Advanced pf configuration


PacketFilter, or pf, is OpenBSD's firewalling system. It is configured very easily through the /etc/pf.conf file. Pf is well documented, the official FAQ can be found here, and it lets you do extremely fine-grained things. One point to note: unlike IPTables on Linux, it is the last rule in the configuration file that matches a packet which applies, unless the quick keyword is given in the rule.

For reference, here is my commented configuration file:
#       $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# declare my network interfaces
external="tun0"
internal="rl0"

# we are going to block non-routable addresses (loopback, network addresses..)
noroute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"

# list of services/ports we will leave open
services = "{ ssh, http, https, smtp, imaps }"

# list of ports we do not want to log (microsoft/netbios ports)
ports_not_logged = "{ 445, 135, 139 }"

# list of ports we are going to redirect to PCs on the local network
tcp_forwarded_ports = "{ 6891, 8010, 1720 }"
gnomemeeting_forwarded_ports = "{ 5000:5016 }"

tcp_mldonkey_ports = "{ 4662, 4661 }"
udp_mldonkey_ports = "{ 4665, 4672, 4666 }"

# reassemble all fragmented packets
scrub in all

# enable NAT for packets coming from the local network
nat on $external from 10.246.200.0/24 to any -> $external

# redirect these ports to my PC
rdr pass on $external proto tcp to port $tcp_forwarded_ports -> 10.246.200.XX
rdr pass on $external proto udp to port $gnomemeeting_forwarded_ports -> 10.246.200.XX

# redirect the mldonkey ports to the file server :-)
rdr pass on $external proto tcp to port $tcp_mldonkey_ports -> 10.246.200.WW
rdr pass on $external proto udp to port $udp_mldonkey_ports -> 10.246.200.WW

# NAT is configured, now on to connection filtering
# by default, block all connections
# from now on, we only allow the packets we want, case by case
block all

# allow all traffic on loopback and between the local network and the server (we're not too paranoid yet..)
pass quick on { lo $internal }
antispoof quick for { lo $internal }

# keep non-routable packets from entering and leaving
block in log quick on $external from $noroute to any
block out log quick on $external from any to $noroute

# only allow control ICMP packets coming from outside
pass in quick on $external inet proto icmp from any to any icmp-type { \
    echorep, echoreq, timex, unreach }

# block the other ICMP packet types
block in log quick on $external inet proto icmp from any to any

# allow the wanted services inbound
pass in quick on $external inet proto tcp from any to any port $services flags S/SA keep state

# allow all outbound packets (with keep state so that replies to connections are allowed)
pass out quick on $external inet proto tcp  from any to any flags S/SA keep state
pass out quick on $external inet proto udp  all keep state
pass out quick on $external inet proto icmp from any to any keep state

# finally, block everything else and log it all, except the microsoft ports
block in quick on $external inet proto { tcp udp } from any to any port $ports_not_logged
block in log quick on $external all


And there we go! With that, we have a complete firewall that reasonably secures our local network. We check that pf has actually taken these rules into account:
root@spud[~]$pfctl -f /etc/pf.conf   
root@spud[~]$pfctl -sn
nat on tun0 inet from 10.246.200.0/24 to any -> IP.EXTERNE
rdr pass on tun0 inet proto tcp from any to any port = 6891 -> 10.246.200.XX
rdr pass on tun0 inet proto tcp from any to any port = 8010 -> 10.246.200.XX
rdr pass on tun0 inet proto tcp from any to any port = 1720 -> 10.246.200.XX
rdr pass on tun0 inet proto udp from any to any port 5000:5016 -> 10.246.200.XX
rdr pass on tun0 inet proto tcp from any to any port = 4662 -> 10.246.200.WW
rdr pass on tun0 inet proto tcp from any to any port = 4661 -> 10.246.200.WW
rdr pass on tun0 inet proto udp from any to any port = 4665 -> 10.246.200.WW
rdr pass on tun0 inet proto udp from any to any port = 4672 -> 10.246.200.WW
rdr pass on tun0 inet proto udp from any to any port = 4666 -> 10.246.200.WW

root@spud[~]$pfctl -sr
scrub in all fragment reassemble
block drop all
pass quick on lo all
pass quick on rl0 all
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! rl0 inet from 10.246.200.0/24 to any
block drop in quick inet from 10.246.200.1 to any
block drop in quick on rl0 inet6 from fe80::2e0:4cff:fe03:10ed to any
block drop in log quick on tun0 inet from 127.0.0.0/8 to any
block drop in log quick on tun0 inet from 192.168.0.0/16 to any
block drop in log quick on tun0 inet from 172.16.0.0/12 to any
block drop in log quick on tun0 inet from 10.0.0.0/8 to any
block drop in log quick on tun0 inet from 255.255.255.255 to any
block drop out log quick on tun0 inet from any to 127.0.0.0/8
block drop out log quick on tun0 inet from any to 192.168.0.0/16
block drop out log quick on tun0 inet from any to 172.16.0.0/12
block drop out log quick on tun0 inet from any to 10.0.0.0/8
block drop out log quick on tun0 inet from any to 255.255.255.255
pass in quick on tun0 inet proto icmp all icmp-type echorep
pass in quick on tun0 inet proto icmp all icmp-type echoreq
pass in quick on tun0 inet proto icmp all icmp-type timex
pass in quick on tun0 inet proto icmp all icmp-type unreach
block drop in log quick on tun0 inet proto icmp all
pass in quick on tun0 inet proto tcp from any to any port = ssh flags S/SA keep state
pass in quick on tun0 inet proto tcp from any to any port = www flags S/SA keep state
pass in quick on tun0 inet proto tcp from any to any port = https flags S/SA keep state
pass in quick on tun0 inet proto tcp from any to any port = smtp flags S/SA keep state
pass in quick on tun0 inet proto tcp from any to any port = imaps flags S/SA keep state
pass out quick on tun0 inet proto tcp all flags S/SA keep state
pass out quick on tun0 inet proto udp all keep state
pass out quick on tun0 inet proto icmp all keep state
block drop in quick on tun0 inet proto tcp from any to any port = microsoft-ds
block drop in quick on tun0 inet proto tcp from any to any port = epmap
block drop in quick on tun0 inet proto tcp from any to any port = netbios-ssn
block drop in quick on tun0 inet proto udp all
block drop in log quick on tun0 all
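The expanded ruleset above is walked top to bottom, and as noted at the start the last matching rule decides unless a matching rule carries quick. The following small Python model, added here and not part of the article, mirrors a subset of the rules in the article's order (block all, pass on the internal interface, the non-routable source blocks, the services rule, pass out, the final catch-all) and evaluates constructed sample packets against them; strip_quick then shows that the same rules without quick would block even the permitted inbound ssh, because the final block-in-all rule becomes the last match. The Rule, evaluate, strip_quick and pkt names and the 203.0.113.0/24 sample addresses are assumptions of this example, not pf syntax.

```python
"""Toy model of pf's evaluation order (added example, not the article's code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    quick: bool = False
    direction: str = ""             # "in", "out" or "" for both
    iface: str = ""                 # "" matches any interface
    proto: str = ""                 # "tcp", "udp", "icmp" or "" for any
    src: str = ""                   # source network in CIDR, "" for any
    dport: frozenset = frozenset()  # accepted destination ports, empty for any

def matches(rule: Rule, pkt: dict) -> bool:
    """True when every constraint the rule sets holds for the packet."""
    return ((not rule.direction or rule.direction == pkt["dir"])
            and (not rule.iface or rule.iface == pkt["iface"])
            and (not rule.proto or rule.proto == pkt["proto"])
            and (not rule.src or ip_address(pkt["src"]) in ip_network(rule.src))
            and (not rule.dport or pkt.get("dport") in rule.dport))

def evaluate(rules: list, pkt: dict) -> tuple:
    """Return (action, index of deciding rule): last match wins unless quick."""
    decision = ("pass", -1)         # pf passes a packet that matches no rule at all
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule.action, i)
            if rule.quick:
                break               # quick: later rules are not consulted
    return decision

def strip_quick(rules: list) -> list:
    return [replace(r, quick=False) for r in rules]  # same rules, same order, no quick

EXT, INT = "tun0", "rl0"
NOROUTE = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
SERVICES = frozenset({22, 25, 80, 443, 993})  # ssh, smtp, http, https, imaps
RULESET = [  # subset of the article's ruleset, in the article's order
    Rule("block"),                                              # 0: block all
    Rule("pass", quick=True, iface=INT),                        # 1: pass quick on $internal
    *[Rule("block", True, "in", EXT, src=n) for n in NOROUTE],  # 2-5: non-routable sources
    Rule("pass", True, "in", EXT, "tcp", dport=SERVICES),       # 6: allowed services
    Rule("pass", True, "out", EXT),                             # 7: everything outbound
    Rule("block", True, "in", EXT),                             # 8: block in log quick ... all
]

def pkt(src: str, dport: int, direction: str = "in", iface: str = EXT, proto: str = "tcp") -> dict:
    """Constructed sample packet (use 203.0.113.0/24, a documentation range, for outside hosts)."""
    return {"dir": direction, "iface": iface, "proto": proto, "src": src, "dport": dport}
```

For example, evaluate(RULESET, pkt("10.9.8.7", 22)) is decided by the 10.0.0.0/8 block before the services rule is ever reached, whereas evaluate(strip_quick(RULESET), pkt("203.0.113.7", 22)) ends in a block from the catch-all.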

Finally, with the nmap port scanner, we look at which ports are seen as open from the outside and from the inside. The http/https/imaps/smtp ports are marked closed because the corresponding services have not been installed yet.
[breuil@fc breuil]$ nmap fr.homeunix.org

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-17 17:10 CEST 
Insufficient responses for TCP sequencing (0), OS detection may be less accurate 
Insufficient responses for TCP sequencing (0), OS detection may be less accurate 
Interesting ports on 52.215.100-84.rev.gaoland.net (84.100.215.52): 
(The 1658 ports scanned but not shown below are in state: filtered) 
PORT    STATE  SERVICE 
22/tcp  open  ssh 
25/tcp  closed smtp 
80/tcp  closed http 
443/tcp closed https 
993/tcp closed imaps 

landry@renton[~]$nmap spud

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-06-17 17:29 UTC
Interesting ports on spud (10.246.200.1):
(The 1659 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
13/tcp  open  daytime
22/tcp  open  ssh
37/tcp  open  time
113/tcp open  auth

Next: DNS server and mail server configuration
