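# $Id: pf.conf 1676 2012-05-17 01:50:02Z jhealy $
#
# Suffield Academy PF ruleset for border firewall.
#
# This setup assumes a redundant active-passive setup using two physical
# machines and a carp/pfsync setup to cluster them together.
#
# See http://web.suffieldacademy.org/ils/netadmin/docs/servers/pf/
#
# NOTE(review): this copy was collapsed onto single lines by extraction and
# every pf table name (the "<name>" after "table" and inside from/to/overload
# clauses) was stripped along the way. Line breaks were restored from the
# statement keywords and "\" continuations; each missing table name is marked
# <TABLE_NAME_LOST> and must be restored from the original pf.conf before
# this file is loaded.

###########################################################################
### Macros and Tables ###
###########################################################################

##
## Interface devices
##

# LAN physical interface
lan_if="vlan901"

# CEN WAN physical interface
cen_if="vlan72"

# pfsync physical interface
pfsync_if="vlan915"

##
## Interface addresses
##

# LAN IP (CARP)
# NOTE(review): $lan_ip is not referenced anywhere in this copy of the ruleset
lan_ip="carp0:0"

# Firewall IP (unique to this host; use no-sync for rules on this IP)
fw_ip=$lan_if:0

##
## Address Pools
##

# Entire LAN range
table <TABLE_NAME_LOST> { 172.16.0.0/12 }

# All external IPs that we own
table <TABLE_NAME_LOST> { 72.10.118.0/23 }

# Netadmin addresses
table <TABLE_NAME_LOST> { 172.19.0.0/19 }

# Servers/Equipment
table <TABLE_NAME_LOST> { 172.30.0.0/16 , 172.31.0.0/17 }

# Faculty/Staff
table <TABLE_NAME_LOST> { 172.18.0.0/16 , 172.28.0.0/16 }

# Hosts allowed to query our SNMP daemon
table <TABLE_NAME_LOST> { 172.19.0.0/19 , 172.31.1.9 }

# Addresses to use for public nat pool
table <TABLE_NAME_LOST> { 72.10.119.254 , 72.10.119.253 , 72.10.119.252 , \
                          72.10.119.251 , 72.10.119.250 , 72.10.119.249 , \
                          72.10.119.248 , 72.10.119.247 , 72.10.119.246 , \
                          72.10.119.245 }
table <TABLE_NAME_LOST> { 72.10.119.244 , 72.10.119.243 , 72.10.119.242 }
table <TABLE_NAME_LOST> { 72.10.119.241 }
table <TABLE_NAME_LOST> { 72.10.119.240 }

# Send all web traffic out over a single address to prevent tarded sites
# that don't like requests coming from more than one place
web_nat="72.10.119.239"
web_ports="{ http , https }"

# Bogus/private/evil IPs that we should never see
# (DHCP autoconfig, RESERVED, NET-TEST, MULTICAST D and E, RFC1918,
# NULL, and LOOPBACK)
# [Suffield uses 172.16/12, though, so we don't list it here]
# NOTE(review): this list predates later reserved ranges (e.g. 100.64.0.0/10
# shared address space, 198.18.0.0/15 benchmarking); review it against a
# current bogon list when the table is restored.
table <TABLE_NAME_LOST> { 169.254.0.0/16 , 192.0.2.0/24, \
                          224.0.0.0/4 , 240.0.0.0/4, \
                          10.0.0.0/8 , 192.168.0.0/16 ,\
                          0.0.0.0/8 , 127.0.0.0/8 }

# CEN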
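# "on-net" list provided by CEN staff (our block is 72.10.118.0/23)
# NOTE(review): "<TABLE_NAME_LOST>" marks a pf table name stripped by
# extraction; restore it from the original pf.conf.
table <TABLE_NAME_LOST> { 63.145.155.128/27, 192.107.38.0/24, 216.87.96.0/19, \
                          64.251.48.0/20, 72.10.96.0/19, 159.247.232.0/22, \
                          159.247.236.0/24, 207.210.128.0/19, 63.145.155.0/26, \
                          63.145.155.192/26, 192.83.228.0/24, 155.43.0.0/16, \
                          136.244.0.0/16, 149.152.0.0/16, 64.202.80.0/20, \
                          192.160.243.0/24, 192.160.244.0/24, 137.49.0.0/16, \
                          192.132.64.0/24, 192.152.243.0/24, 129.5.0.0/16, \
                          129.161.0.0/16, 148.166.0.0/16, 157.252.0.0/16, \
                          192.31.112.0/24, 192.107.134.0/24, 67.221.64.0/19, \
                          137.99.0.0/16, 155.37.0.0/16, 138.29.0.0/16, 129.133.0.0/16, \
                          128.36.0.0/16, 130.132.0.0/16, 199.249.227.0/24, 67.218.95.34 }

# Portscanners (SSH bots, etc) that we want to tarpit/blackhole
# NOTE(review): the filtering section later refers to "pfctl -t portscanners",
# so the persistent table is presumably <portscanners> -- verify. The second
# table (one static entry) had a separate name that was also lost.
table <TABLE_NAME_LOST> persist
table <TABLE_NAME_LOST> { 75.144.171.129 }

##
## Tags (used to defer "pass" decisions until later for queue assignment)
##

# tag for packets that are OK to send out (replaces vanilla "pass" rules)
accept="TAG_PASS"

# tag for packets that are NOT OK to send out (replaces vanilla "block" rules)
reject="TAG_BLOCK"

###########################################################################
### Options ###
###########################################################################

##
## Skip interfaces
##

# Completely ignore loopback (we should never filter our own traffic)
set skip on lo0

# Completely ignore pfsync interface (it's a crossover cable)
set skip on $pfsync_if

##
## Block policy
##

# Be nice and return an unreachable/rst packet for blocked packets
# set block-policy drop
# NOTE(review): "return" answers blocked probes on $cen_if as well, which
# tells a scanner which ports are filtered rather than closed; individual
# WAN-side rules can still use "block drop" if that is preferred.
set block-policy return

##
## Optimization
##

# Basic optimization removes duplicates, overlaps, and merges into tables
# to make rules more efficient.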
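# Use "profile" to adaptively change rule order
set ruleset-optimization basic

##
## Logging
##

# Don't collect interface stats (we can use labels and anchors for that)
set loginterface none

# Set noise level (none -> urgent -> misc -> loud)
set debug urgent

##
## Timeouts (see pfctl -s timeout)
##

# Allow clients 2 minutes to complete a handshake
set timeout tcp.first 120

# Allow 2 hours before we kill an idle connection
set timeout tcp.established 7200

##
## State limits
##

# Allow 30000 states at the maximum, with 15000 fragments tracked
set limit { states 30000 , frags 15000 }

# Once we pass 25000 states, start scaling the TTL on existing states
# to age them out more aggressively (until we hit 30000 and kill all)
set timeout { adaptive.start 25000 , adaptive.end 30000 }

###########################################################################
### Traffic Normalization ###
###########################################################################

# Reassemble fragments so we only have to deal with whole packets
# randomize ids for hosts that aren't smart enough to do it themselves
scrub in all random-id fragment reassemble

# Enforce TCP window and TTL behavior
#scrub all reassemble tcp
# jhealy: 2008/07/08: "reassemble tcp" still causes some problems with
# certain web servers (connections appear to hang).
# *sigh* -- disabling and only doing fragment reassm
scrub all

###########################################################################
### Queueing ###
###########################################################################

# We have a packet shaping box that comes before the firewalls, so we
# do not have major queueing rules here.  We just have a "fail safe" to
# keep our internet usage under our quota.

### DISABLED HARD LIMITS
##
## We have a packetshaper inside our network which handles rate-limiting
## based on the priority of traffic.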
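## If you also enable rate-limiting on
## the firewall, it may drop packets arbitrarily, rather than by these
## priority rules.  Thus, we disable any limits here and assume the
## shaper will take care of it.
##
## If, for any reason, you need to rate limit here (for example, the shaper
## isn't working), REMOVE the "default" option from the "icenlocal" and
## "ocenlocal" lines below and set their qlimit to 30.  Then, ADD the
## "default" option to the "icentransit" and "ocentransit" lines below.
## You will probably also want to flush states when you reload the rules
## to force traffic to the new queue.

# outbound external interface
altq on $cen_if hfsc bandwidth 1Gb queue { ocenlocal, ocentransit }

# cen "on-net" traffic (no charge for bandwidth)
# JHEALY_TEMP: add "default" back when shaper is working!
queue ocenlocal hfsc(realtime 30Mb linkshare 30Mb upperlimit 1Gb) qlimit 10

# cen metered traffic (cannot exceed 135Mb total outbound)
# JHEALY_TEMP: uncomment line below and remove lines afterwards that define
# subqueues after shaper is working again
#queue ocentransit hfsc(realtime 135Mb linkshare 135Mb upperlimit 135Mb) qlimit 10

# JHEALY_TEMP: remove these sub-queues when shaper is working again, and
# instead use single ocentransit queue above
queue ocentransit hfsc(realtime 0Mb linkshare 135Mb upperlimit 135Mb) { \
    odmz, onetadmin, ofacstaff, odefault }
queue odmz      hfsc(realtime 10Mb linkshare 20Mb upperlimit 125Mb \
                     red ecn) qlimit 30
queue onetadmin hfsc(realtime 10Mb linkshare 15Mb upperlimit 125Mb \
                     red ecn) qlimit 30
queue ofacstaff hfsc(realtime 20Mb linkshare 11Mb upperlimit 125Mb \
                     red ecn) qlimit 30
queue odefault  hfsc(realtime 20Mb linkshare 9Mb upperlimit 125Mb \
                     red ecn default) qlimit 30

# inbound internal interface
altq on $lan_if hfsc bandwidth 1Gb queue { ilan, icenlocal, icentransit }

# local area traffic (doesn't leave our network)
queue ilan hfsc(realtime 135Mb linkshare 10Mb upperlimit 1Gb) qlimit 50

# cen "on-net" traffic (no charge for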
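# bandwidth)
# JHEALY_TEMP: add "default" back when shaper is working!
queue icenlocal hfsc(realtime 30Mb linkshare 30Mb upperlimit 1Gb) qlimit 10

# cen metered traffic (cannot exceed 135Mb total inbound)
# JHEALY_TEMP: uncomment line below and remove lines afterwards that define
# subqueues after shaper is working again
#queue icentransit hfsc(realtime 135Mb linkshare 135Mb upperlimit 135Mb) qlimit 10

# JHEALY_TEMP: remove these sub-queues when shaper is working again, and
# instead use single icentransit queue above
queue icentransit hfsc(realtime 0Mb linkshare 135Mb upperlimit 135Mb) { \
    idmz, inetadmin, ifacstaff, idefault }
queue idmz      hfsc(realtime 10Mb linkshare 20Mb upperlimit 125Mb \
                     red ecn) qlimit 30
queue inetadmin hfsc(realtime 10Mb linkshare 15Mb upperlimit 125Mb \
                     red ecn) qlimit 30
queue ifacstaff hfsc(realtime 20Mb linkshare 11Mb upperlimit 125Mb \
                     red ecn) qlimit 30
queue idefault  hfsc(realtime 20Mb linkshare 9Mb upperlimit 125Mb \
                     red ecn default) qlimit 30

###########################################################################
### Translation ###
###########################################################################

##
## DMZ Servers (be sure to add to Packet Filtering section below as well)
##

# Sample
#sample_lan="172.30.0."
#sample_cen="72.10.118."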
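#sample_tcp="{ }"
#sample_udp="{ }"
#binat on $cen_if inet from $sample_lan to any -> $sample_cen

# Luke (LDAP/Kerberos) [See below for Google/Postini special case SMTP]
luke_lan="172.30.0.2"
luke_cen="72.10.118.2"
luke_tcp="{ kerberos , ldap , ldaps , submission }"
luke_udp="{ kerberos }"
binat on $cen_if inet from $luke_lan to any -> $luke_cen

# Leia (LDAP/Kerberos) [See below for Google/Postini special case SMTP]
leia_lan="172.30.0.3"
leia_cen="72.10.118.3"
leia_tcp="{ kerberos , ldap , ldaps , submission }"
leia_udp="{ kerberos }"
binat on $cen_if inet from $leia_lan to any -> $leia_cen

# Werner (VPN)
werner_lan="172.30.0.9"
werner_cen="72.10.118.8"
werner_tcp="{ pptp }"
werner_udp="{ isakmp , ipsec-nat-t , 1701 , pptp }"
binat on $cen_if inet from $werner_lan to any -> $werner_cen

# Jamaica (Aruba master controller address for Remote AP deployment)
jamaica_lan="172.19.32.3"
jamaica_cen="72.10.118.31"
jamaica_udp="{ isakmp , ipsec-nat-t , 1701 }"
binat on $cen_if inet from $jamaica_lan to any -> $jamaica_cen

# Cerebro (FileMaker)
cerebro_lan="172.30.0.117"
cerebro_cen="72.10.118.4"
cerebro_tcp="{ http , https }"
binat on $cen_if inet from $cerebro_lan to any -> $cerebro_cen

# Tessa (File Server)
tessa_lan="172.30.0.105"
tessa_cen="72.10.118.5"
tessa_tcp="{ ssh , http , https , 3690 , 8008 , 8443 }"
# also 8096 8086 8087 ?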
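# for wiki, blog, ical
binat on $cen_if inet from $tessa_lan to any -> $tessa_cen

# Marion (Library Catalog / Streaming Server)
marion_lan="172.30.0.6"
marion_cen="72.10.118.6"
marion_tcp="{ http , rtsp , 7070 , 8000 , 8001 }"
marion_udp="{ 6970:6999 }"
binat on $cen_if inet from $marion_lan to any -> $marion_cen

# Sigma (Jason's web server)
# NOTE(review): no sigma_tcp/sigma_udp macro exists, and the filtering
# section passes all of inet to $sigma_lan without a port list -- confirm
# that is intended for a web server.
sigma_lan="172.30.0.7"
sigma_cen="72.10.118.7"
binat on $cen_if inet from $sigma_lan to any -> $sigma_cen

# Gordon (FirstClass Core)
gordon_lan="172.30.0.115"
gordon_cen="72.10.118.29"
gordon_tcp="{ 510 , ssh }"
gordon_udp="{ 810 }"
binat on $cen_if inet from $gordon_lan to any -> $gordon_cen

# Reba (FirstClass Inet Svcs) [See below for Google/Postini SMTP]
reba_lan="172.30.0.116"
reba_cen="72.10.118.30"
reba_tcp="{ ssh , ftp-data , ftp , http , https , imap , imaps , 943 , 2195 }"
binat on $cen_if inet from $reba_lan to any -> $reba_cen

# Cliff (mailman listserver)
cliff_lan="172.30.0.84"
cliff_cen="72.10.118.9"
cliff_tcp="{ http , https , smtp }"
binat on $cen_if inet from $cliff_lan to any -> $cliff_cen

# Vader (Netadmin VPN / ssh)
vader_lan="172.19.0.4"
vader_cen="72.10.118.10"
vader_tcp="{ ssh }"
vader_udp="{ isakmp , ipsec-nat-t , 1701 }"
binat on $cen_if inet from $vader_lan to any -> $vader_cen

# Aragog (WWW: web, library, sphereschools)
aragog_lan="172.30.0.81"
aragog_cen="72.10.118.11"
aragog_tcp="{ smtp , http , https }"
binat on $cen_if inet from $aragog_lan to any -> $aragog_cen

# Dumbledore (WWW: moodle)
dumbledore_lan="172.30.0.90"
dumbledore_cen="72.10.118.12"
dumbledore_tcp="{ http , https }"
binat on $cen_if inet from $dumbledore_lan to any -> $dumbledore_cen

# RT (WWW: help / request tracker)
rt_lan="172.30.0.86"
rt_cen="72.10.118.13"
rt_tcp="{ http , https }"
binat on $cen_if inet from $rt_lan to any -> $rt_cen

# pr0n (ELF Sharing)
pr0n_lan="172.30.0.32"
pr0n_cen="72.10.118.14"
pr0n_tcp="{ http , https }"
binat on $cen_if inet from $pr0n_lan to any -> $pr0n_cen

# Luigi (Game server: armagetron, bzFlag,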
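# teamspeak)
luigi_lan="172.30.0.23"
luigi_cen="72.10.118.15"
luigi_tcp="{ 4534 5154:5164 8767 14534 }"
luigi_udp="{ 4534 5154:5164 8767 14534 }"
binat on $cen_if inet from $luigi_lan to any -> $luigi_cen

# Yakko (NTP server)
yakko_lan="172.30.0.24"
yakko_cen="72.10.118.16"
yakko_tcp="{ ntp }"
yakko_udp="{ ntp }"
binat on $cen_if inet from $yakko_lan to any -> $yakko_cen

# Wakko (NTP server)
wakko_lan="172.30.0.25"
wakko_cen="72.10.118.17"
wakko_tcp="{ ntp }"
wakko_udp="{ ntp }"
binat on $cen_if inet from $wakko_lan to any -> $wakko_cen

# Dot (NTP server)
dot_lan="172.30.0.26"
dot_cen="72.10.118.18"
dot_tcp="{ ntp }"
dot_udp="{ ntp }"
binat on $cen_if inet from $dot_lan to any -> $dot_cen

##
## Vendor IPs (restricted and shared)
##

# One public address shared by every vendor rdr below; the rdr rules are
# told apart by source address and port, so port numbers must stay unique
# across the vendors that share it.
vendor_cen="72.10.118.19"

# SNE Building Management Server
snebms_ext="68.15.53.219"
snebms_lan="172.19.194.2"
snebms_cen=$vendor_cen
snebms_tcp="{ http , 3011 , 5800 , 5900 }"
rdr on $cen_if inet proto tcp from $snebms_ext \
    to $snebms_cen port $snebms_tcp -> $snebms_lan
nat on $cen_if inet from $snebms_lan to any -> $snebms_cen

# ABS Building Management Server
absbms_ext="{ 12.229.122.90 , 12.229.122.91 , 12.229.122.92 , 12.229.122.93 , 12.229.122.94 }"
absbms_lan="172.19.194.4"
absbms_cen=$vendor_cen
absbms_tcp="{ 5800 , 5900 }"
rdr on $cen_if inet proto tcp from $absbms_ext \
    to $absbms_cen port $absbms_tcp -> $absbms_lan
nat on $cen_if inet from $absbms_lan to any -> $absbms_cen

# Webcam access
# NOTE(review): unlike the BMS entries these rdr rules take "from any";
# the cameras are reachable from the whole Internet on the shared vendor IP.
webcam_poolsouth_lan="172.19.96.11"
webcam_poolsouth_cen=$vendor_cen
webcam_poolsouth_ports="{ 8554 }"
rdr on $cen_if inet proto { tcp , udp } from any \
    to $webcam_poolsouth_cen port $webcam_poolsouth_ports -> $webcam_poolsouth_lan
nat on $cen_if inet from $webcam_poolsouth_lan to any -> $webcam_poolsouth_cen

webcam_poolnorth_lan="172.19.96.50"
webcam_poolnorth_cen=$vendor_cen
webcam_poolnorth_ports="{ 8555 }"
rdr on $cen_if inet proto { tcp , udp } from any \
    to $webcam_poolnorth_cen port $webcam_poolnorth_ports -> $webcam_poolnorth_lan
nat \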
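on $cen_if inet from $webcam_poolnorth_lan to any -> $webcam_poolnorth_cen

# IPerf Performance Testing
# NOTE(review): open to "from any" on tcp and udp 5001; an iperf server that
# anyone can drive is an easy way to burn the metered CEN bandwidth this
# ruleset tries to protect -- consider limiting the source.
iperf_lan="172.31.1.16"
iperf_cen=$vendor_cen
iperf_ports="{ 5001 }"
rdr on $cen_if inet proto { tcp , udp } from any \
    to $iperf_cen port $iperf_ports -> $iperf_lan
nat on $cen_if inet from $iperf_lan to any -> $iperf_cen

# Enernoc (generator monitoring)
# External port 8034/8035 on the shared vendor IP is mapped to Modbus (502)
# on the respective generator controller; only $enernoc_ext may connect.
enernoc_ext="{ 216.93.250.70 , 8.192.1.0/25 , 8.192.160.0/25 }"
enernoc_cen=$vendor_cen
enernoc_tcp="502"

# Library generator
enernocl_lan="172.30.0.34"
enernocl_tcp="8034"
rdr on $cen_if inet proto tcp from $enernoc_ext \
    to $enernoc_cen port $enernocl_tcp -> $enernocl_lan port $enernoc_tcp
nat on $cen_if inet from $enernocl_lan to any -> $enernoc_cen

# Brewster generator
enernocb_lan="172.30.0.35"
enernocb_tcp="8035"
rdr on $cen_if inet proto tcp from $enernoc_ext \
    to $enernoc_cen port $enernocb_tcp -> $enernocb_lan port $enernoc_tcp
nat on $cen_if inet from $enernocb_lan to any -> $enernoc_cen

# Unpublished primary DNS service (CEN hosts the name servers)
cendns_ext="{ 67.218.95.0/24 , 207.210.151.0/24 , 159.247.233.2 , 159.247.233.18 , 207.210.132.35 }"
cendns_cen=$vendor_cen
cendns_lan="172.30.0.4"
cendns_ports="domain"
rdr on $cen_if inet proto { tcp, udp } from $cendns_ext \
    to $cendns_cen port $cendns_ports -> $cendns_lan
nat on $cen_if inet from $cendns_lan to any -> $cendns_cen

# Bradford Campus Manager - allow tunnel to manage appliance
bradford_ext="{ 216.153.209.2 }"
bradford_cen=$vendor_cen
bradford_lan="172.31.1.13"
bradford_ports="{ 22 }"
rdr on $cen_if inet proto tcp from $bradford_ext \
    to $bradford_cen port $bradford_ports -> $bradford_lan
nat on $cen_if inet from $bradford_lan to any -> $bradford_cen

# IT Solutions - allow VNC access to FM staging machine
its_ext="{ 74.94.63.16/29 , 76.99.3.11 }"
its_cen=$vendor_cen
its_client_lan="172.30.0.118"
its_client_ports="{ 22, 5900 }"
rdr on $cen_if inet proto tcp from $its_ext \
    to $its_cen port \
    $its_client_ports -> $its_client_lan
nat on $cen_if \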
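inet from $its_client_lan \
    to $its_ext -> $its_cen

# Sirius (Suffield Summer Server)
sirius_lan="172.30.0.70"
sirius_cen="72.10.118.20"
sirius_tcp="{ www }"
#sirius_udp="{ }"
binat on $cen_if inet from $sirius_lan to any -> $sirius_cen

# habs.org
habs_lan="172.30.0.94"
habs_cen="72.10.118.21"
habs_tcp="{ www }"
binat on $cen_if inet from $habs_lan to any -> $habs_cen

# ullramassoc.com
ullramassoc_lan="172.30.0.95"
ullramassoc_cen="72.10.118.22"
ullramassoc_tcp="{ www }"
binat on $cen_if inet from $ullramassoc_lan to any -> $ullramassoc_cen

# wnessla.org
wnessla_lan="172.30.0.96"
wnessla_cen="72.10.118.23"
wnessla_tcp="{ www }"
binat on $cen_if inet from $wnessla_lan to any -> $wnessla_cen

# wmloa.org
wmloa_lan="172.30.0.97"
wmloa_cen="72.10.118.24"
wmloa_tcp="{ www }"
binat on $cen_if inet from $wmloa_lan to any -> $wmloa_cen

# SMTP
smtp_lan="{ 172.30.0.16 , 172.30.0.17 }"
smtp_cen="72.10.118.25"
nat on $cen_if inet from $smtp_lan to any -> $smtp_cen

# CAISLists (mailman listserver)
caislists_lan="172.30.0.15"
caislists_cen="72.10.118.27"
caislists_tcp="{ http , https , smtp }"
binat on $cen_if inet from $caislists_lan to any -> $caislists_cen

# CTCSTA (web/mail)
ctcsta_lan="172.30.0.8"
ctcsta_cen="72.10.118.28"
ctcsta_tcp="{ http , https , smtp , ssh }"
binat on $cen_if inet from $ctcsta_lan to any -> $ctcsta_cen

##
## Default NAT (first match wins)
##

# NOTE(review): "<TABLE_NAME_LOST>" marks a pf table name stripped by
# extraction; each of the four rules below had its own source table and
# its own pool table -- restore them from the original pf.conf.

# Send all web traffic out a single IP address
#nat log (to pflog1) on $cen_if inet proto tcp from { <TABLE_NAME_LOST> } \
#    to any port $web_ports -> $web_nat

nat log (to pflog1) on $cen_if inet from { <TABLE_NAME_LOST> } to any -> \
    <TABLE_NAME_LOST> round-robin sticky-address
nat log (to pflog1) on $cen_if inet from { <TABLE_NAME_LOST> } to any -> \
    <TABLE_NAME_LOST> round-robin sticky-address
nat log (to pflog1) on $cen_if inet from { <TABLE_NAME_LOST> } to any -> \
    <TABLE_NAME_LOST> round-robin sticky-address

# Default: NAT to our round-robin pool (record translation address)
nat log (to pflog1) on $cen_if inet from { <TABLE_NAME_LOST> } to any -> \
    <TABLE_NAME_LOST> round-robin sticky-address

##
## Honeypot (redirect commonly attacked ports to tarpit them)
##

# ignore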
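# ssh honeypot for hosts that actually use ssh
no rdr on $cen_if inet proto tcp from any to \
    { $tessa_cen , $vader_cen , $sigma_cen , $ctcsta_cen , $gordon_cen , $reba_cen } port 22

# send ssh and ms-domain requests to discard port
# NOTE(review): this matches "to any", so every public address we own --
# including the shared vendor IP and the binat hosts not listed above -- has
# 22/445 diverted to the local tarpit; keep the exemption list above in sync
# when a new SSH-speaking host is added.
rdr on $cen_if inet proto tcp from any to any port { 22 , 445 } \
    -> 127.0.0.1 port 6666

###########################################################################
### Packet Filtering ###
###########################################################################

# Note: Filter rules are applied AFTER redirection and NAT, so all
# source/destinations should be specified according to what they would
# be after translation takes place.

#
# Honeypot and blacklists
#

# NOTE(review): "<TABLE_NAME_LOST>" marks a pf table name stripped by
# extraction; from the pfctl line below the overload table is presumably
# <portscanners> and the "from !" exclusion is presumably the LAN table --
# verify against the original pf.conf.

# blocked traffic remains until you manually expire them out:
#   pfctl -t portscanners -T expire 86400 (expires all blocked older than 1 day)
# ADD A CRON JOB to do this!
block in log quick from <TABLE_NAME_LOST> to any

# Any redirected "honeypot" traffic is garbage, so be aggressive about
# blacklisting this traffic.
pass quick inet proto tcp from ! <TABLE_NAME_LOST> \
    to 127.0.0.1 port 6666 keep state \
    (max-src-conn-rate 3/60, overload <TABLE_NAME_LOST> flush global)

# Blacklist hosts that try to connect to legitimate SSH servers
# more than 5 times a minute over several minutes
pass quick inet proto tcp from ! <TABLE_NAME_LOST> \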
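to \
    { $tessa_lan , $vader_lan , $sigma_lan , $ctcsta_lan } \
    port ssh keep state \
    (max-src-conn-rate 10/120, overload <TABLE_NAME_LOST> flush global)
# NOTE(review): "<TABLE_NAME_LOST>" marks a pf table name stripped by
# extraction; restore each one from the original pf.conf. Also note that
# gordon and reba are exempted from the SSH honeypot in the Translation
# section but are not covered by the rate limit above -- confirm that is
# intended.

##
## Failsafe permits
##

# Always allow CARP advertisements
# NOTE(review): this also accepts CARP on $cen_if; if the redundancy peer is
# only reachable over the LAN side, a spoofed advertisement from the WAN
# could influence master election unless the CARP password is relied upon.
pass quick on { $lan_if , $cen_if } proto carp queue ilan keep state (no-sync)

# Allow network administrator access to SSH
pass in quick on $lan_if proto tcp \
    from <TABLE_NAME_LOST> to $fw_ip port ssh queue ilan keep state (no-sync)

# Allow SNMP access
pass in quick on $lan_if proto udp \
    from <TABLE_NAME_LOST> to $fw_ip port snmp queue ilan keep state (no-sync)

##
## Bogus/Evil packets
##

# immediately drop and log packets that are clearly not valid
block in log quick from <TABLE_NAME_LOST> to any

# don't accept packets with our internal addresses on the external interface
block in log quick on !$lan_if from <TABLE_NAME_LOST> to any

# ignore inbound traffic that's not for us (don't even bother logging)
block in quick from any to <TABLE_NAME_LOST>

##
## Default policy
##

# block and log by default
block in log all tag $reject
block out log all tag $reject

# allow ICMP to everyone (in our case, this covers binat machines)
# NOTE(review): every ICMP type is accepted in both directions; the usual
# hardening is to limit this with "icmp-type" to echoreq and the error
# types needed for path MTU discovery.
pass inet proto icmp \
    tag $accept

##
## Firewall-sourced connections
##

# don't label this rule -- it will generate a rule for every virtual ip
# the firewall listens on...
pass out from self tag $accept

##
## DMZ Hosts (Be sure to add to Translation section above as well)
##

# Note: ICMP is allowed to all machines in the "default policy" section
# above, so you only need to explicitly allow TCP, UDP, etc.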
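# Sample (jhealy: don't use "synproxy state"; appears to be broken)
#pass inet proto tcp from any to $sample_lan port $sample_tcp \
#    tag $accept
#pass inet proto udp from any to $sample_lan port $sample_udp \
#    tag $accept

# Luke (LDAP/Kerberos)
# NOTE(review): $luke_tcp includes plain ldap (389) and this rule is
# "from any"; unless anonymous binds are disabled on the server, directory
# contents and simple-bind credentials are exposed to the Internet in clear.
pass inet proto tcp from any to $luke_lan port $luke_tcp \
    tag $accept
pass inet proto udp from any to $luke_lan port $luke_udp \
    tag $accept
# Allow inbound SMTP from Postini/Google only
pass inet proto tcp from { 64.18.0.0/20 } to $luke_lan port smtp \
    tag $accept

# Leia (LDAP/Kerberos)
pass inet proto tcp from any to $leia_lan port $leia_tcp \
    tag $accept
pass inet proto udp from any to $leia_lan port $leia_udp \
    tag $accept
# NOTE(review): leia has no pptp/VPN service in its macros, so this GRE
# rule looks copied from the Werner entry -- confirm it is needed.
pass inet proto gre from any to $leia_lan \
    tag $accept
# Allow inbound SMTP from Postini/Google only
pass inet proto tcp from { 64.18.0.0/20 } to $leia_lan port smtp \
    tag $accept

# Werner (VPN)
pass inet proto tcp from any to $werner_lan port $werner_tcp \
    tag $accept
pass inet proto udp from any to $werner_lan port $werner_udp \
    tag $accept
pass inet proto gre from any to $werner_lan \
    tag $accept

# Jamaica (Aruba master controller address for Remote AP deployment)
#pass inet proto tcp from any to $jamaica_lan port $jamaica_tcp \
#    tag $accept
pass inet proto udp from any to $jamaica_lan port $jamaica_udp \
    tag $accept
pass inet proto gre from any to $jamaica_lan \
    tag $accept

# Cerebro (FileMaker)
pass inet proto tcp from any to $cerebro_lan port $cerebro_tcp \
    tag $accept

# Tessa (File Server)
pass inet proto tcp from any to $tessa_lan port $tessa_tcp \
    tag $accept

# Marion (Library Catalog / Streaming Server)
pass inet proto tcp from any to $marion_lan port $marion_tcp \
    tag $accept
pass inet proto udp from any to $marion_lan port $marion_udp \
    tag $accept

# Sigma (Jason's web server)
# NOTE(review): no proto or port restriction -- every IP protocol from
# anywhere reaches this host; confirm a port list is not wanted.
pass inet from any to $sigma_lan \
    tag $accept

# Gordon (FirstClass Core)
pass inet proto tcp from any to $gordon_lan port $gordon_tcp \
    tag $accept
pass inet proto udp from any to $gordon_lan port $gordon_udp \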
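tag $accept

# Reba (FirstClass Inet Svcs)
pass inet proto tcp from any to $reba_lan port $reba_tcp \
    tag $accept
# Allow inbound SMTP from Postini/Google only
pass inet proto tcp from { 64.18.0.0/20 } to $reba_lan port smtp \
    tag $accept

# Cliff (mailman listserver)
pass inet proto tcp from any to $cliff_lan port $cliff_tcp \
    tag $accept

# Vader (Netadmin VPN / ssh)
pass inet proto tcp from any to $vader_lan port $vader_tcp \
    tag $accept
pass inet proto udp from any to $vader_lan port $vader_udp \
    tag $accept
pass inet proto gre from any to $vader_lan \
    tag $accept

# Aragog (WWW: web, library, sphereschools)
pass inet proto tcp from any to $aragog_lan port $aragog_tcp \
    tag $accept

# Dumbledore (WWW: moodle)
pass inet proto tcp from any to $dumbledore_lan port $dumbledore_tcp \
    tag $accept

# RT (WWW: help / request tracker)
pass inet proto tcp from any to $rt_lan port $rt_tcp \
    tag $accept

# pr0n (ELF Sharing)
pass inet proto tcp from any to $pr0n_lan port $pr0n_tcp \
    tag $accept

# Luigi (Game server: armagetron, bzFlag, teamspeak)
pass inet proto tcp from any to $luigi_lan port $luigi_tcp \
    tag $accept
pass inet proto udp from any to $luigi_lan port $luigi_udp \
    tag $accept

# Yakko (NTP server)
pass inet proto tcp from any to $yakko_lan port $yakko_tcp \
    tag $accept
pass inet proto udp from any to $yakko_lan port $yakko_udp \
    tag $accept

# Wakko (NTP server)
pass inet proto tcp from any to $wakko_lan port $wakko_tcp \
    tag $accept
pass inet proto udp from any to $wakko_lan port $wakko_udp \
    tag $accept

# Dot (NTP server)
pass inet proto tcp from any to $dot_lan port $dot_tcp \
    tag $accept
pass inet proto udp from any to $dot_lan port $dot_udp \
    tag $accept

##
## Vendor IPs (restricted and shared)
##

# SNE Building Management Server
pass inet proto tcp from $snebms_ext to $snebms_lan port $snebms_tcp \
    tag $accept

# ABS Building Management Server
pass inet proto tcp from $absbms_ext to $absbms_lan port $absbms_tcp \
    tag $accept

# Webcam Access
pass inet proto { tcp \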
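, udp } from any to $webcam_poolsouth_lan \
    port $webcam_poolsouth_ports \
    tag $accept
pass inet proto { tcp , udp } from any to $webcam_poolnorth_lan \
    port $webcam_poolnorth_ports \
    tag $accept

# IPerf performance testing
# NOTE(review): reachable "from any" on tcp/udp 5001; a public iperf
# server can be used by anyone to consume the metered CEN bandwidth.
pass inet proto { tcp , udp } from any to $iperf_lan port $iperf_ports \
    tag $accept

# Enernoc (generator monitoring)
# Library generator
pass inet proto tcp from $enernoc_ext to $enernocl_lan port $enernoc_tcp \
    tag $accept
# Brewster generator
pass inet proto tcp from $enernoc_ext to $enernocb_lan port $enernoc_tcp \
    tag $accept

# Unpublished primary DNS
pass inet proto { tcp , udp } from $cendns_ext to $cendns_lan port $cendns_ports \
    tag $accept

# Bradford Campus Manager
pass inet proto tcp from $bradford_ext to $bradford_lan port $bradford_ports \
    tag $accept

# IT Solutions
pass inet proto tcp from $its_ext to $its_client_lan \
    port $its_client_ports \
    tag $accept

# Sirius
pass inet proto tcp from any to $sirius_lan port $sirius_tcp \
    tag $accept
#pass inet proto udp from any to $sirius_lan port $sirius_udp \
#    tag $accept

# habs.org
pass inet proto tcp from any to $habs_lan port $habs_tcp \
    tag $accept

# ullramassoc.com
pass inet proto tcp from any to $ullramassoc_lan port $ullramassoc_tcp \
    tag $accept

# wnessla.org
pass inet proto tcp from any to $wnessla_lan port $wnessla_tcp \
    tag $accept

# wmloa.org
pass inet proto tcp from any to $wmloa_lan port $wmloa_tcp \
    tag $accept

# SMTP
# pass no inbound for now

# CAISLists (mailman listserver)
pass inet proto tcp from any to $caislists_lan port $caislists_tcp \
    tag $accept

# CTCSTA (web/mail server)
pass inet proto tcp from any to $ctcsta_lan port $ctcsta_tcp \
    tag $accept

##
## Final Cleanup
##

#
# NAT hosts
#

# NOTE(review): "<TABLE_NAME_LOST>" marks a pf table name stripped by
# extraction; here it is presumably the LAN table on both sides -- restore
# from the original pf.conf.

# Allow anyone on the LAN to communicate to initiate connections to the
# outside (except as overridden below); log connections for analysis
pass in log (to pflog1) on $lan_if from <TABLE_NAME_LOST> to ! <TABLE_NAME_LOST> \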
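tag $accept

# NOTE(review): "<TABLE_NAME_LOST>" marks a pf table name stripped by
# extraction; restore each one from the original pf.conf.

# We use "inet" to only pass IPv4 for now
pass out on $cen_if inet from <TABLE_NAME_LOST> \
    tag $accept
pass out on $cen_if inet proto tcp from $web_nat port $web_ports \
    tag $accept

# Block outgoing SMTP for non-trusted servers
# NOTE(review): as written this matches the *source* port (a reply from a
# mail server), not connections to a remote port 25, and on $cen_if the
# source address has already been NATed, so a LAN table is unlikely to
# match here. If the intent is to stop LAN hosts relaying mail directly,
# the usual form is an inbound rule on $lan_if with "to any port smtp";
# check the rule counters (pfctl -vsr) to confirm whether these ever fire.
block out log on $cen_if proto tcp from <TABLE_NAME_LOST> port smtp \
    tag $reject
block out log on $cen_if proto tcp from <TABLE_NAME_LOST> port smtp \
    tag $reject

##
## Queue Assignment
##

# As packets leave the system, divert to the proper queue based on source
# and destination address.  To prevent passing *all* traffic, we only pass
# out traffic that has been previously tagged as OK.
# NOTE: queues are stored in the state table, so changing queue assignments
# may not have an immediate effect on existing connections

# identify LAN-only traffic (note: no direction is specified here, as packets
# are both sent and received to/from LAN on this interface)
pass on $lan_if inet from <TABLE_NAME_LOST> to <TABLE_NAME_LOST> tagged $accept \
    queue ilan

# identify any "on-net" CEN traffic that should not be rate-limited
# Queue assignments are stateful, so you must set up both the forward
# and return queues at the time the session is started.  This looks a
# little weird below, but it sets up the queue assignments in both directions
# regardless of who sourced the traffic.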
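# NOTE(review): "<TABLE_NAME_LOST>" marks a pf table name stripped by
# extraction; judging by the queue names these are presumably the CEN
# on-net, servers, netadmin and faculty/staff tables -- restore from the
# original pf.conf.

# For packets sourced from our network, have the return traffic
# put on icenlocal, and the sourced traffic passed out on ocenlocal
pass in quick on $lan_if inet from any to <TABLE_NAME_LOST> \
    tagged $accept queue icenlocal
pass out quick on $cen_if inet from any to <TABLE_NAME_LOST> \
    tagged $accept queue ocenlocal

# For packets sourced from CEN, have the return traffic go out on
# ocenlocal, and the sourced traffic passed in on icenlocal
pass in quick on $cen_if inet from <TABLE_NAME_LOST> to any \
    tagged $accept queue ocenlocal
pass out quick on $lan_if inet from <TABLE_NAME_LOST> to any \
    tagged $accept queue icenlocal

# JHEALY_TEMP: give higher priority to some traffic until our
# shaper is fixed
pass in on $lan_if inet from <TABLE_NAME_LOST> to any \
    tagged $accept queue idmz
pass out on $cen_if inet from <TABLE_NAME_LOST> to any \
    tagged $accept queue odmz
pass in on $lan_if inet from <TABLE_NAME_LOST> to any \
    tagged $accept queue inetadmin
pass out on $cen_if inet from <TABLE_NAME_LOST> to any \
    tagged $accept queue onetadmin
pass in on $lan_if inet from <TABLE_NAME_LOST> to any \
    tagged $accept queue ifacstaff
pass out on $cen_if inet from <TABLE_NAME_LOST> to any \
    tagged $accept queue ofacstaff

# allow our network to emit all the traffic it wants...
# NOTE(review): this is the last matching "pass out" on $cen_if and it has no
# "tagged $accept" qualifier, so for packets sourced from this table it
# overrides the "block out ... tag $reject" rules above (last match wins).
# If the comment at the top of this section is the intent, add
# "tagged $accept" here -- verify against the original table name first.
pass out on $cen_if from <TABLE_NAME_LOST> to any

# default: assign to the centransit queues (defined as default above in
# queueing section declarations)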