back to OpenBSD after 2 years away.. box still works.. but.. - BSD


  1. back to OpenBSD after 2 years away.. box still works.. but..

    Greeting all..
    I have brought my 2 year old OpenBSD 3.3 box out of
    the attic after 2 years..
    Plugged it in.. turned on pf and it worked.. but my rules need to be
    updated..

    I am now running my own Mailserver and have a VOIP phone..
    Tried to update based on other posts
    ---------
    Problems:
    I am not receiving mail
    and
    Not sure what to use to ensure QOS for my VOIP phone..

    --------
    I will move to OpenBSD 3.7 when i have the rules working correctly.

    thx for any help..

    -----------
    My setup

    OpenBSD 3.3 Intel NetPC ( 1 onboard intel and 1 PCI nic - only one pci
    slot so can't have a DMZ)

    Mail Server 192.168.1.2
    Voip Phone 192.168.1.7

    My rules (borrowed and modified) (tried to comment better)

    # ---------------------
    # Generic configuration
    # ---------------------

    set limit { states 20000, frags 20000 }
    set optimization aggressive
    # Enabling "block-policy return" shows "closed ports" to an external
    # scanner such as http://scan.sygatetech.com/quickscan.html
    # set block-policy return
    set fingerprints "/etc/pf.os"

    # --------------------
    # Variable definitions
    # --------------------

    ext_if = "fxp0"
    int_if = "xl0"
    dhcp_servers = "{ 172.19.57.13 }"

    # host macros (macro syntax is  name = "value")
    mail = "192.168.1.2"
    voipbox = "192.168.1.7"

    # a portnumber.
    friends = "xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx"
    # read the pf-howto for details.
    TCP_OPTIONS = "flags S/SAFR keep state"

    # http://www.iana.org/assignments/ipv4-address-space
    # http://rfc.net/rfc1918.html
    reserved = " {
    0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8,
    169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16,
    224.0.0.0/3 } "
    # Persistent IPs
    bad = " { 61.143.182.138, 211.162.110.197, 82.67.29.10,
    203.197.199.180 } "

    #Tables
    table persist { 216.73.80.0/20, 204.253.104.0/24,
    205.138.3.0/24, 208.184.29.0/24 }
    table persist { 2.23.190.0/24, 65.247.105.0/24,
    65.215.137.0/24 }
    table persist file "/etc/tables/blacklists"
    # spamd-setup puts addresses to be redirected into table .
    table persist
    # These hosts are trusted
    trusted = "{ xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx,
    xxx.xxx.xxx.xxx }"


    # For Future
    # server = "{ smtp, http }"
    # guest = "xxx.xxx.xxx.xxx"


    # -----------
    # scrub rules
    # -----------

    # scrub in all # borks with linux nfs
    scrub in on $ext_if all

    # but this fixes it again
    scrub in on $int_if all no-df


    # ----------
    # altq rules
    # ----------

    # These are very simple altq rules.
    # All they do is give priority to outgoing ssh traffic.
    altq on $ext_if cbq bandwidth 128Kb \
    queue { std_out, ssh_out, ack_out}

    queue std_out cbq(red default)
    queue ssh_out priority 4 cbq(red)
    queue ack_out priority 6 cbq(red)

    # ---------
    # Nat and Rdr rules
    # ---------

    nat on $ext_if inet from $int_if/24 to any -> ($ext_if)

    # Redirect to Mailserver
    rdr on $ext_if proto tcp from any to $ext_if port 2525 -> 192.168.1.2 port 2525
    # --------
    # pf rules
    # --------

    # Default policy.
    # remove the log-keyword if you ever get ddossed.
    block out log on $ext_if all queue std_out
    block in log on $ext_if all


    # ---------------
    # SPOOFERS
    # ---------------

    # Block spoofing.
    block in quick on $ext_if from $reserved to any
    block out quick on $ext_if from $reserved to any

    # bad ips.
    block in quick on $ext_if from $bad to any

    # antispoof _has_ to be preceded with pass in quick on lo0 all.
    pass in quick on { lo0, lo1 } all
    antispoof for { lo0, $int_if, $ext_if }

    # -deny popup ads
    block in quick on $ext_if from any to { , ,
    }
    block out quick on $ext_if from { , ,
    } to any

    # block x10 ads
    block in quick on $ext_if from 63.211.210.20/32 to any
    block out quick on $ext_if from any to 63.211.210.20/32


    # Block AIM
    # block in on $int_if from any to login.oscar.aol.com

    # ----
    # ICMP
    # ----
    # The inet keyword means ipv4 so ipv6 pings will be blocked.
    pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state queue std_out
    pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state


    # ---
    # UDP
    # ---

    # outgoing UDP
    pass out quick on $ext_if proto udp all keep state queue std_out


    # I only allow dhcp-traffic from the dhcp-servers I use.

    pass in quick on $ext_if inet proto {udp,tcp} \
    from $dhcp_servers port 67 \
    to 255.255.255.255 port 68

    # ---
    # TCP
    # ---

    # Incoming TCP

    # First the nat'ed traffic

    # The rest of this traffic should be aimed at $ext_if, so we can cut
    # off the rest: broadcasts and other garbage. Saves a lot of fubar in
    # the logs.

    block in quick on $ext_if inet from any to ! ($ext_if)


    # trusted
    pass in quick on $ext_if inet proto tcp from $trusted to ($ext_if)
    port ssh \
    $TCP_OPTIONS

    # Pass rule for Mailserver

    pass in quick on $ext_if inet proto tcp from any to any port 2525 \
    keep state

    # Outgoing TCP

    # Outgoing SSH always gets the highest priority.
    pass out quick on $ext_if proto tcp from any to any port ssh \
    keep state queue ( ssh_out, ack_out )

    pass out quick on $ext_if proto tcp all keep state \
    queue std_out

    # Make voip super interactive for smooth conversation
    pass in on $ext_if proto { udp, icmp } from any to 192.168.1.7 \
    keep state queue voip_in
    pass out on $ext_if proto { udp, icmp } from 192.168.1.7 to any \
    keep state queue voip_out

  2. Re: back to OpenBSD after 2 years away.. box still works.. but..

    Charles wrote:

    ------------------------------
    After more reading on altq and several other sites.. my email server is
    receiving mail (on a non-standard port) .. still working on
    the proper numbers for alt queue

    My broadband connection is 4Mb down and 384 up.. my main concern is for
    voip..

    Looks like I will have to read more..

    I wish there were some "default examples" for pf instead of having to
    scour the internet for them.. (oh I know about the ones on Openbsd.org)

    anyway.. I will post back my pf.conf (which is really quite simple) for
    others to use..
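    Added example, not the poster's own pf.conf: an OpenBSD 3.3-era fragment that sizes a priq scheduler for the 384Kb uplink from the follow-up with the phone's traffic on top, and orders the filter rules so the redirected port 2525 mail is not dropped by the "to ! ($ext_if)" block. The macro names mail, voip and mail_port are assumptions; the interfaces and addresses are the ones from the post.

```pf
# Added example, not the poster's rules: OpenBSD 3.3-era pf.conf fragment.
# Assumed macro names: mail, voip, mail_port. Interfaces as in the post.
ext_if    = "fxp0"
int_if    = "xl0"
mail      = "192.168.1.2"      # macro syntax is  name = "value"
voip      = "192.168.1.7"
mail_port = "2525"             # the non-standard port used in the post

# ---- altq: priq is enough for "VoIP first" on a 384Kb uplink ----
# Bandwidth is set a little below the real uplink so the queue forms on
# this box; if the modem's own FIFO fills up first, priorities do nothing.
# Only the outbound side of $ext_if is shaped: this box cannot reorder
# what the ISP sends down the 4Mb link, but the 384Kb uplink is the
# bottleneck, so that is where the phone's packets need to go first.
altq on $ext_if priq bandwidth 350Kb queue { voip_out, ack_out, ssh_out, std_out }
queue voip_out priority 7
queue ack_out  priority 6
queue ssh_out  priority 4
queue std_out  priority 1 priq(default)

# ---- translation is evaluated before filtering ----
nat on $ext_if inet from $int_if/24 to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to $ext_if port $mail_port \
    -> $mail port $mail_port

block in  log on $ext_if all
block out log on $ext_if all queue std_out

# After rdr the SMTP packets carry destination $mail, not $ext_if. The
# post's "block in quick ... to ! ($ext_if)" therefore drops them before
# the mail pass rule is ever reached. Pass the redirected traffic first,
# then block everything else that is not addressed to this box.
pass in quick on $ext_if inet proto tcp from any to $mail port $mail_port \
    flags S/SA keep state
block in quick on $ext_if inet from any to ! ($ext_if)

# ---- VoIP ----
# Outbound UDP from the phone (SIP signalling and RTP media) goes to the
# top queue; the state it creates lets the replies back in. A
# "pass in on $ext_if ... to $voip" rule only ever matches if an rdr has
# rewritten the destination to $voip first.
pass out quick on $ext_if inet proto udp from $voip to any \
    keep state queue voip_out

# Other outbound TCP: the second queue name takes the small ACK packets,
# which keeps downloads on the 4Mb side from stalling behind uploads.
pass out quick on $ext_if inet proto tcp all flags S/SA keep state \
    queue ( std_out, ack_out )
```

    Load it with "pfctl -nf /etc/pf.conf" first: the syntax check catches a queue referenced in a rule but never defined, which is what the voip_in / voip_out names in the post would trigger.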
