pf.conf examples (part 2)

[lumiwa]

I am a newbie too and I try to configure pf.conf for my standalone computer. I red many examples and I had long time:

Code:

# Macros
ext_if = "rl0"

# Options: tune the behavior of pf.
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo

# Normalization: reassemble fragments etc.
scrub in all

# Filtering
antispoof quick for $ext_if

# Nobody gets in from the outside!
block in log quick on $ext_if all label "inblock"

# Block by default. (pass rules dhould follow later).
block out log on $ext_if all label "outblock"

pass out on $ext_if inet proto tcp all
pass out on $ext_if inet proto udp all.
pass out on $ext_if inet proto icmp all icmp-type 8 code

Now I have:

Code:

#macro
ext_if = rl0
scrub in on $ext_if all fragment reassemble
block all
set skip on lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN  ? Finish; end of session
### * S : SYN  ? Synchronize; indicates request to start session
### * R : RST  ? Reset; drop a connection
### * P : PUSH ? Push; packet is sent immediately
### * A : ACK  ? Acknowledgement
### * U : URG  ? Urgent
### * E : ECE  ? Explicit Congestion Notification Echo
### * W : CWR  ? Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### set a rule that allows inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state
table <ssh_abuse> persist
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)

Thanks.

[There0]

@luminwa

Quote:

block all

I would use "block log all" and "block log quick inet6 all" if your not fancy on using IPv6 right now.

Quote:

scrub in all

Quote:

match in log on $EXT scrub (no-df)

Is more like this in 4.6, you can use multiple interfaces is you have more than 1 requiring ingress traffic.

Quote:

block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

The above is also covered by "block log all" i do no use seperate rules per flagged rule, im certain there is circumstances for such but not for this cat.

Quote:

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

Quote:

pass out log on $EXT proto tcp from any modulate state flags S/SA
pass out log on $EXT proto { udp, icmp} from any

I use the following, i could be wrong but im betting that your not running OBSD 4.6? also the "from any to any" could be a bit hazardous in some situations, better to specify an interface or sometimes even an IP.

I also have a tun0 interface that i include in antispoof (and snort)

Quote:

antispoof log quick for { $LO $EXT tun0 } inet

About synproxy, it's for YOUR servers behind your firewall that you want to "protect" from syn packets

Quote:

TCP SYN Proxy
Normally when a client initiates a TCP connection to a server, PF will pass the handshake packets between the two endpoints as they arrive. PF has the ability, however, to proxy the handshake. With the handshake proxied, PF itself will complete the handshake with the client, initiate a handshake with the server, and then pass packets between the two. The benefit of this process is that no packets are sent to the server before the client completes the handshake. This eliminates the threat of spoofed TCP SYN floods affecting the server because a spoofed client connection will be unable to complete the handshake.

The TCP SYN proxy is enabled using the synproxy state keywords in filter rules. Example:

pass in on $ext_if proto tcp from any to $web_server port www \
flags S/SA synproxy state
Here, connections to the web server will be TCP proxied by PF.

[lumiwa]

@There0

I hope that I did what you suggested me:

Code:

# macro name for external interface.
ext_if = sk0
# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in all
# match in log on $ext_if scrub (no-df)
# set a default deny everything policy.
block log all
block log quick inet6 all
# exercise antispoofing on the external interface, but add the local
# loopback interface as an exception, to prevent services utilizing the
# local loop from being blocked accidentally
set skip on lo
antispoof quick for $ext_if
antispoof log quick for { lo $ext_if } inet
# block anything coming from sources that we have no back routes for.
block in from no-route to any
# block packets that fail a reverse path check. we look up the routing
# table, check to make sure that the outbound is the same as the source
# it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any
# drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255
# block packets claiming to come from reserved internal address blocks, as
# they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
pass out log on $ext_if proto tcp from any modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp} from any

And I forgot to wrote before that I have a standalone computer.

Thanks for your help.

[ocicat]

lumiwa, your initial post was made to a thread which was over six months old. Although there is some overlap on what you ask & the original thread, you should have started a new thread. In forum terminology, this is known as "hijacking" discussion.

I have separated out all posts relating to your discussion into a new thread, but in the future when you find a long-standing thread in which you want to continue discussion, please start a new thread. We try to honor the direction set by the initial poster.

Thanks.