Openbsd apu » Historique » Version 1

sacha, 11/11/2020 21:28

> > {{\>toc}}
2
3
# Firewall OpenBSD sur les PCEngines APU
4
5
6
7
## Install an OpenBSD image
8
9
10
### Getting the OpenBSD image 
11
12
The list of the mirrors is here: https://www.openbsd.org/ftp.html
13
Get the latest release; 6.5 is used here.
14
15
~~~
16
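# Download the 6.5 amd64 installer image (mirror list: https://www.openbsd.org/ftp.html).
wget ftp://ftp.irisa.fr/pub/mirrors/OpenBSD/6.5/amd64/install65.fs
# Fetch the signed checksum list from the same directory and verify the image
# before it is written to the key: FTP/HTTP give no integrity guarantee on
# their own. openbsd-65-base.pub ships in /etc/signify on an OpenBSD host; on
# another OS point -p at a copy of that key.
wget ftp://ftp.irisa.fr/pub/mirrors/OpenBSD/6.5/amd64/SHA256.sig
signify -C -p /etc/signify/openbsd-65-base.pub -x SHA256.sig install65.fs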
17
~~~
18
19
### Write the image to a USB key
20
21
My USB key is /dev/sde
22
23
~~~
24
# Raw copy of the installer image onto the key. The target device is hard-coded:
# check it first (e.g. with lsblk) — dd on the wrong disk destroys it silently.
dd if=install65.fs of=/dev/sde bs=1M
25
~~~
26
27
### Boot USB & install
28
29
Switch the console to com0 at 115200 baud
30
31
~~~
32
SeaBIOS (version rel-1.12.0.1-0-g393dc9c)
33
34
Press F10 key now for boot menu
35
36
Booting from Hard Disk...
37
Using drive 0, partition 3.
38
Loading......
39
probing: pc0 com0 com1 com2 com3 mem[639K 1918M a20=on] 
40
disk: hd0+ hd1+*
41
>> OpenBSD/amd64 BOOT 3.43
42
boot> stty com0 115200
43
boot> set tty com0
44
switching console to com>> OpenBSD/amd64 BOOT 3.43
45
boot>
46
~~~
47
48
Answering the installer questions
49
~~~
50
Welcome to the OpenBSD/amd64 6.5 installation program.
51
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
52
53
Terminal type? [vt220]
54
System hostname? (short form, e.g. 'foo') cerbere
55
Password for root account? (will not echo) 
56
Password for root account? (again) 
57
Start sshd(8) by default? [yes] 
58
Change the default console to com0? [yes] 
59
Available speeds are: 9600 19200 38400 57600 115200.
60
Which speed should com0 use? (or 'done') [115200] 
61
Setup a user? (enter a lower-case loginname, or 'no') [no] 
62
Since no user was setup, root logins via sshd(8) might be useful.
63
WARNING: root is targeted by password guessing attacks, pubkeys are safer.
64
Allow root ssh login? (yes, no, prohibit-password) [no] yes
65
66
Available disks are: sd0 sd1.
67
Which disk is the root disk? ('?' for details) [sd0] 
68
No valid MBR or GPT.
69
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] 
70
~~~
71
72
80% /
73
10% swap
74
10% /var/log
75
76
### Configuration
77
78
79
#### /etc/sysctl.conf       
80
                                                                                                                                   
81
~~~
82
# This host is the LAN's router: allow IPv4 forwarding between its interfaces.
net.inet.ip.forwarding=1
# Required by the gre(4) tunnels used in the 2-ADSL ruleset below.
net.inet.gre.allow=1
84
85
~~~
86
87
#### adduser
88
89
Add the user to group wheel (required by the doas rule below).
90
91
92
#### /etc/doas.conf       
93
                                                                                                                          
94
~~~
95
# Any member of wheel may run any command as root; the password is asked for
# each invocation (no nopass, no persist).
permit :wheel
96
~~~
97
98
#### /root/.profile
99
100
~~~
101
# Interactive setup for root's login shell (ksh) on the firewall.
export PS1="\H|\t|:\w\\$"

umask 022

#export LS_OPTIONS='--color=auto'
# colorls comes from the colorls package installed further down this page.
alias ls='/usr/local/bin/colorls -G'
alias ll='ls -l'
alias l='ls -lA'
# NOTE(review): --max-depth is the GNU du spelling; OpenBSD du(1) uses `-d 1` — confirm on the box.
alias d="du --max-depth=1 -h"
#alias carp='ifconfig carp |grep -e "MASTER" -e "BACKUP" && ifconfig -g carp'

# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'
# b: dump the pf <BLACKLIST> table, then the first 10 lines of the state table
# sorted (numerically, descending) on its 4th column.
alias b='echo "\n IP BLACKLISTED\n========================================================";pfctl -t BLACKLIST -T show;echo "\n TOP 10 states\n========================================================";pfctl -sS |sort -nrk4 |head -n 10 '
# Login banner: current sessions, last 20 logins, uptime.
echo
echo "________________________________________________________________________"
echo
who
echo "________________________________________________________________________"
echo
last -n 20
echo "________________________________________________________________________"
echo
uptime
echo "________________________________________________________________________"
129
~~~
130
131
#### /home/sacha/.profile
132
133
~~~
134
# $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $
#
# sh/ksh initialization
# Login shell setup for the admin user: same aliases as root's profile plus a
# short status banner.

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games
export PATH HOME TERM

export PS1="\H|\t|:\w\\$"

# colorls is installed from packages (see the pkg_add line further down).
alias ls='colorls -G'
alias ll='ls -l'
alias l='ls -lA'
# NOTE(review): --max-depth is the GNU du spelling; OpenBSD du(1) uses `-d 1` — confirm on the box.
alias d="du --max-depth=1 -h"

# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'

# Banner: kernel version and who is logged in.
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
echo -n "     " && uname -a
echo
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
w
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo && echo
163
164
165
~~~
166
167
#### /etc/ssh/sshd_config
168
169
~~~
170
# Non-default port; the pf rules below only pass ssh on 55555.
Port 55555
# Key-based authentication only: both password paths are switched off.
PasswordAuthentication no
ChallengeResponseAuthentication no
# NOTE(review): the installer was answered "Allow root ssh login? yes", i.e.
# PermitRootLogin yes. With a wheel user and doas in place, prefer
# `PermitRootLogin prohibit-password` (or `no`) here.
173
~~~
174
175
+ Ajouter le réseau local sur em2 sous la forme 10.10.département/24
176
177
#### /etc/dhcpd.conf
178
179
En fonction du réseau local, exemple:
180
181
~~~
182
# Example pool for one 10.10.<département>.0/24 LAN on em2; adjust per site.
subnet 10.10.79.0 netmask 255.255.255.0 {
  range 10.10.79.100 10.10.79.199;
  default-lease-time 600;
  max-lease-time 7200;
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.10.79.255;
  # The firewall's LAN address is both default gateway and first resolver.
  option routers 10.10.79.254;
  # NOTE(review): the unbound.conf below listens on 172.16.1.254 and only
  # allows 172.16/16, so clients of this subnet would get no answer from the
  # first resolver unless those lines are changed to the LAN address. The
  # second entry is an external resolver that clients fall back to directly.
  option domain-name-servers 10.10.79.254, 185.233.100.100;
  option domain-name "niort.rosedor.fr";
}
192
~~~
193
194
~~~
195
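# Serve DHCP on the LAN interface and enable dhcpd at boot. rcctl edits
# rc.conf.local itself and is idempotent; the `echo >>` form appends a second
# dhcpd_flags line every time the step is repeated.
rcctl enable dhcpd
rcctl set dhcpd flags em2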
196
~~~
197
198
199
#### /etc/resolv.conf 
200
201
~~~
202
# NOTE(review): this search domain belongs to a different site than the
# dhcpd domain-name above (niort.rosedor.fr); confirm which one applies here.
search brest.openlux.fr
# The firewall's own LAN address: unbound must listen there (see unbound.conf).
nameserver 10.10.79.254
lookup file bind
205
~~~
206
207
208
#### /etc/ntpd.conf
209
210
~~~
211
# $OpenBSD: ntpd.conf,v 1.14 2015/07/15 20:28:37 ajacoutot Exp $
#
# See ntpd.conf(5) and /etc/examples/ntpd.conf

# Not serving time to the LAN: the listen line stays disabled.
#listen on 172.16.1.254 
# Client only, French pool. No `constraint` line, so the pool is trusted as is.
servers fr.pool.ntp.org

217
218
~~~
219
220
#### boot sound
221
222
* Exemples:
223
224
~~~
225
# spkr(4) play-string examples: each string is written to /dev/speaker and
# played on the APU's speaker. `echo -e` is kept as in the original; none of
# these strings actually contains a backslash escape.
echo -e "l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker
echo -e "<cd<a#~<a#>f" > /dev/speaker
echo "o2 AAA ml o2l8F P16 o3l16C o2 l4A  l8F o3P16l16C o2 l4A p4 o3 EEE ml l8F P16 o3l16C o2 l4A- l8F o3P16l16C o2 l4A"  > /dev/speaker
echo -e "ec" > /dev/speaker
echo -e "t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.." > /dev/speaker
echo -e "<cd<a#~<a#>f" > /dev/speaker
echo -e "t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.">/dev/speaker
echo -e "t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8" > /dev/speaker
echo -e "olcega.a8f>cd2bgc.c8dee2" > /dev/speaker
echo -e "msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4" > /dev/speaker
echo -e "l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker
236
237
Beatles
238
"T255O3< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A F#A B A F# L1 E.< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A L2 F#.> L4 C# < L2 B A L1 B B L1 N0< < L2 A > > > L4 C# < L2 B > L2 C# < L2 A.> L4 C# < A B > L2 C#.< < L2 A > > > L4 C# < L2 B > C# < L2 A.L4 N0 A L2 B AL2 N0 > L2 C# < B A N0L4 F# A B E A B D A B A G# F# E"
239
240
sw
241
"t136 mn o3 l8 ddgfe-dc o2 b-ag o3 d2. l12 ddd l8 g4 p4 p2 p2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t136 mn o3 l8 p4 mn o2 l8 d4 e4.e o3c o2 bag l12 gab l8 a8. e16f+4d8. d e4.e o3 c o2 bag o3 d8.o2   a16 ml a4a4 mn d4 e4.e O3 c o2 bag l12 gaba8. e16 f+4 o3 d8. d16 l16   g8. fe-8. d c8. o2 b-a8. g o3 d2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 co2 b o3c l2 ml o2a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2ba ml l2 o3gdd mn l6 co2bo3c l2 ml o2a1a4 p4 mn l6 o3 mn ddd ml l1 gggg4 p4 p4 mn l12 dddg2"
242
243
244
245
Reveille: t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f..
246
Close Encounters: <cd<a#~<a#>f
247
Lord of the Dance (aka Simple Gifts): t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.
248
Loony Toons theme: t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8
249
standard villain's entrance music: mst200o2ola.l8bc.~a.~>l2d#
250
a trope from 'The Right Stuff' score by Bill Conti: olcega.a8f>cd2bgc.c8dee2
251
opening bars of Bach's Toccata and Fugue in D Minor": msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4
252
opening bars of the theme from Star Trek Classic: l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2
253
254
255
~~~
256
257
~~~
258
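# Play two short tunes on the speaker at the end of boot (rc.local).
echo 'echo -e "<cd<a#~<a#>f" > /dev/speaker' >> /etc/rc.local
# The second line needs its own `echo`: without it rc.local would try to run
# the note string itself as a command and log "not found" at every boot.
echo 'echo "O3L30cO4L30cO5L30cO5L30g" > /dev/speaker' >> /etc/rc.local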
260
~~~
261
262
#### Unbound
263
264
~~~
265
# unbound runs chrooted in /var/unbound; the link only makes its real config
# reachable at the conventional /etc path.
ln -s /var/unbound/etc/unbound.conf /etc/unbound.conf
266
~~~
267
268
~~~
269
# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $
# Caching resolver for the LAN; only the lines changed from the stock example
# carry a comment.

server:
        interface: 127.0.0.1
        # NOTE(review): not the LAN address used elsewhere on this page (dhcpd
        # hands out 10.10.79.254 and resolv.conf points at it) — with this
        # value unbound is not listening where the clients look.
        interface: 172.16.1.254
        #interface: 127.0.0.1@5353      # listen on alternative port
#       interface: ::1
        do-ip6: no

        # override the default "any" address to send queries; if multiple
        # addresses are available, they are used randomly to counter spoofing
        #outgoing-interface: 192.0.2.1
        #outgoing-interface: 2001:db8::53

        # Default deny: only loopback and one IPv4 prefix may query.
        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        # NOTE(review): host address with a /16 mask; 172.16.0.0/16 states the
        # intent, and the prefix must be the LAN's (10.10.79.0/24 in the dhcpd
        # example) for clients to be answered at all.
        access-control: 172.16.1.254/16 allow 
        access-control: ::0/0 refuse
        access-control: ::1 allow

        hide-identity: yes
        hide-version: yes

        # Uncomment to enable DNSSEC validation.
        # NOTE(review): still disabled — enabling auto-trust-anchor-file is the
        # single change that protects LAN clients from forged answers.
        #
        #auto-trust-anchor-file: "/var/unbound/db/root.key"
        #val-log-level: 2

        # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
        # https://tools.ietf.org/html/rfc8198
        #
        #aggressive-nsec: yes

        # Serve zones authoritatively from Unbound to resolver clients.
        # Not for external service.
        #
        #local-zone: "local." static
        #local-data: "mycomputer.local. IN A 192.0.2.51"
        #local-zone: "2.0.192.in-addr.arpa." static
        #local-data-ptr: "192.0.2.51 mycomputer.local"

        # UDP EDNS reassembly buffer advertised to peers. Default 4096.
        # May need lowering on broken networks with fragmentation/MTU issues,
        # particularly if validating DNSSEC.
        #
        #edns-buffer-size: 1480

        # Use TCP for "forward-zone" requests. Useful if you are making
        # DNS requests over an SSH port forwarding.
        #
        #tcp-upstream: yes

remote-control:
        # unbound-control over a local unix socket only; no TCP control port.
        control-enable: yes
        control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#       name: "."                               # use for ALL queries
#       forward-addr: 192.0.2.53                # example address only
#       forward-first: yes                      # try direct if forwarder fails
~~~
332
333
~~~
334
# Enable at boot, then start now.
rcctl enable unbound
rcctl start unbound
336
~~~
337
338
#### Install the Prometheus node exporter
339
340
~~~
341
# Build tool-chain plus the utilities the profiles above rely on (colorls) and
# a few admin tools (gnuwatch, mtr, pftop, curl, bash).
pkg_add go git gmake python-3.6 colorls gnuwatch mtr pftop curl bash
ln -s /usr/local/bin/python3 /usr/local/bin/python
# NOTE(review): this fetches and builds unpinned upstream source as root inside
# a user's home. Pin a release tag (or use a packaged node_exporter if the ports
# tree offers one for 6.5) and build as an unprivileged user.
cd /home/sacha
go get github.com/prometheus/node_exporter
cd /home/sacha/go/src/github.com/prometheus/node_exporter
gmake
mv node_exporter /usr/local/bin/
348
~~~
349
350
##### script de démarrage : /etc/rc.d/node_exporter
351
352
~~~
353
# Add a login class for the exporter account that inherits the daemon defaults.
vim /etc/login.conf
(...)
node_exporter:\
  :tc=daemon:
357
~~~
358
359
~~~
360
# Rebuild the login.conf database so the new class is known to useradd -L.
cap_mkdb /etc/login.conf
# Fixed uid/gid 2222, no home directory, no shell, node_exporter login class.
groupadd -g 2222 _node_exporter
useradd -u 2222 -g 2222 -c "Prometheus Node Exporter agent" -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter
363
~~~
364
365
* /etc/rc.d/node_exporter
366
367
~~~
368
#!/bin/sh
369
#
370
371
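# Binary built earlier on this page.
daemon="/usr/local/bin/node_exporter"
# Directory the textfile collector reads *.prom files from; created by rc_pre.
node_exporter_textfile_dir="/var/node_exporter"
# Single '=' between flag and value: the original "==" was passed through and
# made the collector look for a directory literally named "=/var/node_exporter".
daemon_flags="--collector.textfile.directory=${node_exporter_textfile_dir}"
# Unprivileged account the daemon runs as (created by rc_pre when missing).
daemon_user="_node_exporter"
daemon_group="_node_exporter"

. /etc/rc.d/rc.subr

# Pattern rc.subr matches against the process table for check/stop.
pexp="${daemon}.*"
# node_exporter stays in the foreground; rc_bg=YES tells rc.subr so.
rc_bg=YES
# The daemon has no reload action.
rc_reload=NO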
383
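# Create the service account and the textfile directory on first start.
# Globals:  daemon_user, daemon_group, node_exporter_textfile_dir (read)
# Returns:  0 when both exist afterwards, 1 if creating either failed
rc_pre() {
    # id(1) is only an existence test: keep its output off the console.
    if ! id "${daemon_user}" >/dev/null 2>&1; then
        groupadd "${daemon_group}" || return 1
        # Same layout as the manual useradd on this page: no home, no shell,
        # node_exporter login class.
        useradd -g "${daemon_group}" -c "Prometheus Node Exporter agent" \
            -d /var/empty -s /sbin/nologin -L node_exporter "${daemon_user}" || return 1
    fi
    if [ ! -d "${node_exporter_textfile_dir}" ]; then
        # Owned by the daemon account; mode 1755 as in the original.
        install -d -o "${daemon_user}" -g "${daemon_group}" -m 1755 \
            "${node_exporter_textfile_dir}" || return 1
    fi
    return 0
}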
398
399
# Start the daemon through rcexec (su to daemon_user). stdin is detached and
# stderr joined to stdout so diagnostics go wherever rc.subr sends them.
# NOTE(review): unlike rc.subr's default rc_start, this command line carries no
# trailing '&'; since node_exporter does not daemonize, confirm that
# `rcctl start node_exporter` returns instead of blocking.
rc_start() {
    ${rcexec} "${daemon} ${daemon_flags} < /dev/null 2>&1"
}
402
403
# Dispatch the requested action (start/stop/restart/check) to rc.subr.
rc_cmd $1
404
~~~
405
406
407
~~~
408
# rc.d scripts must be root-owned and executable before rcctl will use them.
chmod 0755 /etc/rc.d/node_exporter
chown root:wheel /etc/rc.d/node_exporter

rcctl enable node_exporter
rcctl start node_exporter
413
~~~
414
415
---
416
417
## Firewall
418
419
420
~~~
421
# Both tables in pf.conf are declared `persist file`, so pfctl expects these
# files to exist. WHITELIST holds the admin source addresses; BLACKLIST starts
# empty and is only filled by hand (pfctl -t BLACKLIST -T add ...).
touch /etc/BLACKLIST
vi /etc/WHITELIST
423
~~~
424
425
426
### Standard: 1 ADSL
427
428
~~~
429
#######################################################
#         Firewall PF - OpenBSD - ROSEDOR             #
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #
# V1.0 - 20190612                                     #
#######################################################
# Single-uplink ruleset: default deny, LAN (em2) NATed out through pppoe0,
# admin ssh (tcp/55555) reachable from the Internet only for <WHITELIST>.


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               MACROS                  #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#-----------------------------------------#
#               Interfaces                #
#-----------------------------------------#
#=====----> ADSL
ADSL_Data       = "pppoe0"
# List form so the rules stay identical to the 2-ADSL variant below.
ADSL            = "{" $ADSL_Data "}"

#=====----> LAN
LAN             = "em2"
# Declared but not referenced by any rule in this variant.
LAN_VoIP        = "em3"

#-----------------------------------------#
#               Hosts                     #
#-----------------------------------------#


#-----------------------------------------#
#       W H I T E  L I S T                #
#-----------------------------------------#
# Trusted admin source addresses, one per line in the file (created above).
table <WHITELIST> persist file "/etc/WHITELIST"

#-----------------------------------------#
#       B L A C K  L I S T                #
#-----------------------------------------#
# Sources dropped unconditionally; nothing in this ruleset adds to it
# automatically (see NOFLOOD below), so it is fed by hand.
table <BLACKLIST> counters persist file "/etc/BLACKLIST"

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               OPTIONS                 #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
set loginterface $ADSL_Data

#set optimization aggressive
# Silent drop rather than RST/ICMP unreachable for blocked packets.
set block-policy drop

set skip on lo0 


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               LOG                     #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Every packet is logged to pflog0, passed or not: expect a busy pflog.
match log all


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               NORMALISATION           #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

# Nettoyer les paquets entrant
match in scrub (reassemble tcp random-id)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#                NAT                    #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match out on $ADSL_Data inet from ($LAN:network) to any nat-to ($ADSL_Data)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               FILTRAGE                #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Default policy: everything not passed by a later rule is dropped and logged.
block log all

#-----------------------------------------#
#               Anti-Flood                #
#-----------------------------------------#
# NOTE(review): NOFLOOD is defined but no rule below uses it, so no per-source
# state limit is applied and <BLACKLIST> is never populated automatically; the
# commented `overload` variant is the one that would feed the table.
#NOFLOOD ="synproxy state (source-track rule max-src-conn 500, max-src-conn-rate 50/10, overload <BLACKLIST> flush global)"
NOFLOOD ="keep state (source-track rule, max-src-states 100)"

block in log quick on $ADSL from no-route to any
block out log quick on $ADSL from no-route to any
block in log quick on $ADSL from any to 255.255.255.255

#-----------------------------------------#
#               Blacklists                #
#-----------------------------------------#
block in quick from <BLACKLIST>

block in log quick on $ADSL inet proto icmp from any to any icmp-type redir
block in log quick on $ADSL inet6 proto icmp6 from any to any icmp6-type redir

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               Anti-spoof                  #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Only the uplink is protected; no antispoof for $LAN.
antispoof log quick for $ADSL label "antispoof"

#---------------------------------------#
#               ICMP                    #
#---------------------------------------#
# Both directions on every interface: echo requests from the Internet are
# answered too.
pass inet proto icmp all icmp-type { echorep, echoreq, timex, unreach }

#---------------------------------------#
#               Trace Route             #
#---------------------------------------#
# `keep state` is the default and could be dropped.
pass in on { $LAN } proto udp from any to any port 33433 >< 33626 keep state

#---------------------------------------#
#               WHITELIST               #
#---------------------------------------#
# Admin ssh from the Internet (sshd_config Port 55555), trusted sources only.
pass in quick on $ADSL proto tcp from <WHITELIST> to any port 55555 

#---------------------------------------#
#                 LAN                   #
#---------------------------------------#

#=====----> Firewall to Lan
pass out on $LAN inet to $LAN:network


#=====----> ssh LAN
pass in quick on $LAN proto tcp from $LAN:network to $LAN port 55555
#pass in quick proto tcp from any to port 55555

#=====----> dns
# UDP only; TCP/53 to the firewall is still covered by the generic LAN rule.
pass in quick on $LAN proto udp from $LAN:network to $LAN port 53 

#=====----> dhcp
pass in quick on $LAN inet from $LAN:network to 255.255.255.255 

#=====----> Permit Lan to output
# "to any" includes the firewall itself: every service it runs is reachable
# from the LAN, not only ssh/dns/dhcp above.
pass in on $LAN inet from $LAN:network to any

pass out on $LAN inet from $LAN:network to any


#---------------------------------------#
#            ACCEPT OUTGOING            #
#---------------------------------------#
pass out on $ADSL
566
~~~
567
568
---
569
570
### 2 ADSL
571
572
~~~
573
#######################################################
#         Firewall PF - OpenBSD - ROSEDOR             #
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #
# V1.0 - 20190612                                     #
#######################################################
# Dual-uplink variant: data traffic out through pppoe0, VoIP and the VoIP LAN
# (em3) out through pppoe1, GRE/IPsec tunnel interfaces left unfiltered.


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               MACROS                  #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#-----------------------------------------#
#               Interfaces                #
#-----------------------------------------#
#=====----> ADSL
ADSL_Data       = "pppoe0"
ADSL_VoIP       = "pppoe1"
ADSL            = "{" $ADSL_Data $ADSL_VoIP "}"
# NOTE(review): one gateway address is used for route-to on both uplinks;
# pppoe peers normally differ per link — confirm this is right for pppoe0.
ADSL_GW         = "185.96.184.47"
#=====----> LAN
LAN             = "em2"
LAN_VoIP        = "em3"

#-----------------------------------------#
#               Hosts                     #
#-----------------------------------------#
# Hostnames are resolved once when the ruleset is loaded; a DNS change on the
# provider side needs a `pfctl -f` reload to take effect.
VoIP = "{ conference.wildix.com ws2sip.wildix.com videobridge.wildix.com turn.wildix.com ipbx-savia-rosedor.ataraxie.fr rosedor.wildixin.com vnc.wildix.com ec2-34-250-48-200.eu-west-1.compute.amazonaws.com ec2-52-19-52-138.eu-west-1.compute.amazonaws.com }"

#-----------------------------------------#
#       W H I T E  L I S T                #
#-----------------------------------------#
table <WHITELIST> persist file "/etc/WHITELIST"

#-----------------------------------------#
#       B L A C K  L I S T                #
#-----------------------------------------#
# Fed by hand only: the overload rule that would fill it is commented out.
table <BLACKLIST> counters persist file "/etc/BLACKLIST"

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               OPTIONS                 #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# NOTE(review): pf keeps a single loginterface; the second line most likely
# replaces the first — check with `pfctl -si`.
set loginterface $ADSL_Data
set loginterface $ADSL_VoIP 
#set optimization aggressive
set block-policy drop

# Tunnel interfaces are not filtered at all: anything reaching the host through
# IPsec or the GRE tunnels bypasses every rule below.
set skip on lo0 
set skip on enc0
set skip on gre0
set skip on gre1

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               LOG                     #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match log all


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               NORMALISATION           #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

# Nettoyer les paquets entrant
# NOTE(review): all scrub lines are disabled, so unlike the Standard variant no
# reassembly or id randomisation happens; `random-id` alone does not touch TTL
# or MSS and keeps traceroute working.
#match in scrub (no-df reassemble tcp random-id )

# min-ttl casse traceroute...
#match in scrub (random-id min-ttl 64 max-mss 1440)

#match in scrub (random-id)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#                NAT                    #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match out on $ADSL_Data inet from ($LAN:network) to any nat-to ($ADSL_Data)
# Only takes effect for LAN->VoIP packets that actually leave via pppoe1,
# i.e. those the Route VOIP rule below routes there.
match out on $ADSL_VoIP inet from ($LAN:network) to $VoIP nat-to $ADSL_VoIP
match out on $ADSL_VoIP inet from ($LAN_VoIP:network) to any nat-to ($ADSL_VoIP)

#nat on $ADSL_Data inet from ($LAN:network) to any -> ($ADSL_Data:0) port 1024:65535
#nat on $ADSL_VoIP inet from ($LAN_VOIP:network) to any -> ($ADSL_VoIP:0) port 1024:65535
#nat on $ADSL_Data inet from 127.0.0.0/8 to any -> ($ADSL_Data:0) port 1024:65535
#nat on $ADSL_VoIP inet from 127.0.0.0/8 to any -> ($ADSL_VoIP:0) port 1024:65535

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               FILTRAGE                #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
block log all

#-----------------------------------------#
#               Anti-Flood                #
#-----------------------------------------#
# NOTE(review): NOFLOOD is defined but unused by every rule below (same as in
# the Standard variant).
#NOFLOOD ="synproxy state (source-track rule max-src-conn 500, max-src-conn-rate 50/10, overload <BLACKLIST> flush global)"
NOFLOOD ="keep state (source-track rule, max-src-states 100)"

block in log quick on $ADSL from no-route to any
block out log quick on $ADSL from no-route to any
block in log quick on $ADSL from any to 255.255.255.255

#-----------------------------------------#
#               Blacklists                #
#-----------------------------------------#
block in quick from <BLACKLIST>

#block in log quick from <ssh-bruteforce>
block in log quick on $ADSL inet proto icmp from any to any icmp-type redir
block in log quick on $ADSL inet6 proto icmp6 from any to any icmp6-type redir

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               Anti-spoof                  #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Uplinks only; neither LAN interface gets antispoof.
antispoof log quick for $ADSL label "antispoof"

#---------------------------------------#
#               ICMP                    #
#---------------------------------------#
pass inet proto icmp all icmp-type { echorep, echoreq, timex, unreach }

#---------------------------------------#
#               Trace Route             #
#---------------------------------------#
pass in on { $LAN } proto udp from any to any port 33433 >< 33626 keep state

#---------------------------------------#
#               WHITELIST               #
#---------------------------------------#
# NOTE(review): unlike the Standard variant (tcp/55555 only), whitelisted
# sources may reach every port and protocol of the firewall from either uplink.
pass in quick on $ADSL inet from <WHITELIST> to any 

#---------------------------------------#
#              Prometheus               #
#---------------------------------------#

# node_exporter scrape, one fixed source address only.
pass in quick on $ADSL proto tcp from 185.233.100.77 to $ADSL port 9100

#---------------------------------------#
#                 LAN                   #
#---------------------------------------#

#=====----> Firewall to Lan
pass out on $LAN inet to $LAN:network
pass out on $LAN_VoIP inet to $LAN_VoIP:network

#=====----> ssh LAN
pass in quick on $LAN proto tcp from $LAN:network to $LAN port 55555
#pass in quick proto tcp from any to port 55555

#=====----> dns
pass in quick on $LAN proto udp from $LAN:network to $LAN port 53 

#=====----> dhcp
pass in quick on $LAN inet from $LAN:network to 255.255.255.255 
pass in quick on $LAN_VoIP inet from $LAN_VoIP:network to 255.255.255.255

#=====----> Route VOIP
# NOTE(review): this rule is not `quick`, and the generic
# `pass in on $LAN inet from $LAN:network to any` below also matches this
# traffic; as the last matching rule wins, its route-to is what applies, so
# VoIP flows from em2 leave via pppoe0 and the VoIP NAT above never fires.
# Add `quick` here (or move the rule after the generic one).
pass in on $LAN inet proto tcp from $LAN:network to $VoIP route-to ($ADSL_VoIP $ADSL_GW)

#=====----> Permit Lan to output

#pass in on $LAN inet from $LAN:network to ! $LAN:network route-to ($ADSL_Data $ADSL_GW) 
pass in on $LAN inet from $LAN:network to any
pass in on $LAN_VoIP inet from $LAN_VoIP:network to ! $LAN_VoIP:network route-to ($ADSL_VoIP $ADSL_GW)

#pass in on $LAN inet proto tcp from $LAN:network to $VoIP route-to ($ADSL_VoIP $ADSL_GW)


pass out on $LAN inet from $LAN:network to any
pass out on $LAN_VoIP from $LAN_VoIP:network to any

# IPSEC
#pass in on $ADSL_VoIP proto udp from 109.26.193.170 to $ADSL_VoIP port { 500, 4500 } reply-to ($ADSL_VoIP $ADSL_GW) 
#pass out on $ADSL_VoIP proto udp from $ADSL_VoIP to 109.26.193.170 port { 500, 4500 } route-to ($ADSL_VoIP $ADSL_GW)
#pass in on $ADSL_VoIP proto esp from 109.26.193.170 to $ADSL_VoIP reply-to ($ADSL_VoIP $ADSL_GW) 
#pass out on $ADSL_VoIP proto esp from $ADSL_VoIP to 109.26.193.170 route-to ($ADSL_VoIP $ADSL_GW) 

#---------------------------------------#
#            ACCEPT OUTGOING            #
#---------------------------------------#
pass out on $ADSL

#pass in on $ADSL_VoIP proto gre reply-to ($ADSL_VoIP $ADSL_GW) 
#pass out on $ADSL_VoIP proto gre route-to ($ADSL_VoIP $ADSL_GW)

# GRE encapsulation itself, stateless, on the gre interface group.
pass quick on gre proto gre no state
# NOTE(review): these remote-site sources arrive on the physical LAN interface,
# not on a tunnel (gre0/gre1 are `set skip`), and $LAN has no antispoof; confirm
# the rule is needed rather than allowing arbitrary sources on em2.
pass in on $LAN from { 10.34.1.0/24, 192.168.10.0/24 } to $LAN:network
pass out on $LAN from 10.34.1.0/24 to $LAN
# Outer GRE packets from the two tunnel peers on the VoIP uplink.
pass in on $ADSL_VoIP proto gre from { 109.26.193.170 85.118.41.209 }
#pass out on $LAN from $LAN:network to { 10.34.1.0/24, 192.168.10.0/24 }

#pass out on $ADSL proto tcp from any to any modulate state
#pass out on $ADSL inet proto { udp, icmp } from any to any keep state

# Replies sourced from one uplink's address are sent back out through that
# uplink rather than following the default route.
pass out on $ADSL_Data from $ADSL_VoIP route-to ($ADSL_VoIP $ADSL_GW)
pass out on $ADSL_VoIP from $ADSL_Data route-to ($ADSL_Data $ADSL_GW)
763
~~~
764
765
---