[OpenBSD] Regles Packet Filter

Je viens de terminer mes règles pour PF. Pourriez-vous y jeter un oeil, au cas où j'aurais laissé de gros trous ? Merci.

Le routeur qui utilise PF est aussi utilisé comme serveur pour différents réseaux de peer-to-peer, d'où les ports ouverts.
Il a 3 interfaces réseau :
- une reliée à l'internet ($extif)
- une reliée au LAN câblé ($intif)
- une reliée à un point d'accès wireless ($wirelessif).
On autorise tout le trafic venant du LAN mais on interdit les mails sortants du WLAN (protection spam).

Et voilà le script :


#######################
# PF Ruleset
# 17/08/2004
#######################

############# Macros/tables #######################
# RFC 1918/3330
table <nonroutable> const { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, \
10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
224.0.0.0/3, 255.255.255.255/32 }

##########

extif = "tun0"
intif = "sis0"
wirelessif = "ne4"
unsafe = "{$external, $wireless}"

##########

# TCP services allowed in
# 22 : SSH 1214 : FastTrack
# 1412 : DirectConnect 2234 : SoulSeek
# 4662 : eDonkey2000 4663 : Overnet
# 6347 : Gnutella2 6699 : OpenNap
# 6881 : BitTorrent

tcpserv = { 22,1214,1412,2234,4662,4663,6347,6699,6881 }

# UDP services allowed in
# 1412 : DirectConnect 4663 : Overnet
# 4672 : eDonkey2000 6347 : Gnutella2
udpserv = { 1412,4663,4672,6347 }

###################################################

# Normalize packets, and reassemble fragmented ones.
scrub in all

# NAT for LAN and WLAN.
nat on $intif from $intif:network to any -> $extif
nat on $wirelessif from $wirelessif:network to any -> $extif

set block-policy return

######### Filtering rules ##########################
# Default deny policy.
block all

#####
# Traffic to/from loopback is allowed without restriction.
pass quick on lo0 all

#####
# Drop spoofing attemps.
block drop in quick on $extif from <nonroutable> to any
block drop out quick on $extif from any to <nonroutable>

#####
# Allow access to the upper-definied TCP and UDP services.
pass in quick on $extif inet proto tcp from any to ($extif) \
port $tcpserv flags S/SA synproxy state

pass in quick on $extif inet proto udp from any to ($extif) \
port $udpserv keep state

##### LAN
# Allow all incoming/responding traffic from the LAN (trusted).
pass in quick on $intif from $int_if:network to any keep state

# Allow all outgoing traffic to the LAN.
pass out quick on $intif from any to $intif:network keep state

##### WLAN
# Block sending mails from to WLAN (spam threat).
block in quick on $wirelessif from $wirelessif:network to any \
inet proto tcp port 25

pass in quick on $wirelessif from $wirelessif:network to any keep state
pass out quick on $wirelessif from any to $wirelessif:network keep state

#####
# Block access from the WLAN to the LAN.
block in quick on $wirelessif from $wirelessif:network \
to $intif:network

#####
# Allow external connections from our networks to the Internet.
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

###################################################



Merci d'avance de votre aide !
Olivier