Tuesday, June 29, 2010

OpenBSD 4.7 PF Changes for Gateway Firewall

So yesterday evening I finally got around to updating one of my OpenBSD gateway firewalls to 4.7. On this gateway the PF rules only needed changes in the scrub and proxy (FTP proxy and Squid redirect) sections. Below are the changes, with the 4.6 rules first and their 4.7 equivalents after. Hopefully this will help you out if you haven’t already updated.

######4.6 pf.conf###############
# Normalize all incoming/outgoing traffic to prevent malformed packets
scrub in on $ext_if all random-id fragment reassemble no-df min-ttl 5
scrub out on $ext_if all random-id fragment reassemble no-df

# FTP-Proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from $mynet to any port 21 -> 127.0.0.1 port 8021

# Squid Redirect
rdr on $int_if inet proto tcp from <webproxyusers> to !<nonproxysites> port { 80 8080 } -> 127.0.0.1 port 3128

#######4.7 pf.conf##########

# Normalizing packets
match in on $ext_if scrub (random-id min-ttl 5 no-df)
match out on $ext_if scrub (random-id no-df)

# FTP-Proxy

anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp from $mynet to any port 21 rdr-to 127.0.0.1 port 8021

# Squid Redirect
pass in quick on $int_if proto tcp from <webproxyusers> to !<nonproxysites> port { 80 8080 } rdr-to 127.0.0.1 port 3128
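The three rewrites above (scrub into a match rule, the nat-anchor/rdr-anchor pair into a single anchor, rdr into pass ... rdr-to) are mechanical enough to script. The following is an added example, not part of the original post or of OpenBSD itself: a small Python converter that takes 4.6-style pf.conf lines and emits the 4.7 form for exactly those three rule families, leaving everything else untouched for manual review. The regexes and the handling of "fragment reassemble" (dropped, since 4.7 controls reassembly with the global "set reassemble", which is on by default) are my assumptions about what a migration needs, not a complete grammar of pf.conf. The embedded sample is the 4.6 block from this post.

```python
"""Flag OpenBSD 4.6-era pf.conf rules whose syntax changed in 4.7 and emit the 4.7 form.

Added example (not from the original post). It covers only the three rule
families the post migrates: scrub, nat-anchor/rdr-anchor, and rdr. Any other
line passes through unchanged and must be reviewed by hand.
"""
import re

# 4.6: scrub <dir> on <if> all <options...>  ->  4.7: match <dir> on <if> scrub (<options>)
SCRUB_RE = re.compile(r'^scrub\s+(in|out)\s+on\s+(\S+)\s+all\s+(.+)$')
# 4.6: nat-anchor "x" and rdr-anchor "x"  ->  4.7: a single anchor "x"
ANCHOR_RE = re.compile(r'^(?:nat|rdr)-anchor\s+("[^"]+")\s*$')
# 4.6: rdr on <if> <filter...> -> <addr> [port <p>]
# 4.7: pass in quick on <if> <filter...> rdr-to <addr> [port <p>]
RDR_RE = re.compile(r'^rdr\s+on\s+(.+?)\s*->\s*(\S+)(?:\s+port\s+(\S+))?\s*$')

# Options that no longer belong inside scrub (...): fragment reassembly became
# the global "set reassemble" setting in 4.7, which defaults to on (assumption
# of this example, matching the post's 4.7 rules).
DROPPED_SCRUB_OPTS = ('fragment reassemble',)

# The 4.6 rules from the post, used as sample input.
SAMPLE_46 = """\
# Normalize all incoming/outgoing traffic to prevent malformed packets
scrub in on $ext_if all random-id fragment reassemble no-df min-ttl 5
scrub out on $ext_if all random-id fragment reassemble no-df

# FTP-Proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from $mynet to any port 21 -> 127.0.0.1 port 8021

# Squid Redirect
rdr on $int_if inet proto tcp from <webproxyusers> to !<nonproxysites> port { 80 8080 }-> 127.0.0.1 port 3128
"""


def convert_scrub(match):
    """Turn a 4.6 scrub rule into a 4.7 'match ... scrub (...)' rule."""
    direction, iface, opts = match.groups()
    for dropped in DROPPED_SCRUB_OPTS:
        opts = opts.replace(dropped, '')
    return f"match {direction} on {iface} scrub ({' '.join(opts.split())})"


def convert_rdr(match):
    """Turn a 4.6 rdr rule into a 4.7 'pass in quick ... rdr-to' rule.

    Note the semantic change: in 4.7 this single rule both redirects and
    passes the traffic, so a separate pass rule for it is no longer needed.
    """
    filter_part, target, port = match.groups()
    rule = f"pass in quick on {filter_part} rdr-to {target}"
    return rule + (f" port {port}" if port else "")


def migrate(lines):
    """Return the 4.7 rendering of an iterable of 4.6 pf.conf lines.

    Comments and blank lines are kept. The nat-anchor/rdr-anchor pair for the
    same anchor collapses into one 'anchor' line; the duplicate is dropped.
    """
    out, seen_anchors = [], set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith('#'):
            out.append(line)
        elif (m := SCRUB_RE.match(line)):
            out.append(convert_scrub(m))
        elif (m := ANCHOR_RE.match(line)):
            name = m.group(1)
            if name not in seen_anchors:
                seen_anchors.add(name)
                out.append(f"anchor {name}")
        elif (m := RDR_RE.match(line)):
            out.append(convert_rdr(m))
        else:
            out.append(line)  # not one of the three families: review by hand
    return out


if __name__ == "__main__":
    print("\n".join(migrate(SAMPLE_46.splitlines())))
```

Treat the output as a draft, not a finished ruleset: load it with `pfctl -nf /etc/pf.conf` first so pfctl parses it without activating anything, and remember that a `match ... scrub` rule only normalizes packets that some `pass` rule still has to allow, while `pass ... rdr-to` now does the passing itself.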