11 September 2009

PF Configuration

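### options -> normalization -> queueing -> translation -> filtering
### pfctl enforces this statement order while "set require-order yes" (below) is in effect

### Macros ###
# NOTE: the page rendered every quote as a typographic quote; pfctl only parses
# plain ASCII double quotes, so every quoted value below has been rewritten.
# uplink to TELKOM
ext_if = "sk0"
# INTRANET
int_if = "sk1"

# the author labelled these "ports that may be reached from outside the box";
# in this ruleset they are only used as destination ports of the outbound
# rules on $ext_if (see PACKET FILTERING)
ssh_ports = "{ 22 }"
im_ports = "{ 5050 5222 6667 }"
# 5050 5222 6667 appear here as well, so an IM connection matches both the
# $tcp_services rule and the later $im_ports rule; without "quick" the last
# match wins and that traffic ends up in the ssh_im_out queue
tcp_services = "{ 21 25 53 80 113 110 143 443 2082 5050 5222 6667 }"
udp_services = "{ 53 1194 }"

# ping requests
icmp_types = "echoreq"

### TABLES ###
# NOTE: the table names did not survive extraction of this page (the <name>
# tokens were stripped). TABLE_A / TABLE_B / TABLE_C are placeholders; which
# table each rule below refers to is inferred from the queue names and the
# address groups and must be checked against the original file.
# the whole intranet
table <TABLE_A> { 10.10.1.0/24 }
# single host, paired with the wfidl_in queue below
table <TABLE_B> { 10.10.1.213 }
# seven hosts, paired with the staff_in queue below
table <TABLE_C> { 10.10.1.79, 10.10.1.80, 10.10.1.81, 10.10.1.82, 10.10.1.83, 10.10.1.84, 10.10.1.85 }

### GLOBAL OPTIONS ###
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# adaptive.start/end of 0 switch adaptive timeouts off: state entries keep
# their full timeouts all the way up to the "states" limit below
set timeout { adaptive.start 0, adaptive.end 0 }
# hard ceilings; once "states" is full, new state creation fails and those
# packets are dropped until existing entries expire
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
# lo0 is not filtered at all, so no separate pass rule for it is needed below
set skip on lo0

### TRAFFIC NORMALIZATION ###
scrub in all

### QUEUES - ALTQ rules ###
# upstream: priority queueing on the 1024Kb uplink
altq on $ext_if priq bandwidth 1024Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }

queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

# downstream: class-based queueing towards the intranet;
# the child bandwidths (1024+32+32+128+64) add up to the 1280Kb parent
altq on $int_if cbq bandwidth 1280Kb queue { std_in, ssh_im_in, dns_in, staff_in, wfidl_in }

queue std_in bandwidth 1024Kb cbq(default)
queue ssh_im_in bandwidth 32Kb priority 4
queue dns_in bandwidth 32Kb priority 5
queue staff_in bandwidth 128Kb cbq(borrow)
queue wfidl_in bandwidth 64Kb cbq(borrow)

### TRANSLATION ###
nat on $ext_if from $int_if:network to any -> ($ext_if)
# ftp-proxy(8) also documents a nat-anchor; confirm whether this deployment needs it
#nat-anchor "ftp-proxy/*"

#================#
## Redirections ##
#================#
# transparent proxy: intranet web traffic that is not destined to the intranet
# itself is sent to the local proxy on 3128
rdr on $int_if proto tcp from <TABLE_A> to ! <TABLE_A> port 80 -> 127.0.0.1 port 3128
rdr-anchor "ftp-proxy/*"
# with this redirect commented out nothing is handed to ftp-proxy on 8021, so
# the ftp-proxy anchors presumably stay empty
#rdr on $int_if proto tcp from <TABLE_A> to ! <TABLE_A> port 21 -> 127.0.0.1 port 8021

#==================#
# Anchor Blockit #
#==================#
anchor blockit

#==================#
# Anchor FTP #
#==================#
# both anchors sit above the global block rules; that only works if the rules
# ftp-proxy inserts carry "quick" -- check ftp-proxy(8) for the running version
anchor "ftp-proxy/*"

### PACKET FILTERING ###

# filter rules for $ext_if inbound
# nothing unsolicited is accepted on the uplink
block in on $ext_if all

# filter rules for $ext_if outbound
block out on $ext_if all
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_services flags S/SA keep state queue(std_out, tcp_ack_out)
#pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state queue(std_out, tcp_ack_out)
#pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) icmp-type $icmp_types keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_services keep state
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain keep state queue dns_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports flags S/SA keep state queue(std_out, ssh_im_out)
pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

# filter rules for $int_if inbound
block in on $int_if all
# NOTE(review): no proto/port restriction -- every host in <TABLE_A> may reach
# any service on the firewall itself as well as the Internet; narrow this if
# only the proxy, DNS and ssh are meant to be reachable on the box
pass in on $int_if from <TABLE_A>

# filter rules for $int_if outbound
block out on $int_if all
pass out on $int_if from any to <TABLE_A>
pass out on $int_if proto { tcp udp } from any port domain to <TABLE_A> queue dns_in
pass out on $int_if proto tcp from any port $ssh_ports to <TABLE_A> queue (std_in, ssh_im_in)
pass out on $int_if proto tcp from any port $im_ports to <TABLE_A> queue ssh_im_in
pass out on $int_if from any to <TABLE_C> queue staff_in
pass out on $int_if from any to <TABLE_B> queue wfidl_in

## Deny spoofing
# kept last on purpose: without "quick" the last matching rule wins, so these
# block rules override any pass rule above for packets with a spoofed source
antispoof for $ext_if
antispoof for $int_if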

kemudian
# enable IPv4 packet forwarding between interfaces; the NAT/rdr rules of the
# pf ruleset above only see transit traffic once this is on
net.inet.ip.forwarding=1
lalu
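# rc.conf(8) convention: NO disables a daemon, any other value (an empty flags
# string included) enables it with those flags.
# The page rendered the opening quotes as typographic quotes; sh needs ASCII "".
named_flags=""
ntpd=NO
# runs ftp-proxy(8), which fills the "ftp-proxy/*" anchors of the pf ruleset above
ftpproxy_flags=""
sendmail_flags=NO
pf=YES
inetd=NO
check_quotas=NO
# was "YESS" on the page, presumably a typo for YES
mysql=YES
snort=YES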