Learning how to pf "right" P2

Dennis Steinkamp
Hey there,

So now I reached chapter 7 of the book and, from reading through the different chapters in it, I came up with
the following little Pf script (still work in progress of course ^^).

# --------------
ext_if = "vlan100" # External interface macro
int_if = "vlan200" # Internal interface macro
int_net = $int_if:network # Internal network macro
icmp_types = "echoreq"
# -------------
table <aliens> {,, \
       ,, \
       ,, \
       , }
# -----------------
a.) block all  # Default block in/out rule
b.) set skip on lo  # Skip any filtering on loopback
c.) match out on egress inet from $int_net nat-to egress # NAT from $int_net to $ext_if (ext_if=egress)
d.) pass inet proto icmp from $int_net icmp-type $icmp_types # Pass icmp traffic (echoreq) from $int_net
e.) pass in on $int_if from $int_net to any # Pass traffic from $int_net coming in on $int_if to any (Pass to firewall itself)
f.) pass out on egress from egress to any # Pass traffic from $ext_if (ext_if = egress) going out on $ext_if to any
# (Pass to the "world" outside of the firewall itself)
g.) block in quick on $ext_if from <aliens> to any # Block private address space coming in on $ext_if to any
h.) block out quick on $ext_if from any to <aliens> # Block from any going out on $ext_if to private address space
i.) antispoof for $ext_if # Enable antispoof on $ext_if
j.) antispoof for $int_if  # Enable antispoof on $int_if

What I want to accomplish is rather easy, I suppose.
Block everything by default and just let my OpenBSD machine act as a gateway for my $int_net.
No services need to be reachable from the "outside world", not even ssh.
Apart from that, it's just about taking a few security measures as recommended by the book (so far) and mentioned here on the mailing list.
Of course I've got a few questions to ask, as you probably could have guessed already ;)

My questions are:

1.) Does it make sense to make use of rules g-h while at the same time enabling antispoofing in i-j?
As far as my understanding goes, g-h and i-j are more or less trying to achieve the same thing, aren't they?

2.) I would like to add packet prioritization to the existing ruleset for certain client machines, for example:
All internet related traffic for client A should be prioritized over internet related traffic for client B.
I assume I can do this by referring to the IP address of the client in a rule and then setting prio accordingly.
Another approach would be to create different vlan interfaces and assign all traffic coming in on that interface different priorities globally. In the scenario above, for $int_if I would have to set prio x on rule e.) to prioritize traffic globally, is that correct? (That would include traffic that needs to cross between interfaces/subnets as well, right?)
Doing it on the IP address of the client machine doesn't seem very clever because, even though they could be assigned statically by DHCP, they are easy to set manually.

3.) How do I scrub with Pf in OpenBSD 5.7?
The book says "match in all scrub (no-df max-mss 1440)" but I don't understand the mss 1440.
I am on an ADSL2 (PPPoE) connection (16Mbps DS / 1.8Mbps US).

Thank you again for your time, and of course I am always interested in how to improve my ruleset if any of the stuff above seems bogus. :)
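To make question 1 concrete, here is an added Python model (not code from the post or the book) of pf's evaluation order, last matching rule wins unless a rule says quick, with the bogon rule g and the expansion that antispoof for an interface produces. The interface networks, the <aliens> contents and the packets are constructed assumptions; rule h and the second antispoof rule (interface's own address as source) are left out for brevity.

```python
import ipaddress

# Assumed values: the post names the interfaces but not their networks.
EXT_IF, INT_IF = "vlan100", "vlan200"
EXT_NET = ipaddress.ip_network("203.0.113.0/24")    # assumed $ext_if:network
INT_NET = ipaddress.ip_network("192.168.200.0/24")  # assumed $int_if:network
ALIENS = [ipaddress.ip_network(n) for n in          # constructed <aliens> table
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rule(name, action, direction=None, iface=None, negate=False, src=None, quick=False):
    return dict(name=name, action=action, direction=direction, iface=iface,
                negate=negate, src=src, quick=quick)


def antispoof(ifname, net):
    # pf expands "antispoof for IF" into (among others):
    #   block in on ! IF from IF:network to any
    # i.e. the interface's OWN network arriving on any OTHER interface.
    return [rule(f"antispoof for {ifname}", "block", "in", ifname, negate=True, src=[net])]


RULES = [
    rule("a", "block"),                                   # block all
    rule("e", "pass", "in", INT_IF, src=[INT_NET]),       # pass in on $int_if from $int_net
    rule("g", "block", "in", EXT_IF, src=ALIENS, quick=True),  # block in quick ... from <aliens>
    *antispoof(EXT_IF, EXT_NET),                          # i.) antispoof for $ext_if
    *antispoof(INT_IF, INT_NET),                          # j.) antispoof for $int_if
]


def matches(r, pkt):
    if r["direction"] and r["direction"] != pkt["dir"]:
        return False
    # "on IF" requires equality, "on ! IF" requires inequality
    if r["iface"] and (r["iface"] == pkt["iface"]) == r["negate"]:
        return False
    if r["src"] and not any(ipaddress.ip_address(pkt["src"]) in n for n in r["src"]):
        return False
    return True


def evaluate(pkt):
    """Return (action, rule name): last match wins, a quick match ends evaluation."""
    verdict = None
    for r in RULES:
        if matches(r, pkt):
            verdict = (r["action"], r["name"])
            if r["quick"]:
                break
    return verdict


if __name__ == "__main__":
    # Spoofed external address arriving on the internal interface: only antispoof looks at this.
    print(evaluate(dict(dir="in", iface=INT_IF, src="203.0.113.9")))
```

Running the four packets below shows where g and j overlap (private source on $ext_if) and where only antispoof for $ext_if fires (external-network source arriving on $int_if), which rules g-h never examine.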