CvGaming

Firewall with OpenBSD (from 2008)


HardmanCummings

I was looking through an older backup disk and found my earlier firewall config. Memories from the past, but I think there may be people who want to play with OpenBSD instead of Linux, so I'm sharing my script for those who want it :)

 

pf.conf

### Start ###

#-> Network interfaces
lo  = lo0
int = sis0    # internal LAN
ext = sis1    # Internet-facing
dmz = sis2    # DMZ with the web server

#-> Networks
bfnet = "10.10.10.0/24"
bfdmz = "10.110.110.0/24"

#-> Hosts
bftv  = "10.10.10.10"
bfweb = "10.110.110.10"

#-> Ports
potv  = "{ 9000 }"        # Misc
poweb = "{ 80, 443 }"     # Web server

#-> Reserved / unroutable networks: never a legitimate source on $ext
table <reserved> const { 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, \
                         169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
                         224.0.0.0/3, 255.255.255.255 }

#-> PF settings
set limit { states 20000, frags 20000 }
set block-policy drop
set optimization aggressive
scrub in on $ext all             # normalize and reassemble inbound packets

#-> NAT rules (pre-OpenBSD 4.7 nat/rdr syntax)
nat on $ext inet from $bfnet to any -> ($ext)
nat on $ext inet from $bfdmz to any -> ($ext)

#-> Port forwards from the Internet into the LAN and DMZ
rdr on $ext proto { tcp, udp } from any to ($ext) port $potv -> $bftv
rdr on $ext proto { tcp, udp } from any to ($ext) port $poweb -> $bfweb
rdr on $ext proto tcp from any to ($ext) port 2001 -> $bfweb port ssh

#-> NAT reflection: LAN clients reach the web server through the external address
rdr on $int proto { tcp, udp } from $bfnet to $ext port $poweb -> $bfweb
no nat on $int proto { tcp, udp } from $bfnet to $dmz
nat on $int proto { tcp, udp } from $bfnet to $bfweb port $poweb -> $dmz

#-> Filter rules (evaluated after translation, so they match the translated packet)
pass quick on $lo all
antispoof for { $lo, $int, $ext, $dmz }
pass quick on { $int, $dmz } all                    # LAN and DMZ are fully trusted
block in quick on $ext from <reserved> to any       # drop spoofed / bogon sources
block in on $ext all                                # default deny inbound
block out quick on $ext inet from ! ($ext) to any   # only NATed traffic may leave

pass in on $ext inet proto icmp all icmp-type 8 code 0 keep state   # allow ping

pass in log quick on $ext proto tcp from any to any port 22 flags S/SA keep state
pass in quick on $ext proto { tcp, udp } from any to any port $poweb keep state
pass in quick on $ext proto { tcp, udp } from any to any port $potv keep state
# The forward on external port 2001 is rewritten to $bfweb port 22 before
# filtering, so the pass rule must match the translated destination, not 2001.
pass in quick on $ext proto tcp from any to $bfweb port ssh keep state

pass out on $ext proto { tcp, udp, icmp } all keep state

### End ###
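As an added example (not part of the original post), the following Python script does the check a reviewer would want to run on a ruleset in this style: it expands the pf macros, pairs every rdr forward with the pass in rules, and reports forwards that no filter rule admits and pass rules that no forward uses. It works on a constructed excerpt written in the pre-OpenBSD 4.7 nat/rdr syntax; the service table and the rule regexes are the script's own simplifications, not pfctl's parser.

```python
import re

# Constructed excerpt in the post's (pre-OpenBSD 4.7) nat/rdr rule style.
PF_CONF = """\
ext = sis1
bfweb    = "10.110.110.10"
poweb    = "{ 80, 443 }"
rdr on $ext proto { tcp, udp } from any to ($ext) port $poweb -> $bfweb
rdr on $ext proto tcp from any to ($ext) port 2001 -> $bfweb port ssh
pass in log quick on $ext proto tcp from any to any port 22 flags S/SA keep state
pass in quick on $ext proto { tcp, udp } from any to any port $poweb keep state
pass in quick on $ext proto { tcp, udp } from any to any port 2001 keep state
"""
SERVICES = {"ssh": 22, "http": 80, "https": 443}  # tiny stand-in for /etc/services

def expand_macros(text):
    """Substitute $name macros as pfctl does; return the remaining rule lines."""
    macros, rules = {}, []
    for line in text.splitlines():
        m = re.match(r'^(\w+)\s*=\s*"?(.*?)"?\s*$', line)
        if m: macros[m.group(1)] = m.group(2).strip()
        elif line.strip(): rules.append(line)
    return [re.sub(r"\$(\w+)", lambda x: macros[x.group(1)], r) for r in rules]

def ports(spec):
    """'{ 80, 443 }', '2001' or 'ssh' -> set of port numbers."""
    return {int(SERVICES.get(p, p)) for p in re.findall(r"\w+", spec)}

def forwards(rules):
    """rdr rules -> {external port: (target host, port after translation)}."""
    out = {}
    for r in rules:
        m = re.match(r"rdr .*?port (\{[^}]*\}|\w+) -> (\S+)(?: port (\w+))?", r)
        if m:
            for p in ports(m.group(1)):
                out[p] = (m.group(2), ports(m.group(3)).pop() if m.group(3) else p)
    return out

def pass_in_ports(rules):
    """Destination ports admitted by 'pass in' rules."""
    hits = [re.match(r"pass in .*?port (\{[^}]*\}|\w+)", r) for r in rules]
    return set().union(*(ports(m.group(1)) for m in hits if m))

def audit(text):
    """Return (forwards, forwards no pass rule admits, pass ports no forward uses)."""
    rules = expand_macros(text)
    fwd, admitted = forwards(rules), pass_in_ports(rules)
    # pf filters the already-translated packet, so a pass rule has to name the
    # post-rdr port (22 here), not the external port (2001). A "dead" pass port
    # may still be meant for a service on the firewall itself, so review it.
    unfiltered = {p for p, (_, tp) in fwd.items() if tp not in admitted}
    dead = admitted - {tp for _, tp in fwd.values()}
    return fwd, unfiltered, dead
```

On this excerpt the 2001 forward is admitted only because the broad port 22 rule catches the translated packet, while the pass rule written for port 2001 is reported as dead.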
