Archive for the month: September 2013

OpenBSD PF firewall ruleset for IPv6 connections

This is an example excerpt of my firewall rules on OpenBSD servers.

Interface axe1 is an unprotected IPv4 uplink sitting behind an external firewall.
Interface axe0 handles the IPv6 traffic on its own.

cat /etc/pf.conf
### ### ### Srv4 - Web ### ### ###
# The next three lines are the stock OpenBSD defaults. The bare "pass" is
# superseded further down by "block in log all" / "block out all": without
# "quick" the last matching rule wins. The X11 rule keeps ports 6000-6010
# closed on everything but loopback.
set skip on lo
pass            # to establish keep-state
block in on ! lo0 proto tcp to port 6000:6010
### ### ### Srv4 - Web ### ### ###
 
### ### ### SBSHosting.biz Services ### ### ###
 
## Options
### set block-policy return
### set log interface axe0
 
### ### ### Unlimited Traffic for AXE1 and Loopback ### ### ###
 
# unlimited traffic for vpn and loopback
### set skip on {lo0, axe1}
 
### ### ### BLOCK ALL ### ### ###

# Default deny in both directions. Neither rule uses "quick", so the pass
# rules below override them for exactly the traffic they match.
block in log all
block out all
 
### ### ### GREEN INTERFACE ### ### ###
# "set skip on" turns filtering off for the interface entirely, so the two
# quick pass rules in front of each skip line are never evaluated; they only
# document the intent. The idiomatic form is a single
# "set skip on { lo0, msk0, axe1 }" next to the other options. Note that this
# leaves axe1, the IPv4 uplink, protected by the external firewall alone.
pass in quick on msk0 from any to msk0
pass out quick on msk0 from msk0 to any

set skip on msk0

pass in quick on axe1 from any to axe1
pass out quick on axe1 from axe1 to any

set skip on axe1
 
### ### ### IPv6 Anti Spoofing ### ### ###
# Reverse-path check on every filtered interface: drop packets whose source
# address would not be routed back out through the interface they came in on.
# This relies on a correct routing table; asymmetric routes would drop
# legitimate traffic here.
block in quick from urpf-failed

# antispoof is a common special case of filtering and blocking. It expands to
# rules that drop packets claiming a source address from one of axe0's own
# networks when they arrive on any other interface, and packets that claim
# axe0's own address, i.e. forged or spoofed sources.
antispoof log quick for axe0 inet6

### ### ### IPv6 BLOCK NMAP SCANS ### ### ###
# Log and drop TCP segments with FIN, URG and PSH all set (nmap "Xmas" scans).
# This only catches that flag combination; SYN scans still find the ports
# opened below. Stateful TCP pass rules carry "flags S/SA" by default, so such
# segments would not create state anyway; the explicit rule mainly makes them
# visible in pflog.
block in log quick on axe0 inet6 proto tcp from any to any flags FUP/FUP
 
### ### ### ACCESS CONTROL LIST ### ### ###
 
### ### ### IPv6 ICMP Internet to Machine Access ### ### ###
# IPv6 - pass in all ICMPv6 traffic (on every filtered interface, not just
# axe0). Because of "quick", the type-specific "pass in ... icmp6-type" rules
# further down can no longer narrow this; tighten it here if only neighbor
# discovery, router advertisements and echo requests are wanted inbound.
pass in quick proto icmp6 all
### ### ### IPv6 ICMP Internet to Machine Access ### ### ###
 
### ### ### IPv6 Administrator Access ### ### ###
# (the SSH rules restricted to the tunnel-broker prefixes are listed under
#  "IPv6 Internet Access to Machine" below)
 
### ### ### IPv6 Machine to Internet Access ### ### ###
# Allow outgoing services. OpenBSD pass rules keep state by default, so the
# replies come back without an explicit "pass in".
pass out on axe0 inet6 proto tcp to any port ssh
pass out on axe0 inet6 proto tcp to any port smtp
pass out on axe0 inet6 proto tcp to any port domain
pass out on axe0 inet6 proto tcp to any port www
pass out on axe0 inet6 proto tcp to any port https
pass out on axe0 inet6 proto tcp to any port 122
pass out on axe0 inet6 proto tcp to any port ntp   # NTP runs over UDP/123; this TCP rule is harmless but unused
pass out on axe0 inet6 proto tcp to any port 43    # whois
 
pass out on axe0 inet6 proto udp to any port domain
pass out on axe0 inet6 proto udp to any port ntp
 
### ### ### IPv6 Internet Access to Machine ### ### ###
# Allow incoming services
pass in on axe0 inet6 proto tcp from any to axe0 port https
pass in on axe0 inet6 proto tcp from any to axe0 port http
 
### INCOMING - TunnelBroker - SBSHosting.biz - 1 ###
# SSH only from the tunnel-broker prefixes. The "xxx" parts are redacted in
# this excerpt; "pfctl -nf /etc/pf.conf" will refuse the file until they are
# replaced with the real prefix.
# 1.tunnel.tser1.pop1.ipv6.he.net
# 2001:470:xxx:xxx::/64
pass in on axe0 inet6 proto tcp from 2001:470:xxx:xxx::/64 to axe0 port ssh
# 2001:470:xxx::/48
pass in on axe0 inet6 proto tcp from 2001:470:xxx::/48 to axe0 port ssh
### INCOMING - TunnelBroker - SBSHosting.biz - 1 ###
 
... and so on ...
 
# pass in on axe0 inet6 proto udp from any to axe0 port ntp
### ### ### IPv6 Internet Access to Machine ### ### ###
 
### ### ### IPv6 Trace Route ### ### ###
# Outgoing traceroute6 UDP probes. "a >< b" excludes both ends, so this covers
# ports 33434-33625. "keep state" is the default on OpenBSD and could be omitted.
pass out on axe0 inet6 proto udp from any to any port 33433 >< 33626 keep state
 
### ### ### IPv6 Router advertisement ### ### ###
# These two rules are written from a router's point of view (advertise out,
# solicit in). A server that uses router solicitation to find its gateway
# needs the reverse: inbound advertisements are already admitted by the
# "pass in quick proto icmp6 all" rule above, but no rule here lets an
# outbound router solicitation past "block out all".
# Router advertisement out
pass out on axe0 inet6 proto icmp6 all icmp6-type routeradv

# Router solicitation in
pass in on axe0 inet6 proto icmp6 all icmp6-type routersol
 
### ### ### IPv6 ND advertisement ### ### ###
# Neighbor discovery (solicitation and advertisement) in; already covered by
# the "pass in quick proto icmp6 all" rule above
pass in on axe0 inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}

# Neighbor discovery (solicitation and advertisement) out
pass out on axe0 inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
 
### ### ### IPv6 Ping Pong ### ### ###
# Allow Ping pong in
pass in on axe0 inet6 proto icmp6 all icmp6-type echoreq
 
# Allow ping pong out
pass out on axe0 inet6 proto icmp6 all icmp6-type echoreq keep state
 
### ### ### SBSHosting.biz Services ### ### ###
### EOF
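As an added example, not code from the original post: the Python script below is a toy model of the rule-evaluation semantics this ruleset relies on ("set skip" bypassing filtering, last matching rule wins, "quick" ending the search, and the implicit "flags S/SA" on TCP pass rules), run over a constructed subset of the rules above with constructed packets. It parses only the keywords those rules use, ignores addresses (so the prefix-restricted SSH rules are left out), handles one interface per "set skip" line, and judges only the first packet of a flow, since PF consults its state table before the rules. The real checks remain `pfctl -nf /etc/pf.conf` for syntax and `pfctl -sr` to print the loaded rules in evaluation order.

```python
"""Toy evaluator for PF rule ordering (added example, not the page's code).
Models what the ruleset above relies on: 'set skip' bypasses filtering,
the last matching rule wins, 'quick' ends the search, and TCP pass rules
carry an implicit 'flags S/SA'. Only a flow's first packet is judged (PF
checks its state table before the rules); addresses are not parsed."""
from collections import namedtuple
from types import SimpleNamespace

SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "www": 80, "http": 80, "https": 443}
# direction "in"/"out", interface, address family, protocol, dest port, TCP flags set
Packet = namedtuple("Packet", "direction iface af proto dport flags",
                    defaults=("inet6", "tcp", None, "S"))

def parse(conf):
    """Return (skipped interfaces, rules) from pf.conf text; antispoof etc. are ignored."""
    skip, rules = set(), []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        toks = line.split()
        if toks[:3] == ["set", "skip", "on"]:       # one interface per line, groups not expanded
            skip.add(toks[3])
        if not toks or toks[0] not in ("block", "pass"):
            continue
        r = SimpleNamespace(action=toks.pop(0), text=line, direction=None, quick=False,
                            iface=None, af=None, proto=None, ports=None, flags=None)
        while toks:
            t = toks.pop(0)
            if t in ("in", "out"):
                r.direction = t
            elif t == "quick":
                r.quick = True
            elif t in ("inet", "inet6"):
                r.af = t
            elif t == "on":
                r.iface = toks.pop(0)
            elif t == "proto":
                r.proto = toks.pop(0)
            elif t == "port" and toks[1:2] == ["><"]:   # "a >< b" excludes both ends
                r.ports = (int(toks.pop(0)) + 1, int(toks.pop(1)) - 1)
            elif t == "port":
                p = toks.pop(0)
                r.ports = (SERVICES.get(p) or int(p),) * 2
            elif t == "flags":                          # "set/mask" in PF letter notation
                s, _, m = toks.pop(0).partition("/")
                r.flags = (set(s), set(m))
        if r.action == "pass" and r.proto == "tcp" and r.flags is None:
            r.flags = ({"S"}, {"S", "A"})               # PF's default for TCP pass rules
        rules.append(r)
    return skip, rules

def matches(r, p):
    for want, have in ((r.direction, p.direction), (r.iface, p.iface),
                       (r.af, p.af), (r.proto, p.proto)):
        if want and want != have:
            return False
    if r.ports and (p.dport is None or not r.ports[0] <= p.dport <= r.ports[1]):
        return False
    return not r.flags or {f for f in p.flags if f in r.flags[1]} == r.flags[0]

def verdict(skip, rules, p):
    """(action, deciding rule) for p: last match wins, 'quick' ends the search."""
    if p.iface in skip:
        return "pass", "set skip on " + p.iface
    last = None
    for r in rules:
        if matches(r, p):
            last = r
            if r.quick:
                break
    return (last.action, last.text) if last else ("pass", "no rule matched")

# Constructed subset of the page's ruleset (redacted SSH prefixes omitted).
SAMPLE = """
pass            # to establish keep-state
block in log all
block out all
pass in quick on msk0 from any to msk0
set skip on msk0
block in log quick on axe0 inet6 proto tcp from any to any flags FUP/FUP
pass in quick proto icmp6 all
pass out on axe0 inet6 proto tcp to any port smtp
pass in on axe0 inet6 proto tcp from any to axe0 port https
pass out on axe0 inet6 proto udp from any to any port 33433 >< 33626 keep state
"""

def demo():
    skip, rules = parse(SAMPLE)
    cases = {
        "https in": Packet("in", "axe0", dport=443),
        "ssh in, no pass rule": Packet("in", "axe0", dport=22),
        "stray ACK to https, no state": Packet("in", "axe0", dport=443, flags="A"),
        "xmas to https, quick block first": Packet("in", "axe0", dport=443, flags="FUP"),
        "IPv4 to https, inet6 rules only": Packet("in", "axe0", af="inet", dport=443),
        "any icmp6 in": Packet("in", "axe0", proto="icmp6"),
        "traceroute probe out": Packet("out", "axe0", proto="udp", dport=33500),
        "traceroute lower bound": Packet("out", "axe0", proto="udp", dport=33433),
        "green interface, skipped": Packet("in", "msk0", dport=9999),
    }
    return {name: verdict(skip, rules, p) for name, p in cases.items()}

if __name__ == "__main__":
    print(*(f"{n:34} {a:5} <- {r}" for n, (a, r) in demo().items()), sep="\n")
```

demo() returns the verdict and the deciding rule for each constructed packet. Two results are worth looking at: an Xmas segment aimed at the open HTTPS port is dropped by the quick rule before the https pass rule is ever consulted, and a packet arriving on msk0 never reaches the "pass in quick on msk0" rule because "set skip" short-circuits filtering before any rule is evaluated, which is why that rule is dead in the ruleset above.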