh, rsync, \ smtp, 465, submission, \ pop3, pop3s, \ http, https, 3128, 8080, \ 11371, 5999, \ 170, printer, 9100 \ }" allow_input_udp = "{ \ isakmp, \ kerberos, kpasswd, \ domain, ntp, bootps, \ tftp, \ 2425 \ }" allow_input_icmp = "{ \ unreach, echoreq, echorep, timex \ squench, paramprob \ }" # allow_syslog_tcp = "{ 514 }" allow_syslog_udp = "{ 514 }" # # PortRange rdrPort = "1:64543" TrustedPort = "< 1024" DefaultPort = ">= 1024" DefaultPort_OBSD = "1024:49151" EphemeralPort_OBSD = "49152:65535" #DefaultPort_Linux = "32768:61000" DefaultPort_Fedora = "1024:5000" #DefaultPort_FBSD = "1024:5000" #DefaultPort_Sol = "32768:65535" DefaultPort_MSW = "1024:5000" EphemeralPort_MAC = "49152:65535" FTPdata = "64544:65535" # # OS #PREFER_OS ="{ Linux, FreeBSD, NetBSD, OpenBSD, Solaris }" # # # *** RULES *** # # # === OPTION === # # default value #set timeout { interval 30, frag 10 } #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 } #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 } #set timeout { udp.first 60, udp.single 30, udp.multiple 60 } #set timeout { icmp.first 20, icmp.error 10 } #set timeout { other.first 60, other.single 30, other.multiple 60 } #set limit { states 100000, frags 15000 } #set loginterface none #set optimization normal #set block-policy drop #set require-order yes # # 遅延の大きいネットワーク向け set optimization high-latency # タイムアウトを倍に延長 set timeout { udp.first 180, udp.single 90, udp.multiple 120 } # デフォルト挙動:黙って破棄。 set block-policy drop # # # SCRUB # # フラグメント化されたパケットの再構成を行い、 # 正しくないフラグの組み合せを持つTCPパケットを破棄する。 # 「強く推奨される」 # 但し、若干の遅延が発生する為、 # 一部の OS の通信や、一部の OS の NFS、 # 即時性が要求される通信(NetworkGame,Streaming,IP-telephone)などで # 致命的な支障が発生する。 # scrub in on $int_if all no-df random-id fragment reassemble scrub out all random-id fragment crop scrub all reassemble tcp # Linux の TCP/IP プロトコルスタックは腐っているので、 # no-df random-id を付けないと通信できなくなる。特に Linux の NFS。 # # なんか、 # 前方記述が優先 # host/port ルール無視 # に思えるんだが…… # ## NFS server #scrub in on $int_if inet proto udp \ # from port $TrustedPort to port sunrpc \ # no-df fragment crop #scrub in on $int_if inet proto udp \ # from port $TrustedPort to port nfsd \ # no-df fragment crop #scrub in on $int_if inet proto tcp \ # from port $TrustedPort to port nfsd \ # no-df fragment crop #scrub in on $int_if inet proto udp \ # from port $TrustedPort to port $TrustedPort \ # no-df fragment crop #scrub in on $int_if inet proto tcp \ # from port $TrustedPort to port $TrustedPort \ # no-df fragment crop ## #scrub out on $int_if inet proto udp \ # from port sunrpc to port $TrustedPort \ # no-df fragment crop #scrub out on $int_if inet proto udp \ # from port nfsd to port $TrustedPort \ # no-df fragment crop #scrub out on $int_if inet proto tcp \ # from port nfsd to port $TrustedPort \ # no-df fragment crop #scrub out on $int_if inet proto udp \ # from port $TrustedPort to port $TrustedPort \ # no-df fragment crop #scrub out on $int_if inet proto tcp \ # from port $TrustedPort to port $TrustedPort \ # no-df fragment crop ## ## NFS client #scrub out on $int_if inet proto udp \ # from port $TrustedPort to port nfsd \ # no-df fragment crop #scrub out on $int_if inet proto tcp \ # from port $TrustedPort to port nfsd \ # no-df fragment crop ## #scrub in on $int_if inet proto udp \ # from port nfsd to port $TrustedPort \ # no-df fragment crop #scrub in on $int_if inet proto tcp \ # from port nfsd to port $TrustedPort \ # no-df fragment crop ## #scrub proto tcp all reassemble tcp # TCPタイムスタンプを「散らす」 #scrub in all fragment reassemble # フラグメント再構成を行う #scrub out all random-id # IP識別フィールドを「散らす」 #scrub all ## # # QUEUEING # altq on $lo_if cbq bandwidth 800Mb \ queue { default_lo } queue default_lo bandwidth 100% priority 2 qlimit 512 \ cbq(default borrow ecn) # altq on $int_if hfsc bandwidth 800Mb \ queue { own2int, ret2out, ssh, default_int } queue default_int bandwidth 1% priority 1 qlimit 10 \ hfsc(default realtime 0% linkshare 1% upperlimit 80%) queue own2int bandwidth 30% priority 3 qlimit 50 \ hfsc(realtime 5% linkshare 25% upperlimit 80%) queue ret2out bandwidth 30% priority 2 qlimit 50 \ hfsc(realtime 5% linkshare 25% upperlimit 80%) queue ssh bandwidth 30% \ hfsc(realtime 6% linkshare 24% upperlimit 80%) \ { ssh_int, ssh_ext } queue ssh_int bandwidth 50% \ hfsc(realtime 10% linkshare 40%) \ { ssh_int_b, ssh_int_p } queue ssh_int_b bandwidth 45% qlimit 50 priority 4 \ hfsc(realtime 10% linkshare 35%) queue ssh_int_p bandwidth 45% qlimit 50 priority 6 \ hfsc(realtime 10% linkshare 35%) queue ssh_ext bandwidth 50% \ hfsc(realtime 10% linkshare 40%) \ { ssh_ext_b, ssh_ext_p } queue ssh_ext_b bandwidth 45% qlimit 50 priority 3 \ hfsc(realtime 10% linkshare 35%) queue ssh_ext_p bandwidth 45% qlimit 50 priority 5 \ hfsc(realtime 10% linkshare 35%) # # # === NAT/NAPT/rdr === # 127.0.0.1 宛のリダイレクトは拒絶しているので注意。 # # spamd # #rdr pass on $ext_if proto tcp from to port smtp \ # -> $ext_if port spamd #rdr pass on $ext_if proto tcp from ! to port smtp \ # -> $ext_if port spamd # # # === FILTER === # # # +++ Base Policy +++ # # --- Default Rule --- # block drop log all pass quick on $lo_if all # # --- Marked Hosts --- # block drop log quick all tagged BAD_HOSTS block drop log quick from # block drop log quick from block drop log quick from block drop log quick from block drop log quick from block drop log quick from block drop log quick from block drop log quick from block drop log quick from block drop log quick from block drop log quick inet proto tcp from to any port $ssh_service block drop log quick inet proto tcp from to any port $www_service # anchor snort2pf anchor "snort2pf/*" all # # # +++ INPUT +++ # # --- INPUT BLOCK without LOGGING --- # # rfc3330 block drop in quick from # # --- INPUT BLOCK with LOGGING --- # # NULL/DISCARD block drop in log quick proto { tcp, udp } from any port { 0, discard } block drop in log quick proto { tcp, udp } to any port { 0, discard } # # Blocked IP block drop in log quick on $int_if from block drop in log quick from to ! # # --- INPUT PASS with LOGGING --- # # # --- INPUT PASS without LOGGING --- # # NTP-broadcast/NIS/NFS from Myself $PIint from to \ queue ret2out # # DHCP/BOOTP $PIint4 udp \ from 0.0.0.0 port bootpc to 255.255.255.255 port bootps \ queue ret2out $PIint4 udp \ from port bootpc to 255.255.255.255 port bootps \ queue ret2out $PIint4 udp \ from port $DefaultPort_MSW to 255.255.255.255 port bootps \ queue ret2out # DHCP for AirStation Initial-IP $PIint4 udp \ from 1.1.1.1 port bootpc to 255.255.255.255 port bootps \ queue ret2out # # --- AntiSpoof --- # # IP 横取り antispoof log quick for $lo_if antispoof log quick for $int_if # # IP 詐称 block in log quick from 0.0.0.0 #block in log quick on $int_if from ! block in log quick on $int_if from # # --- INPUT BLOCK without LOGGING --- # # RIP block drop in quick on $int_if inet proto udp \ from port router to port router # # SNMP block drop in quick on $int_if inet proto udp \ from port $DefaultPort to port snmp # # MultiCast # http://www.iana.org/assignments/multicast-addresses # 224.0.0.1 to all host # 224.0.0.2 to all router # 224.0.0.5 to all OSPFv2 router # 224.0.0.6 to all OSPFv2 router # 224.0.0.9 RIPv2 # 224.0.0.12 DHCP server / Relay agent # igmp 224.0.0.2 ? MSWIN host enter/leave notification ? # igmp 224.0.0.9 ? MSWIN routing information ? # igmp 224.0.0.22 MSWIN membership report ? # igmp 239.255.255.250 ROOTER UPnP nreport # icmp 224.0.0.2 ? MSWIN host enter/leave notification ? # udp 224.0.1.1:123 NTP # udp 239.255.255.250:1900 Microsoft Windows UPnP SSDP:Discover # udp 224.0.1.43:161 nwn-discovery # udp 239.255.255.253:427 SLP - Service Location Protocol # udp :1346 -> 229.55.150.208:1345 Norton "Ghost" disk duplication software # udp :42 -> 224.0.1.24:42 Microsoft WINS # -> MSWIN ESSIDSET.EXE AirStation Discovery # -> RFC 無視の独自拡張っぽい。 # -> http://www26.tok2.com/home/sasbeach/treebbs/wforum.cgi?mode=allread&no=4381&page=0 # udp 224.0.0.251:5353 mDNS - Multicast DNS, iTunes # udp :402 -> 225.1.2.3:402 Altris Deployment Server/Solution, Altris Local Recovery #block drop in quick on $int_if proto igmp from 255.150.211.191 to 224.0.0.2 # ??? block drop in quick on $int_if proto igmp from to block drop in quick on $int_if proto icmp from to $PIint4 udp from port $DefaultPort to 224.0.1.1 port ntp \ keep state $def_state_limit queue ret2out block drop in quick on $int_if proto udp from port $DefaultPort to 239.255.255.250 port 1900 block drop in quick on $int_if proto udp from port router to 224.0.0.9 port router block drop in quick on $int_if proto udp from port $DefaultPort_MSW to 224.0.1.43 port snmp block drop in quick on $int_if proto udp from port 5353 to 224.0.0.251 port 5353 block drop in quick on $int_if proto udp from port $DefaultPort_MSW to 224.0.0.251 port 5353 block drop in quick on $int_if proto udp from port 402 to 225.1.2.3 port 402 # # NETBIOS Broadcast block drop in quick on $int_if proto udp \ from port netbios-ns \ to port netbios-ns block drop in quick on $int_if proto udp \ from port $DefaultPort_Fedora \ to port netbios-ns block drop in quick on $int_if proto udp \ from port netbios-dgm \ to port netbios-dgm # # NETBIOS Name Query over DNS block drop in quick on $int_if proto udp \ from port netbios-ns \ to port domain # # MS-Windows Remote Assistant block drop in quick on $int_if proto udp \ from port $DefaultPort_MSW \ to port 38293 # # AirStation Setting block drop in quick on $int_if proto udp \ from port $DefaultPort_MSW \ to 255.255.255.255 port 22359 block drop in quick on $int_if proto udp \ from port 22359 \ to 255.255.255.255 port $DefaultPort_MSW # # AirStation SSID Scan? block drop in quick on $int_if proto udp \ from port $DefaultPort_MSW \ to 255.255.255.255 port 22616 block drop in quick on $int_if proto udp \ from port 22616 \ to 255.255.255.255 port $DefaultPort_MSW # # AirStation EthernetConverterMode Setting block drop in quick on $int_if proto udp \ from port $DefaultPort_MSW \ to 255.255.255.255 port 4000 block drop in quick on $int_if proto udp \ from port 4000 \ to 255.255.255.255 port $DefaultPort_MSW # # AirPort EthernetConverterMode? block drop in quick on $int_if proto udp \ from port 65 \ to 255.255.255.255 port 65 block drop in quick on $int_if proto udp \ from port $DefaultPort_MSW \ to 255.255.255.255 port 65 # # IP-Messenger $POint4 udp from port $DefaultPort \ to port $PORT_IPMSG \ tag IPMSG keep state \ $2ext_state_max queue own2int $PIint4 udp tagged IPMSG keep state \ $def_state_limit queue ret2out $PIint4 udp from port $DefaultPort \ to port $PORT_IPMSG keep state \ $def_state_limit queue ret2out # # FU-SE-N-SHI (MS-Windows) block in quick on $int_if proto udp \ from port 59630 \ to 255.255.255.255 port 59630 # # --- INPUT BLOCK with LOGGING --- # # - IP base filtering - # # Broadcast 無視 block drop in log quick to 255.255.255.255 # YP が Broadcast 必須なんだわさ #block drop in quick on $int_if to # # 踏台禁止 block drop in log quick on $int_if from to ! # # - PORT base filtering - # # IDENT block drop in quick proto tcp to any port ident # # NETBIOS block drop in log quick proto { tcp, udp } \ from any port { netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds } block drop in log quick proto { tcp, udp } \ to any port { netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds } # # --- INPUT PASS with LOGGING --- # # # --- INPUT PASS without LOGGING --- # # # # +++ OUTPUT +++ # # 自身からの詐称 src-IP の送信禁止 block drop out log quick on $int_if from ! # # 自身からの Broadcast 送信禁止と返送 # YP が Broadcast 必須なんだわさ #block return out log quick on $int_if from to # # 取り敢えず Broadcast 送信禁止 # YP が Broadcast 必須なんだわさ #block out log quick on $int_if to # # 自身からの dst-IP 間違いの送信禁止と返送 #block return out log quick on $int_if from to ! #block out log quick on $int_if to ! block return out log quick on $int_if from to block out log quick on $int_if to # # # *** for TEST only *** # ##pass out log on $int_if proto tcp all flags S/AUPRS modulate state ##pass out log on $int_if proto udp all keep state ##pass out log on $int_if inet proto icmp all keep state # ##pass out log on $int_if proto tcp \ ## from any port $TrustedPort to any port $TrustedPort \ ## flags S/AUPRS modulate state ##pass out log on $int_if proto udp \ ## from any port $TrustedPort to any port $TrustedPort \ ## keep state # ##pass in log on $int_if proto tcp all flags S/SRPAUEW modulate state ##pass in log on $int_if proto udp all keep state ##pass in log on $int_if inet proto icmp all keep state # ##pass in log on $int_if proto tcp \ ## from any port $TrustedPort to any port $TrustedPort \ ## flags S/SRPAUEW keep state ##pass in log on $int_if proto udp \ ## from any port $TrustedPort to any port $TrustedPort \ ## keep state # # # +++ Proxy +++ # # *Sample* #$PIint4 tcp tagged SYSLOG flags S/SRPAUEW keep state \ # $deftcp_state_limit queue ret2out #$PIint4 udp tagged SYSLOG keep state \ # $def_state_limit queue ret2out # # # +++ Rules for Myself +++ # # # Myself -> LAN # # # proxy $POint4 tcp from to port $allow_ext_squid_tcp \ flags S/AUPRS modulate state \ $2extproxy_state_max queue own2int # # SSH $POint4 tcp from to port $ssh_service \ flags S/AUPRS modulate state \ $2extssh_state_max queue ( ssh_int_b, ssh_int_p ) # # default $POint4 tcp from to port $allow_output_tcp \ flags S/AUPRS modulate state \ $2exttcp_state_max queue own2int $POint4 udp from to port $allow_output_udp \ keep state \ $2ext_state_max queue own2int $POint4 icmp from to icmp-type $allow_output_icmp \ keep state \ $2ext_state_max queue own2int # $POint4 tcp from to port $allow_out2lan_tcp \ flags S/AUPRS modulate state \ $2exttcp_state_max queue own2int $POint4 udp from to port $allow_out2lan_udp \ keep state \ $2ext_state_max queue own2int $POint4 icmp from to icmp-type $allow_out2lan_icmp \ keep state \ $2ext_state_max queue own2int # # # Myself -> FTP-Proxy # controle connection $POint4 tcp from port { $DefaultPort_OBSD, $EphemeralPort_OBSD } \ to port ftp \ flags S/AUPRS modulate state \ $2exttcp_state_max queue own2int # data connection (active mode) $PIint4 tcp from port $FTPdata \ to port { $DefaultPort_OBSD, $EphemeralPort_OBSD } \ flags S/SRPAUEW keep state \ $deftcp_state_limit queue ret2out # data connection (passive mode) $POint4 tcp from port { $DefaultPort_OBSD, $EphemeralPort_OBSD } \ to port $FTPdata \ flags S/AUPRS modulate state \ $2exttcp_state_max queue own2int # # # Myself -> WAN or extLAN # # # SSH $PlOint4 tcp from to port $ssh_service \ flags S/AUPRS modulate state \ $2extssh_state_max queue ( ssh_int_b, ssh_int_p ) # # CVS # cvsup.jp.openbsd.org 211.14.6.243 2001:2f0:104:1:210:f3ff:fe03:5280 # IPv6 を持っているので、名前で書くとこける。 table { \ 211.14.6.243 \ } $PlOint4 tcp from to port 5999 \ flags S/AUPRS modulate state \ $2extproxy_state_max queue own2int # # block return out log quick on $int_if from to ! block out log quick on $int_if to ! # # # LAN -> Myself # # # loghost $PIint4 tcp from to port $allow_syslog_tcp \ user root flags S/AUPRS keep state \ $deftcp_state_limit queue ret2out $PIint4 udp from to port $allow_syslog_udp \ user root keep state \ $def_state_limit queue ret2out # # SSH $PIint4 tcp from to port $ssh_service \ flags S/SRPAUEW keep state \ $ssh_state_limit queue ( ssh_int_b, ssh_int_p ) # # default $PIint4 tcp from to port $allow_input_tcp \ flags S/SRPAUEW keep state \ $deftcp_state_limit queue ret2out $PIint4 udp from to port $allow_input_udp \ keep state \ $def_state_limit queue ret2out $PIint4 icmp from to icmp-type $allow_input_icmp \ keep state \ $def_state_limit queue ret2out # # # WAN or extLAN -> Myself # # # DNS $PlIint4 tcp from to port domain \ flags S/SRPAUEW keep state \ $deftcp_state_limit queue ret2out # $PlIint4 udp from to port domain \ keep state \ $def_state_limit queue ret2out $PlIint4 udp from to port domain \ keep state \ $def_state_limit queue ret2out # block in log quick on $int_if from block in log quick on $int_if from ! # # # INT -> Myself # # # NFS server $PIint4 udp from port $TrustedPort to port sunrpc \ user _portmap keep state \ $def_state_limit queue ret2out $PIint4 tcp from port $TrustedPort to port nfsd \ user root flags S/SRPAUEW keep state \ $deftcp_state_limit queue ret2out $PIint4 udp from port $TrustedPort to port nfsd \ user root keep state \ $def_state_limit queue ret2out $PIint4 tcp from port $TrustedPort to port $TrustedPort \ user root flags S/SRPAUEW keep state \ $deftcp_state_limit queue ret2out $PIint4 udp from port $TrustedPort to port $TrustedPort \ user root keep state \ $def_state_limit queue ret2out # # NFS client $POint4 tcp from port $TrustedPort to port nfsd \ user root flags S/AUPRS keep state \ $2exttcp_state_max queue own2int $POint4 udp from port $TrustedPort to port nfsd \ user root keep state \ $2ext_state_max queue own2int # # # TFTP server $POint4 udp from port $DefaultPort to port $DefaultPort \ user _tftpd keep state \ $2ext_state_max queue own2int # # FTP server # (Active Mode) $POint4 tcp from port ftp-data to port $DefaultPort \ user _ftp flags S/AUPRS keep state \ $2exttcp_state_max queue own2int # (Passive Mode) $PIint4 tcp from port $DefaultPort to port $EphemeralPort_OBSD \ user _ftp flags S/SRPAUEW keep state \ $deftcp_state_limit queue ret2out # # # NIS/YP server $PIint4 udp from to port sunrpc \ user _portmap keep state \ $def_state_limit queue ret2out $POint4 udp from port sunrpc to \ user _portmap keep state \ $2ext_state_max queue own2int $PIint4 udp from to \ user root keep state \ $def_state_limit queue ret2out $PIint4 tcp from to \ user root flags S/SRPAUEW keep state \ $deftcp_state_limit queue ret2out # # NIS/YP client $POint4 udp from to port sunrpc \ user _portmap keep state \ $2ext_state_max queue own2int $PIint4 udp from port sunrpc to \ user _portmap keep state \ $def_state_limit queue ret2out $POint4 udp from to \ user root keep state \ $2ext_state_max queue own2int $POint4 tcp from to \ user root flags S/AUPRS keep state \ $2exttcp_state_max queue own2int # # # omniORB(CORBA) OMNI Name Service $PIint4 tcp from port $DefaultPort to port 2809 \ user > 1000 flags S/FSRPAUEW keep state \ $deftcp_state_limit queue ret2out $PIint4 tcp from port $DefaultPort to port $DefaultPort_OBSD \ user orb flags S/FSRPAUEW keep state \ $deftcp_state_limit queue ret2out $POint4 tcp from port $DefaultPort_OBSD to port $DefaultPort \ user orb flags S/FSRPAUEW keep state \ $2exttcp_state_max queue own2int # # A thin veneer of patch for omniORB's compatibility problem. $PIint4 tcp from port $DefaultPort to port 2809 \ user > 1000 flags F/FSRUEW \ queue ret2out $PIint4 tcp from port $DefaultPort to port 2809 \ user > 1000 flags P/SRPUEW \ queue ret2out block return-rst out quick on $int_if inet proto tcp \ from port 2809 to port $DefaultPort \ user > 1000 flags F/FSRPUEW block return-rst out quick on $int_if inet proto tcp \ from port $DefaultPort_OBSD to port $DefaultPort \ user orb flags F/FSRPUEW # # NTTCP - Network Benchmark Test $PIint4 tcp from port $DefaultPort to port 5037 \ user > 1000 flags S/FSRPAUEW keep state \ $deftcp_state_limit queue ret2out $PIint4 tcp from port $DefaultPort to port 5038 \ user > 1000 flags S/FSRPAUEW keep state \ $deftcp_state_limit queue ret2out $PIint4 udp from port $DefaultPort to port 5037 \ user > 1000 keep state \ $def_state_limit queue ret2out $PIint4 udp from port $DefaultPort to port 5038 \ user > 1000 keep state \ $def_state_limit queue ret2out $POint4 tcp from port $DefaultPort to port 5037 \ user > 1000 flags S/FSRPAUEW keep state \ $2exttcp_state_max queue own2int $POint4 tcp from port $DefaultPort to port 5038 \ user > 1000 flags S/FSRPAUEW keep state \ $2exttcp_state_max queue own2int $POint4 udp from port $DefaultPort to port 5037 \ user > 1000 keep state \ $2ext_state_max queue own2int $POint4 udp from port $DefaultPort to port 5038 \ user > 1000 keep state \ $2ext_state_max queue own2int # # NETPERF - Network Benchmark Test $PIint4 tcp from port $DefaultPort to port 12865 \ user > 1000 flags S/FSRPAUEW keep state \ $deftcp_state_limit queue ret2out $PIint4 udp from port $DefaultPort to port 12865 \ user > 1000 keep state \ $def_state_limit queue ret2out $POint4 tcp from port $DefaultPort to port 12865 \ user > 1000 flags S/FSRPAUEW keep state \ $2exttcp_state_max queue own2int $POint4 udp from port $DefaultPort to port 12865 \ user > 1000 keep state \ $2ext_state_max queue own2int # # Allow Default-Port for Permitted user $PlOint4 udp from port $DefaultPort_OBSD to port $DefaultPort \ group users keep state \ $2ext_state_max queue own2int $PlIint4 udp from port $DefaultPort to port $DefaultPort_OBSD \ group users keep state \ $def_state_limit queue ret2out $PlOint4 tcp from port $DefaultPort_OBSD to port $DefaultPort \ group users flags S/FSRPAUEW keep state \ $2exttcp_state_max queue own2int $PlIint4 tcp from port $DefaultPort to port $DefaultPort_OBSD \ group users flags S/FSRPAUEW keep state \ $deftcp_state_limit queue ret2out # # [ End of File ]