
OpenBSD Packet Filter (pf) Regeln

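# External (internet-facing) interface. Writing it as ($ext_if) in the rules
# below means "the addresses currently configured on em0", so the ruleset
# keeps working when the address changes.
ext_if = "em0"

# Addresses that must never appear on the external interface as source or
# destination: RFC 1918 space, loopback, link-local, the documentation net
# and the benchmarking range.
# NOTE(review): the table name was lost when this page was rendered (the
# angle brackets were stripped); <martians> is a reconstruction, pick any
# name but use the same one in the three block rules below.
# NOTE(review): this list is IPv4-only and omits 0.0.0.0/8, 100.64.0.0/10,
# 224.0.0.0/4 and 240.0.0.0/4; IPv6 bogons (fc00::/7 etc.) are not filtered
# at all, even though the service rules below also match the v6 address.
table <martians> { 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15 }

# Sources that tripped the ssh rate limit (filled by the overload clause of
# the ssh rule). "persist" keeps the table alive even with no rule referencing
# it. Entries are never aged out by pf itself; expire them periodically, e.g.
# from cron: pfctl -t bruteforce -T expire 86400
# NOTE(review): table name reconstructed, see above.
table <bruteforce> persist

# TCP ports reachable from the outside.
# NOTE(review): 32768:40000 and >50000 open *every* port in those ranges,
# not just a passive-FTP data range - whatever happens to listen there is
# exposed. Pin them to what the FTP daemon actually uses. Plaintext pop3/imap
# are exposed alongside their TLS variants, and ntp over TCP is unusual;
# confirm both are intended.
tcp_services = "{ ftp, ftp-data, smtp, domain, http, https, ntp, pop3, \
        pop3s, imap, imaps, 32768:40000, >50000 }"

# UDP ports reachable from the outside. Same caveat for >50000.
udp_services = "{ domain, ntp, >50000 }"

# Packet normalisation (pre-OpenBSD 4.6 / FreeBSD "scrub" syntax; on
# OpenBSD >= 4.6 this is spelled "match in on $ext_if scrub (...)").
# For scrub rules the first matching rule is the one applied. The original
# four rules therefore shadowed each other: a bare "scrub in ... all"
# matched every inbound packet and left both "fragment drop-ovl" and
# "reassemble tcp" unreachable inbound, while "scrub out ... random-id"
# hid "reassemble tcp" outbound. Each direction now has exactly one rule
# carrying all intended options. Fragments are reassembled (the default,
# and what was effectively in force before); drop-ovl was never reached and
# later pf releases dropped the option anyway. "reassemble tcp" has to be
# applied in both directions to be effective.
scrub in  on $ext_if all reassemble tcp
# random-id replaces the IP ID of outgoing packets with a random value,
# which defeats idle scans and host counting behind NAT.
scrub out on $ext_if all random-id reassemble tcp

# Default deny in both directions on every interface; everything below is an
# explicit exception. Add "log" here when troubleshooting.
block all

# Martians never enter or leave through the external interface. "quick"
# ends rule evaluation so a later pass rule cannot override these.
# NOTE(review): this assumes em0 carries a public address; if the host sits
# behind a NAT on RFC 1918 space, these two rules cut it off.
block drop in  quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>

# Anything from a known brute-forcer is dropped outright, on any interface.
block drop quick from <bruteforce>

# Loopback is unrestricted.
pass quick on lo0 all

# ICMP, all types, both families, stateful.
# NOTE(review): broader than needed. For IPv4 the usual minimum is
# "icmp-type { echoreq, unreach, timex }"; unreach is required for path MTU
# discovery. For IPv6 any restriction MUST still allow the neighbour
# discovery types (neighbrsol, neighbradv, routersol, routeradv) and toobig,
# or IPv6 connectivity breaks.
pass in inet  proto icmp  all keep state
pass in inet6 proto icmp6 all keep state

### Inbound rules
#
# ssh with brute-force protection. The original rule also listed udp, which
# is meaningless for ssh (and "flags" only applies to TCP; pfctl rejects or
# ignores it on other protocols depending on version), so it is TCP-only
# now. A source that holds more than 15 simultaneous connections or opens
# more than 10 new ones within 60 seconds is added to <bruteforce> and all
# of its states are killed ("flush global" kills states created by any
# rule, not just this one). "log" records the matches; the label makes them
# countable with "pfctl -sl".
# NOTE(review): the original comment also mentioned psybnc, but no psybnc
# port is opened by this rule; if it listens above 50000 it is reachable via
# $tcp_services instead.
pass in log on $ext_if proto tcp from any to ($ext_if) \
        port ssh label "ssh-brute" flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 10/60, \
        overload <bruteforce> flush global)

# Other TCP services, new connections only: flags S/SA means "of the SYN
# and ACK bits, exactly SYN is set". No "inet" keyword, so this matches the
# IPv4 and IPv6 addresses of $ext_if alike.
pass in on $ext_if proto tcp from any to ($ext_if) \
        port $tcp_services flags S/SA keep state

# UDP services. Stateful, so replies are matched without an outbound rule.
pass in on $ext_if proto udp from any to ($ext_if) \
        port $udp_services keep state

### Outbound rules
#
# No finer policy yet: anything originating on this host may leave.
# "modulate state" is "keep state" plus random initial sequence numbers on
# the outgoing TCP connection, for hosts with weak ISN generators.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp, icmp6 } all keep state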



Letzte Aktualisierung: 2012-08-28 09:55:11 CEST