Gateway firewall: Pf

Pf (packet-filtering firewall with state tracking - stateful inspection)

Pf (via pfctl) is the user interface used to administer the firewall that has shipped with OpenBSD since version 3.0.


A few reminders:

Scripts presented:

The three configuration files presented have the following characteristics:

Adding the following line to the configuration file of the Inetd daemon enables the use of an FTP proxy:

pf_rules_down.conf :

### BEGIN

pass in all
pass out all

pf_rules_up.conf :

### VARIABLES

EXTIF="tun0" # External Interface
INTIF="dc0" # Internal Interface

# Internal Address
PRIVATE_NET="{ 10.1.1.0/24 }"
FW="{10.1.1.7}"

ADM_IP="{ 10.1.1.77 }" # IP address of the administration station allowed to connect remotely

DNS_IP="{ 10.1.1.10 , 10.1.1.11 }"
PROXY_IP="{ 10.1.1.20 , 10.1.1.21 }"
MAIL_IP="{ 10.1.1.30 , 10.1.1.31 }"

# External Address
NOROUTEIPS="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/16 }"

SMARTMAILER="{ X.X.X.X }" # replace with the relay's real address; no ";" after a macro definition
SMARTDNS="{ X.X.X.X }"

# Ports
GP_SSH="{ 22 }"
GP_MAIL="{ 25 , 110 }"
GP_DNS="{ 53 }"
GP_WEB="{ 80 , 443 }"

GP_FTPDATA="{ 20 }"
GP_FTP="{ 21 }"
GP_FTPPROXY="{ 42871 >< 42969 }"
GP_FTPPROXY_FW="{ 42870 }"

### BEGIN

# Normalization
scrub in all

# Default Policy : Deny
block in on $INTIF all
block out on $INTIF all
block in on $EXTIF all
block out on $EXTIF all

### LOGIN AND SECURITY

# No source private address coming from the outside
block in log quick on $EXTIF from $NOROUTEIPS to any

# No source private address going outside
block out log quick on $EXTIF from $NOROUTEIPS to any

# Not going to destination private address
block out log quick on $EXTIF from any to $NOROUTEIPS

# Logging and denying broadcast
block in log quick on $EXTIF from any to 255.255.255.255
block out log quick on $EXTIF from any to 255.255.255.255

### ALLOW THESE INCOMING CONNECTIONS FROM INTERNET

# Allow redirection to admin station from the outside
pass in quick on $EXTIF inet proto tcp from any to any port $GP_SSH flags S/SA keep state

# Allow data connections from FTP servers to our non-privileged port range used by Ftp-Proxy
pass in quick on $EXTIF inet proto tcp from any port $GP_FTPDATA to any port $GP_FTPPROXY flags S/SA keep state

### ALLOW THESE OUTGOING CONNECTIONS TO INTERNET

# Allow Smtp/Pop traffic to outside defined hosts
pass out quick on $EXTIF inet proto tcp from any port > 1024 to $SMARTMAILER port $GP_MAIL flags S/SA modulate state

# Allow Http/Https traffic to any webserver
pass out quick on $EXTIF inet proto tcp from any port > 1024 to any port $GP_WEB flags S/SA modulate state

# Allow SSH traffic to any SSHD server
pass out quick on $EXTIF inet proto tcp from any port > 1024 to any port $GP_SSH flags S/SA modulate state

# Allow DNS traffic to DNS defined servers
pass out quick on $EXTIF inet proto udp from any to $SMARTDNS port $GP_DNS keep state

# Allow FTP Commands connections to any ftp server
pass out quick on $EXTIF inet proto tcp from any port > 1024 to any port $GP_FTP flags S/SA modulate state

# Allow that kind of ICMP packets
pass out quick on $EXTIF inet proto icmp from any to any icmp-type echoreq keep state

### ALLOW THESE INCOMING CONNECTIONS FROM THE LAN

# Allow relaying Smtp/Pop traffic to outside defined hosts
pass in quick on $INTIF inet proto tcp from $MAIL_IP port > 1024 to $SMARTMAILER port $GP_MAIL flags S/SA modulate state

# Allow relaying Http/Https traffic to any webserver
pass in quick on $INTIF inet proto tcp from $PROXY_IP port > 1024 to !$FW port $GP_WEB flags S/SA modulate state

# Allow relaying SSH traffic to any SSHD server
pass in quick on $INTIF inet proto tcp from any port > 1024 to !$FW port $GP_SSH flags S/SA modulate state

# Allow remote management from the Admin Station
pass in quick on $INTIF inet proto tcp from $ADM_IP port > 1024 to $FW port $GP_SSH flags S/SA modulate state

# Allow relaying DNS traffic to DNS defined servers
pass in quick on $INTIF inet proto udp from $DNS_IP to $SMARTDNS port $GP_DNS keep state

# Allow relaying FTP traffic through the Ftp-Proxy service
pass in quick on $INTIF inet proto tcp from any port > 1024 to 127.0.0.1/32 port $GP_FTPPROXY_FW flags S/SA keep state

# Allow that kind of ICMP packets from the Admin Station
pass in quick on $INTIF inet proto icmp from $ADM_IP to !$FW icmp-type echoreq keep state

### ALLOW THESE OUTGOING CONNECTIONS TO THE LAN

# Allow redirection to admin station from the outside
pass out quick on $INTIF inet proto tcp from any to $ADM_IP port $GP_SSH flags S/SA keep state

# Allow SSH anywhere on the LAN
pass out quick on $INTIF inet proto tcp from $FW port > 1024 to any port $GP_SSH flags S/SA keep state

# Allow Ftp Data flow back from Ftp-Proxy to clients
pass out quick on $INTIF inet proto tcp from $FW port $GP_FTPPROXY to any port > 1024 flags S/SA keep state

# Allow that kind of ICMP packets anywhere on the LAN
pass out quick on $INTIF inet proto icmp from $FW to any icmp-type echoreq keep state

### AND LAST : LOG AND DENY

block in log quick on $INTIF inet proto tcp from any to any
block out log quick on $INTIF inet proto tcp from any to any
block in log quick on $INTIF inet proto udp from any to any
block out log quick on $INTIF inet proto udp from any to any
block in log quick on $INTIF inet proto icmp from any to any
block out log quick on $INTIF inet proto icmp from any to any

block in log quick on $EXTIF inet proto tcp from any to any
block out log quick on $EXTIF inet proto tcp from any to any
block in log quick on $EXTIF inet proto udp from any to any
block out log quick on $EXTIF inet proto udp from any to any
block in log quick on $EXTIF inet proto icmp from any to any
block out log quick on $EXTIF inet proto icmp from any to any

nat_rules_up.conf :

### VARIABLES

ExtIfAdsl="tun0" # ADSL interface
IntIfEth="dc0" # LAN interface

# Server addresses
Dns1="10.1.1.10/32"
Dns2="10.1.1.11/32"
Proxy1="10.1.1.20/32"
Proxy2="10.1.1.21/32"
Mail1="10.1.1.30/32"
Mail2="10.1.1.31/32"

# Workstation addresses
Admin="10.1.1.77/32"

### NAT THESE INTERNAL STATIONS TO THE IP OUTSIDE ADDRESS

# Nat servers
nat on $ExtIfAdsl from $Dns1 to any -> $ExtIfAdsl
nat on $ExtIfAdsl from $Dns2 to any -> $ExtIfAdsl
nat on $ExtIfAdsl from $Proxy1 to any -> $ExtIfAdsl
nat on $ExtIfAdsl from $Proxy2 to any -> $ExtIfAdsl
nat on $ExtIfAdsl from $Mail1 to any -> $ExtIfAdsl
nat on $ExtIfAdsl from $Mail2 to any -> $ExtIfAdsl

# Nat admin station
nat on $ExtIfAdsl from $Admin to any -> $ExtIfAdsl

### SPECIAL SERVICES

# Ftp Proxying for the LAN
rdr on $IntIfEth from any to any port 21 -> 127.0.0.1 port 42870

### SERVICES FOR OUTSIDE PEOPLE

# Redirect SSHD incoming connections to the Admin Station
rdr on $ExtIfAdsl from any to $ExtIfAdsl port 22 -> 10.1.1.77 port 22
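An added helper script, not part of the original page, that switches the gateway between the full rule set (nat_rules_up.conf plus pf_rules_up.conf) and the permissive pf_rules_down.conf, parsing each file with pfctl -n before anything is loaded so that a syntax error (such as the stray ";" after a macro definition) never leaves a half-loaded rule set. It assumes the pfctl of the OpenBSD 3.x releases this page targets, where -N and -R restrict "-f file" to the NAT or filter rules, and that the three files live under /etc/pf; PF_DIR and PFCTL are overridable so the logic can be exercised against a stub.

```shell
#!/bin/sh
# Added example (not the page's own script). Switches the gateway between the
# "up" rule set (nat_rules_up.conf + pf_rules_up.conf) and the permissive
# pf_rules_down.conf. Assumes 3.x-era pfctl options: -n (parse only),
# -N/-R (restrict -f to NAT / filter rules), -F nat (flush NAT), -e (enable).
PF_DIR="${PF_DIR:-/etc/pf}"      # assumed location of the three files
PFCTL="${PFCTL:-pfctl}"          # overridable so a test stub can stand in

# Parse-only check of one file; $1 is -N (NAT rules) or -R (filter rules).
# pfctl's exit status is passed back, so a syntax error stops the switch
# before the running rules are touched.
check_rules() {
    "$PFCTL" -n "$1" -f "$2"
}

# load_ruleset up|down: returns 0 on success, 1 on a parse or load error,
# 2 on a bad argument.
load_ruleset() {
    case "$1" in
    up)
        # Both files must parse before either is loaded: failing after a
        # partial load would mix NAT and filter rules from different sets.
        check_rules -N "$PF_DIR/nat_rules_up.conf" || return 1
        check_rules -R "$PF_DIR/pf_rules_up.conf"  || return 1
        "$PFCTL" -N -f "$PF_DIR/nat_rules_up.conf" &&
            "$PFCTL" -R -f "$PF_DIR/pf_rules_up.conf" &&
            "$PFCTL" -e      # enable pf only once both sets are in place
        ;;
    down)
        check_rules -R "$PF_DIR/pf_rules_down.conf" || return 1
        # Our own addition: flush the NAT rules as well, so the ssh and
        # ftp-proxy redirections do not stay active next to pass-all rules.
        "$PFCTL" -F nat &&
            "$PFCTL" -R -f "$PF_DIR/pf_rules_down.conf"
        ;;
    *)
        echo "usage: $0 up|down" >&2
        return 2
        ;;
    esac
}

# Command-line use: pf_switch.sh up|down. Nothing runs when no argument is given.
if [ $# -gt 0 ]; then
    load_ruleset "$1"
    exit $?
fi
```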

Simon Castro
Updated 22 January 2003