By default I had only secured my external interface.
Now that I want to apply some more rules internally, I have done this by creating subnets, shielding them off and only allowing certain services.
These rules work fine now, but they are extremely slow.
Can we go through this together?
So there is no problem on FXP; only the management and extranet parts cause problems.
When I comment out this part:
# -- Block the rest -- #
block in quick on xl0 all
then everything works fine, but that is not what I want. I want to allow precisely the traffic that I permit and that has been set up through keep state. Could it be that matching the keep state rules takes a lot of time?
# --- IPF Firewall Rules --- #
# --- 27-08-2006 --- #
# ----------------------- #
#
#
# Section for External fxp0
#
#
# ----------------------- #
# ----------------------- #
#
#
# Out External fxp0
#
#
# ----------------------- #
# -- Speedtouch Communication -- #
pass out quick on fxp0 proto tcp from any to 10.0.0.138/32 flags S keep frags keep state
pass out quick on fxp0 proto udp from any to 10.0.0.138/32 keep frags keep state
# -- Block out private addresses -- #
block out log quick on fxp0 from any to 192.168.0.0/16
block out log quick on fxp0 from any to 172.16.0.0/12
block out log quick on fxp0 from any to 10.0.0.0/8
block out log quick on fxp0 from any to 0.0.0.0/8
block out log quick on fxp0 from any to 127.0.0.0/8
block out log quick on fxp0 from any to 169.254.0.0/16
block out log quick on fxp0 from any to 192.0.2.0/24
block out log quick on fxp0 from any to 204.152.64.0/23
block out log quick on fxp0 from any to 224.0.0.0/3
# -- Pass out traffic that needs internet access -- #
pass out quick on fxp0 proto tcp from 10.0.10.16/28 to any flags S keep frags keep state
pass out quick on fxp0 proto tcp from 10.0.10.48/28 to any flags S keep frags keep state
pass out quick on fxp0 proto tcp from 10.0.10.43/32 to any flags S keep frags keep state
pass out quick on fxp0 proto udp from 10.0.10.16/28 to any keep frags keep state
pass out quick on fxp0 proto udp from 10.0.10.48/28 to any keep frags keep state
pass out quick on fxp0 proto udp from 10.0.10.43/32 to any keep frags keep state
# -- Pass out direct router services -- #
pass out quick on fxp0 proto udp from any to any port = 53 keep frags keep state
pass out quick on fxp0 proto tcp from any to any port = 25 flags S keep frags keep state
# -- Block the rest -- #
block out quick on fxp0 all
# ----------------------- #
#
#
# In External fxp0
#
#
# ----------------------- #
# -- Block in private addresses -- #
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
#block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 0.0.0.0/8 to any
block in log quick on fxp0 from 169.254.0.0/16 to any
block in log quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from 204.152.64.0/23 to any
block in log quick on fxp0 from 224.0.0.0/3 to any
# -- Block Strange Traffic -- #
block in quick on fxp0 from any to "public" port = 6346
# -- Regulate ICMP -- #
pass in quick on fxp0 proto icmp from any to any icmp-type 0
pass in quick on fxp0 proto icmp from any to any icmp-type 11
block in log quick on fxp0 proto icmp from any to any
# -- Pass in direct services on router -- #
pass in log level auth.info quick on fxp0 proto tcp from any to any port = 2222 flags S keep frags keep state
pass in log quick on fxp0 proto tcp from any to any port = 443 flags S keep frags keep state
# -- OpenVPN -- #
pass in log level auth.info quick on fxp0 proto tcp from any to any port = 3333 keep frags keep state
# -- Pass in direct services on router -- #
pass in log quick on fxp0 proto tcp from any to 10.0.10.43/32 port = 25 flags S keep frags keep state
pass in log quick on fxp0 proto tcp from any to 10.0.10.43/32 port = 80 flags S keep frags keep state
# ----------------------- #
#
#
# Section for management xl0
#
#
# ----------------------- #
# -- Block the rest -- #
block in quick on xl0 all
pass out quick proto tcp from any to 10.0.10.0/28 port = 2222 flags S keep frags keep state
# -- SNMP Direct -- #
pass out quick on xl0 proto udp from any to 10.0.10.14/32 port = 161 keep frags keep state
# -- Block the rest -- #
block out quick on xl0 all
# ----------------------- #
#
#
# Section for extranet xl2
#
#
# ----------------------- #
# -- Block the rest -- #
block in quick on xl2 all
pass out quick on xl2 proto tcp from any to 10.0.10.32/28 port = 25 flags S keep frags keep state
pass out quick on xl2 proto tcp from any to 10.0.10.32/28 port = 143 flags S keep frags keep state
pass out quick on xl2 proto tcp from any to 10.0.10.32/28 port = 110 flags S keep frags keep state
pass out quick on xl2 proto tcp from any to 10.0.10.32/28 port = 80 flags S keep frags keep state
pass out quick on xl2 proto tcp from any to 10.0.10.32/28 port = 443 flags S keep frags keep state
# -- Block the rest -- #
block out quick on xl2 all
# ----------------------- #
#
#
# Section for wireless xl3
#
#
# ----------------------- #
pass in quick on xl3 from 10.0.10.48/28 to 10.0.10.28/32 keep frags keep state
pass in quick on xl3 from 10.0.10.48/28 to 10.0.10.43/32 keep frags keep state
pass in quick proto udp from any to 10.0.10.30/32 port = 53 keep frags keep state
block in quick on xl3 from any to 10.0.10.32/28
block in quick on xl3 from any to 10.0.10.16/28
block in quick on xl3 from any to 10.0.10.0/28
# ----------------------- #
#
#
# Section for vpn tun0
#
#
# ----------------------- #
pass in quick on tun0 from 10.0.10.80/28 to 10.0.10.28/32 keep frags keep state
pass in quick on tun0 proto tcp from 10.0.10.80/28 to 10.0.10.43/32 port = 110 flags S keep frags keep state
block in quick on tun0 from any to 10.0.10.32/28
block in quick on tun0 from any to 10.0.10.16/28
block in quick on tun0 from any to 10.0.10.0/28
# ----------------------- #
#
#
# Allow the rest
#
#
# ----------------------- #
pass in all
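As an added example (not from the original post), here is a small Python model of how ipf evaluates a ruleset like the one above: the state table is consulted before the rule list, `quick` ends evaluation at the first match (otherwise the last match wins), and a `pass ... keep state` creates the entry that lets the reply through. Run over a constructed excerpt of the xl0 rules it shows that a new connection arriving on xl0 hits `block in quick on xl0 all`, while the reply to an outbound `keep state` session passes via the state table without touching the rules. The router address 10.0.10.1 and the test packets are constructed.

```python
import ipaddress
import re
# Added example (not from the post): a toy model of IPFilter's matching order. The state
# table is checked first; then rules run top to bottom, "quick" making the first match final.
RULES = """
block in quick on xl0 all
pass out quick proto tcp from any to 10.0.10.0/28 port = 2222 flags S keep frags keep state
pass in quick proto udp from any to 10.0.10.30/32 port = 53 keep frags keep state
pass in all
"""  # constructed excerpt of the posted xl0, wireless and catch-all rules
RULE_RE = re.compile(
    r"(?P<action>pass|block) (?P<dir>in|out)(?: log(?: level \S+)?)?(?P<quick> quick)?"
    r"(?: on (?P<iface>\S+))?(?: proto (?P<proto>\S+))?(?: from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\d+))?| all)"
    r"(?: flags \S+)?(?P<opts>(?: keep (?:frags|state))*)")

def parse_rules(text):  # one dict per rule: the named regex groups plus the raw text
    return [{**RULE_RE.fullmatch(l.strip()).groupdict(), "text": l.strip()} for l in text.strip().splitlines()]

def rule_matches(r, p):  # None or "any" in a rule field matches everything
    ok = lambda spec, a: spec in (None, "any") or ipaddress.ip_address(a) in ipaddress.ip_network(spec, strict=False)
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and ok(r["src"], p["src"]) and ok(r["dst"], p["dst"])
            and (r["port"] is None or int(r["port"]) == p["dport"]))

class Firewall:
    def __init__(self, text):
        self.rules, self.state = parse_rules(text), set()

    def decide(self, p):  # p: dict with dir, iface, proto, src, sport, dst, dport
        fwd = (p["iface"], p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["iface"], p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in self.state or rev in self.state:
            return "pass", "state table"  # replies to kept-state flows never reach the rules
        verdict, reason, hit = "pass", "no rule matched (IPF default)", None
        for n, r in enumerate(self.rules, 1):
            if rule_matches(r, p):
                verdict, reason, hit = r["action"], f"rule {n}: {r['text']}", r
                if r["quick"]:
                    break  # quick: stop at the first match; otherwise the last match wins
        if verdict == "pass" and hit and "keep state" in hit["opts"]:
            self.state.add(fwd)  # keep state: remember the flow so its replies pass
        return verdict, reason

ROUTER = "10.0.10.1"  # constructed: the firewall's own address on xl0
PACKETS = {  # constructed test packets
    "ssh_out": dict(dir="out", iface="xl0", proto="tcp", src=ROUTER, sport=40000, dst="10.0.10.5", dport=2222),
    "ssh_reply": dict(dir="in", iface="xl0", proto="tcp", src="10.0.10.5", sport=2222, dst=ROUTER, dport=40000),
    "dns_from_xl0_host": dict(dir="in", iface="xl0", proto="udp", src="10.0.10.5", sport=5353, dst="10.0.10.30", dport=53),
}

def run_demo():  # order matters: ssh_out creates the state that lets ssh_reply through
    fw = Firewall(RULES)
    return {name: fw.decide(p) for name, p in PACKETS.items()}
```

Feeding the same `ssh_reply` packet to a fresh `Firewall` (no prior `ssh_out`) makes it hit `block in quick on xl0 all` instead, which is the difference between state-tracked replies and new inbound connections on xl0.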