# # Master Packet Filter Ruleset # ################################################################################ # N E T W O R K I N T E R F A C E S ## ################################################################################ # Traffic Flow: # ( )<===>( ) indicates a bridge # Web Tier --> (dc0)<===>(dc1) --> App Tier # App Tier --> (dc1)<===>(dc0) --> Web Tier # Inbound To Web Tier (normally this won't be used) to_webtier = "em6" # Inbound to App Tier to_apptier = "em7" # PFSync interface (keep state with other firewall) sync_dev = "em5" ## # Global Options ## set optimization conservative set block-policy return set debug urgent set loginterface $to_apptier # OLD set timeout { adaptive.start 25000, adaptive.end 35000 } set timeout { adaptive.start 50000, adaptive.end 92000 } set limit states 90000 # SCRUB inbound packets (normalizes them) scrub in all ################################################################################ # A D M I N T I E R ## ################################################################################ table persist { 10.100.10.0/24, 10.100.11.0/24, \ 10.100.12.0/24, 10.100.13.0/24, \ 192.168.40.0/24, 192.168.45.0/24, \ 10.100.254.242/32, 10.100.254.250/32 } table persist { 172.16.0.0/16, 10.0.0.0/24 } ################################################################################ ## OSPF ROUTING SUBNETS: ## ## DO NOT TOUCH THESE UNLESS YOU REALLY REALLY KNOW WHAT YOUR DOING IT MAY ## ## CUT OFF ROUTING BETWEEN WEB/APP/ADMIN TIERS ## ## ## table persist { 10.100.254.4/30, 10.100.254.8/30, \ 10.100.254.12/30, 10.100.254.16/30, \ 10.100.254.20/30, 10.100.254.24/30, \ 10.100.254.28/30, 10.100.254.32/30, \ 10.100.254.36/30, 10.100.254.40/30 } table persist { 10.100.254.0/24 } ## ## ################################################################################ ################################################################################ # W E B T I E R ## 
################################################################################ table persist { 10.101.9.0/24 } # Boost is on the same Apache nodes as cust2 table persist { 10.101.12.0/24, 10.101.13.0/24, \ 10.101.254.20/32 } table persist { 10.101.14.0/24, 10.101.15.0/24 } table persist { 10.101.16.0/24, 10.101.17.0/24, \ 10.101.18.0/24, 10.101.19.0/24, \ 10.101.20.0/24 } table persist { 10.101.21.0/24, 10.101.248.20/32 } table persist { 10.101.27.0/24 } table persist { 10.101.23.0/24 } table persist { 10.101.25.0/24 } table persist { 10.101.26.0/24 } table persist { 10.101.27.0/24, 10.101.23.0/24 \ 10.101.25.0/24, 10.101.26.0/24 } # myco_engines is generic win32 boxes like CCC server and # elroylyn51, sql analyzer etc. table persist { 10.101.28.0/24, 10.101.29.0/24 } ## # Tomcat/OSN/Taxware/etc ## table persist { 10.101.31.0/24, 10.101.32.0/24, \ 10.101.33.0/24, 10.101.34.0/24, \ 10.101.35.0/24, 10.101.36.0/24, \ 10.101.37.0/24, 10.101.38.0/24, \ 10.101.39.0/24 } table persist { 10.101.40.0/24, 10.101.41.0/24, \ 10.101.42.0/24, 10.101.43.0/24, \ 10.101.44.0/24, 10.101.45.0/24, \ 10.101.242.0/24 } table persist { 10.101.46.0/24, 10.101.47.0/24, \ 10.101.48.0/24, 10.101.49.0/24, \ 10.101.243.0/24 } table persist { 10.101.50.0/24 } table persist { 10.101.51.0/24, 10.101.245.0/24 } table persist { 10.101.52.0/24, 10.101.247.0/24 } table persist { 10.101.22.0/24, 10.101.248.0/24 } table persist { 10.101.53.0/24, 10.101.54.0/24, \ 10.101.55.0/24, 10.101.56.0/24, \ 10.101.57.0/24, 10.101.58.0/24, \ 10.101.59.0/24, 10.101.60.0/24, \ 10.101.61.0/24, 10.101.62.0/24, \ 10.101.63.0/24, 10.101.64.0/24, \ 10.101.65.0/24, 10.101.66.0/24, \ 10.101.67.0/24, 10.101.68.0/24, \ 10.101.69.0/24, 10.101.70.0/24, \ 10.101.71.0/24, 10.101.72.0/24, \ 10.101.73.0/24, 10.101.74.0/24, \ 10.101.75.0/24, 10.101.76.0/24, \ 10.101.77.0/24, 10.101.78.0/24, \ 10.101.79.0/24, 10.101.80.0/24, \ 10.101.81.0/24, 10.101.82.0/24, \ 10.101.83.0/24, 10.101.84.0/24, \ 10.101.85.0/24, 10.101.86.0/24, \ 
10.101.87.0/24, 10.101.88.0/24, \ 10.101.89.0/24, 10.101.90.0/24, \ 10.101.91.0/24, 10.101.92.0/24, \ 10.101.93.0/24, 10.101.94.0/24, \ 10.101.95.0/24, 10.101.96.0/24, \ 10.101.97.0/24, 10.101.98.0/24, \ 10.101.99.0/24 } table persist { 10.101.100.0/24, 10.101.101.0/24, \ 10.101.102.0/24, 10.101.103.0/24, \ 10.101.104.0/24, 10.101.105.0/24, \ 10.101.106.0/24, 10.101.107.0/24, \ 10.101.108.0/24, 10.101.109.0/24, \ 10.101.110.0/24, 10.101.111.0/24, \ 10.101.112.0/24, 10.101.113.0/24, \ 10.101.114.0/24, 10.101.115.0/24, \ 10.101.116.0/24, 10.101.117.0/24, \ 10.101.118.0/24, 10.101.119.0/24, \ 10.101.240.0/24 } table persist { 10.101.120.0/24, 10.101.121.0/24, \ 10.101.122.0/24, 10.101.123.0/24, \ 10.101.124.0/24, 10.101.125.0/24, \ 10.101.126.0/24, 10.101.127.0/24, \ 10.101.128.0/24, 10.101.129.0/24, \ 10.101.130.0/24, 10.101.131.0/24, \ 10.101.132.0/24, 10.101.133.0/24, \ 10.101.134.0/24, 10.101.135.0/24, \ 10.101.136.0/24, 10.101.137.0/24, \ 10.101.138.0/24, 10.101.139.0/24, \ 10.101.140.0/24, 10.101.141.0/24, \ 10.101.142.0/24, 10.101.143.0/24, \ 10.101.144.0/24, 10.101.145.0/24, \ 10.101.146.0/24, 10.101.147.0/24, \ 10.101.148.0/24, 10.101.149.0/24, \ 10.101.150.0/24, 10.101.151.0/24, \ 10.101.152.0/24, 10.101.153.0/24, \ 10.101.154.0/24, 10.101.155.0/24, \ 10.101.156.0/24, 10.101.157.0/24, \ 10.101.158.0/24, 10.101.159.0/24, \ 10.101.160.0/24, 10.101.161.0/24, \ 10.101.162.0/24, 10.101.163.0/24, \ 10.101.164.0/24, 10.101.165.0/24, \ 10.101.166.0/24, 10.101.167.0/24, \ 10.101.168.0/24, 10.101.169.0/24, \ 10.101.170.0/24, 10.101.171.0/24, \ 10.101.172.0/24, 10.101.173.0/24, \ 10.101.174.0/24, 10.101.175.0/24, \ 10.101.176.0/24, 10.101.177.0/24, \ 10.101.178.0/24, 10.101.179.0/24, \ 10.101.180.0/24 } table persist { 10.101.181.0/24, 10.101.182.0/24, \ 10.101.183.0/24, 10.101.184.0/24, \ 10.101.185.0/24, 10.101.186.0/24, \ 10.101.187.0/24, 10.101.188.0/24, \ 10.101.189.0/24, 10.101.190.0/24, \ 10.101.191.0/24, 10.101.192.0/24, \ 10.101.193.0/24, 10.101.194.0/24, \ 
10.101.195.0/24, 10.101.196.0/24, \ 10.101.197.0/24, 10.101.198.0/24, \ 10.101.199.0/24, 10.101.200.0/24, \ 10.101.201.0/24, 10.101.202.0/24, \ 10.101.203.0/24, 10.101.204.0/24, \ 10.101.205.0/24, 10.101.206.0/24, \ 10.101.207.0/24, 10.101.208.0/24, \ 10.101.209.0/24, 10.101.210.0/24, \ 10.101.211.0/24, 10.101.212.0/24, \ 10.101.213.0/24, 10.101.214.0/24, \ 10.101.215.0/24, 10.101.216.0/24, \ 10.101.217.0/24, 10.101.218.0/24, \ 10.101.219.0/24, 10.101.220.0/24, \ 10.101.221.0/24, 10.101.222.0/24, \ 10.101.223.0/24, 10.101.224.0/24, \ 10.101.225.0/24, 10.101.226.0/24, \ 10.101.227.0/24, 10.101.228.0/24, \ 10.101.229.0/24, 10.101.230.0/24, \ 10.101.231.0/24, 10.101.232.0/24, \ 10.101.233.0/24, 10.101.234.0/24, \ 10.101.235.0/24, 10.101.236.0/24, \ 10.101.237.0/24, 10.101.238.0/24, \ 10.101.239.0/24 } table persist { 10.101.240.0/24, 10.101.241.0/24, \ 10.101.242.0/24, 10.101.243.0/24 } table persist { 10.101.244.0/24, 10.101.246.0/24 } table persist { 10.101.248.0/24, 10.101.249.0/24, \ 10.101.250.0/24, 10.101.251.0/24 } table persist { 10.101.252.0/24, 10.101.253.0/24, \ 10.101.254.0/24 } table persist { 10.101.254.0/24 } ################################################################################ # A P P T I E R ## ################################################################################ table persist { 10.102.1.0/24, 10.102.2.0/24, \ 10.102.3.0/24, 10.102.4.0/24, \ 10.102.5.0/24, 10.102.6.0/24, \ 10.102.7.0/24, 10.102.8.0/24, \ 10.102.9.0/24, 10.102.10.0/24, \ 10.102.11.0/24, 10.102.12.0/24, \ 10.102.13.0/24, 10.102.14.0/24, \ 10.102.15.0/24, 10.102.16.0/24, \ 10.102.17.0/24, 10.102.18.0/24, \ 10.102.19.0/24 } table persist { 10.102.22.0/24, 10.101.5.0/24 } table persist { 10.102.20.0/24, 10.102.21.0/24, \ 10.102.22.0/24, 10.102.23.0/24, \ 10.102.24.0/24, 10.102.25.0/24, \ 10.102.26.0/24, 10.102.27.0/24, \ 10.102.28.0/24, 10.102.29.0/24 } table persist { 10.102.30.0/24, 10.102.31.0/24, \ 10.102.32.0/24, 10.102.33.0/24, \ 10.102.34.0/24, 10.102.35.0/24, 
\ 10.102.36.0/24, 10.102.37.0/24, \ 10.102.38.0/24, 10.102.39.0/24 } table persist { 10.102.40.0/24, 10.102.41.0/24, \ 10.102.42.0/24, 10.102.43.0/24, \ 10.102.44.0/24, 10.102.45.0/24, \ 10.102.20.0/24, 10.102.21.0/24 } table persist { 10.102.46.0/24, 10.102.47.0/24, \ 10.102.48.0/24, 10.102.49.0/24 } table persist { 10.102.46.16/32, 10.102.46.17/32 } table persist { 10.102.50.0/24 } table persist { 10.102.52.0/24 } table persist { 10.102.5.0/24 } table persist { 10.102.15.0/24 } table persist { 10.102.51.0/24, 10.102.53.0/24, \ 10.102.54.0/24, 10.102.55.0/24, \ 10.102.56.0/24, 10.102.57.0/24, \ 10.102.58.0/24, 10.102.59.0/24, \ 10.102.60.0/24, 10.102.61.0/24, \ 10.102.62.0/24, 10.102.63.0/24, \ 10.102.64.0/24, 10.102.65.0/24, \ 10.102.66.0/24, 10.102.67.0/24, \ 10.102.68.0/24, 10.102.69.0/24, \ 10.102.70.0/24, 10.102.71.0/24, \ 10.102.72.0/24, 10.102.73.0/24, \ 10.102.74.0/24, 10.102.75.0/24, \ 10.102.76.0/24, 10.102.77.0/24, \ 10.102.78.0/24, 10.102.79.0/24, \ 10.102.80.0/24, 10.102.81.0/24, \ 10.102.82.0/24, 10.102.83.0/24, \ 10.102.84.0/24, 10.102.85.0/24, \ 10.102.86.0/24, 10.102.87.0/24, \ 10.102.88.0/24, 10.102.89.0/24, \ 10.102.90.0/24, 10.102.91.0/24, \ 10.102.92.0/24, 10.102.93.0/24, \ 10.102.94.0/24, 10.102.95.0/24, \ 10.102.96.0/24, 10.102.97.0/24, \ 10.102.98.0/24, 10.102.99.0/24 } table persist { 10.102.100.0/24, 10.102.101.0/24, \ 10.102.102.0/24, 10.102.103.0/24, \ 10.102.104.0/24, 10.102.105.0/24, \ 10.102.106.0/24, 10.102.107.0/24, \ 10.102.108.0/24, 10.102.109.0/24, \ 10.102.110.0/24, 10.102.111.0/24, \ 10.102.112.0/24, 10.102.113.0/24, \ 10.102.114.0/24, 10.102.115.0/24, \ 10.102.116.0/24, 10.102.117.0/24, \ 10.102.118.0/24, 10.102.119.0/24 } table persist { 10.102.120.0/24, 10.102.121.0/24, \ 10.102.122.0/24, 10.102.123.0/24, \ 10.102.124.0/24, 10.102.125.0/24, \ 10.102.126.0/24, 10.102.127.0/24, \ 10.102.128.0/24, 10.102.129.0/24, \ 10.102.130.0/24, 10.102.131.0/24, \ 10.102.132.0/24, 10.102.133.0/24, \ 10.102.134.0/24, 10.102.135.0/24, \ 
10.102.136.0/24, 10.102.137.0/24, \ 10.102.138.0/24, 10.102.139.0/24, \ 10.102.140.0/24, 10.102.141.0/24, \ 10.102.142.0/24, 10.102.143.0/24, \ 10.102.144.0/24, 10.102.145.0/24, \ 10.102.146.0/24, 10.102.147.0/24, \ 10.102.148.0/24, 10.102.149.0/24, \ 10.102.150.0/24, 10.102.151.0/24, \ 10.102.152.0/24, 10.102.153.0/24, \ 10.102.154.0/24, 10.102.155.0/24, \ 10.102.156.0/24, 10.102.157.0/24, \ 10.102.158.0/24, 10.102.159.0/24, \ 10.102.160.0/24, 10.102.161.0/24, \ 10.102.162.0/24, 10.102.163.0/24, \ 10.102.164.0/24, 10.102.165.0/24, \ 10.102.166.0/24, 10.102.167.0/24, \ 10.102.168.0/24, 10.102.169.0/24, \ 10.102.170.0/24, 10.102.171.0/24, \ 10.102.172.0/24, 10.102.173.0/24, \ 10.102.174.0/24, 10.102.175.0/24, \ 10.102.176.0/24, 10.102.177.0/24, \ 10.102.178.0/24, 10.102.179.0/24, \ 10.102.180.0/24 } table persist { 10.102.181.0/24, 10.102.182.0/24, \ 10.102.183.0/24, 10.102.184.0/24, \ 10.102.185.0/24, 10.102.186.0/24, \ 10.102.187.0/24, 10.102.188.0/24, \ 10.102.189.0/24, 10.102.190.0/24, \ 10.102.191.0/24, 10.102.192.0/24, \ 10.102.193.0/24, 10.102.194.0/24, \ 10.102.195.0/24, 10.102.196.0/24, \ 10.102.197.0/24, 10.102.198.0/24, \ 10.102.199.0/24, 10.102.200.0/24, \ 10.102.201.0/24, 10.102.202.0/24, \ 10.102.203.0/24, 10.102.204.0/24, \ 10.102.205.0/24, 10.102.206.0/24, \ 10.102.207.0/24, 10.102.208.0/24, \ 10.102.209.0/24, 10.102.210.0/24, \ 10.102.211.0/24, 10.102.212.0/24, \ 10.102.213.0/24, 10.102.214.0/24, \ 10.102.215.0/24, 10.102.216.0/24, \ 10.102.217.0/24, 10.102.218.0/24, \ 10.102.219.0/24, 10.102.220.0/24, \ 10.102.221.0/24, 10.102.222.0/24, \ 10.102.223.0/24, 10.102.224.0/24, \ 10.102.225.0/24, 10.102.226.0/24, \ 10.102.227.0/24, 10.102.228.0/24, \ 10.102.229.0/24, 10.102.230.0/24, \ 10.102.231.0/24, 10.102.232.0/24, \ 10.102.233.0/24, 10.102.234.0/24, \ 10.102.235.0/24, 10.102.236.0/24, \ 10.102.237.0/24, 10.102.238.0/24, \ 10.102.239.0/24, 10.102.240.0/24, \ 10.102.241.0/24, 10.102.242.0/24, \ 10.102.243.0/24, 10.102.244.0/24, \ 10.102.245.0/24, 
10.102.246.0/24, \ 10.102.247.0/24, 10.102.248.0/24, \ 10.102.249.0/24, 10.102.250.0/24, \ 10.102.251.0/24, 10.102.252.0/24, \ 10.102.253.0/24, 10.102.254.0/24 } ################################################################################ # S P E C I A L S E R V E R S ## ################################################################################ # THIS PART NOT DONE YET # Customer1 Depot Servers table persist { 10.101.101.33/32, 10.101.101.34/32 } # Customer1 IDS Network Sensor table persist { 10.101.101.6/32 } # Customer1 CSN Servers table persist { 10.102.100.150/32, 10.102.100.153/32 } # cust2/Boost IDS Network Sensor table persist { 10.101.50.6/32 } # Global IDS Console Sensor table persist { 10.100.12.50/32, 10.100.12.60/32 } # Kickstart Servers table persist { 10.100.254.242/32, 10.100.254.250/32 } # Central log host table persist { 10.100.10.150/32, 10.100.10.151/32 } # Test Radius Auth server radius_token = "10.100.11.120" # Cust4 Reporting Host cust7_report = "10.102.50.16" # cust4 Reporting Hosts table persist { 10.102.52.12/32, 10.102.52.15/32 } # cust2 Reporting Host cust2_report = "10.102.40.50" # Boost Reporting Host table persist { 10.102.46.50/32, 192.168.7.129/32 } # blah reporting hosts table persist { 10.102.100.100/32, 10.102.100.101/32, \ 10.102.100.102/32, 192.168.7.195/32, \ 192.168.7.21/32, 10.102.100.103/32 } # blah PPC table persist { 10.101.102.12/32, 10.101.102.17/32, \ 10.101.102.22/32, 10.101.102.25/32, \ 10.101.102.28/32, 192.168.20.195/32, \ 192.168.20.205/32 } # Backend Utility table persist { 10.101.248.20/32, 10.101.240.20/32, \ 10.101.254.20/32 } #cust1 smtp cust1_utility = "10.101.240.20" # cust2 taxware cust2_taxware = "10.101.242.24" # This is just the big subnets for each virtual switch admin_tier = "10.100.0.0/16" table persist { 10.101.0.0/16, 192.168.20.0/24, \ 192.168.21.0/24 } app_tier = "10.102.0.0/16" # Old prod web tier (needed for some stuff) table persist { 192.168.20.0/24, 192.168.21.0/24 } cust2_di = 
"192.168.20.73/32" # cust2 proxy cust2_proxy = "10.101.254.20" # Internal BigIP management interfaces # workaround for broken monitoring setup table { 10.100.11.55/32, 10.100.11.56/32, \ 10.100.11.57/32, 10.100.11.58/32 } # This is for LDAP monitoring table persist { 10.100.11.105/32 } table persist { 170.35.176.60/32, 170.35.184.130/32 } # This is for blah bobowww01.blah.com table persist { 135.209.208.57/32 } # zabbix servers table persist { 10.100.11.14/32 } # sophosadmin servers table persist { 10.100.12.25/32 } ################################################################################ # P O R T S ## ################################################################################ # Weblogic wls_tsn = "7001" # Weblogic TSN wls_osn = "7011" # Weblogic OSN wls_mq = "7003" # Weblogic cust2 MQ wls_admin = "8001" # Weblogic TSN Admin # Tomcat tomcat_http = "8080" # Tomcat HTTP Connector tomcat_ajp = "8009" # Tomcat AJP Connector # Apache apache_http = "80" # Apache HTTP apache_https = "443" # Apache HTTPS apache_taxware = "9080" # Apache for Taxware # # Note there are 2 of these for the macro below. the macro # cannot expand a variable that has 2 options. so putting 2 # different variables to reduce rule count. # apache_status1 = "81" # apache_status2 = "91" # Ports to hit remotely for apache_status3 = "92" # /server-status # Databases db_mysql = "3306" # MySQL # HTTP and HTTPS http_https = "{ 80, 443 }" # HTTP/HTTPS # Utility util_dns = "53" # DNS util_ntp = "123" # NTP util_smtp = "25" # SMTP util_proxy = "3128" # Proxy util_syslog = "514" # Syslog util_nrpe = "5666" # Nagios NRPE util_nsclient = "5631" # Nagios NSClient util_bootp = "{ 67, 68 }" # BootP util_nids1 = "5511" # Sentarus NIDS Sensor util_nids2 = "5512" # Sentarus NIDS Sensor util_hids = "5510" # Sentarus HIDS Sensor util_iperf = "5001" # IPerf network performance tester util_ldap = "389" # LDAP # Remote Management mgmt_ssh = "22" # SSH # TCP mgmt_rdp = "3389" # Rem. 
Desktop # TCP mgmt_pca = "{ 5631, 5632 }" # PCAnywhere # TCP/UDP mgmt_tftp = "69" # TFTP # UDP mgmt_3dm = "43000" # 3Ware 3DM # TCP mgmt_snmp = "161" # SNMP # UDP mgmt_vnc = "5900" # VNC # TCP mgmt_cfengine = "5308" # CFEngine # TCP mgmt_radius = " { 1812, 1813 }" # Radius/Accounting # TCP/UDP # NFS nfs_portmapper = "111" # Portmapper nfs_nfs = "2049" # NFS nfs_4045 = "4045" # nlockmgr nfs_4046 = "4046" # mountd nfs_4047 = "4047" # status nfs_lockd = "32768" # nfs lockd nfs_statd = "32765" # nfs statd # looks like you can't include a macro that expands to a list into another # macro, e.g. the below macros cannot have $util_bootp or $mgmt_pca in them wls = "{" $wls_tsn $wls_osn $wls_mq $wls_admin "}" tomcat = "{" $tomcat_http $tomcat_ajp "}" apache = "{" $apache_http $apache_https $apache_taxware $apache_status1 $apache_status2 $apache_status3 "}" mgmt_admin_tcp = "{" $mgmt_ssh $mgmt_rdp $mgmt_3dm $mgmt_vnc "}" mgmt_admin_udp = "{" $mgmt_tftp $mgmt_snmp "}" sentarus = "{" $util_nids1 $util_nids2 $util_hids "}" nfs_tofiler = "{" $nfs_portmapper $nfs_nfs $nfs_4045 $nfs_4046 $nfs_4047 "}" nfs_fromfiler = "{" $nfs_portmapper $nfs_lockd $nfs_statd "}" #bigip healthcheck ports bigip_healthcheck = "{ 8009 8080 9080 7011 7001 }" # load balancer ports f5_util_vip = "{ 25 53 123 3128 }" # ICMP stuff icmp_reply = "{ 0 3 4 11 }" icmp_request = "echoreq" #zabbix healthcheck ports zabbix_ports = "{ 10050 10051 }" # Window Anitvirus Update (wav) for sophosadmin server netbios_ns = "137" # NETBIOS Name Service netbios_dgm = "138" # NETBIOS Datagram Service netbios_ssn = "139" # NETBIOS Session Service cifs = "445" # CIFS port_8192 = "8192" # Port 8192 port_8193 = "8193" # Port 8193 port_8194 = "8194" # Port 8194 wav_tcp = "{" $netbios_ns $netbios_dgm $netbios_ssn $cifs $port_8192 $port_8193 $port_8194 "}" wav_udp = "{" $netbios_ns $netbios_dgm $netbios_ssn $cifs "}" ################################################################################ 
################################################################################ ################################################################################ ################################################################################ ## ## ## BEGIN FIREWALL RULESETS ## ## ## ################################################################################ ################################################################################ ################################################################################ ################################################################################ ## OSPF ROUTING RULES: ## ## DO NOT TOUCH THESE UNLESS YOU REALLY REALLY KNOW WHAT YOU'RE DOING; IT MAY ## ## CUT OFF ROUTING BETWEEN WEB/APP/ADMIN TIERS ## ## ## # NOTE: the first "pass in" and first "pass out" rule below have no proto clause, so they pass any protocol between the routing subnets, not only OSPF and IGMP pass in quick on $to_apptier \ from \ to \ allow-opts pass in quick on $to_apptier \ proto ospf \ from \ to 224.0.0.0/4 \ allow-opts pass in quick on $to_apptier \ proto igmp \ from \ to 224.0.0.0/4 \ allow-opts pass in quick on $to_apptier \ proto ospf \ from 224.0.0.0/4 \ to \ allow-opts pass in quick on $to_apptier \ proto igmp \ from 224.0.0.0/4 \ to \ allow-opts pass out quick on $to_apptier \ from \ to \ allow-opts pass out quick on $to_apptier \ proto ospf \ from \ to 224.0.0.0/4 \ allow-opts pass out quick on $to_apptier \ proto igmp \ from \ to 224.0.0.0/4 \ allow-opts pass out quick on $to_apptier \ proto ospf \ from 224.0.0.0/4 \ to \ allow-opts pass out quick on $to_apptier \ proto igmp \ from 224.0.0.0/4 \ to \ allow-opts # IPERF uses this port - temporary rule for testing; it is quick and matches any source and any destination, so remove it when testing is done pass in quick on $to_apptier \ proto tcp \ from any \ to any \ port 5001 \ keep state # pfsync state sync with the other firewall; pfsync is not authenticated, so $sync_dev should be a dedicated link to that peer only pass in quick on $sync_dev \ proto pfsync pass out quick on $sync_dev \ proto pfsync pass out quick on $to_apptier \ proto tcp \ from any \ to any \ port 5001 \ keep state ## ## ################################################################################ ################################################################################ # D E F A U L T R U L E S (D O N ' T T O U C H ) ## 
################################################################################ # default block all traffic to/from app tier on app tier interface block in log on $to_apptier all block out log on $to_apptier all # since we are filtering on the app tier interface, allow all traffic # on web tier interface, we COULD filter it twice if we wanted, depending # on CPU load. pass out quick on $to_webtier allow-opts pass in quick on $to_webtier allow-opts ################################################################################ # Sample rule # # pass in on $to_apptier ^ Allow traffic INTO the $to_apptier interface # proto tcp ^ Using the TCP protocol # from any ^ From ANY IP address # to ^ to the servers listed in the kickstart table # port $apache_http ^ Using the $apache_http port # keep state Using the keep state rule option # # NOTE: Replaced backslashes above with carets otherwise the firewall program # for some reason tries to interpret those lines. In a real firewall # rule it should be backslashes. # NOTE: Do not add any characters, whitespace or otherwise after the # backslashes in the rules or pf will complain and fail to load the # rule(s) that have these errors. Several rules further down end in a # trailing backslash followed by a comment line; that only loads because # the comment swallows the continued line, so do not rely on it. # ## # ANTI SPOOFING / PARANOIA RULES PART 1. ## # block traffic claiming to be from the app tier # unless it originates from the app tier block in log on ! $to_apptier \ inet \ from $app_tier \ to any # block traffic claiming to be from the web tier # unless it originates from the web tier block in log on ! $to_webtier \ inet \ from \ to any # block traffic coming from the web tier unless # it is really coming from the web tier (e.g. no # internet sites or gamma or whatever) # disabled for now, not sure if this is correct or not # (before re-enabling, check that $web_tier exists as a macro: the web tier # range appears to be defined as a table in this file, not a macro) #block in on $to_webtier \ # inet \ # from ! 
$web_tier \ # to any # block traffic claiming to be from the admin tier # originating from the web tier block in log on $to_webtier \ inet \ from $admin_tier \ to any ## # IDS RULES ## # Allow servers to connect to the IDS console and # report status. This is for both HIDS and NIDS # client systems. pass in on $to_apptier \ proto tcp \ from any \ to \ port $sentarus \ keep state ## # ADMINISTRATIVE RULES ## # Allow incoming HTTP to kickstart nodes for kickstarting pass in on $to_apptier \ proto tcp \ from any \ to \ port $apache_http \ keep state # Allow incoming MySQL to kickstart nodes for kickstarting pass in on $to_apptier \ proto tcp \ from any \ to \ port $db_mysql \ keep state # Allow incoming CFEngine to kickstart nodes for kickstarting pass in on $to_apptier \ proto tcp \ from any \ to \ port $mgmt_cfengine \ keep state # Allow outbound CFEngine from kickstart nodes for kickstarting pass out on $to_apptier \ proto tcp \ from \ to any \ port $mgmt_cfengine \ keep state # Allow incoming DNS (UDP) to kickstart nodes for kickstarting pass in on $to_apptier \ proto udp \ from any \ to \ port $util_dns \ keep state # Allow incoming DNS (TCP) to kickstart nodes for kickstarting pass in on $to_apptier \ proto tcp \ from any \ to \ port $util_dns \ keep state # Allow incoming NTP to kickstart nodes for kickstarting pass in on $to_apptier \ proto udp \ from any \ to \ port $util_ntp \ keep state # Allow incoming Nagios NRPE traffic pass in on $to_apptier \ proto tcp \ from any \ to \ port $util_nrpe \ keep state # Allow incoming Nagios NSClient traffic pass in on $to_apptier \ proto tcp \ from any \ to \ port $util_nsclient \ keep state # Allow incoming syslog traffic (TCP) pass in on $to_apptier \ proto tcp \ from any \ to \ port $util_syslog \ keep state # Allow incoming syslog traffic (UDP) pass in on $to_apptier \ proto udp \ from any \ to \ port $util_syslog \ keep state # Allow incoming BOOTP/DHCP for kickstart (maybe not needed?) 
pass in on $to_apptier \ proto udp \ from any \ to \ port $util_bootp \ keep state # Allow incoming tftp to kickstart for kickstart pass in on $to_apptier \ proto udp \ from any \ to \ port $mgmt_tftp \ keep state # Allow outbound UDP from kickstart for kickstart # Don't know a better way to allow this type of # packet: # 10.100.254.242.35213 > 10.101.46.219.2072: udp 14 (DF) # it happens during tftp download # NOTE: this rule passes UDP to any destination and any port from the # kickstart table, which is far broader than the single flow shown above pass out on $to_apptier \ proto udp \ from \ to any \ keep state # Allow outgoing BOOTP/DHCP for kickstart pass out on $to_apptier \ proto udp \ from \ to any \ port $util_bootp \ keep state # Allow outbound management access (TCP) pass out on $to_apptier \ proto tcp \ from \ to any \ port $mgmt_admin_tcp \ keep state # Allow outbound management access (UDP) pass out on $to_apptier \ proto udp \ from \ to any \ port $mgmt_admin_udp \ keep state # Allow outbound DNS pass out on $to_apptier \ proto udp \ from \ to any \ port $util_dns \ keep state # Allow outbound NTP pass out on $to_apptier \ proto udp \ from \ to any \ port $util_ntp \ keep state # Allow outbound SMTP pass out on $to_apptier \ proto tcp \ from \ to any \ port $util_smtp \ keep state # Allow outbound SNMP pass out on $to_apptier \ proto udp \ from \ to any \ port $mgmt_snmp \ keep state # Allow outbound to hit various apache ports pass out on $to_apptier \ proto tcp \ from \ to any \ port $apache \ keep state # Allow outbound to hit various tomcat ports pass out on $to_apptier \ proto tcp \ from \ to any \ port $tomcat \ keep state # Allow outbound to hit various WLS ports pass out on $to_apptier \ proto tcp \ from \ to any \ port $wls \ keep state # Allow outbound PCAnywhere (TCP) pass out on $to_apptier \ proto tcp \ from \ to any \ port $mgmt_pca \ keep state # Allow outbound PCAnywhere (UDP) pass out on $to_apptier \ proto udp \ from \ to any \ port $mgmt_pca \ keep state # Allow outbound ICMP pass out on $to_apptier \ inet proto icmp \ from \ to any \ icmp-type $icmp_request \ keep state # 
Allow ICMP Replies pass in on $to_apptier \ inet proto icmp \ from any \ to \ icmp-type $icmp_reply \ keep state # Allow outbound proxy access pass out on $to_apptier \ proto tcp \ from \ to any \ port $util_proxy \ keep state # Allow outbound ICMP for kickstart pass out on $to_apptier \ inet proto icmp \ from \ to any \ icmp-type $icmp_request \ keep state # Allow ICMP Replies for kickstart pass in on $to_apptier \ inet proto icmp \ from any \ to \ icmp-type $icmp_reply \ keep state # allow sync to the gamma timeserver for now (the address is hard-coded in the rule rather than kept in a table) pass in on $to_apptier \ proto udp \ from any \ to 192.168.30.19/32 \ port $util_ntp \ keep state # Allow backend servers to talk to utility nodes for SMTP pass out on $to_apptier \ proto tcp \ from \ to \ port $util_smtp \ keep state # Allow backend servers to talk to utility nodes for DNS pass out on $to_apptier \ proto udp \ from \ to \ port $util_dns \ keep state # Allow backend servers to talk to utility nodes for NTP pass out on $to_apptier \ proto udp \ from \ to \ port $util_ntp \ keep state # Allow nodes to report to zabbix; note the rule uses $zabbix_ports, which covers both 10050 and 10051, not only 10051 pass in on $to_apptier \ proto tcp \ from any \ to \ port $zabbix_ports \ keep state # Allow zabbix to poll any nodes; note the rule uses $zabbix_ports, which covers both 10050 and 10051, not only 10050 pass out on $to_apptier \ proto tcp \ from \ to any \ port $zabbix_ports \ keep state # Allow sophosadmin to update antivirus on windows boxes (TCP) pass out on $to_apptier \ proto tcp \ from \ to any \ port $wav_tcp \ keep state # Allow sophosadmin to update antivirus on windows boxes (UDP) pass out on $to_apptier \ proto udp \ from \ to any \ port $wav_udp \ keep state # Allow engines to reach sophosadmin to update antivirus (TCP) pass in on $to_apptier \ proto tcp \ from \ to \ port $wav_tcp \ keep state # Allow engines to reach sophosadmin to update antivirus (UDP) pass in on $to_apptier \ proto udp \ from \ to \ port $wav_udp \ keep state ## # CUST1 ORANGE ## # Allow app servers to talk to outbound PPC pass out on $to_apptier \ proto tcp \ from \ to \ port $tomcat_http \ keep state # Allow app servers to 
talk to taxware pass out on $to_apptier \ proto tcp \ from \ to \ port $apache_taxware \ keep state # Allow app servers to talk to utility nodes for SMTP pass out on $to_apptier \ proto tcp \ from \ to $cust1_utility \ port $util_smtp \ keep state # Allow app servers to talk to utility nodes for DNS pass out on $to_apptier \ proto udp \ from \ to $cust1_utility \ port $util_dns \ keep state # Allow app servers to talk to utility nodes for NTP pass out on $to_apptier \ proto udp \ from \ to $cust1_utility \ port $util_ntp \ keep state # Allow app servers to talk to utility nodes for PROXY pass out on $to_apptier \ proto tcp \ from \ to $cust1_utility \ port $util_proxy \ keep state # Allow web servers to talk to wls port inbound. pass in on $to_apptier \ proto tcp \ from \ to \ port $wls_tsn \ keep state \ # Allow outbound ICMP pass out on $to_apptier \ inet proto icmp \ from \ to \ icmp-type $icmp_request \ keep state # Allow ICMP Replies pass in on $to_apptier \ inet proto icmp \ from \ to \ icmp-type $icmp_reply \ keep state # Allow inbound ICMP pass in on $to_apptier \ inet proto icmp \ from \ to \ icmp-type $icmp_request \ keep state # Allow ICMP Replies pass out on $to_apptier \ inet proto icmp \ from \ to \ icmp-type $icmp_reply \ keep state # Allow apache servers to talk to the report box pass in on $to_apptier \ proto tcp \ from \ to \ port $tomcat_ajp \ keep state # Allow report servers to talk to the PPC servers for apache pass out on $to_apptier \ proto tcp \ from \ to \ port $apache \ keep state # Allow report servers to talk to the depots pass out on $to_apptier \ proto tcp \ from \ to \ port $mgmt_ssh \ keep state # Allow LDAP from cust1_app_csn to cing_ldap pass out quick on $to_apptier \ proto tcp \ from \ to \ port $util_ldap \ keep state # Allow SSH from USNs to blah bobowww01.blah.com pass out quick on $to_apptier \ proto tcp \ from \ to \ port $mgmt_ssh \ keep state \ # END CUST1 ## # CUST2 ## # Allow old DI-10 box to connect to new cust2 app 
tier pass in on $to_apptier \ proto tcp \ from $cust2_di \ to \ port $wls_tsn \ keep state # Allow app servers to talk to outbound PPC pass out on $to_apptier \ proto tcp \ from \ to \ port $tomcat_http \ keep state # Allow app servers to talk to taxware pass out on $to_apptier \ proto tcp \ from \ to \ port $apache_taxware \ keep state # Allow app servers to talk to utility nodes for SMTP pass out on $to_apptier \ proto tcp \ from \ to \ port $util_smtp \ keep state # Allow app servers to talk to utility nodes for DNS pass out on $to_apptier \ proto udp \ from \ to \ port $util_dns \ keep state # Allow app servers to talk to utility nodes for NTP pass out on $to_apptier \ proto udp \ from \ to \ port $util_ntp \ keep state # Allow cust2 app servers(mainly CSN) # to talk to the proxy pass out on $to_apptier \ proto tcp \ from \ to $cust2_proxy \ port $util_proxy \ keep state # Allow web servers to talk to wls port inbound. pass in on $to_apptier \ proto tcp \ from \ to \ port $wls_tsn \ keep state \ # Allow web servers to talk to wls port outbound(loadbalancer) pass out on $to_apptier \ proto tcp \ from \ to \ port $wls_tsn \ keep state \ # Allow outbound ICMP pass out on $to_apptier \ inet proto icmp \ from \ to \ icmp-type $icmp_request \ keep state # Allow ICMP Replies pass in on $to_apptier \ inet proto icmp \ from \ to \ icmp-type $icmp_reply \ keep state # Allow outbound ICMP pass in on $to_apptier \ inet proto icmp \ from \ to \ icmp-type $icmp_request \ keep state # Allow ICMP Replies pass out on $to_apptier \ inet proto icmp \ from \ to \ icmp-type $icmp_reply \ keep state # Allow outbound ICMP pass out on $to_apptier \ inet proto icmp \ from \ to \ icmp-type $icmp_request \ keep state # Allow ICMP Replies pass in on $to_apptier \ inet proto icmp \ from \ to \ icmp-type $icmp_reply \ keep state # Allow apache servers to talk to the report box pass in on $to_apptier \ proto tcp \ from \ to $cust2_report \ port $tomcat_ajp \ keep state # END CUST2 ## # CUST6 
##
# NOTE(review): in this copy the table references after "from" / "to" are
# missing -- the "<name>" brackets appear to have been stripped when the file
# was extracted, so "from \ to \" below is not what is deployed. The rules will
# not parse as written; compare against the live pf.conf before reading
# anything into the empty endpoints.
# NOTE(review): none of the tcp rules carry "flags S/SA". On older pf releases
# "keep state" without it creates state from any segment, not only a SYN;
# confirm what the running pf version defaults to before relying on it.
# Allow app servers to talk to outbound PPC
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $tomcat_http \
    keep state
# Allow app servers to talk to taxware
pass out on $to_apptier \
    proto tcp \
    from \
    to $cust2_taxware \
    port $apache_taxware \
    keep state
# Allow app servers to talk to utility nodes for SMTP
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $util_smtp \
    keep state
# Allow app servers to talk to utility nodes for DNS
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_dns \
    keep state
# Allow app servers to talk to utility nodes for NTP
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_ntp \
    keep state
# Allow web servers to talk to wls port inbound.
# NOTE(review): the trailing backslash after "keep state" on this rule (and on
# the other wls/mysql rules in this file) continues the rule onto the comment
# line. pfctl appears to cope -- the backslash-newline is swallowed and the
# comment line's own newline ends the rule -- but that is accidental; drop the
# stray backslash rather than rely on it.
pass in on $to_apptier \
    proto tcp \
    from \
    to \
    port $wls_tsn \
    keep state \
# Allow app servers to talk to wls port outbound(load balancer)
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $wls_tsn \
    keep state \
# Allow outbound ICMP
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
# Allow inbound ICMP
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
# Allow outbound ICMP
# NOTE(review): this outbound request/reply pair looks like a repeat of the
# pair above; if the (stripped) tables are the same, one copy is redundant.
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
# Allow apache servers to talk to the report box
pass in on $to_apptier \
    proto tcp \
    from \
    to \
    port $tomcat_ajp \
    keep state
# Allow cust6 app servers to talk to cust2 proxy VIP port 3128
pass out on $to_apptier \
    proto tcp \
    from \
    to $cust2_proxy \
    port $util_proxy \
    keep state
# Allow temp access to the internet for cust6-prod-appcsn
# NOTE(review): "quick" makes this rule final, so the Part 2 anti-spoofing
# block at the end of the ruleset never evaluates this traffic: these hosts
# get unrestricted outbound $http_https to any destination. Remove the rule
# when the temporary need ends, or at least drop "quick" and scope "to".
pass out quick on $to_apptier \
    proto tcp \
    from \
    to any \
    port $http_https \
    keep state \
# END CUST6
##
# CUST1 BLUE
##
# Allow app servers to talk to outbound PPC
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $tomcat_http \
    keep state
# Allow app servers to talk to taxware
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $apache_taxware \
    keep state
# Allow app servers to talk to utility nodes for SMTP
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $util_smtp \
    keep state
# Allow app servers to talk to utility nodes for DNS
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_dns \
    keep state
# Allow app servers to talk to utility nodes for NTP
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_ntp \
    keep state
# Allow web servers to talk to wls port inbound.
pass in on $to_apptier \
    proto tcp \
    from \
    to \
    port $wls_tsn \
    keep state \
# Allow outbound ICMP
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
##
# BUREAU
##
# Allow app servers to talk to outbound PPC
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $tomcat_http \
    keep state
# Allow app servers to talk to taxware
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $apache_taxware \
    keep state
# Allow app servers to talk to utility nodes for SMTP
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $util_smtp \
    keep state
# Allow app servers to talk to utility nodes for DNS
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_dns \
    keep state
# Allow app servers to talk to utility nodes for NTP
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_ntp \
    keep state
# Allow web servers to talk to wls port inbound.
pass in on $to_apptier \
    proto tcp \
    from \
    to \
    port $wls_tsn \
    keep state \
# Allow outbound ICMP
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
###################################################
# Service Bureau 2 (cust4, Cust4 ...etc..)        #
###################################################
##
# SB2:cust4
##
# Allow app servers to hit taxware
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $apache_taxware \
    keep state
# Allow apache servers to talk to the report box
pass in on $to_apptier \
    proto tcp \
    from \
    to \
    port $tomcat_ajp \
    keep state
# Allow web servers to talk to mysql port inbound.
# NOTE(review): this lets the (stripped) web-tier table reach MySQL directly,
# bypassing the app layer. If the web nodes do not need a direct database
# path, this is a lateral-movement route worth justifying or removing.
pass in on $to_apptier \
    proto tcp \
    from \
    to \
    port $db_mysql \
    keep state \
# Allow app servers to talk to utility nodes for SMTP
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $util_smtp \
    keep state
# Allow app servers to talk to utility nodes for DNS
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_dns \
    keep state
# Allow app servers to talk to utility nodes for NTP
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_ntp \
    keep state
# Allow outbound ICMP
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
# Allow inbound ICMP
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
### End SB2:cust4
##
# SB2:Cust4
##
# Allow app servers to hit taxware
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $apache_taxware \
    keep state
# Allow apache servers to talk to the report box
pass in on $to_apptier \
    proto tcp \
    from \
    to \
    port $tomcat_ajp \
    keep state
# Allow web servers to talk to mysql port inbound.
pass in on $to_apptier \
    proto tcp \
    from \
    to \
    port $db_mysql \
    keep state \
# Allow app servers to talk to utility nodes for SMTP
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $util_smtp \
    keep state
# Allow app servers to talk to utility nodes for DNS
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_dns \
    keep state
# Allow app servers to talk to utility nodes for NTP
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_ntp \
    keep state
# Allow outbound ICMP
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
# Allow inbound ICMP
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
## End SB2:Cust4
##
# SB2
##
# Allow database servers to talk to utility nodes for SMTP
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $util_smtp \
    keep state
# Allow database servers to talk to utility nodes for DNS
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_dns \
    keep state
# Allow database servers to talk to utility nodes for NTP
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_ntp \
    keep state
# Allow cust5-prod-nas filers to talk to utility nodes for SMTP
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $util_smtp \
    keep state
# Allow cust5-prod-nas filers to talk to utility nodes for DNS
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_dns \
    keep state
# Allow cust5-prod-nas filers to talk to utility nodes for NTP
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_ntp \
    keep state
# Allow cust5-misc filers to talk to utility nodes for SMTP
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $util_smtp \
    keep state
# Allow cust5-misc filers to talk to utility nodes for DNS
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_dns \
    keep state
# Allow cust5-misc filers to talk to utility nodes for NTP
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $util_ntp \
    keep state
# END SB2
##
# cust4
##
# NOTE(review): this section is labelled "cust4" but closes with "END MARKET",
# and the section that follows is labelled "cust4" again. Looks like a copy or
# relabelling artifact; fix the labels so the two sections can be told apart.
# Allow app servers to talk to outbound PPC
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $tomcat_http \
    keep state
# Allow web servers to talk to wls port inbound.
pass in on $to_apptier \
    proto tcp \
    from \
    to \
    port $wls_tsn \
    keep state \
# Allow outbound ICMP
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
# Allow inbound ICMP
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
# END MARKET
##
# cust4
##
# Allow app servers to talk to outbound PPC
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $tomcat_http \
    keep state
# Allow web servers to talk to wls port inbound.
pass in on $to_apptier \
    proto tcp \
    from \
    to \
    port $wls_tsn \
    keep state \
# Allow outbound ICMP
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
# Allow inbound ICMP
pass in on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_request \
    keep state
# Allow ICMP Replies
pass out on $to_apptier \
    inet proto icmp \
    from \
    to \
    icmp-type $icmp_reply \
    keep state
# Allow tomcat servers to talk to the report box
pass in on $to_apptier \
    proto tcp \
    from \
    to \
    port $tomcat_http \
    keep state
# END cust4
# netperf test
# NOTE(review): test rules left in the production ruleset. The two port 9050
# rules are "from any to any" in both directions; the six tcp/udp/icmp rules
# after them pass everything from the (stripped) source table to any
# destination; and the "pass out ... from any to <table>" rule near the end
# has no proto at all. None are "quick", so the later "block out" in Part 2
# still wins last-match for outbound destinations it covers, but the
# "pass in" rules have no such backstop here. Remove or scope these once the
# test is finished.
pass in on $to_apptier \
    proto tcp \
    from any \
    to any \
    port 9050 \
    keep state
pass out on $to_apptier \
    proto tcp \
    from any \
    to any \
    port 9050 \
    keep state
pass in on $to_apptier \
    proto tcp \
    from \
    to any \
    keep state
pass in on $to_apptier \
    proto udp \
    from \
    to any \
    keep state
pass in on $to_apptier \
    proto icmp \
    from \
    to any \
    keep state
pass out on $to_apptier \
    proto tcp \
    from \
    to any \
    keep state
pass out on $to_apptier \
    proto udp \
    from \
    to any \
    keep state
pass out on $to_apptier \
    proto icmp \
    from \
    to any \
    keep state
# NOTE(review): two udp/tcp pairs to port $f5_util_vip follow; with the tables
# stripped it is not possible to tell whether the second pair differs from
# the first or is a duplicate -- check the deployed file.
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $f5_util_vip \
    keep state
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $f5_util_vip \
    keep state
pass out on $to_apptier \
    proto udp \
    from \
    to \
    port $f5_util_vip \
    keep state
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $f5_util_vip \
    keep state
# NOTE(review): no "proto" on the next rule -- every protocol from any source
# to the (stripped) destination table is passed outbound.
pass out on $to_apptier \
    from any \
    to \
    keep state
pass out on $to_apptier \
    proto icmp \
    from any \
    to \
    keep state
# for radius testing
# NOTE(review): "from any" inbound to $radius_token on $mgmt_radius, tcp and
# udp. If the RADIUS clients are known, restrict "from" to them; if this is
# still a test, remove both rules when done.
pass in on $to_apptier \
    proto tcp \
    from any \
    to $radius_token \
    port $mgmt_radius \
    keep state
# for radius testing
pass in on $to_apptier \
    proto udp \
    from any \
    to $radius_token \
    port $mgmt_radius \
    keep state
##
# ANTI SPOOFING / PARANOIA RULES PART 2.
##
# We have Part 2 so we can override previous
# rules. e.g. a rule above says we allow
# all outbound DNS/SMTP/NTP/HTTP from the
# admin tier to "anywhere". Well, we will
# prevent it from getting to the internet
# at the firewall using rules here. Even
# though the NAT at the load balancer would
# not route the traffic anyway, rather
# stop it before it even gets that far.
# (pf is last-match-wins: a later non-quick rule overrides an earlier one,
# which is what lets this block rule override the pass rules above it --
# except for any rule marked "quick", which is final where it matches.)
#
# Block outbound traffic to anything other
# than the web tier.
# temp disable
# NOTE(review): "temp disable" is ambiguous. As written, this "pass out quick"
# exempts 10.100.254.0/24 from the block rule below and, being quick, is
# final. Its last line also ends in a backslash: if no blank line separates
# it from "block out log" in the deployed file, the two rules merge into one
# unparseable rule. Confirm the intent and drop the trailing backslash.
pass out quick on $to_apptier \
    inet \
    from any \
    to 10.100.254.0/24 \
# NOTE(review): the negated table after "to !" is missing from this copy
# (brackets stripped on extraction), so the block rule cannot be read here.
# NOTE(review): "inet" limits this backstop to IPv4; nothing in this section
# blocks inet6 outbound. If these hosts have IPv6 connectivity, confirm a
# separate v6 policy exists or add a matching inet6 rule.
# NOTE(review): the rule is not "quick", so every "pass out" that follows it
# (LDAP monitoring, bigip health check) reopens what it matches -- that is
# the stated design, but it means anything appended below here silently
# punches through the backstop.
block out log on $to_apptier \
    inet \
    from any \
    to !
# This is for LDAP Monitoring
pass out on $to_apptier \
    proto tcp \
    from \
    to \
    port $util_ldap \
    keep state
# This is a workaround for bigip's broken health checkers
# hopefully we can get this fixed today
# NOTE(review): "to any" here reopens outbound $bigip_healthcheck to every
# destination, and because it sits after the block rule it wins last-match.
# Restrict "to" to the health-checker's addresses once the bigip fix lands,
# and remove the rule if the workaround is no longer needed.
pass out on $to_apptier \
    proto tcp \
    from \
    to any \
    port $bigip_healthcheck \
    keep state