Hi Group,
I have a server with two LAN cards, both with valid IPs. One interface
(fxp1) is patched behind a Cisco PIX firewall & the other (fxp0) is outside
the firewall.
I want that there should be no greylisting/filtering on fxp1 (I have
the related ports opened in the PIX) & it should be enabled only for
fxp0.
The server will be used as a mail server.
Please help. I want to check if the below rules are correct.
My pf rules are as follows:
----
# PF Conf
#############
# Macros
#############
# internal and external network interfaces
# fxp0 faces the Internet, fxp1 sits behind the PIX (see above)
int_if = "fxp1"
ext_if = "fxp0"
# Internal servers
mail_host = "a.b.c.d"
icmp_types = "{ echoreq, unreach }"
tcp_services = "{ 110, 143, 80 }"
# We should never see these coming from the Internet.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
# options (every "set" line has to come before the scrub, rdr and
# filter rules, otherwise pfctl rejects the file)
set block-policy return
set loginterface $ext_if
set skip on lo0
# Scrub
scrub in all
#################
# Spamd
#################
# grey host list
table <spamd> persist
# White host list (the name must match the <spamd-white> references below)
table <spamd-white> persist
# This whitelist we are maintaining
table <whitelist> persist file "/etc/whitelist.txt"
# Send whitelisted hosts to the actual mail server
rdr on $ext_if proto tcp from <whitelist> to \
$ext_if port smtp -> $mail_host port smtp
# send all suspects to the spamd daemon
rdr pass on $ext_if inet proto tcp from <spamd> to \
$ext_if port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from !<spamd-white> to \
$ext_if port smtp -> 127.0.0.1 port 8025
# Send whitelisted hosts to the actual mail server
rdr on $ext_if proto tcp from <spamd-white> to \
$ext_if port smtp -> $mail_host port smtp
#############
# Filter Rules
#############
block all
antispoof for $ext_if
antispoof for $int_if
# Martians
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
# Allow ping and path MTU discovery
pass in inet proto icmp all icmp-type $icmp_types keep state
# Allow incoming POP3, IMAP and HTTP connections
# (SMTP is handled by the rdr rules and the whitelist rules below)
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
# For spamlogd to update the whitelists
# don't need to log static whitelist
pass in quick on $ext_if inet proto tcp from <whitelist> \
to port smtp flags S/SA keep state
pass in log quick on $ext_if inet proto tcp from <spamd-white> \
to port smtp flags S/SA keep state
# Allow anything from the internal network out onto the Internet
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# No filtering or greylisting on the interface behind the PIX
pass quick on $int_if
----
One more question I want to ask is whether it will be OK to enable
multicost routing on this server, or whether I need to add more
rules to the above for it to work with multicost routing.
Thanx & Regards
Ram
