Packet Filter for OpenBSD 4.7


Hi, how are you?

I'm sharing my packet filter configuration; I hope you find it useful. If you have any corrections, I would appreciate them.

####### Network interface configuration #########
ext_if = "em0"
int_if = "rl0"

citrix = "100.1.1.220"

cache_srv = "127.0.0.1"
cache_port = "3128"

###### Which service each interface provides ########
internet = "em0"
local = $int_if:network

###### Table for blocking SSH attackers ########
# The table name (in angle brackets) was stripped when the post was published;
# <bloquear_ssh> is the name the author's HFSC version uses and is assumed here.
table <bloquear_ssh> persist

##### List of allowed protocols ########

servicio_tcp = "{53,75,www,https,ftp,ftp-data,22,110,587,8443,19638,83,50,500,4500,1494,80,443,3389}"
servicio_icmp= "{echoreq}"
servicio_dhcp= "{bootps,bootpc,67,68}"

##### Packet filter options ########
set block-policy drop
set limit states 10000
set limit frags 10000
set optimization aggressive
set require-order yes
set limit { states 10000, frags 10000, src-nodes 1000 }
#set timeout { frag 10 }
#set timeout { tcp.first 30, tcp.opening 30, tcp.established 3600 }
#set timeout { tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
#set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
#set timeout { icmp.first 3, icmp.error 3}
#set timeout { adaptive.start 8000, adaptive.end 14000 }
set debug urgent
set skip on lo0
set loginterface $ext_if
##### Packet normalization ########

match in all scrub (no-df)

################################################################
######### PORT REDIRECTION

match in log on egress inet proto tcp from any to any port 80 rdr-to $citrix
match in log on egress inet proto tcp from any to any port 1494 rdr-to $citrix
match in log on egress inet proto tcp from any to any port 85 rdr-to $citrix
match in log on egress inet proto tcp from any to any port 2598 rdr-to $citrix
match in log on egress inet proto tcp from any to any port 8080 rdr-to $citrix
match in log on egress inet proto tcp from any to any port 3389 rdr-to $citrix

#### Bandwidth management: no ALTQ queues in this version ########

##### NAT from the internal network to the external one ########
match out on $ext_if from !($ext_if) nat-to ($ext_if)

##### Enable the FTP proxy #######
anchor "ftp-proxy/*"
pass in on $ext_if proto tcp from any to any port 21 rdr-to 127.0.0.1 port 8021

##### Default policy: block everything ########
block all
block quick inet6 all
block return-rst in log inet proto tcp from any to any
block return-icmp in log inet proto udp from any to any

##### antispoof expands to block rules; it must be quick and come before ########
##### the pass quick rules below, otherwise those would be the final     ########
##### match for packets with spoofed source addresses                    ########
antispoof quick for $ext_if
antispoof quick for $int_if

##### Start opening the ports that are needed ########

##### Block the hosts listed in the table ########
# The table name (in angle brackets) was stripped when the post was published;
# <bloquear_ssh> is the name the author's HFSC version uses and is assumed here.
block in log quick from <bloquear_ssh>

# Enable if you have SQUID configured
#pass in quick on $int_if proto tcp from $int_if:network to any port www \
#rdr-to 127.0.0.1 port $cache_port

#### Allow certain ICMP packets through ########
pass inet proto icmp all icmp-type $servicio_icmp

##### pass proto tcp to any port $servicio_tcp ########
pass quick proto {tcp udp} to any port domain
pass quick proto tcp to any port $servicio_tcp
# DHCP runs over UDP; the original rule said proto tcp, which never matches DHCP
pass quick proto udp to any port $servicio_dhcp

OpenBSD LiveCD


I created a LiveCD with OpenBSD that lets you configure a firewall with a small script.

pf.conf file with HFSC


####### Network interface configuration                 #########
ext_if   = "dc0"
int_if   = "rl0"

######  Which service each interface provides           ########
internet = "dc0"
local    = $int_if:network

######  Table for blocking SSH attackers                ########
table <bloquear_ssh> persist

#####   List of allowed protocols                       ########

servicio_tcp = "{www,https,ftp,ftp-data,2083,2096}"
servicio_icmp= "{echoreq}"
servicio_dhcp= "{bootps,bootpc}"

#####   Packet filter options                           ########
set block-policy drop
set limit states 10000
set limit frags 10000
set optimization aggressive
set require-order yes

set limit { states 10000, frags 10000, src-nodes 1000 }
set timeout { frag 10 }
set timeout { tcp.first 30, tcp.opening 30, tcp.established 3600 }
set timeout { tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { icmp.first 3, icmp.error 3}
set timeout { adaptive.start 8000, adaptive.end 14000 }

set debug urgent
set skip on lo0
set loginterface $ext_if

#####   Packet normalization                            ########
scrub all

####    Bandwidth management                            ########

altq on $ext_if bandwidth 1000Kb hfsc queue { ack, dns, ssh, bulk }
queue ack        bandwidth 80% priority 7 qlimit 500 \
hfsc (ecn realtime 58%  upperlimit 60%)
queue dns        bandwidth  7% priority 6 qlimit 500 \
hfsc (ecn realtime  7%)
queue ssh        bandwidth 10% priority 5 qlimit 500 \
hfsc (ecn realtime 10%) {ssh_bulk, ssh_login}
queue ssh_login  bandwidth 90% \
priority 5 qlimit 500 hfsc
queue ssh_bulk   bandwidth 10% \
priority 4 qlimit 500 hfsc
queue bulk       bandwidth  3% priority 4 qlimit 500 \
hfsc (ecn realtime 3% default)

#####   NAT from the internal network to the external one ########
nat on $ext_if inet from $local to any -> ($ext_if)

#####   Enable the FTP proxy                            #######
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $local to any port ftp -> 127.0.0.1 port 8021

#####   Default policy: block everything                ########
block log (all) all
block quick inet6 all

block return-rst in log inet proto tcp from any to any
block return-icmp in log inet proto udp from any to any

####    antispoof expands to block rules; it must be quick and come   ########
####    before the pass quick rules below, otherwise those would be    ########
####    the final match for packets with spoofed source addresses     ########
antispoof quick for $ext_if
antispoof quick for $int_if

####    Order matters: the last matching rule wins      ########
#####   Start opening the ports that are needed         ########
####    Rules to allow FTP traffic                      ########
anchor "ftp-proxy/*"

#####   Block the hosts listed in the table             ########
block in log quick from <bloquear_ssh>

####    Allow certain ICMP packets through              ########
pass inet proto icmp all icmp-type $servicio_icmp queue bulk

####    Allow SSH from IPs that have not been abusive   ########
# A source that exceeds 10 connections, or 5 new connections in 3 seconds,
# is added to <bloquear_ssh> and its states are flushed; the block rule
# above then drops it. ssh is an interior queue (it has children), so the
# traffic is assigned to its leaf queues: packets with the low-delay TOS
# bit and empty TCP ACKs go to ssh_login, everything else to ssh_bulk.
pass quick proto tcp from any to any port 2222 \
keep state (max-src-conn 10, max-src-conn-rate 5/3, \
overload <bloquear_ssh> flush ) queue (ssh_bulk, ssh_login)

#####   pass proto tcp to any port $servicio_tcp        ########
# The DNS queue defined above is named dns; the post referenced a queue
# named "domain" that does not exist.
pass quick proto {tcp udp} to any port domain queue dns
pass quick proto tcp to any port $servicio_tcp queue ack
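A small check for the reference mistakes both files above are prone to: a rule assigned to a queue that is undefined or that has child queues, and a rule using a table that was never declared. It is an example added here, not code from the post; the pf.conf fragment it scans is constructed to mirror the shape of the HFSC file and is not the author's file.

```python
import re

# Constructed pf.conf fragment (not the file from the post): an interior queue
# with children, a rule assigned to it, a rule naming an undefined queue, and
# a rule that uses a table which was never declared.
SAMPLE_PF_CONF = """\
altq on $ext_if bandwidth 1000Kb hfsc queue { dns, ssh, bulk }
queue dns  bandwidth 10% priority 6 qlimit 500 hfsc (ecn realtime 10%)
queue ssh  bandwidth 10% priority 5 qlimit 500 hfsc (ecn realtime 10%) {ssh_bulk, ssh_login}
queue ssh_login bandwidth 90% priority 5 qlimit 500 hfsc
queue ssh_bulk  bandwidth 10% priority 4 qlimit 500 hfsc
queue bulk bandwidth 80% priority 4 qlimit 500 hfsc (ecn realtime 30% default)
table <bloquear_ssh> persist
block in log quick from <never_defined>
pass quick proto tcp to any port 2222 keep state (overload <bloquear_ssh> flush) queue ssh
pass quick proto {tcp udp} to any port domain queue domain
pass quick proto tcp to any port 22 queue (ssh_bulk, ssh_login)
"""

QUEUE_DEF = re.compile(r"^queue\s+(\w+)\b.*?(?:\{([^}]*)\})?\s*$")  # name, optional child list
QUEUE_USE = re.compile(r"\bqueue\s+(?:\(([^)]*)\)|(\w+))\s*$")       # trailing queue assignment
TABLE_DEF = re.compile(r"^table\s+<(\w+)>")
TABLE_USE = re.compile(r"<(\w+)>")

def lint_pf_conf(text):
    """Return (line_no, message) pairs for bad queue and table references."""
    defined, parents, tables = set(), set(), set()
    lines = text.splitlines()
    for line in lines:  # first pass: collect queue and table definitions
        m = QUEUE_DEF.match(line)
        if m:
            defined.add(m.group(1))
            if m.group(2):  # a child list in braces makes this an interior queue
                parents.add(m.group(1))
        tables.update(TABLE_DEF.findall(line))
    problems = []
    for no, line in enumerate(lines, 1):  # second pass: check the rules
        if line.startswith(("queue", "altq", "table")):
            continue
        m = QUEUE_USE.search(line)
        if m:
            for name in map(str.strip, (m.group(1) or m.group(2)).split(",")):
                if name not in defined:
                    problems.append((no, f"queue {name} is not defined"))
                elif name in parents:  # interior queues carry no packets; assign a leaf queue
                    problems.append((no, f"queue {name} has children; assign a leaf queue"))
        for tbl in TABLE_USE.findall(line):
            if tbl not in tables:
                problems.append((no, f"table <{tbl}> is not defined"))
    return problems
```

Run `lint_pf_conf(SAMPLE_PF_CONF)` to get the three findings for the constructed fragment (undeclared table on line 8, interior queue on line 9, undefined queue on line 10); feed it your own pf.conf text to check a real file.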
