J. Buck Caldwell
2005-Dec-15 22:13 UTC
My ungodly PF config - am I sane and brilliant, or just deluded and dangerous?
My company is using FreeBSD for two major applications: our file servers (via Samba), which aren't the subject of this message; and the routers between branches. Some background follows. We have essentially two types of branches - Type A, with their own cable internet connections, and Type B, who have point-to-point T1 connections to Corporate and use our internet connection for outside communication. The Type A branches have FreeBSD machines acting as firewall/NAT, and also providing gif endpoints for tunnels to our Corporate office, which also uses a FreeBSD machine to provide firewall/NAT for the Corporate Office and Type B branches. With me so far? Here's the fun part. Our traffic has gotten to the point where I've decided that some traffic shaping (ALTQ) is necessary. I've been experimenting with my home cable internet connection (and gif tunnel to work), and I believe I've come up with a workable solution. However, I'd like to run it by some experts to see if I'm screwing up (or hitting any possible limits) before I try putting it in place live.
Here's the config, with some comments/questions:

int_if = "bge1"   # obviously, the Internal interface of our firewall, connected to the corporate internal network
ext_if = "bge0"   # again, obviously, the external interface, connected to the DMZ, with a publicly routed IP
gif_if = "{" gif1 gif3 gif5 gif7 gif10 gif11 gif12 gif13 gif14 gif15 gif19 gif20 gif21 gif25 "}"   # all of the gif tunnels to the various branches

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

altq on $ext_if priq bandwidth 4500Kb queue { std_out, ssh_out, mail_out, www_out, notes_out, dns_out, gif_out, pri_out }
queue std_out priq(default) qlimit 150
queue mail_out priority 2
queue www_out priority 3
queue notes_out priority 4    # We use Notes primarily, so it gets higher priority than normal SMTP/POP3 traffic
queue dns_out priority 6
queue ssh_out priority 7
queue gif_out priority 8      # This gets any traffic encapsulated in a gif tunnel or ipsec.
queue pri_out priority 15

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
# it occurs to me, as I post this, that I'll need to change this to account for the Type B branches that are on separate subnets.

# filter rules
block all
pass quick on lo0 all
pass quick on $int_if all
pass in quick on $gif_if all

# Is there any reason to keep state on any of the following "in" rules?
pass in quick on $ext_if proto ipencap all
pass in quick on $ext_if proto esp all
pass in quick on $ext_if proto tcp all
pass in quick on $ext_if proto udp all
pass in quick on $ext_if proto icmp all

pass out on $gif_if proto udp all keep state queue(std_out, pri_out)
pass out on $gif_if proto icmp all keep state queue(std_out, pri_out)
pass out on $gif_if proto tcp all modulate state flags S/SA queue(std_out, pri_out)
pass out on $gif_if proto tcp from any to any port 22 modulate state flags S/SA queue(ssh_out, pri_out)
pass out on $gif_if proto tcp from any to any port 25 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $gif_if proto tcp from any to any port 110 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $gif_if proto tcp from any to any port 80 modulate state flags S/SA queue(www_out, pri_out)
pass out on $gif_if proto tcp from any to any port 443 modulate state flags S/SA queue(www_out, pri_out)
pass out on $gif_if proto tcp from any to any port 1352 modulate state flags S/SA queue(notes_out, pri_out)
pass out on $gif_if proto udp from any to any port 53 keep state queue(dns_out, pri_out)

pass out on $ext_if proto { udp, icmp } all keep state queue(std_out, pri_out)
pass out on $ext_if proto tcp all modulate state flags S/SA queue(std_out, pri_out)
pass out on $ext_if proto tcp from any to any port 22 modulate state flags S/SA queue(ssh_out, pri_out)
pass out on $ext_if proto tcp from any to any port 25 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $ext_if proto tcp from any to any port 110 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $ext_if proto tcp from any to any port 1352 modulate state flags S/SA queue(notes_out, pri_out)
pass out on $ext_if proto tcp from any to any port 80 modulate state flags S/SA queue(www_out, pri_out)
pass out on $ext_if proto tcp from any to any port 443 modulate state flags S/SA queue(www_out, pri_out)
pass out on $ext_if proto udp from any to any port 53 keep state queue(dns_out, pri_out)
pass out on $ext_if proto ipencap all keep state queue(gif_out, pri_out)
# Again - any point in keeping state for the gif tunnels or ipsec (below) packets?
pass out on $ext_if proto esp all keep state queue(gif_out, pri_out)

Believe it or not, pfctl -nv actually parses all of this out and seems to believe it makes sense. The other ends, which usually have only one or possibly two endpoints (branch->corporate and sometimes branch->sister branch) will be significantly simpler, but if the above works, it's easy to transpose to the smaller situation.

Something else I just noticed, since this is the "server end" - the point where most of the servers sit, as opposed to the clients - should I change those 'pass' lines from "from any to any port x" to "from any port x to any"? Is that valid?

My theory is that I want to first, prioritize the traffic going out on the gif tunnels, then promote the gif packet actually travelling out over the $ext_if above most other traffic. It LOOKS like this will happen, but I want to see if I'm missing anything obvious. In the past, I've used NetBSD and ipfilter, so I'm relatively new to PF and wanted a second opinion. Thanks to anyone for answering, or for pointing to a more appropriate venue for the question!

-J. Buck Caldwell
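A consistency check in the spirit of the questions above, added here as an example and not part of the thread: a small Python linter for the ALTQ/priq section of a pf.conf that reports queue names referenced but never defined, priq priorities outside 0-15, and queue() assignments on rules whose interface carries no altq declaration. The sample config is constructed and modelled on the one posted; interfaces are compared by the macro name used in the rules (e.g. ext_if), which is an assumption of this toy parser, not pf's own resolution.

```python
import re

# Constructed sample modelled on the thread's config; not the poster's file.
SAMPLE = """
altq on $ext_if priq bandwidth 4500Kb queue { std_out, ssh_out, gif_out, pri_out }
queue std_out priq(default) qlimit 150
queue ssh_out priority 7
queue gif_out priority 8
queue pri_out priority 15
queue bogus_out priority 16
pass out on $gif_if proto tcp all modulate state flags S/SA queue(std_out, pri_out)
pass out on $ext_if proto tcp to any port 22 modulate state flags S/SA queue(ssh_out, pri_out)
pass out on $ext_if proto ipencap all keep state queue(gif_out, pri_out)
pass out on $ext_if proto esp all keep state queue(vpn_out)
"""

ALTQ = re.compile(r'altq on \$?(\w+)\s+(\w+).*queue\s*\{([^}]*)\}')
QUEUE = re.compile(r'queue (\w+)(.*)$')
RULE = re.compile(r'pass .*?on \$?(\w+).*queue\s*\(([^)]*)\)')

def lint_altq(conf):
    """Return a list of problems: undefined queues, priq priorities outside 0-15,
    and queue() assignments on an interface that has no altq line."""
    problems, altq_ifs, declared, defined = [], set(), set(), {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        if not line or re.match(r'\w+\s*=', line):     # skip blanks and macros
            continue
        if m := ALTQ.match(line):                      # parent altq declaration
            altq_ifs.add(m.group(1))
            declared.update(q.strip() for q in m.group(3).split(","))
        elif m := QUEUE.match(line):                   # child queue definition
            pri = re.search(r'priority (\d+)', m.group(2))
            defined[m.group(1)] = int(pri.group(1)) if pri else 1   # pf.conf default is 1
        elif m := RULE.match(line):                    # filter rule with queue()
            if m.group(1) not in altq_ifs:
                problems.append(f"rule on {m.group(1)} assigns a queue but no altq is defined there")
            for q in (x.strip() for x in m.group(2).split(",")):
                if q not in defined:
                    problems.append(f"rule references undefined queue {q}")
    for q in sorted(declared - set(defined)):
        problems.append(f"altq child queue {q} is never defined")
    for q, p in defined.items():
        if not 0 <= p <= 15:
            problems.append(f"queue {q} has priq priority {p} outside 0-15")
    return problems

if __name__ == "__main__":
    for p in lint_altq(SAMPLE):
        print("warning:", p)
```

Run it against a real file with `lint_altq(open("/etc/pf.conf").read())` before `pfctl -nf`; the gif_if warning it emits is the point the post is asking about, since queue tags set on a gif rule are only meaningful once the packet reaches an interface with altq.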
Vivek Khera
2005-Dec-16 08:38 UTC
My ungodly PF config - am I sane and brilliant, or just deluded and dangerous?
On Dec 16, 2005, at 1:13 AM, J. Buck Caldwell wrote:

> Here's the fun part. Our traffic has gotten to the point where I've
> decided that some traffic shaping (ALTQ) is necessary. I've been
> experimenting with my home cable internet connection (and gif
> tunnel to work), and I believe I've come up with a workable
> solution. However, I'd like to run it by some experts to see if I'm
> screwing up (or hitting any possible limits) before I try putting
> it in place live.

You may wish to take a look at an embedded GUI-based firewall system like pfSense to help you configure this. It has a traffic shaping wizard and can do IPsec VPNs as well. It is based on FreeBSD 6.0, so it will run on whatever hardware you've got already. See http://www.pfsense.com/