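##################################################
# pf.conf - packet filter ruleset for the SiteA gateway (em3 = public,
# bce1 = ATM link to Bleury, vlan0/1/2/6 and em0/bce0 = internal segments).
#
# Dialect: nat/rdr/scrub written as stand-alone rules, i.e. the pre-OpenBSD 4.7
# (or FreeBSD) pf grammar. Load with pfctl -nf to syntax-check before pfctl -f.
#
# NOTE(review): this copy appears to have had address operands stripped: rules
# such as "from to port 80", lists such as "{ , }" and trailing commas such as
# "{ $BLEURY_PUB_NAT, }" are not valid pf syntax and will be rejected by pfctl
# until the original hosts/macros (and the macro definitions themselves) are
# restored. They are left in place below exactly as found rather than guessed.
##################################################

##################################################
# Options
##################################################
# Cap both the state table and the source-tracking table at 2 000 000 entries
set limit states 2000000
set limit src-nodes 2000000
# Use the default ("normal") state-timeout profile
set optimization normal
# Silently drop blocked packets instead of returning RST/ICMP unreachable
set block-policy drop
# Host ID advertised in pfsync messages
set hostid 1
# Do not filter loopback interface
set skip on lo0

##################################################
# Queuing
##################################################
# (no queueing configured)

##################################################
# Traffic Normalization
##################################################
# Reassemble fragments and randomise IP IDs on the public interface only
# (internal interfaces are not scrubbed)
scrub in on em3 random-id fragment reassemble

##################################################
# Translation rules
##################################################
# Anchor for ftp-proxy(8) auto-inserted nat rules
nat-anchor "ftp-proxy/*"

# Outbound NAT for the internal networks, one CARP VIP per address group
nat on em3 inet from { $VLAN_27, $VLAN_100, $VLAN_101, $VLAN_102, 10.0.0.0/8, 192.168.1.0/24 } to any -> (carp10)
nat on em3 inet from 172.16.32.0/19 to any -> (carp12)
nat on em3 inet from 192.168.113.0/24 to any -> (carp11)

# Redirect all non-public FTP control connections to the local ftp-proxy
rdr-anchor "ftp-proxy/*"
rdr pass on ! em3 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr-anchor "tftp-proxy/*"

##################################################
# Packet Filtering
##################################################

#-------------------------------
# Default protections
#-------------------------------
# Default deny for inbound traffic on every interface. Outbound traffic is
# covered only by "pass out quick tagged PI" below; anything else leaving the
# box falls through to pf's implicit default pass.
# NOTE(review): consider "block drop log all" so the outbound policy is
# explicit too - confirm nothing relies on the implicit pass first.
block drop in log all label "Default block and log all"

# NOTE(review): the three hardening rules below are all disabled; antispoof
# and the RFC 1918 drop on em3 in particular are normally wanted on a public
# gateway. Re-enable once the redacted operands are restored, or record why
# they are off.
# Antispoof rules - Drop packets that pretend to be from self IP addresses
#antispoof for { bce0, bce1, em0, em3, vlan0, vlan1, vlan2, vlan3, vlan4, vlan5, vlan6 } inet
# Block source or destination port 0
#block drop log quick proto { tcp, udp } from any port 0 to any
#block drop log quick proto { tcp, udp } from any to any port 0
# Block all traffic from RFC 1918 Nets from WAN
#block drop in log quick on em3 inet from to any label "RFC 1918 Nets to WAN"

# TEMP
# NOTE(review): "proto 22" is IP protocol number 22 (XNS IDP), not TCP port 22.
# If SSH was intended this rule does nothing useful; either way it passes that
# protocol in both directions on every interface with quick. Remove, or replace
# with an interface- and destination-bound tcp/22 rule in the sections below.
pass quick proto 22 all keep state

# Allow CARP traffic for system failover
# NOTE(review): carp and pfsync are passed on all interfaces. pfsync is
# unauthenticated; restricting both to the dedicated sync/CARP segment
# ("on <sync_if>") keeps the state table from being written to from em3.
pass quick proto carp all keep state
# Allow PFSync traffic for state table replication
pass quick proto pfsync all

# Allow all outbound traffic that has been processed by pass in rules
pass out quick tagged PI

#-------------------------------
# Traffic to public interface
#-------------------------------
# Allow incoming HTTP access to all public services that are available
pass in quick on em3 proto tcp from any to port 80 label "HTTP connections to public services" tag PI
# Allow incoming HTTPS access all public services that are available
pass in quick on em3 proto tcp from any to port 443 label "HTTPS connections to public services" tag PI
# Allow incoming PCU requests
pass in quick on em3 proto tcp from any to $SITEA_PCU_PUB port 3436 label "TCP/3436 connections to PCU" tag PI

# Allow incoming DNS requests to management hosts
# NOTE(review): no "on <if>" qualifier, so this matches on every interface
# including em3. Add the interface(s) the DNS hosts should be reachable from.
pass in quick proto udp from any to port 53 label "Incoming DNS to management hosts" tag PI

# Allow incoming traffic from other sites for management and monitoring
# NOTE(review): the SSH rule has no "to", so "port 22" binds to the SOURCE
# port: it passes any TCP connection from those networks whose source port is
# 22, to any destination port, and does not pass ordinary SSH at all. The
# intended form is "from { $BLEURY_PUB_NAT, <sites> } to <hosts> port 22",
# mirroring the management rule that follows it.
pass in on em3 proto tcp from { $BLEURY_PUB_NAT, } port 22 label "SSH requests from Bleury office and SiteB networks" tag PI
pass in on em3 proto tcp from { $BLEURY_PUB_NAT, } to port { 443, 5666, 8000 } label "Management requests from Bleury and SiteB networks" tag PI
pass in on em3 proto tcp from to $SITEA_GUS_PUB port { 2221:2224, 8081:8084 } label "SSH validation from update sync servers" tag PI

#-------------------------------
# Traffic from VLAN 10 (interface vlan0)
#-------------------------------
# Allow MySQL requests to databases
pass in on vlan0 proto tcp from $VLAN_10 to port 3306 label "MySQL access from NIX systems" tag PI
# Allow outbound HTTPS from NIX and Prov systems
pass in on vlan0 proto tcp from $VLAN_10 to port 443 label "HTTPS external request access from NIX systems" tag PI
pass in on vlan0 proto tcp from to port 443 label "HTTPS external request access from Prov systems" tag PI

#-------------------------------
# Traffic from VLAN 21 (interface vlan1)
#-------------------------------
# Allow Oracle connections
pass in on vlan1 proto tcp from $VLAN_21 to $VLAN_101 port 1521 label "Oracle traffic from VLAN 21 to databases" tag PI
# Allow MySQL connections
pass in on vlan1 proto tcp from $VLAN_21 to port 3306 label "MySQL traffic from VLAN 21 to databases" tag PI

#-------------------------------
# Traffic from VLAN 26 (interface vlan2)
#-------------------------------
# Allow PCU External calls to netsweeper
pass in quick on vlan2 proto tcp from to port 3436 label "PCU CNS external calls" tag PI
# Port 21 from this VLAN is first redirected to ftp-proxy by the rdr rule above
pass in quick on vlan2 proto tcp from to port 21 label "PCU FTP updates" tag PI
# Allow MISC external calls to partners
pass in on vlan2 proto tcp from to port 80 label "MISC external 80 calls to partners" tag PI
# Allow CP external calls to partners
# (label corrected from a copy of the MISC rule so pfctl -sl counters are distinct)
pass in on vlan2 proto tcp from to port 80 label "CP external 80 calls to partners" tag PI
# Allow FPU External calls to partners
pass in on vlan2 proto tcp from to port 443 label "FPU external 443 calls to partners" tag PI
# Allow GUS update connections to Update Sync systems
pass in on vlan2 proto tcp from to port { 22, 80 } label "GUS connections to Update Sync systems" tag PI

#-------------------------------
# Traffic from VLAN 101 (interface em0)
#-------------------------------
# Oracle host to the Bleury database server
pass in on em0 proto tcp from $VLAN_101 to 1.1.1.22 port 22 label "SSH/SCP from oracle to bleury.cp1_msdpdb1_x.net" tag PI
# Database replication to SiteB (VLAN 102 also enters on em0)
pass in on em0 proto tcp from $VLAN_101 to port 2511 label "Oracle replication to SiteB" tag PI
pass in on em0 proto tcp from $VLAN_102 to port 3306:3307 label "MySQL replication to SiteB" tag PI

#-------------------------------
# Traffic from ATM (interface bce1)
#-------------------------------
# Allow traffic from any host to the public services
pass in on bce1 proto tcp from any to port 80 label "HTTP traffic from Bleury to public services" tag PI
pass in on bce1 proto tcp from any to port 443 label "HTTPS traffic from Bleury to public services" tag PI
pass in on bce1 proto tcp from any to $SITEA_GUS_PUB port 2221:2224 label "Individual GUS SSH management access" tag PI
pass in on bce1 proto tcp from any to $SITEA_PCU_PUB port 3436 label "PCU traffic from Bleury to public services" tag PI
# Allow traffic from any host to SSH tunnel, DNS and HTTPS on management hosts
pass in on bce1 proto tcp from any to port { 22, 443 } label "SSH/HTTPS from Bleury to SSH gateways" tag PI

# Allow all management traffic from the NOC network to managed services
pass in on bce1 proto tcp from to any port 22 label "SSH traffic access from NOC at Bleury all systems" tag PI
pass in on bce1 proto tcp from to port { 80, 83, 803, 8080 } label "Web access from NOC at Bleury to private services" tag PI
pass in on bce1 proto tcp from to port 1521 label "Oracle access from NOC at Bleury" tag PI
pass in on bce1 proto tcp from to port { 443, 3008 } label "Netscaler java applet access from NOC at Bleury" tag PI
pass in on bce1 proto tcp from to port 3306 label "MySQL access from NOC at Bleury" tag PI
pass in on bce1 proto tcp from to port 3436 label "PCU access from NOC at Bleury to private PCU servers" tag PI
pass in on bce1 proto tcp from to port { 7001, 9003 } label "Weblogic access from NOC at Bleury to WLS servers" tag PI
# Allow SNMP polling from the NOC network to all systems
pass in on bce1 proto udp from to any port snmp label "SNMP traffic access from NOC at Bleury all systems" tag PI

# Allow gusreports in BI Network to collect logs from GUS systems and Netscaler
# NOTE(review): no "on <if>" qualifier; bind to the interface $GUSREPORTS lives on.
pass in proto tcp from $GUSREPORTS to { , } port 22 label "GUSreports log collection from netscaler on NOC" tag PI

#-------------------------------
# Traffic from VLAN 100 (interface em0)
#-------------------------------
# NOTE(review): the heading says em0 but the rule filters on bce0 - confirm
# which interface carries VLAN 100 and fix the one that is wrong.
pass in on bce0 proto tcp from $VLAN_100 to port ftp label "FTP from utility systems to management hosts" tag PI

#-------------------------------
# Management traffic
#-------------------------------
# ICMP Policy: allow all ICMP traffic from or to anywhere but the public interface
# NOTE(review): the active inbound rule below has no "on ! em3", so it also
# accepts ICMP arriving on the public interface, contradicting the stated
# policy and its own label. The commented rule above it is the one that
# implements the policy; decide which behaviour is wanted and keep one.
#pass in on em3 proto icmp from to any label "Inbound PING requests from Bleury office and SiteB networks" tag PI
#pass in on ! em3 proto icmp from any to any label "Inbound PING requests from all but outside" tag PI
pass in proto icmp from any to any label "Inbound PING requests from all but outside" tag PI
pass out proto icmp from any to any label "Outbound PING requests from all" tag PI

# Allow basic management traffic from management hosts to all VLANs
pass in on vlan6 proto tcp from to port $MON_IN_TCP label "Mgmt traffic from mgmt hosts to monitored systems" tag PI
pass in on vlan6 proto udp from to port $MON_IN_UDP label "Mgmt traffic from mgmt hosts to monitored systems" tag PI

# Allow specific management traffic from management hosts to VLANs
# NOTE(review): telnet is cleartext; prefer SSH to the utility systems if they support it.
pass in on vlan6 proto tcp from to $VLAN_100 port telnet label "Telnet mgmt traffic from mgmt hosts to utility systems" tag PI
pass in on vlan6 proto tcp from to port { 80, 83, 803 } label "HTTP mgmt traffic from mgmt hosts to private web systems" tag PI
pass in on vlan6 proto tcp from to port 80 label "HTTP mgmt traffic from mgmt hosts to public web services" tag PI
pass in on vlan6 proto tcp from to port 443 label "HTTPS mgmt traffic from mgmt hosts to public web services" tag PI
pass in on vlan6 proto tcp from to port 1521 label "Oracle mgmt traffic from mgmt hosts to Oracle servers" tag PI
pass in on vlan6 proto tcp from to port 2001:2009 label "WebObjects mgmt traffic from mgmt hosts to prov servers" tag PI
pass in on vlan6 proto tcp from to port 3010:3011 label "Netscaler log collection from mgmt hosts" tag PI
pass in on vlan6 proto tcp from to port 3306 label "MySQL mgmt traffic from mgmt hosts to MySQL servers" tag PI
pass in on vlan6 proto tcp from to { , $SITEA_PCU_PUB } port 3436 label "PCU mgmt traffic from mgmt hosts to PCU servers" tag PI
pass in on vlan6 proto tcp from to port { 7001, 9003 } label "Weblogic mgmt traffic from mgmt hosts to WLS servers" tag PI

# Allow basic management traffic from all VLANs to management hosts
pass in on ! em3 proto tcp from any to port $MON_OUT_TCP label "Mgmt traffic from VLANs to mgmt hosts" tag PI
pass in on ! em3 proto udp from any to port $MON_OUT_UDP label "Mgmt traffic from VLANs to mgmt hosts" tag PI
# Same ports from the firewall itself (pass out needed because self-originated
# traffic never matches a pass in rule and so is never tagged PI)
pass out on vlan6 proto tcp from any to port $MON_OUT_TCP label "Mgmt traffic from self to mgmt hosts" tag PI
pass out on vlan6 proto udp from any to port $MON_OUT_UDP label "Mgmt traffic from self to mgmt hosts" tag PI

# Allow connections to external Radialpoint sites
pass in on vlan6 proto tcp from to { $BLEURY_PUB_NETS, } port 22 label "SSH connections to other Radialpoint sites" tag PI
pass in on vlan6 proto tcp from to port { 25, 53 } label "Mail and DNS transfers to primary Radialpoint mailhub" tag PI

# Allow external requests to public Internet servers for system operations and updates
pass in on vlan6 proto udp from to any port 53 label "DNS requests to everywhere" tag PI
pass in on vlan6 proto tcp from to { , } port { 80, rsync } label "CentOS updates to specific repositories" tag PI
pass in on vlan6 proto udp from to port 123 label "NTP updates to specific public NTP servers" tag PI
pass in on vlan6 proto tcp from to port 443 label "MySQL updates to gw-upp-edge-a2.mysql.com" tag PI

#-------------------------------
# Special rules
#-------------------------------
# Anchor for auto insertion of FTP-Proxy requests
anchor "ftp-proxy/*"
# NOTE(review): this is the only reference to em5 in the file; outbound NAT and
# the rdr use em3. Confirm em5 is the interface the proxy's outbound FTP control
# connections leave on (it should match the NAT/public interface).
pass out proto tcp from (em5) to any port 21
# Anchor for auto insertion of TFTP-Proxy requests
#anchor "tftp-proxy/*"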