> This sounds good.
> But my OpenBSD is working like a router.
> If I remove the rule pass in quick on $int_if I will have a lot of PCs
> that cannot access other subnets.
> Do you know what protocol I must allow for routes to work?
>
> thankssssssss
>
> -----Original message-----
> From: cgc [mailto:cgc@lemon-computing.com]
> Sent: Wednesday, 15 October 2008 15:49
> To: Ricardo Augusto de Souza
> Cc: misc@openbsd.org
> Subject: Re: RES: Filtering outgoing connections in pf
>
> Let me give you an example: if you just want 10.10.0.0/16 to have port 80
> access, then you need 3 rules:
>
> #the nat
> nat on $ext_if from 10.10.0.0/16 to any port 80 -> ($ext_if)
>
> #allow through $int_if
> pass in quick on $int_if proto tcp from 10.10.0.0/16 to any port 80
>
> #and finally allow through $ext_if
> pass out quick on $ext_if proto tcp from ($ext_if) to any
>
> You can lock $ext_if down to just port 80, but the point is $int_if is where
> you do the filtering for 10.10.0.0/16
>
> Correct me if I am wrong.
>
> Regards,
>
> Charlie
>
> On Wed, 15 Oct 2008 14:44:43 -0300, "Ricardo Augusto de Souza"
> <ricardo.souza@cmtsp.com.br> wrote:
>> Is it possible to filter outgoing packets on $ext_if even when doing NAT?
>> I mean, after nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if) all
>> packets from 10.10.0.0/16 will be translated to $ext_if.
>> I wish I could filter 10.10.0.0/16 packets on $ext_if.
>>
>> Is it possible?
>>
>> Thanks
>> -----Original message-----
>> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On behalf of
>> Ricardo Augusto de Souza
>> Sent: Wednesday, 15 October 2008 13:01
>> To: misc@openbsd.org
>> Subject: Filtering outgoing connections in pf
>>
>> Hi,
>>
>> I am confused with some PF rules.
>>
>> I am trying to allow just some ports to my local users.
>>
>> I am using block out on $ext_if, but I thought I would be able to choose
>> the ports my LAN users can access with the rule
>>
>> pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25,
>> 110 } keep state
>>
>> It seems to be ok, but I had to add this rule: pass out on $ext_if
>> from $ext_if to any (without this rule my box cannot connect to the
>> Internet). With this rule, all users can connect to any outbound port.
>>
>> Question: what is the right way to have my box on the Internet while my
>> users can only access those selected ports?
>>
>> Thanks
>>
>> My pf.conf:
>>
>> set loginterface xl1
>> set skip on lo0
>> scrub in
>>
>> set require-order yes
>> set state-policy if-bound
>>
>> altq on xl1 priq bandwidth 50Kb queue { q_pri, q_def }
>> queue q_pri priority 7
>> queue q_def priority 1 priq(default)
>>
>> # external interface (WAN)
>> ext_if="xl1"
>> # internal interface (LAN)
>> int_if="xl0"
>> # MPLS interface
>> mpls_if ="bge0"
>> # VPN tunnel interfaces
>> vpn_if ="{ tun0, tun1, tun2, tun3, tun4 }"
>> vpn_net ="{ 10.10.9.0/26 }"
>> # default gateway
>> gw="200.162.41.33"
>>
>> table <badsites> persist file "/etc/badsites.txt"
>> winupdate = "{ 65.54.87.0/24 } "
>>
>> ############
>> # Variables
>> ##########
>>
>> #################
>> #1 - Redirection for the staging (homologation) environment
>> ###############
>> ws_ip = "{ 10.10.100.21 }"
>> ws_ports = "{ 8101, 8102, 8103 }"
>>
>> ####################################
>> #2 - Useful variables
>> ################################
>> lan = "{ 10.10.0.0/16 }"
>> cmt_lan = "{ 10.10.0.0/24 }"
>> ti_lan = "{ 10.10.20.0/26 }"
>> call_center_lan = "{ 10.10.60.0/26 }"
>> rede_mpls = "{ 10.100.0.0/16 }"
>> ip_admin = "{ 10.10.20.100 }"
>> msn = "207.46.0.0/16"
>>
>> # ports
>> portas_saida_tcp = " {25, 80, 110,443 }"
>> portas_saida_udp = " { 53, 443 }"
>> portas_entrada_tcp = " { 22,1981, 810} "
>> portas_entrada_udp = " { 1194 }"
>> ip_rose = " { 10.10.0.56 } "
>> porta_rose = " { 2631 } "
>> oracle_desenv = "{ 10.10.100.13, 10.10.100.14 }"
>> ips_adm_ext = "{ 189.33.76.0/26 } "
>>
>> # test: Internet access for the MPLS branch stores
>> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 3128 -> $int_if port 3128
>>
>> # redirect to the NTP server
>> rdr pass on $mpls_if inet proto udp from $rede_mpls to $mpls_if port 123 -> 10.10.100.254 port 123
>>
>> # redirect so the DTC servers can send email through sol
>> rdr pass on $mpls_if inet proto tcp from $rede_mpls to $mpls_if port 25 -> 10.10.0.2 port 25
>> nat on $int_if from any to 10.10.0.2 -> $int_if
>>
>> # transparent squid
>> rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128
>>
>> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1521 -> 10.10.100.13 port 1521
>> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1522 -> 10.10.100.14 port 1521
>> nat on $int_if from any to $oracle_desenv port 1521 -> $int_if
>>
>> # redirection to the LAN; NAT was needed as well.
>> rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
>> nat on $int_if from any to $ws_ip -> $int_if
>>
>> #################
>> ##### NAT ######
>> #################
>>
>> # NAT to give the LAN Internet access
>> nat on $ext_if from $lan to !($ext_if) -> $ext_if
>> nat on $mpls_if from $lan to any -> $mpls_if
>>
>> # block everything inbound and everything outbound
>> block in on $ext_if
>>
>> # inbound rules
>>
>> # allow everything in on the internal interface
>> pass in on $int_if proto udp from $lan to $int_if port 53
>> pass in on $int_if from any to $lan modulate state
>> pass in on $int_if from $rede_mpls to $lan modulate state
>>
>> # allow access to the MPLS network
>> pass in quick on $mpls_if from any to any
>> #pass in quick on $mpls_if from $rede_mpls to any
>>
>> # allow inbound on the external interface
>> pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
>> pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state
>> pass in quick on $ext_if proto udp from any to $ext_if port $portas_entrada_udp keep state
>> pass in quick on $ext_if proto tcp from any to $int_if port 443 flags S/SAFR keep state (max 256)
>>
>> #VPN
>> pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
>> pass in quick on $ext_if proto gre from any to $ext_if keep state
>> pass out quick on $ext_if proto gre from $ext_if to any keep state
>> pass in quick on $vpn_if all
>> pass out quick on $vpn_if all
>>
>> pass in quick on $int_if from $vpn_net to any modulate state
>> pass in quick on $mpls_if from $vpn_net to any modulate state
>>
>> # outbound rules
>> antispoof quick for { lo $int_if }
>> pass out on $int_if from any to $lan keep state
>> pass out on $mpls_if from $mpls_if to any modulate state
>> #####
>> # forbid all outbound traffic
>> block out on $ext_if
>> #pass out on $ext_if from $ext_if to any modulate state
>>
>> pass out quick on $ext_if proto tcp from any to any port $portas_saida_tcp modulate state queue (q_def, q_pri)
>> pass out quick on $ext_if proto tcp from $ip_rose port 1024:65535 to 200.201.174.0/24 port { 80, 2631 } modulate state
>>
>> # allow full access for the administrators
>> #pass out on $ext_if from $ip_admin to any modulate state
>>
>> pass out on $ext_if proto tcp from $ext_if to any modulate state flags S/SA
>> pass out on $ext_if proto { udp, icmp } all keep state
>>
>> # block msn
>> pass out quick inet proto tcp from $ip_admin to $msn port { 80, 1863 }
>> block out quick proto tcp from any to $msn port { 80, 1863 }
>> #block access to these sites
>> block out on $ext_if from any to <badsites>
>> block out on $ext_if from any to $winupdate
>
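The ruleset below is an added example, not code from the thread, from Charlie or from Ricardo's box. It puts Charlie's advice into a complete pf.conf (filter the LAN on $int_if, where the packets still carry their real 10.10.x.x source addresses, because after "nat on $ext_if" every outbound packet on $ext_if has the router's own address as source) and also answers Ricardo's follow-up: routing between internal subnets needs no special protocol allowed, only pass rules for the internal destinations on the interfaces the packets enter and leave by. It uses the pre-OpenBSD 4.7 "nat on" syntax of the posted config. Interface names, subnets and the outbound port lists are taken from Ricardo's pf.conf; the <internal> table and the LAN_EGRESS tag are names assumed for this example. The tag shows one way to still tell LAN-originated flows apart on $ext_if after translation, which is what Ricardo first asked about.

```pf
# Added example (not from the thread). Pre-4.7 "nat on" syntax.
# Interfaces, subnets and port lists from Ricardo's config; the
# <internal> table and the LAN_EGRESS tag are assumed names.
ext_if = "xl1"
int_if = "xl0"
mpls_if = "bge0"
lan = "10.10.0.0/16"
rede_mpls = "10.100.0.0/16"
portas_saida_tcp = "{ 25, 80, 110, 443 }"
portas_saida_udp = "{ 53 }"

# Every network reachable without NAT. A table is used on purpose:
# a negated list ("to ! { a, b }") expands into one rule per element
# and does not mean "neither a nor b"; a negated table does.
table <internal> { 10.10.0.0/16, 10.100.0.0/16 }

# Translate only Internet-bound traffic; traffic routed between the
# internal networks keeps its real addresses.
nat on $ext_if from $lan to !<internal> -> ($ext_if)

# Default deny on every interface, then open only what is needed.
block in all
block out all

# Inter-subnet routing: a packet arrives on one internal interface and
# leaves on the other. Nothing protocol-specific is required, just the
# inbound and outbound pass rules for the internal destinations.
pass in  on $int_if  from $lan to <internal> keep state
pass in  on $mpls_if from $rede_mpls to $lan keep state
pass out on $int_if  from any to $lan keep state
pass out on $mpls_if from any to $rede_mpls keep state

# LAN Internet policy, enforced on $int_if before NAT rewrites the
# source. The tag travels with the packet, so later rules on $ext_if
# can still recognise LAN-originated flows after translation.
pass in on $int_if proto tcp from $lan to !<internal> port $portas_saida_tcp \
    tag LAN_EGRESS keep state
pass in on $int_if proto udp from $lan to !<internal> port $portas_saida_udp \
    tag LAN_EGRESS keep state

# Outbound on $ext_if: LAN flows already admitted on $int_if, plus the
# router's own traffic. The "! tagged" on the second rule keeps it from
# doubling as a catch-all for translated LAN packets, which is the
# problem Ricardo hit with a plain "pass out from $ext_if to any".
pass out on $ext_if tagged LAN_EGRESS keep state
pass out on $ext_if from ($ext_if) to any ! tagged LAN_EGRESS keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f". Because the LAN policy sits on $int_if, widening the router's own access on $ext_if (the last rule) no longer widens what LAN hosts can reach, and "pfctl -ss" shows the LAN flows as states created on $int_if with their untranslated addresses, which makes auditing who is talking to the Internet straightforward.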