Friday, September 27, 2013

setting packet firewall on freebsd

ref: http://blog.stevedoria.net/20050906/ingress-policing-with-linux-and-tc
ref: https://calomel.org/pf_config.html

Ingress Policing with Linux and tc

I am simply amazed at the things GNU/Linux can now do, especially with regard to IP networking. I use pf under OpenBSD, a Unix-like operating system that is not Linux, to keep untrusted wireless access traffic from my trusted wired network at home. Lately, I have been working with Linux operating systems in a corporate environment and needed packet policing. It feels good to be able to get similar features to a Cisco device without the need to make a 4500 USD purchase.
An ingress policy can decrease the amount of incoming traffic, but it depends on well-behaved TCP/IP stacks and a transport protocol that supports throttling on the sending hosts. The following commands install an ingress queue on eth0 and apply a filter with a policing rate of 512kbit.
# ingress qdisc: the hook on which arriving traffic can be policed
tc qdisc add dev eth0 handle ffff: ingress
# police every IPv4 packet entering eth0 to 256kbit; packets that do not fit
# the 10k token bucket are dropped on the spot (nothing is queued on ingress)
tc filter add dev eth0 parent ffff: protocol ip prio 50 \
   u32 match ip src 0.0.0.0/0 police rate 256kbit \
   burst 10k drop flowid :1
# egress: a token bucket filter shapes what eth0 sends to the same 256kbit
tc qdisc add dev eth0 root tbf \
   rate 256kbit latency 25ms burst 10k

I'm not sure about this.
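To see what the police and tbf lines above actually do to a packet stream, here is a token-bucket model added for this post; it is not code from Steve Doria's article or from iproute2. It assumes tc's unit conventions (256kbit = 256000 bit/s, burst 10k = 10240 bytes) and feeds the bucket constructed timestamps and packet sizes rather than captured traffic.

```python
# Token-bucket model of "police rate 256kbit burst 10k drop" (tbf shapes egress
# with the same kind of bucket). Added example; not tc or kernel code.


class TokenBucketPolicer:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = float(rate_bps)        # policed rate in bit/s (tc "256kbit" = 256000)
        self.burst_bytes = float(burst_bytes)  # bucket depth in bytes (tc "10k" = 10240)
        self.tokens = self.burst_bytes         # the bucket starts full
        self.last_ts = 0.0

    def offer(self, ts, size_bytes):
        """Return True if the packet conforms and is forwarded, False if it is
        policed. With the 'drop' action a non-conforming packet is discarded
        immediately; ingress has no queue, so there is no smoothing."""
        elapsed = max(0.0, ts - self.last_ts)
        self.last_ts = ts
        # refill at rate_bps, converting bits to bytes, never beyond the burst
        self.tokens = min(self.burst_bytes,
                          self.tokens + elapsed * self.rate_bps / 8.0)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False                           # dropped: no tokens are consumed


def police(packets, rate_bps=256_000, burst_bytes=10_240):
    """packets: iterable of (timestamp_seconds, size_bytes), in time order.
    Returns (timestamp, size, forwarded) for each packet."""
    bucket = TokenBucketPolicer(rate_bps, burst_bytes)
    return [(ts, size, bucket.offer(ts, size)) for ts, size in packets]


def pass_ratio(results):
    """Fraction of packets forwarded, for comparing offered load with the policer."""
    return sum(1 for _, _, ok in results if ok) / len(results)


if __name__ == "__main__":
    # constructed traffic: 8 full-size frames at t=0, then one more a second later
    burst = police([(0.0, 1500)] * 8 + [(1.0, 1500)])
    print("burst:", ["pass" if ok else "drop" for _, _, ok in burst])
    # 20 pkt/s * 1500 B = 240 kbit/s, just under the rate: nothing is dropped
    print("under rate:", pass_ratio(police([(i * 0.05, 1500) for i in range(100)])))
    # 50 pkt/s * 1500 B = 600 kbit/s: only the bucket's refill plus the initial
    # burst gets through, the rest is dropped
    print("over rate:", pass_ratio(police([(i * 0.02, 1500) for i in range(100)])))
```

The over-rate case is the point of the caveat in the quoted text: the policer only reduces incoming traffic if the sender reacts to the drops, which TCP does and a UDP flood does not.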

#
### Calomel.org pf.conf
#
################ FreeBSD pf.conf ##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
################ Macros ###################################

### Interfaces ###
 ExtIf ="mxge0"
 IntIf ="mxge1"

### Hosts ###
 Windows ="10.10.10.3"
 Xbox360 ="10.10.10.4"
 phone   ="10.10.10.5"
 WorkSsh ="123.123.123.123"

### Queues, States and Types ###
 IcmpPing ="icmp-type 8 code 0"
 SshQueue ="(ssh_bulk, ssh_login)"
 SynState ="flags S/SA synproxy state"
 TcpState ="flags S/SA modulate state"
 UdpState ="keep state"

### Stateful Tracking Options (STO) ###
 OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
 SmtpSTO ="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
 SshSTO  ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload  flush global)"
 WebSTO  ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload  flush global)"

### Tables ###
 table  counters
 table  counters file "/somedir/block_permanent"
 table 

################ Options ######################################################
### Misc Options
 set skip on lo
 set debug urgent
 set block-policy drop
 set loginterface $ExtIf
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none

### Timeout Options
 set optimization normal
 set timeout { tcp.closing 60, tcp.established 7200}

################ Queueing ####################################################
# no quality of service (QOS) since it is not supported by the myricom 10gig
# mxge0 interface drivers and we would lose as much as 10% bandwidth anyways.
# for more information: https://calomel.org/pf_hfsc.html

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
scrub out log on $ExtIf      all random-id set-tos 0x1c fragment reassemble
scrub     log on $ExtIf inet all reassemble tcp fragment reassemble

################ Translation #################################################
### NAT and Redirection rules are first match

# NAT with static NAT for the XBOX360
 nat on $ExtIf from $Xbox360       to any -> ($ExtIf) static-port
 nat on $ExtIf from $IntIf:network to any -> ($ExtIf)

# Apache or Nginx (external users to an internal server?)
 rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port https -> 10.10.10.100
 rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port http  -> 10.10.10.100

# OpenSMTPD or Postfix with Spamd 
 rdr on $ExtIf inet proto tcp from ! to ($ExtIf) port smtp -> 10.10.10.200 port spamd
 rdr on $ExtIf inet proto tcp from   to ($ExtIf) port smtp -> 10.10.10.250

# Openssh 
 rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh -> lo0
 rdr on $IntIf inet proto tcp from $Windows to  $IntIf  port ssh -> lo0

# Apache or Nginx (internal webserver for the LAN to localhost?)
 rdr on $IntIf inet proto tcp from  !($IntIf) to ($IntIf) port http  -> lo0
 rdr on $IntIf inet proto tcp from  !($IntIf) to ($IntIf) port https -> lo0

# Bind or Unbound DNS for LAN machines
 rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain -> lo0

# Ntpd time server for the LAN
 rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp -> lo0

# Anchors
 rdr-anchor "games"

# Ftp ( secure ftp-proxy for the internal LAN )
 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"
 rdr pass on $IntIf proto tcp from $IntIf:network to any port 21 -> 127.0.0.1 port 8021

# DENY rogue redirection
 no rdr

################ Filtering ###################################################
# Filter rules are last match: the last rule that matches a packet decides,
# unless a matching rule is marked quick. Notice we optimized the rules so
# external interface parsing is first followed by the internal interface.

### $ExtIf block abusive hosts in temp and perm tables
 block drop in  log quick on $ExtIf           from  to any
 block drop in  log quick on $ExtIf proto udp from  to any
 block drop in  log quick on $ExtIf proto tcp from  to any port != ssh

### $ExtIf default block with drop
 block drop in log on $ExtIf

### $ExtIf inbound
 pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to 10.10.10.100 port https $TcpState $WebSTO
 pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to 10.10.10.100 port www   $TcpState $WebSTO
 pass in log on $ExtIf inet proto tcp  from   to 10.10.10.250 port smtp  $TcpState $SmtpSTO
 pass in log on $ExtIf inet proto tcp  from ! to 10.10.10.200 port spamd $TcpState $SmtpSTO
 pass in log on $ExtIf inet proto tcp  from  $WorkSsh      to lo0 port ssh   $TcpState $SshSTO

### $ExtIf outbound
 pass out log on $ExtIf inet proto tcp  from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO
 pass out log on $ExtIf inet proto udp  from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
 pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO

### $IntIf default block with return (TCP reset)
 block return in log on $IntIf inet

### $IntIf inbound (restrict LAN clients to external machines here)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port https  $TcpState $OpenSTO
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port www    $TcpState $OpenSTO
 pass in log on $IntIf inet proto tcp  from  $Windows       to  lo0     port ssh    $TcpState $OpenSTO
 pass in log on $IntIf inet proto udp  from  $IntIf:network to  lo0     port domain $UdpState $OpenSTO
 pass in log on $IntIf inet proto udp  from  $IntIf:network to  lo0     port ntp    $UdpState $OpenSTO
 pass in log on $IntIf inet proto icmp from  $IntIf:network to $IntIf  $IcmpPing   $UdpState $OpenSTO

### $IntIf ftp secure proxy for LAN
 anchor "ftp-proxy/*" in on $IntIf inet proto tcp

### $IntIf outbound
 pass out log on $IntIf inet proto tcp  from $IntIf to $IntIf:network $TcpState
 pass out log on $IntIf inet proto udp  from $IntIf to $IntIf:network $UdpState
 pass out log on $IntIf inet proto icmp from $IntIf to $IntIf:network $UdpState

### Games ( Xbox 360, Xbox ONE, PS3, PS4 and PC )
 anchor "games"

############# END of FreeBSD pf.conf https://calomel.org #######################
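The two evaluation orders the comments above rely on (translation rules first match, filter rules last match unless quick) are what make the `block drop in log on $ExtIf` default and the `block ... quick` rules for the abuse tables behave as intended. The evaluator below is added here and is not part of the calomel.org ruleset or of pf: it replays a subset of the $ExtIf rules against constructed packets. The abuse table, whose name is not shown above, is a Python set; addresses are matched exactly; the rdr-to-lo0 target is written as the string "lo0". On the real box the checks are `pfctl -nf /etc/pf.conf` (parse without loading) and `pfctl -sr` to see the rules as loaded.

```python
# Model of pf rule evaluation order: filter rules are last-match (quick stops
# the search), nat/rdr rules are first-match. Added example, not pf code.
from dataclasses import dataclass
from typing import Optional, Union

Addr = Union[str, set, None]   # exact address, a table (set of addresses), or None = any


@dataclass
class Rule:
    action: str                     # 'pass', 'block', 'rdr' or 'no rdr'
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Addr = None
    negate_src: bool = False        # pf's '!addr' / '! <table>' on the source
    dst: Addr = None
    dport: Optional[int] = None
    target: Optional[str] = None    # rdr destination
    note: str = ""                  # which line of the ruleset it stands for

    @staticmethod
    def _addr_ok(want: Addr, have: str) -> bool:
        if want is None or want == "any":
            return True
        if isinstance(want, set):   # a pf <table>: membership test
            return have in want
        return have == want

    def matches(self, pkt: dict) -> bool:
        for attr in ("iface", "proto", "dport"):
            want = getattr(self, attr)
            if want is not None and pkt[attr] != want:
                return False
        src_ok = self._addr_ok(self.src, pkt["src"])
        if self.negate_src:
            src_ok = not src_ok
        return src_ok and self._addr_ok(self.dst, pkt["dst"])


def filter_verdict(rules, pkt):
    """Filtering: every rule is tried and the LAST matching rule wins, unless a
    matching rule carries 'quick', which ends evaluation right there."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def translation_rule(rules, pkt):
    """Translation (nat/rdr): the FIRST matching rule is applied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def extif_ruleset(abuse_table):
    """Subset of the $ExtIf filter rules above; abuse_table is a set standing in
    for the pf table the 'block ... quick' rule reads."""
    return [
        Rule("block", quick=True, iface="mxge0", src=abuse_table, note="abusive hosts"),
        Rule("block", iface="mxge0", note="default block"),
        Rule("pass", iface="mxge0", proto="tcp", dst="10.10.10.100", dport=443, note="https"),
        Rule("pass", iface="mxge0", proto="tcp", src="123.123.123.123", dst="lo0", dport=22, note="ssh"),
    ]


def pkt(src, dst, dport, proto="tcp", iface="mxge0"):
    """Constructed inbound packet on the external interface."""
    return {"iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    rules = extif_ruleset({"203.0.113.7"})
    for p in (pkt("198.51.100.20", "10.10.10.100", 443),   # https: later pass beats default block
              pkt("198.51.100.20", "10.10.10.100", 8080),  # no later match: default block
              pkt("203.0.113.7", "10.10.10.100", 443),     # in abuse table, quick: blocked
              pkt("198.51.100.20", "lo0", 22)):            # ssh not from WorkSsh: blocked
        r = filter_verdict(rules, p)
        print(p["src"], "->", p["dst"], p["dport"], "=>", r.action, "(%s)" % r.note)
    rdr_http = Rule("rdr", iface="mxge0", proto="tcp", dport=80, target="10.10.10.100", note="http rdr")
    no_rdr = Rule("no rdr", note="no rdr")
    web = pkt("198.51.100.20", "198.51.100.1", 80)
    print("no rdr last :", translation_rule([rdr_http, no_rdr], web).note)
    print("no rdr first:", translation_rule([no_rdr, rdr_http], web).note)
```

Two things the replay makes visible: without `quick` on the abuse-table rule, the later `pass ... port https` rule would win for a blocklisted host, and a `no rdr` placed before the rdr rules would disable all redirection instead of catching only what nothing else matched, which is why it sits last in the translation section.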

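The stateful tracking macros (SshSTO and friends) are where the ruleset's brute-force protection lives: `source-track rule` keeps per-source counters, `max-src-conn` caps simultaneous connections from one source, `max-src-conn-rate 100/30` caps new connections per 30 seconds, and `overload <table> flush global` moves an offending source into the table the `block ... quick` rules read and kills the states it already holds. The model below is added here and is neither pf's implementation nor calomel's code: the overload table, whose name did not survive on this page, is a Python set, time is a supplied float, and the connection attempts are constructed with TEST-NET addresses. It counts a connection when the TCP handshake completes, which is when pf counts it, so a bare SYN flood is not what these limits measure. On a live box, `pfctl -t <table> -T show` lists what overload has collected.

```python
# Model of pf 'source-track rule' limits as used by the SshSTO macro:
#   max-src-conn 10, max-src-conn-rate 100/30, overload <table> flush global
# Added example; illustrative only, not pf's kernel code.
from collections import deque


class SourceTracker:
    def __init__(self, max_src_conn, rate_limit, rate_window, overload_table):
        self.max_src_conn = max_src_conn      # simultaneous established states per source
        self.rate_limit = rate_limit          # max-src-conn-rate: this many connections ...
        self.rate_window = rate_window        # ... within this many seconds
        self.overload_table = overload_table  # set standing in for the pf <table>
        self.open_states = {}                 # src -> established states currently open
        self.recent = {}                      # src -> deque of handshake timestamps

    def new_connection(self, src, ts):
        """Verdict for a connection from src that completed its handshake at ts."""
        # 'block drop in log quick on $ExtIf from <table>' sits above the pass
        # rule, so a source already in the table never reaches it
        if src in self.overload_table:
            return "blocked"
        window = self.recent.setdefault(src, deque())
        while window and ts - window[0] >= self.rate_window:
            window.popleft()                  # forget handshakes older than the window
        over_rate = len(window) + 1 > self.rate_limit
        over_conn = self.open_states.get(src, 0) >= self.max_src_conn
        if over_rate or over_conn:
            # overload: the source goes into the table and 'flush global'
            # kills every state it holds, whichever rule created them
            self.overload_table.add(src)
            self.open_states.pop(src, None)
            self.recent.pop(src, None)
            return "overload"
        window.append(ts)
        self.open_states[src] = self.open_states.get(src, 0) + 1
        return "pass"

    def close_connection(self, src):
        """A state closed or timed out; frees one max-src-conn slot."""
        if self.open_states.get(src, 0) > 0:
            self.open_states[src] -= 1


def ssh_sto_tracker(table=None):
    """Tracker configured like the SshSTO macro above."""
    return SourceTracker(max_src_conn=10, rate_limit=100, rate_window=30,
                         overload_table=set() if table is None else table)


def replay(tracker, events):
    """events: (src, ts, 'open' | 'close') in time order; returns one verdict per open."""
    verdicts = []
    for src, ts, action in events:
        if action == "open":
            verdicts.append(tracker.new_connection(src, ts))
        else:
            tracker.close_connection(src)
    return verdicts


def scan_scenario():
    """Constructed scenario: 203.0.113.7 completes 102 ssh handshakes in ~10 s,
    closing each at once (so max-src-conn never trips); 198.51.100.5 connects
    once afterwards. Returns (verdicts, overload_table)."""
    table = set()
    events = []
    for i in range(102):
        events.append(("203.0.113.7", i * 0.1, "open"))
        events.append(("203.0.113.7", i * 0.1, "close"))
    events.append(("198.51.100.5", 10.5, "open"))
    return replay(ssh_sto_tracker(table), events), table


if __name__ == "__main__":
    verdicts, table = scan_scenario()
    print("scanner:", verdicts[:100].count("pass"), "passed, then",
          verdicts[100], "then", verdicts[101])
    print("admin host:", verdicts[102])
    print("overload table:", sorted(table))
```

Note what the numbers mean in practice: 100 completed connections in 30 seconds is generous for a password-guessing tool, and the `max-src-conn 10` cap is the one a parallel scanner hits first; the tracker treats either limit as an overload, which is what the `overload` option does in pf.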