IP Address:
PUBLIC
10.10.10.50 (xl0)
10.10.10.51 (alias)
10.10.10.52 (alias)
10.10.10.53 (alias)
10.10.10.54 (alias)
10.10.15.1 (xl3)
PRIVATE
172.16.100.1 (xl1)
172.16.103.1 (xl2)
Partition Information
/ 4000M
Firewall Configuration
1. Edit /etc/sysctl.conf and set net.inet.ip.forwarding=1 so the box forwards packets between its interfaces. To apply it immediately instead of waiting for a reboot: sysctl net.inet.ip.forwarding=1
2. Edit /etc/rc.conf (or, better, /etc/rc.conf.local, which survives upgrades) and set pf=YES so packet filtering is enabled at boot. Newer OpenBSD releases have dropped the pf variable from rc.conf and enable PF unconditionally; pfctl -e / pfctl -d control it at run time either way.
3. Reboot the server, or simply run pfctl -e, to activate OpenBSD packet filtering.
4. Create /etc/pf.conf (the ruleset below) and manage it with pfctl:
a. pfctl -nf /etc/pf.conf -> parse the file without loading it. Always run this first: a syntax error or an undefined macro makes pfctl reject the whole file and report the offending line, and a failed load leaves the previous ruleset untouched.
b. pfctl -f /etc/pf.conf -> load pf.conf
c. pfctl -e -> enable packet filtering
d. pfctl -d -> disable packet filtering
e. pfctl -sa -> show everything pf knows (rules, nat/rdr, states, counters); pfctl -sr shows only the loaded filter rules and pfctl -sn only the nat/rdr rules, which is the quickest way to confirm a rule actually made it in.
Interface Cards
Ethernet Interface (xl0) -> 10.10.10.50, with aliases 10.10.10.51 to 10.10.10.54 (see the IP address list above)
(xl1) -> 172.16.100.1
(xl2) -> 172.16.103.1
(xl3) -> 10.10.15.1
Current Packet Filter (PF) Configuration
# PF RULES # Joseph Abasolo
#11/26/11
# PLEASE ADD COMMENT AFTER EACH EDIT
# JFA / Change RADIUS Ip Redirection from 10.10.10.51 to 10.10.10.51 / 112611
#
# Syntax note: this file uses the pre-OpenBSD-4.7 PF syntax (separate nat/rdr
# translation rules, "keep state" spelled out). OpenBSD 4.7 and later dropped
# nat/rdr as rule types; the equivalents are
#   match out on $ext_if from $lan_net nat-to ($ext_if)
#   pass in on $ext_if proto tcp to 10.10.10.51 port 25 rdr-to $INT_DMZ_SV01
# Check the file before loading it: pfctl -nf /etc/pf.conf
#
#Interfaces
ext_if="xl0"
ext_if2="xl1"   # defined but not referenced below (the rules name xl1 directly)
ext_if3="xl2"   # defined but not referenced below (the rules name xl2 directly)
ext_if4="xl3"
#Private LAN / Networks
lan_net="172.16.100.0/24"
lan_net2="172.16.103.0/24"
lan_net3="203.177.43.1/29"   # defined but not used by any rule below
#Internal Servers
radius="172.16.100.11"
INT_DMZ_SV01="172.16.100.12"
INT_DMZ_SV02="172.16.100.13"
# $HostFree is referenced in the FTP rules below but was never defined, and an
# undefined macro makes pfctl reject the whole file. Assumption: it is the
# hosting FTP server, i.e. the same host the port-21 rdr sends to
# ($INT_DMZ_SV02). Change it if the real host differs.
HostFree="172.16.100.13"
isp_clients="{X.X.X.X}"
GW_FW="{ Y.Y.Y.Y}"
Dedic_IP="B.B.B.B"
#TCP/UDP services
# "to any" in the pass-in rules matches the post-rdr destination, so every
# port listed here is reachable on whichever internal host an rdr sends it to
# (and on the firewall itself).
#tcp_services="{21,22,25,80,110,113,123,443,1812}"
tcp_services="{21,25,80,110,1812,6667,9999}"
udp_services="{1645,1646,6667,9999}"
#options
set loginterface $ext_if
#scrub all incoming packets
#scrub in all
# Worth re-enabling: scrub reassembles fragments and normalizes odd TCP flags
# before packets reach the rdr targets (on 4.7+ the form is "match in all scrub (no-df)").
#NAT / Redirection
nat on xl0 from $lan_net to any -> xl0
# The two hosts below were originally written as "nat on xl2 ... -> xl0".
# nat applies to packets LEAVING the named interface, and Internet-bound
# traffic from these hosts leaves via xl0, so on xl2 the rules never matched
# and the hosts went out with private source addresses. Translating on xl0 is
# what was evidently intended.
nat on xl0 from { 172.16.103.4, 172.16.103.5 } to any -> xl0
#############################
# RADIUS PACKET REDIRECTION #
#############################
#Singtel / Viettel / Indotel / Epsilon
#rdr on xl0 proto udp from $isp_clients to 10.10.10.51 port 1645 -> $radius port 1645
#rdr on xl0 proto udp from $isp_clients to 10.10.10.51 port 1646 -> $radius port 1646
rdr on xl0 proto udp from $isp_clients to 10.10.10.51 port 1645 -> $radius port 1645
rdr on xl0 proto udp from $isp_clients to 10.10.10.51 port 1646 -> $radius port 1646
#PCCW_PR  (cli.ent.ip.add is a placeholder for that client's source address)
rdr on xl3 proto udp from cli.ent.ip.add to 10.10.15.1 port 1645 -> $radius port 1645
rdr on xl3 proto udp from cli.ent.ip.add to 10.10.15.1 port 1646 -> $radius port 1646
#PCCW_BK
rdr on xl0 proto udp from cli.ent.ip.add to 10.10.10.51 port 1645 -> $radius port 1645
rdr on xl0 proto udp from cli.ent.ip.add to 10.10.10.51 port 1646 -> $radius port 1646
#ANY (for TESTING PURPOSES) - keep these commented out in production: they
# would expose the RADIUS server, whose only protection is the shared secret,
# to the whole Internet.
#rdr on xl0 proto udp from any to 10.10.10.51 port 1645 -> $radius port 1645
#rdr on xl0 proto udp from any to 10.10.10.51 port 1646 -> $radius port 1646
#############################
# END OF RADIUS CONFIG #
#############################
# INT_DMZ_SV01 MAILER REDIRECTION (SMTP)
rdr on xl0 proto tcp from any to 10.10.10.51 port 25 -> $INT_DMZ_SV01 port 25
rdr on xl0 proto tcp from any to 10.10.10.51 port 80 -> $INT_DMZ_SV01 port 80
rdr on xl0 proto tcp from any to 10.10.10.51 port 110 -> $INT_DMZ_SV01 port 110
rdr on xl0 proto tcp from any to 10.10.10.51 port 1812 -> $INT_DMZ_SV01 port 1812
#RADIUS (WWW)
rdr on xl0 proto tcp from any to 10.10.10.52 port 80 -> $radius port 80
rdr on xl0 proto tcp from any to 10.10.10.52 port 21 -> $radius port 21
rdr on xl0 proto tcp from any to 10.10.10.52 port 22 -> $radius port 22
# Passive-FTP data ports for the RADIUS box. Because it says "to any", every
# inbound TCP connection to ANY of the public addresses on 49152-65535 lands
# on $radius, and the "port > 49151" pass rule below lets it through, so the
# whole high-port range of that host is reachable from the Internet, not just
# FTP data. Narrowing "to any" to 10.10.10.52 (the alias its FTP control port
# uses) limits the blast radius; OpenBSD's ftp-proxy(8) avoids opening the
# range at all.
rdr on xl0 proto tcp from any to any port 49152:65535 -> $radius port 49152:65535
#PROXY SERVER (FIREWALL ITSELF)
rdr on xl2 proto tcp from $lan_net2 to any port www -> 127.0.0.1 port 8888
#HOSTING / (FTP,SMTP,WEB)
rdr on xl0 proto tcp from any to 10.10.10.51 port 21 -> $INT_DMZ_SV02 port 21
# The next three rules are dead: rdr is first-match, and an earlier rdr already
# claims the same destination and port (any:49152-65535 -> $radius,
# 10.10.10.51:25 and 10.10.10.51:80 -> $INT_DMZ_SV01). They are commented out
# so the file says what it actually does. To give $INT_DMZ_SV02 its own SMTP,
# WWW and FTP-data services it needs a public alias of its own; 10.10.10.53 and
# 10.10.10.54 from the address list are not used by any rule here.
#rdr on xl0 proto tcp from any to any port 49152:65535 -> $INT_DMZ_SV02 port 49152:65535
#rdr on xl0 proto tcp from any to 10.10.10.51 port 25 -> $INT_DMZ_SV02 port 25
#rdr on xl0 proto tcp from any to 10.10.10.51 port 80 -> $INT_DMZ_SV02 port 80
#Redirection SSH (only reachable from $GW_FW and $Dedic_IP, see the filter rules)
rdr on xl0 proto tcp from any to 10.10.10.51 port 22 -> $INT_DMZ_SV02 port 22
rdr on xl0 proto tcp from any to 10.10.10.51 port 6667 -> $INT_DMZ_SV02 port 6667
rdr on xl0 proto udp from any to 10.10.10.51 port 9999 -> $INT_DMZ_SV02 port 9999
##############################
## FILTER RULEZ STARTS HERE ##
##############################
# Default deny on the Internet-facing interface. PF's default action when no
# rule matches is to PASS, so an interface without a block rule lets
# everything through: xl3 is also a public interface (10.10.15.1) but has no
# block, which makes the two "pass in on $ext_if4" rules below no-ops. If xl3
# should be locked down like xl0, add "block in log on $ext_if4 all" and
# "block out log on $ext_if4 all" here together with a
# "pass out on $ext_if4 ... keep state" rule so replies are handled statefully.
block in log on xl0 all
block out log on xl0 all
#allow loopback
pass quick on lo0 all
#IN RULEZ
pass in on $ext_if proto tcp from any to any port $tcp_services keep state
pass in on $ext_if proto udp from any to any port {domain,ntp} keep state
#allow ssh (remote access)
pass in on xl0 proto tcp from $GW_FW to any port ssh keep state
pass in on xl0 proto tcp from $Dedic_IP to any port ssh keep state
pass out on xl0 proto tcp from any to any port ssh keep state
#FTP for HostFree
# passive-FTP data connections; see the note on the 49152:65535 rdr above
pass in on $ext_if proto tcp from any to any port > 49151 keep state
pass out quick on xl1 proto tcp from any to $HostFree port 21 keep state
pass out quick on xl1 proto tcp from any to $radius port 21 keep state
pass out quick on xl1 proto tcp from any to $radius port > 49151 keep state
#allow RADIUS Packets (in/out) from Viettel to APC-SG-01
pass in on $ext_if proto udp from any to $lan_net port $udp_services keep state
pass out on $ext_if proto udp from any to $lan_net port $udp_services keep state
#allow RADIUS Packets (in/out) from Singtel to APC-SG-02
pass in on $ext_if4 proto udp from any to $lan_net port $udp_services keep state
pass out on $ext_if4 proto udp from any to $lan_net port $udp_services keep state
#allow ICMP IN (echo request only)
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
#OUT RULEZ
#allow ICMP OUT
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
#allow all TCP/UDP OUT
pass out on $ext_if proto tcp all keep state
pass out on $ext_if proto udp all keep state
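The two defects easiest to miss in a ruleset like this are a macro that is referenced but never defined (pfctl rejects the whole file) and a translation rule shadowed by an earlier one (rdr is first-match, so the later rule silently never fires). The checker below is an added example, not code from the original post or from OpenBSD; it parses a pre-4.7-style pf.conf and reports both problems with line numbers. The ruleset it runs on is a constructed excerpt modelled on the one above, the function names are my own, "any" is the only wildcard it understands, and port specs are compared as literal strings (49152:65535 is not treated as covering 50000).

```python
"""pf_lint: two static checks for a pre-OpenBSD-4.7 style pf.conf.

undefined_macros(): $name references with no name="value" definition.
shadowed_rdr():     rdr rules an earlier rdr on the same interface, protocol and
                    port already covers (translation rules are first-match).
Limitations: macro values must be a single token, "any" is the only wildcard,
ports are compared as literal strings, and only the form
"rdr on IF proto P from S to D port N -> T [port M]" is parsed.
"""
import re

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
RDR_RULE = re.compile(
    r'^rdr\s+on\s+(\S+)\s+proto\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)'
    r'\s+port\s+(\S+)\s*->\s*(\S+)(?:\s+port\s+(\S+))?\s*$'
)

# Constructed excerpt modelled on the page's ruleset (not the original file).
# Line numbers appear in the report, so keep it as one literal.
SAMPLE_PF_CONF = """\
ext_if="xl0"
lan_net="172.16.100.0/24"
radius="172.16.100.11"
INT_DMZ_SV01="172.16.100.12"
INT_DMZ_SV02="172.16.100.13"
isp_clients="{X.X.X.X}"
nat on xl0 from $lan_net to any -> xl0
rdr on xl0 proto udp from $isp_clients to 10.10.10.51 port 1645 -> $radius port 1645
rdr on xl0 proto tcp from any to 10.10.10.51 port 25 -> $INT_DMZ_SV01 port 25
rdr on xl0 proto tcp from any to 10.10.10.51 port 80 -> $INT_DMZ_SV01 port 80
rdr on xl0 proto tcp from any to any port 49152:65535 -> $radius port 49152:65535
rdr on xl0 proto tcp from any to 10.10.10.51 port 21 -> $INT_DMZ_SV02 port 21
rdr on xl0 proto tcp from any to any port 49152:65535 -> $INT_DMZ_SV02 port 49152:65535
rdr on xl0 proto tcp from any to 10.10.10.51 port 25 -> $INT_DMZ_SV02 port 25
pass in on $ext_if proto tcp from any to any port > 49151 keep state
pass out quick on xl1 proto tcp from any to $HostFree port 21 keep state
"""


def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split('#', 1)[0].strip()


def parse_macros(text):
    """Return {name: value} for every name="value" line."""
    macros = {}
    for raw in text.splitlines():
        m = MACRO_DEF.match(strip_comment(raw))
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def expand(token, macros):
    """Replace $name with its value; unknown names are left as written."""
    return MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), token)


def undefined_macros(text):
    """[(lineno, name)] for each $name used on a rule line but never defined."""
    macros = parse_macros(text)
    missing = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line or MACRO_DEF.match(line):
            continue
        for name in MACRO_REF.findall(line):
            if name not in macros:
                missing.append((lineno, name))
    return missing


def covers(earlier, later):
    """True if the earlier address spec matches everything the later one does."""
    return earlier == 'any' or earlier == later


def shadowed_rdr(text):
    """[(dead_lineno, shadowing_lineno)] for rdr rules an earlier rdr already claims."""
    macros = parse_macros(text)
    earlier = []  # (lineno, iface, proto, src, dst, port) of rdr rules seen so far
    dead = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RDR_RULE.match(strip_comment(raw))
        if not m:
            continue
        iface, proto, src, dst, port = (expand(g, macros) for g in m.groups()[:5])
        for e_line, e_if, e_proto, e_src, e_dst, e_port in earlier:
            if (e_if, e_proto, e_port) == (iface, proto, port) \
                    and covers(e_src, src) and covers(e_dst, dst):
                dead.append((lineno, e_line))
                break  # first matching rule wins, so one shadower is enough
        earlier.append((lineno, iface, proto, src, dst, port))
    return dead


def report(text):
    """Human-readable findings, one string per problem."""
    out = [f"line {n}: macro ${name} is used but never defined"
           for n, name in undefined_macros(text)]
    out += [f"line {n}: rdr never matches, shadowed by rdr on line {e}"
            for n, e in shadowed_rdr(text)]
    return out


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PF_CONF
    print("\n".join(report(src)) or "no findings")
```

Run it against a real file with python3 pf_lint.py /etc/pf.conf. pfctl -nf already catches the undefined macro; the shadowed-rdr check is the one pfctl will not do for you, because a shadowed rule is syntactically fine and just never matches.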
A bit of OpenBSD skill I learned and implemented :D
