www.ghislain.fr

##############################################################################
##            Regle de filtrage et de routage packefilter by fg.            ##
##            Sur Laptop www.ghislain.fr      Date : 28-10-2011.             ##
##############################################################################
# Macros:
int_if = "rl0"
ext_if = "fxp0"  # replace with actual external interface name i.e., dc0
lo     = "lo0"  # Carte Local Loopback

# Network
ext_net="192.168.0.1"
int_net = "10.0.0.1"
local_net = "10.0.0.0/8"
# Hosts
host = "10.0.0.1"
host1 = "10.0.0.2"
host2 = "10.0.0.3"
friends = "{ 10.0.0.2, 10.0.0.3 }"
# Services visible de l interieur
tcp_local = "{ ntp, 137, 138, 139, 445 }"
udp_local = "{ 69 }"
# Services visible de l exterieur
tcp_ext = "{ http, https}"
udp_services = "{ ntp, }"
icmp_types = "{ echoreq, unreach, 8, 11 }"

# Non-routable IP numbers
RCF1918 = "{ 127.0.0.0/8, 0.0.0.0/8,255.255.255.255/32 }"
# Tables:
table <RSE> persist {10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/24}
table <ssh-bruteforce> persist file "/etc/ssh-bruteforce"
table <www-abuse> persist file "/etc/www-abuse"

# Options:
set block-policy return
set loginterface $ext_if
set skip on {lo0, $int_if}
set optimization aggressive
#set reassemble yes [no-df]
#set require-order
# Normalization:
match in all scrub (no-df)

# Queueing:
#### NAT and RDR start
# Translation du LAN:

# rdr:
## Redirection vers apache de host2
#match in on egress inet proto tcp from any to any port 80 rdr-to $host2
#### BLOCAGE
# Filtering:
block log all

# anti spoof
antispoof quick for { $lo $ext_if $int_if }
# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Blocage RCF1918
block in on egress from $RCF1918 to any
block out on egress from any to $RCF1918
# Blocage par les tables
# On bloque ceux qui sont dans la table sur les ports concernés
# Le 'quick' permet d'ignorer toute autre rêgle de filtrage
# concernant ces paquets
block in quick on $ext_if proto tcp from <ssh-bruteforce> port ssh
block in quick on $ext_if proto tcp from <www-abuse> port http

# Blocage www
# Si on a plus de 50 connection avec cet IP ou plus de 20 connexion
# en 5 secondes, alors on met l'IP concernée dans la table www-abuse
# on envoi autorise les port tcp_ext
pass in on $ext_if inet proto tcp from any to $Eliott port $tcp_ext flags S/SA synproxy state (source-track rule, max-src-conn 5, max-src-conn-rate 5/5, overload <www-abuse> flush global)

#### AUTORISE
# Sortie autorisé
pass out on egress inet proto tcp all
pass out on egress inet proto udp all
# Autorisation des amies
pass in quick on $ext_if inet proto tcp from $friends to $host port $tcp_local keep state
pass in quick on $ext_if inet proto udp from $friends to $host port $udp_local keep state
# Autorisation du LAN

# SSH protege
# si on a plus de 2 connection toutes les 10 secondes sur
# le port ssh, on rajoute l'IP concernée dans la table ssh-bruteforce
pass in quick on $ext_if inet proto tcp from any to any port ssh flags S/SA keep state (source-track rule, max-src-conn 3, max-src-conn-rate 3/10, overload <ssh-bruteforce> flush global)

# Ping
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $ext_if from $host2 to $host
###############################  F I N  #######################################