Below is my pf.conf, which I put together reading the man page and googling around.
It seems to work fine; I've been using it for quite a few months. I have a restricted user "amule" which I use to run amule (rarely, actually). Do the lines in my pf.conf make sense? (It seems they do; I remember trying to change them and thus blocking amule traffic.) I use this computer basically as a desktop, but it is on 24h/day, so I need it to be safe. On Google I found this script to block brute-force attacks, which works very well:
Code:
#!/bin/sh
# Rebuild the <ssh-violations> table from /var/log/authlog:
#  1. any address that shows up on more than one "Invalid user" line
#  2. any address with more than 5 "Failed password" lines
pfctl -t ssh-violations -T flush

# "... sshd[pid]: Invalid user NAME from A.B.C.D" -> the address is field 10.
# sort first: uniq -d only reports duplicates that are adjacent.
for ips in $(grep sshd /var/log/authlog | grep "Invalid" | awk '{print $10}' | sort | uniq -d); do
    pfctl -t ssh-violations -T add "$ips"
done

# "... Failed password for USER from A.B.C.D port N ssh2" -> the address is
# the 4th field counted from the end, hence rev/cut/rev.
grep sshd /var/log/authlog | grep "Failed" | rev | cut -d ' ' -f 4 | rev | sort | uniq -c | \
( while read num ips; do
    if [ "$num" -gt 5 ]; then
        # skip addresses the first loop already put into the table
        if ! pfctl -t ssh-violations -T show | tr -d ' ' | grep -qFx "$ips"; then
            pfctl -t ssh-violations -T add "$ips"
        fi
    fi
done
)
Code:
ext_if="gem0"
ssh= "{ 22 }"
# addresses added by the script above; "persist" keeps the table when the
# ruleset is reloaded, "file" preloads it from disk
table <ssh-violations> persist file "/etc/ssh-violations"
# options
set block-policy drop
set state-policy if-bound
set loginterface $ext_if
set optimization normal
set skip on lo0
# scrub
scrub in on $ext_if all
pass quick on lo0 all
antispoof for $ext_if
# default deny in both directions; the pass rules below override these
# because in pf the last matching rule wins
block in log all
block out all
# quick: stop evaluating here so no later pass rule lets these hosts in
block in quick log from <ssh-violations> to any
pass on $ext_if proto tcp from any to any port $ssh
# aMule, only for sockets owned by the restricted user
pass on $ext_if proto tcp from any to any port 4662 user amule
pass on $ext_if proto udp from any to any port 4665 user amule
pass on $ext_if proto udp from any to any port 4672 user amule
pass on $ext_if proto tcp from any to any port 4712 user amule
pass on $ext_if proto tcp from any to any port 4661 user amule
pass out quick on $ext_if inet
martians = "{ 127.0.0.0/8, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
block drop in quick on $ext_if from $martians to any
# note: the "pass out quick" above already matched all outgoing IPv4 traffic,
# so this outbound martian block is never reached
block drop out quick on $ext_if from any to $martians
Any comments or suggestions will be greatly appreciated.

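The brute-force script above picks the address out of each log line by position (awk's $10, and the 4th field counted from the end), which only works while the message format stays exactly as expected. Below is an added example, written for this page and not part of the original post, that applies the same two rules (an address on more than one "Invalid user" line, or more than five "Failed password" lines) to constructed authlog lines using a regular expression anchored on the address sshd appends at the end of the message, so a user name containing the text "from 9.9.9.9" cannot plant a bogus address in the table. The sample lines, the threshold of 5, the table name ssh-violations and the function names are assumptions for the example; it prints the pfctl commands instead of running them.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample authlog lines for this example (not taken from any real
# host). The line with an empty user name and the line with a crafted user
# name ("x from 9.9.9.9") are included to show the two cases that break
# positional field extraction.
SAMPLE_AUTHLOG = """\
Mar  3 10:01:12 host sshd[1234]: Invalid user admin from 203.0.113.7
Mar  3 10:01:15 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:02:01 host sshd[1240]: Invalid user test from 198.51.100.9
Mar  3 10:05:44 host sshd[1251]: Invalid user admin from 203.0.113.7
Mar  3 10:06:00 host sshd[1260]: Failed password for root from 192.0.2.44 port 5112 ssh2
Mar  3 10:06:03 host sshd[1260]: Failed password for root from 192.0.2.44 port 5112 ssh2
Mar  3 10:06:06 host sshd[1260]: Failed password for root from 192.0.2.44 port 5112 ssh2
Mar  3 10:06:09 host sshd[1261]: Failed password for root from 192.0.2.44 port 5113 ssh2
Mar  3 10:06:12 host sshd[1261]: Failed password for root from 192.0.2.44 port 5113 ssh2
Mar  3 10:06:15 host sshd[1261]: Failed password for root from 192.0.2.44 port 5113 ssh2
Mar  3 10:07:00 host sshd[1270]: Accepted publickey for alice from 198.51.100.20 port 5220 ssh2
Mar  3 10:08:00 host sshd[1280]: Failed password for bob from 198.51.100.20 port 5221 ssh2
Mar  3 10:09:00 host sudo:    alice : TTY=ttyp0 ; USER=root ; COMMAND=/sbin/pfctl -s rules
Mar  3 10:09:30 host sshd[1281]: Invalid user  from 198.51.100.9
Mar  3 10:10:00 host sshd[1290]: Invalid user x from 9.9.9.9 from 198.51.100.9
"""

# The user name is attacker-chosen text, so both patterns are anchored on the
# address sshd itself appends at the end of the message: the greedy ".*" makes
# "from" bind to the LAST occurrence, and "$" / "port N" pin the tail.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+)(?: port \d+)?$")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \S+ for .* from (\S+) port \d+")


def valid_ip(text):
    """Return the normalised address, or None if the text is not an IP."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def offenders(log_text, failed_threshold=5):
    """Addresses that the script's two rules select from the given log text."""
    invalid = Counter()
    failed = Counter()
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            ip = valid_ip(m.group(1))
            if ip:
                invalid[ip] += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            ip = valid_ip(m.group(1))
            if ip:
                failed[ip] += 1
    # rule 1: seen on more than one "Invalid user" line (what sort | uniq -d picks)
    hits = {ip for ip, n in invalid.items() if n > 1}
    # rule 2: more than failed_threshold "Failed ..." lines
    hits |= {ip for ip, n in failed.items() if n > failed_threshold}
    return hits


def pfctl_commands(ips, table="ssh-violations"):
    """The pfctl invocations that rebuild the table with exactly these addresses."""
    cmds = [f"pfctl -t {table} -T flush"]
    cmds += [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]
    return cmds


if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_AUTHLOG)):
        print(cmd)
```

Run against the sample, 203.0.113.7 and 198.51.100.9 are selected by the first rule, 192.0.2.44 by the second (six failures), and neither the one-off failure from 198.51.100.20 nor the planted 9.9.9.9 ends up in the table.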
Having a macro named $ssh is unnecessary; service names listed in /etc/services are perfectly acceptable substitutes for port numbers.
pass quick on lo0 all is redundant; you already tell pf to ignore local traffic. I like keeping the block and pass rules separate... block rules first, pass rules after.
Code:
# internet connected interface
ext_if="gem0"
table <ssh-violations> persist file "/etc/ssh-violations"
table <martians> const persist { 127/8, 192.168/16, 172.16/12, 10/8, 0/8, \
169.254/16, 192.0.2/24, 240/4 }
# options
set block-policy drop
set loginterface $ext_if
set skip on lo0
# scrub
scrub in on $ext_if all
# antispoof
antispoof for $ext_if
# catch-all
block in log all
block out all
# block evil people
block in log quick from <ssh-violations> to any
block in quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>
# allow ssh connections
pass in on $ext_if proto tcp from any to any port ssh
# AMule incoming
pass in on $ext_if proto tcp from any to any port 4662 user amule
pass in on $ext_if proto udp from any to any port 4665 user amule
pass in on $ext_if proto udp from any to any port 4672 user amule
# pass out all traffic
pass out on $ext_if inet all

Note: I changed the macro $martians into a table; this makes things cleaner and saves pf from needlessly creating 2 temporary tables anyway.

Thanks a lot, BSDfan666.
I see that declaring a drop policy was also redundant, since it is the default behaviour. But why don't I need the "quick" in "pass out on $ext_if inet all"?

Because you're misunderstanding the purpose of the keyword: in pf the last rule wins, so the block rules require the quick because otherwise the pass rules would override them.
Or at least, that's my understanding. Hope it helps.

I see, now I understand.
Another question: is there a way to block/allow outgoing traffic on a "per application" basis, like most Windows firewalls do? And does it make any sense?

Also, why do I need to "block out all" if at the end I allow all outgoing traffic?
No, that doesn't seem very feasible; Windows firewalls are more of a "port monitor", not a packet filter.
Using systrace(1) might be one way of doing what you want, but not exactly perfect. Apologies.

It's better to simply block traffic, and then.. permit things on a case-by-case basis.
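Two of the questions in this thread (why the block rules need quick while the final pass out does not, and why a "block out all" catch-all is needed when all outgoing traffic is passed at the end) both come down to pf's evaluation order. Below is an added example, written for this page and not part of the original thread or of pf itself: a small Python model of that order, in which the last matching rule sets the verdict, a matching quick rule ends evaluation immediately, and a packet matched by no rule at all is passed. It replays the ruleset from the replies above over a few constructed packets, with and without quick on the block rules, and once with the catch-all blocks removed. Interfaces, antispoof, set skip, state tracking and the user option are deliberately not modelled; the table contents, addresses and class names are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added model of pf rule evaluation (not pf's own code): rules are walked in
# order, the LAST matching rule wins, a matching "quick" rule stops the walk,
# and a packet no rule matches is passed. Nothing else about pf is modelled.


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "block" or "pass"
    direction: str = "any"            # "in", "out" or "any" (pf's bare "block"/"pass")
    quick: bool = False
    proto: Optional[str] = None
    src_table: Optional[str] = None   # source must be in this <table>
    dst_table: Optional[str] = None   # destination must be in this <table>
    dport: Optional[int] = None


# Constructed table contents for the example.
TABLES = {
    "ssh-violations": ["203.0.113.7"],
    "martians": ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "169.254.0.0/16", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/4"],
}


def in_table(tables, name, addr):
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n, strict=False) for n in tables[name])


def matches(rule, pkt, tables):
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src_table is not None and not in_table(tables, rule.src_table, pkt.src):
        return False
    if rule.dst_table is not None and not in_table(tables, rule.dst_table, pkt.dst):
        return False
    return True


def evaluate(rules, pkt, tables):
    """Return (verdict, index of the deciding rule); the index is None if nothing matched."""
    verdict, winner = "pass", None            # pf passes what no rule matches
    for i, rule in enumerate(rules):
        if matches(rule, pkt, tables):
            verdict, winner = rule.action, i  # last match wins ...
            if rule.quick:                    # ... unless it is quick
                break
    return verdict, winner


def ruleset(quick_blocks=True):
    """The thread's ruleset, optionally with "quick" stripped from the block rules."""
    q = quick_blocks
    return [
        Rule("block", "in"),                                        # block in log all
        Rule("block", "out"),                                       # block out all
        Rule("block", "in", quick=q, src_table="ssh-violations"),   # block evil people
        Rule("block", "in", quick=q, src_table="martians"),
        Rule("block", "out", quick=q, dst_table="martians"),
        Rule("pass", "in", proto="tcp", dport=22),                  # port ssh
        Rule("pass", "in", proto="tcp", dport=4662),                # aMule (user not modelled)
        Rule("pass", "out"),                                        # pass out on $ext_if inet all
    ]


if __name__ == "__main__":
    attacker = Packet("in", "tcp", "203.0.113.7", "198.51.100.1", 22)
    print("listed host, quick on blocks:  ", evaluate(ruleset(), attacker, TABLES))
    print("listed host, no quick:         ", evaluate(ruleset(False), attacker, TABLES))
    stray = Packet("in", "udp", "198.51.100.20", "198.51.100.1", 53)
    print("no catch-all block, unmatched: ", evaluate(ruleset()[2:], stray, TABLES))
```

With quick on the block rules, an ssh connection from the listed host stops at rule 2 and is blocked; strip quick and the later "pass in ... port ssh" rule is the last match, so the same packet is passed. The final "pass out" needs no quick because nothing after it could override it. Drop the two catch-all blocks and a packet nothing else mentions (UDP to port 53) is passed with no deciding rule at all, which is why the thread keeps "block in" and "block out" at the top and permits case by case.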
Are Windows firewalls made that way because of the plethora of malware that runs on it?
Very nice, I've made quite a few things clear today, thanks a lot.