DaemonForums  

#1
Old 12th May 2009
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
pf.conf Examples

I am posting the pf.conf file for my laptop in order to get some comments and feedback from more experienced users, as well as to encourage everybody to post samples of their pf.conf files.


Code:
#########
## Macros       
#########

ext_if="rl0"
#int_if=" "

tcp_services = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
udp_services= "{domain, ntp}"


#########
## Tables
#########

#table <spamd-white> persist


##########
## Options
##########

set require-order yes
set block-policy return
set optimization normal
set skip on lo
set loginterface $ext_if


########################
## Traffic normalization
########################

scrub in all random-id fragment reassemble 
scrub out all random-id fragment reassemble


#######################
## Bandwidth management
#######################


##############
## Translation
##############


##############
## Redirection
##############

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr-anchor "relayd/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#anchor "relayd/*" 


#######################################
## Packet filtering
## block and log everything by default
######################################

block log all


## DEBUG:
##  LOG Blocked Packets [uncomment above]:
##     block log all
##  VIEW LOG VIA:
##     tcpdump -n -e -ttt -i pflog0

### Theo's suggestions instead of pfstat
# systat pf 1
# and then use the right and left cursors to see additional
# interesting views
# this is also a good tool
# pfctl -s all


# Make sure all packets are clean and sane
antispoof quick for $ext_if
antispoof quick for { lo $ext_if }

# block anything coming form source we have no back routes for
block in from no-route to any

# block packets whose ingress interface does not match the one
# the route back to their source address
block in from urpf-failed to any

# block and log outfoing packates that do not have our address source
# they are either spoofed or something is misconfigured (NAT disabled, 
# for instance), we want to be nice and do not send out garbage
# block out log quick on $ext_if from ! 157.161.48.183 to any

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255



# block and log incoming packets from reserved address space and invalid
# addresses,they are either spoofed or misconfigured, we cannot reply to
# them anyway (hence, no return-rst).
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
                          192.168.0.0/16, 255.255.255.255/32 } to any


####################################################
## Only allow outgoing services which are sensable..
####################################################

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
# pass out on $ext_if inet proto icmp all icmp-type 8 code 0

# UDP
# pass out certain UDP connections and keep state (DNS)
pass out on $ext_if proto udp to any port $udp_services


# TCP
# pass out certain TCP connections and keep state (SSH, SMTP, DNS)
pass out on $ext_if proto tcp to any port $tcp_services

As you probably noticed, I have some redundant rules. The file is the way it
is so that I can relatively easily modify it for a similar situation, i.e. a single
workstation.

I have a couple of questions though. Do I have to have ntp listed in both
tcp and udp services in order for time synchronization to work properly?
I thought that the ntp service is a udp protocol.

I noticed that some people list imap in udp services. Why do they do that?

Notice also that I have

Code:
pass out on $ext_if proto udp to any port $udp_services
while most set up I saw have

Code:
pass       on $ext_if proto udp to any port $udp_services
Can somebody explain the difference?


Also notice that I have
Code:
# Make sure all packets are clean and sane
antispoof quick for $ext_if
antispoof quick for { lo $ext_if }
even though I think that

Code:
antispoof quick for $ext_if
Can somebody explain the difference?

Last edited by Oko; 22nd September 2011 at 01:22 AM.
#2
Old 12th May 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

I'm not going to post my pf.conf, I'm sure it's full of redundancies as well.. but I will answer your questions.

Quote:
Originally Posted by Oko View Post
I have a couple of questions though. Do I have to have ntp listed in both tcp and udp services in order for time synchronization to work properly? I thought that the ntp service is a udp protocol.

I noticed that some people list imap in udp services. Why do they do that?
If you look in /etc/services you'll see that some things are assigned both the tcp and udp port; this is IANA legacy.. just because udp port 22 is reserved for ssh doesn't mean it's actually used.

IANA maintains a registry that OS vendors can use to maintain their /etc/services database, this file allows the OS and users to map numbers to names.

http://www.iana.org/assignments/port-numbers

Quote:
Originally Posted by Oko View Post
Notice also that I have

Code:
pass out on $ext_if proto udp to any port $udp_services
while most set up I saw have

Code:
pass       on $ext_if proto udp to any port $udp_services
Can somebody explain the difference?
There is only one difference between those 2 rules, direction... the former passes out udp packets matching $udp_services, the latter is the same as specifying both in and out.

Quote:
Originally Posted by Oko View Post
Also notice that I have
Code:
# Make sure all packets are clean and sane
antispoof quick for $ext_if
antispoof quick for { lo $ext_if }
even though I think that

Code:
antispoof quick for $ext_if
Can somebody explain the difference?
I don't understand the question, the first rule is redundant.. { lo $ext_if } matches on both interfaces in the lo group and $ext_if, which pretty much just means lo0 and rl0.

Hope that helps...
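To see how the per-protocol /etc/services entries BSDfan666 describes interact with a pf port list, here is an added example in Python (not code from this thread): it parses an /etc/services-style table and expands a port-list macro for one protocol, mirroring the way pf resolves service names per protocol when it loads a ruleset. The services excerpt is constructed for the demo and is not a copy of any OS's file; the `parse_services`, `protocols_for` and `expand_macro` names are this example's own.

```python
"""Resolve pf port-list macros against an /etc/services-style table.

Added example, not from the forum thread. The services excerpt below is
constructed for the demo; real files differ per OS, so run the functions
against your own /etc/services before trusting the result.
"""
import re

# Constructed excerpt in /etc/services format: name port/proto [aliases] [# comment]
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed excerpt)
ssh         22/tcp              # SSH Remote Login Protocol
ssh         22/udp              # SSH Remote Login Protocol
smtp        25/tcp    mail
domain      53/tcp    nameserver
domain      53/udp    nameserver
www         80/tcp    http      # WorldWideWeb HTTP
ntp        123/tcp              # Network Time Protocol
ntp        123/udp              # Network Time Protocol
imap       143/tcp    imap2
imap       143/udp    imap2
https      443/tcp
imaps      993/tcp
submission 587/tcp
"""


def parse_services(text):
    """Return {(name, proto): port}; aliases are mapped as well."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        name, port_proto = fields[0], fields[1]
        port_s, proto = port_proto.split("/")
        for n in [name] + fields[2:]:           # primary name plus aliases
            table[(n, proto)] = int(port_s)
    return table


def protocols_for(table, name):
    """Sorted list of protocols a service name is registered for."""
    return sorted(proto for (n, proto) in table if n == name)


def expand_macro(table, macro, proto):
    """Expand a pf port list such as "{ssh, imaps, 587}" for one protocol.

    Returns (ports, unknown): the resolved port numbers and the names that
    have no entry for this protocol, which pf would refuse to load.
    Stray separators (e.g. "587,,") are tolerated here but are a syntax
    error for pfctl itself.
    """
    inner = macro.strip().strip("{}")
    items = [i for i in re.split(r"[,\s]+", inner) if i]
    ports, unknown = [], []
    for item in items:
        if item.isdigit():
            ports.append(int(item))
        elif (item, proto) in table:
            ports.append(table[(item, proto)])
        else:
            unknown.append(item)
    return ports, unknown


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    for name in ("ntp", "imap", "imaps", "www"):
        print(f"{name:6} registered for: {protocols_for(table, name)}")
    tcp_macro = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
    udp_macro = "{domain, ntp}"
    print("tcp ->", expand_macro(table, tcp_macro, "tcp"))
    print("udp ->", expand_macro(table, udp_macro, "udp"))
    print("udp ->", expand_macro(table, "{imaps, ntp}", "udp"))
```

The last call shows the point of the question: a name that only exists for tcp in the table (imaps here) cannot be used in a udp port list, while ntp, which has both entries, resolves for either protocol even though only the udp one carries real traffic.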
#3
Old 12th May 2009
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102

Quote:
Originally Posted by BSDfan666 View Post


There is only one difference between those 2 rules, direction... the former passes out udp packets matching $udp_services, the latter is the same as specifying both in and out.
This is exactly what I wanted to hear. I have never understood why people are leaving domain (udp) totally open when passing out and keeping state
will work for most users.



Quote:
Originally Posted by BSDfan666 View Post
I don't understand the question, the first rule is redundant.. { lo $ext_if } matches on both interfaces in the lo group and $ext_if, which pretty much just means lo0 and rl0.

Hope that helps...
Does one really need to antispoof lo? I noticed the man pages do recommend antispoofing on lo but most people do not have it.
Having in mind that I am setting skip on lo antispoof should do nothing on
lo anyway. Am I mistaken?
#4
Old 13th May 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

Quote:
Originally Posted by Oko View Post
This is exactly what I wanted to hear. I have never understood why people are leaving domain (udp) totally open when passing out and keeping state
will work for most users.
It really depends on the individual ruleset Oko.

There are 2 primary types of rulesets (..probably more):
  • pass .. all, packets are passed unless they match a future block rule. (Default)
  • block .. all, packets are blocked unless they match a future pass rule.
As you can see, pf is a very flexible tool.. users are free to design a ruleset that fits their personal mentality.

In my case, I pass all outgoing IPv4 TCP/UDP/ICMP traffic (..with state) from my /24 private LAN.. but I block all incoming traffic except for whatever I implicitly allow.

Quote:
Originally Posted by Oko View Post
Does one really need to antispoof lo? I noticed the man pages do recommend antispoofing on lo but most people do not have it.
Having in mind that I am setting skip on lo antispoof should do nothing on
lo anyway. Am I mistaken?
Some people might, but considering you have set skip on lo, no packets on interfaces in the lo group will be matched.. thusly the default rule to pass all packets is enforced.

I know it can sound confusing, but reading the pf FAQ and the man pages can make it all become clearer.. I've been using OpenBSD+pf for a long time now, but I still tweak my rulesets occasionally.
#5
Old 13th May 2009
s0xxx s0xxx is offline
Package Pilot
 
Join Date: May 2008
Posts: 192

Mine is actually quite extensive...
Code:
block in log
pass out all
Now I know, I know... scrub is useful, tighten things more on the outside, etc, etc. This is a personal machine that doesn't spend much time "out there".

Besides the PF FAQ, for tweaking pf second place belongs to the incredibly readable and very useful articles by Daniel Hartmeier (the link's got all three articles):

http://undeadly.org/cgi?action=artic...20060927091645

Skipping on lo means "don't filter on any lo interfaces at all", whereas antispoof on lo0 concerns other interfaces. The way I understand antispoof on lo0 is:

Block all incoming traffic from the 127.0.0.0/8 net that doesn't go through lo0. One should not receive packets from this net on, say, a vr0 interface that has the address 10.0.0.1/24.

Code:
rule expands to:
block drop in on ! lo0 inet from 127.0.0.1/8 to any

network 127.0.0.0/8         vr0            lo0
----------------------> 10.0.0.1 - |  127.0.0.1  |
                                   |   PF BOX    |
antispoof applies to aliases too: http://kerneltrap.org/mailarchive/op...8/7/15/2513284
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn.
If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD
#6
Old 14th May 2009
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102

Quote:
Originally Posted by s0xxx View Post
Mine is actually quite extensive...
Code:
block in log
pass out all
s0xxx, even though I advocate exactly the same pf.conf to novice users, the truth is that the second rule you have is actually very dangerous. In the real world you have to filter outgoing traffic as well, even if you are the only user of the computer. A more sane pf.conf than the one proposed above would be something like

Code:
ext_if="rl0"

tcp_services = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
udp_services= "{domain, ntp}"


set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble

block return in log all
block out all

antispoof quick for $ext_if


pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services




Quote:
Originally Posted by s0xxx View Post
Very good reading indeed . I especially optimization article.

Last edited by Oko; 22nd September 2011 at 01:23 AM.
#7
Old 15th May 2009
bsdnewbie999 bsdnewbie999 is offline
Package Pilot
 
Join Date: May 2008
Posts: 145

What is wrong with my pf.conf ?
Code:
#Macro
int_if="rl0"

#options
set block-policy return
set loginterface $int_if

#Normalization
scrub in all

#Passing Traffic
pass out quick on $int_if inet proto tcp from $int_if to any port www
pass in quick log on $int_if inet proto tcp to $int_if port 21 keep state

#Default Deny
block all
I'm having trouble surfing the web, but I did "pass out quick" the www packets, didn't I?
#8
Old 15th May 2009
s0xxx s0xxx is offline
Package Pilot
 
Join Date: May 2008
Posts: 192

You are only passing TCP packets, but not UDP, which is needed by, say, DNS or DHCP. So when you try to resolve the IP address of google.com, your pf is blocking those packets from exiting your box. Try with an IP address in the browser, or put the log word in the block rule, reload the config and start tcpdump on pflog to see the blocked packets.
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn.
If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD
#9
Old 15th May 2009
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102

Quote:
Originally Posted by bsdnewbie999 View Post
What is wrong with my pf.conf ?
Code:
#Macro
int_if="rl0"

#options
set block-policy return
set loginterface $int_if

#Normalization
scrub in all

#Passing Traffic
pass out quick on $int_if inet proto tcp from $int_if to any port www
pass in quick log on $int_if inet proto tcp to $int_if port 21 keep state

#Default Deny
block all
I'm having trouble surfing the web, but I did "pass out quick" the www packets, didn't I?
s0xxx already gave you the reason why your www doesn't work. You cannot resolve the address, since your DNS client cannot get through to your internet service provider's DNS server.
I would suggest you start with the simplified pf.conf file that I posted above and then remove the services which you do not need. You must leave domain intact!

On the other hand, I see that you want to keep ftp open for outside access. Do you really have an ftp server? Are you sure you really want to do that? You shouldn't be using anything except sftp for transferring files and ssh for shell access.

If FTP is really needed, you need to do a little more reading about the ftp protocol. Namely, ftp makes initial contact on port 21 and then randomly opens another port for the transfer of data. I know that sounds crazy, but it is what it is. In order to set up ftp properly, even just for access to other servers, you need to set up an ftp proxy. In order for the ftp proxy to work, inetd must work. Inetd is a security risk, so you will have to trim down inetd.conf very carefully and remove all unnecessary things.
Old 12th January 2010
There0 There0 is offline
./dev/null
 
Join Date: Jul 2008
Posts: 170

@bsdnewbie999

Quote:
I'm having trouble surfing the web, but I did "pass out quick" the www packets, didn't I?
The LAST matching rule wins in PF; it is better to block log all at the beginning and then allow specifically what you want in/out. The only reason it is working is because you are using "quick" in the pass rule.
__________________
The more you learn, the more you realize how little you know ....
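The two answers above (s0xxx's on the missing UDP pass, There0's on last-match-wins and quick) can be checked with a small model of pf's rule walk. This is an added Python example, not code from the thread or from pf itself: it keeps only direction, protocol and destination port, has no state table, and transcribes bsdnewbie999's and s0xxx's rulesets from their posts. The sample packets are constructed; `Rule`, `Packet`, `evaluate`, `without_quick` and `verdicts` are this example's own names.

```python
"""Model of how pf picks a winning rule: the last matching rule wins, unless a
matching rule carries "quick", which ends evaluation on the spot.

Added example, not from the thread. It models only direction, protocol and
destination port and has no state table; in real pf the reply packets of a
passed connection are matched by the state entry, not by re-walking rules.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out" or None for both
    proto: Optional[str] = None       # "tcp", "udp", "icmp" or None for any
    dport: Optional[int] = None       # destination port or None for any
    quick: bool = False
    text: str = ""                    # the pf.conf line, for reporting


@dataclass
class Packet:
    direction: str
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the ruleset as pf does and return (action, winning rule text).
    When nothing matches, pf's implicit default is to pass."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:            # quick: stop here, this rule is final
                break
    if winner is None:
        return "pass", "(implicit default: pass)"
    return winner.action, winner.text


def without_quick(rules: List[Rule]) -> List[Rule]:
    """The same ruleset with every quick removed, to show what changes."""
    return [Rule(r.action, r.direction, r.proto, r.dport, False,
                 r.text.replace(" quick", "")) for r in rules]


def verdicts(rules, packets):
    """{"out tcp/80": "pass", ...} for a batch of packets."""
    return {f"{p.direction} {p.proto}/{p.dport}": evaluate(rules, p)[0]
            for p in packets}


# bsdnewbie999's ruleset (post #7), transcribed
NEWBIE_RULES = [
    Rule("pass", "out", "tcp", 80, quick=True,
         text="pass out quick on $int_if inet proto tcp from $int_if to any port www"),
    Rule("pass", "in", "tcp", 21, quick=True,
         text="pass in quick log on $int_if inet proto tcp to $int_if port 21 keep state"),
    Rule("block", text="block all"),
]

# s0xxx's two-line ruleset (post #5), transcribed
S0XXX_RULES = [
    Rule("block", "in", text="block in log"),
    Rule("pass", "out", text="pass out all"),
]

# Constructed sample traffic: a web request, a DNS lookup, an HTTPS request,
# an inbound ftp control connection and an inbound ssh attempt.
SAMPLE_PACKETS = [
    Packet("out", "tcp", 80), Packet("out", "udp", 53),
    Packet("out", "tcp", 443), Packet("in", "tcp", 21), Packet("in", "tcp", 22),
]

if __name__ == "__main__":
    for name, rules in (("bsdnewbie999", NEWBIE_RULES),
                        ("bsdnewbie999 without quick", without_quick(NEWBIE_RULES)),
                        ("s0xxx", S0XXX_RULES)):
        print(name)
        for pkt in SAMPLE_PACKETS:
            action, why = evaluate(rules, pkt)
            print(f"  {pkt.direction:3} {pkt.proto}/{pkt.dport}: {action:5} <- {why}")
```

Running it shows the web request passing only because of quick: with quick stripped from the pass rules, the trailing `block all` is the last match and wins, and the DNS lookup on udp/53 is blocked in both variants, which is why name resolution fails.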
Old 22nd January 2010
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284

Quote:
Originally Posted by Oko View Post
In the real world you have to filter outgoing traffic as well even if you are the only user of the computer.
I don't think that can be emphasized enough- one of the best ways to catch an infiltration on your network is to see (and obviously block) the callbacks bot/root kits and viruses make.

The first week I turned on outbound filtering in our hosting network we caught a slew of infected machines that had passed our other means of detection.

Plus, it's part of being a good netizen- don't pass your infection on to others.
__________________
Network Firefighter
Old 31st January 2010
ohauer ohauer is offline
Port Guard
 
Join Date: May 2008
Location: germany
Posts: 32

Quote:
Originally Posted by oko
### Theo's suggestions instead of pfstat
# systat pf 1
# and then use the right and left cursors to see additional
# interesting views
Thanks for this hint; in the past I used pftop to get this info, but the built-in one gives much better info.
Old 17th February 2010
Angevin Angevin is offline
Real Name: Cypherpunk
Ghost in the Shell
 
Join Date: Nov 2009
Location: New York state
Posts: 20
My example PF

Quote:
Originally Posted by Oko
I am posting the pf.conf file for my laptop in order to get some comments and feedback from more experienced users, as well as to encourage everybody to post samples of their pf.conf files.
I'm posting mine too, as suggested, because I would like comments and feedback from people more experienced with PF as well:


Code:
ethernet = "fxp0" 

#outside visible  services 

services = "{auth,ntp,rpc }"


#fix packets

match in all scrub (no-df)


# no bug on loopback device

pass out quick on lo0 from any to any
pass in quick on lo0 from any to any


#deal with bad packets

block in log quick on $ethernet inet proto icmp from any to any icmp-type redir 

block in quick on $ethernet from any to any

#
# Now the regular filtering rules
#

#  allow for incoming ping and traceroute only (ICMP)
#

pass in quick on $ethernet inet proto icmp from any to any icmp-type { \
    echorep, echoreq, timex, unreach }
block in log quick on $ethernet inet proto icmp from any to any

# TCP: Allow ssh, smtp, http and https incoming. Only match
# SYN packets, and allow the state table to handle the rest of the
# connection. I'm not currently using these services on this machine, so it
# is commented out
#
#pass in quick on $external inet proto tcp from any to any port $services flags S/SA keep state

# Allow packets coming in as replies to my
# connections, so I keep state. Strictly speaking, with packets
# coming from our network we don't have to only match SYN, but
# what the heck?
#
pass out quick on $ethernet inet proto tcp  from any to any flags S/SA keep state
pass out quick on $ethernet inet proto udp  all keep state
pass out quick on $ethernet inet proto icmp from any to any keep state

# End of rules. Block everything to all ports, all protocols and return
# RST (TCP) or ICMP/port-unreachable (UDP).
#
block return-rst in log quick on $ethernet inet proto tcp from any to any
block return-icmp in log quick on $ethernet inet proto udp from any to any
block in quick on $ethernet all

#
# End of file

Last edited by Angevin; 17th February 2010 at 12:07 PM.
Old 17th February 2010
Angevin Angevin is offline
Real Name: Cypherpunk
Ghost in the Shell
 
Join Date: Nov 2009
Location: New York state
Posts: 20

BTW, my current setup is only for a single workstation/desktop. There are no other computers using the firewall right now (I don't have a personal home office LAN as of right now). Only other people on my network would be other subnet IP block DHCP users from my highspeed cable internet service provider.

Last edited by Angevin; 17th February 2010 at 07:39 PM. Reason: fix minor grammar error
Old 17th February 2010
J65nko J65nko is online now
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

My remarks

Code:
# --- Macro definitions

ethernet = "fxp0" 

# outside visible  services 
services = "{auth,ntp,rpc }"

set skip on lo0         # no bug on loopback device
set block-policy return # for TCP return RST and for the rest ICMP UNREACHABLE 

# --- fix packets

match in all scrub (no-df)

# --- INCOMING traffic

#  incoming ping and traceroute (ICMP)
pass in quick on $ethernet inet proto icmp from any to any icmp-type { \
     echorep, echoreq, timex, unreach }

# pass in quick on $external inet proto tcp from any to any port $services  

# --- OUTGOING traffic

pass out quick on $ethernet inet proto tcp  all
pass out quick on $ethernet inet proto udp  all 
pass out quick on $ethernet inet proto icmp all

# --- BLOCK policy

block in log quick on $ethernet inet proto icmp from any to any icmp-type redir 
block log  quick on $ethernet all
#
# End of file
For a different approach for a work-station-only-pf.conf see http://www.daemonforums.org/showthread.php?t=4367
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Old 18th February 2010
wilfried wilfried is offline
Real Name: Peter Strömberg
Port Guard
 
Join Date: May 2008
Location: Teckomatorp, Sweden
Posts: 11

I'm connected with adsl/pppoe
Code:
nic0="em0"  # lan1 1G/jumbo
nic1="msk0" # lan2 100
nic2="em1"  # pppoe port
ext="pppoe0"
torrent="6881:6899"

table <spamd-white> persist

set block-policy return

set skip on { lo $nic0 $nic1 $nic2 bridge0 }

altq on $ext priq bandwidth 800Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

block on $ext

pass  in  on $ext inet proto { tcp udp } from any to ($ext) port ssh queue (q_def, q_pri)

pass  in  on $ext inet proto tcp from any to ($ext) port { auth pop3s imaps } queue (q_def, q_pri)

pass  in  on $ext inet proto tcp from any to ($ext) port { www https } queue (q_def, q_pri) rdr-to 192.168.0.2
pass  in  on $ext inet proto { tcp udp } from any to ($ext) port { $torrent } queue (q_def, q_pri) rdr-to 192.168.0.2

pass  in  on $ext inet proto tcp from any to ($ext) port smtp rdr-to 127.0.0.1 port spamd
pass  in  on $ext inet proto tcp from <spamd-white> to ($ext) port smtp queue (q_def, q_pri)

pass  out on $ext inet proto tcp from ! 224/4 to any queue (q_def, q_pri)
pass  out on $ext inet proto udp from ! 224/4 to any queue (q_def, q_pri)

block     on $ext proto { tcp udp } from any to any port { netbios-ns netbios-dgm netbios-ssn microsoft-ds nfsd }

match out on $ext scrub (max-mss 1440)
match out on $ext from !($ext) nat-to ($ext:0)

# vim: set filetype=pf:
__________________
HP ProCurve 1800-24G, Phenom 9750, Dual Opteron 265, AMD64 3000+,
Dual P3-800, eMac G4 1.0GHz, Sun Blade 150, Alpha PWS 433 and more ...
Old 20th February 2010
J65nko J65nko is online now
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

Wilfried, any reason why you did not use any quick on those pass rules?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Old 12th October 2012
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335

Quote:
Originally Posted by ai-danno View Post
I don't think that can be emphasized enough- one of the best ways to catch an infiltration on your network is to see (and obviously block) the callbacks bot/root kits and viruses make.

The first week I turned on outbound filtering in our hosting network we caught a slew of infected machines that had passed our other means of detection.

Plus, it's part of being a good netizen- don't pass your infection on to others.
Can you expand upon your reply a little more as it pertains to detecting
unwanted bots, viruses etc.!
Old 12th October 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318

Quote:
Originally Posted by frcc View Post
Can you expand upon your reply a little more as it pertains to detecting
unwanted bots, viruses etc.!
frcc, you are responding to a thread which is two years old. Some of the contributors who posted then have not posted since.

You may get more of a response if you simply start a new thread.
Old 12th October 2012
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284

Among other things it was IRC traffic originating from our network. Watching outbound traffic from machines (primarily the destination addresses and ports they were attempting to hit) was the key.
__________________
Network Firefighter
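ai-danno's point, that the destinations and ports blocked outbound traffic was trying to reach gave the infected machines away, is the kind of thing you can pull out of pflog with a few lines of code. This is an added Python example, not from the thread: it parses lines in the general shape of `tcpdump -n -e -ttt -i pflog0` output (rule number, action, direction, interface, then src.port > dst.port) and summarises blocked outbound attempts per internal host. The log lines are constructed and only approximate tcpdump's real format, so check the regex against your own tcpdump output before relying on it; `parse_pflog`, `blocked_outbound_summary` and `hosts_over_threshold` are this example's own names.

```python
"""Summarise blocked outbound connection attempts from pflog lines.

Added example, not from the thread. The log lines below are constructed and
only approximate the shape of `tcpdump -n -e -ttt -i pflog0` output; adjust
LINE_RE to what your tcpdump version actually prints.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one internal host repeatedly trying to reach tcp/6667
# (the IRC port) on two outside hosts, one unrelated blocked HTTPS attempt,
# and one inbound block that must not count as outbound.
SAMPLE_PFLOG = """\
000000 rule 3/(match) block out on rl0: 10.0.0.5.49152 > 203.0.113.9.6667: S 1:1(0) win 16384
000501 rule 3/(match) block out on rl0: 10.0.0.5.49153 > 203.0.113.9.6667: S 1:1(0) win 16384
000020 rule 3/(match) block out on rl0: 10.0.0.5.49154 > 198.51.100.7.6667: S 1:1(0) win 16384
000250 rule 0/(match) block in on rl0: 192.0.2.44.5555 > 10.0.0.5.22: S 1:1(0) win 5840
000300 rule 3/(match) block out on rl0: 10.0.0.8.49200 > 198.51.100.20.443: S 1:1(0) win 16384
000010 rule 3/(match) block out on rl0: 10.0.0.5.49155 > 203.0.113.9.6667: S 1:1(0) win 16384
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Return a list of dicts for lines that match LINE_RE; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("rule", "sport", "dport"):
            d[key] = int(d[key])
        records.append(d)
    return records


def blocked_outbound_summary(records):
    """{src_host: {(dst, dport): count}} for blocked outbound attempts only."""
    summary = defaultdict(Counter)
    for r in records:
        if r["action"] == "block" and r["dir"] == "out":
            summary[r["src"]][(r["dst"], r["dport"])] += 1
    return {src: dict(counts) for src, counts in summary.items()}


def hosts_over_threshold(summary, min_attempts):
    """Internal hosts whose blocked outbound attempts reach min_attempts,
    noisiest first. Repeated attempts to the same destination and port are
    the callback pattern worth a closer look at that host."""
    totals = {src: sum(c.values()) for src, c in summary.items()}
    ranked = sorted(totals.items(), key=lambda kv: -kv[1])
    return [src for src, n in ranked if n >= min_attempts]


if __name__ == "__main__":
    records = parse_pflog(SAMPLE_PFLOG)
    summary = blocked_outbound_summary(records)
    for src, counts in summary.items():
        print(src)
        for (dst, dport), n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {n:3}x -> {dst}:{dport}")
    print("review first:", hosts_over_threshold(summary, 3))
```

On real traffic, feed it `tcpdump -n -e -ttt -r /var/log/pflog` output instead of the sample and raise the threshold to whatever is normal for the network; the inbound block in the sample is deliberately ignored, since the goal is to spot internal hosts calling out, not outside scanners.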