Router di OpenBSD (pf.conf)

Posted on

Kemaren iseng-isengan maen-maen ama OpenBSD dan coba-coba mau bikin router pake distribusi unix yang satu ini…

Berikut ini cuman sekedar contoh konfigurasi pf.conf :

### options –> normalization –> queueing –> translation –> filtering

### Macros ###
ext_if=”sk0″ # Menuju ke TELKOM
int_if=”sk1″ # INTRANET

### TABLES ###
table <unmulnet> { 10.10.1.0/24 }
table <wifi_dl> { 10.10.1.213 }
table <staff> { 10.10.1.79,10.10.1.80,10.10.1.81,10.10.1.82,10.10.1.83,10.10.1.84,10.10.1.85 }

### GLOBAL OPTIONS ###
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints “/etc/pf.os”

### TRAFFIC NORMALIZATION ###
#
scrub in all

# Port Yang Boleh Diakses dari Luar Box
ssh_ports = “{ 22 }”
im_ports = “{ 5050 5222 6667 }”
tcp_services = “{ 21 25 53 80 113 110 143 443 2082 5050 5222 6667 }”
udp_services = “{ 53 1194 }”

# Ping Requests
icmp_types = “echoreq”

### QUEUES – ALTQ rules ###
altq on $ext_if priq bandwidth 1024Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }

queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

altq on $int_if cbq bandwidth 1280Kb queue { std_in, ssh_im_in, dns_in, staff_in, wfidl_in }

queue std_in bandwidth 1024Kb cbq(default)
queue ssh_im_in bandwidth 32Kb priority 4
queue dns_in bandwidth 32Kb priority 5
queue staff_in bandwidth 128Kb cbq(borrow)
queue wfidl_in bandwidth 64Kb cbq(borrow)

### TRANSLATION ###
nat on $ext_if from $int_if:network to any -> ($ext_if)
#nat-anchor “ftp-proxy/*”

#================#
## Redirections ##
#================#
rdr on $int_if proto tcp from <unmulnet> to !<unmulnet> port 80 -> 127.0.0.1 port 3128
rdr-anchor “ftp-proxy/*”
#rdr on $int_if proto tcp from <unmulnet> to !<unmulnet> port 21 -> 127.0.0.1 port 8021

#==================#
# Anchor Blockit #
#==================#
anchor blockit

#==================#
# Anchor FTP #
#==================#
anchor “ftp-proxy/*”

### PACKET FILTERING ###
set skip on lo0

# filter rules for $ext_if inbound #
# ============================= #
block in on $ext_if all

# filter rules for $ext_if outbound #
# ============================= #
block out on $ext_if all
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_services flags S/SA keep state queue(std_out, tcp_ack_out)
#pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state queue(std_out, tcp_ack_out)
#pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) icmp-type $icmp_types keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_services keep state
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain keep state queue dns_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports flags S/SA keep state queue(std_out, ssh_im_out)
pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

# filter rules for $int_if inbound #
# ============================ #
block in on $int_if all
pass in on $int_if from <unmulnet>

# filter rules for $int_if outbound #
# ============================ #
block out on $int_if all
pass out on $int_if from any to <unmulnet>
pass out on $int_if proto { tcp udp } from any port domain to <unmulnet> queue dns_in
pass out on $int_if proto tcp from any port $ssh_ports to <unmulnet> queue (std_in, ssh_im_in)
pass out on $int_if proto tcp from any port $im_ports to <unmulnet> queue ssh_im_in
pass out on $int_if from any to <staff> queue staff_in
pass out on $int_if from any to <wifi_dl> queue wfidl_in

## Deny spoofing
antispoof for $ext_if
antispoof for $int_if

# Localhost
pass quick on lo0 all

Gak lupa juga edit file /etc/sysctl.conf untuk mengktifkan ip fordwarding-nya, edit filenya dan un-commend pada baris ini :

net.inet.ip.forwarding=1

Untuk mengaktifkan PF-nya setiap kali boot coba buat file rc.conf.local di dalam directory /etc yang isiny, sebagai contoh :

named_flags=””
ntpd=NO
ftpproxy_flags=””
sendmail_flags=NO
pf=YES
inetd=NO
check_quotas=NO
mysql=YESS
snort=YES

Yach cuman sekedar share aza seh sekalian bikin log supaya gak lupa satu saat nanti klo penyakit iseng-nya kumat lagi !!! :)) sekali lagi ini hanya sekedar contoh saja jangan pelg-pleg kan dicoba di komputer kamu… banyak baca dulu sebelum melakukan sesuatu… sebagai catatan sebelumnya dalam box openBSD gue sudah terinstall MySQL, SQUID dan SNORT :p

3 comments

  1. saya newbee, baru kemarin install freebsd7. saya coba config diatas dengan menyesuaikan variabel tentunya,

    kok gak jalan ya limiter dowloadnya utk client nya, namun kalau diganti
    pass out on $int_if
    menjadi
    pass in on $int_if,
    bisa jalan, kenapa ya limiternya ??

    coba deh pake pftop -v queue trus donload film,
    nanti keliatan total benwit yang di pake, kalau sendirian dia bisa minjem benwith root nya ,

Leave a Reply

Your email address will not be published.