pf.conf and some questions about brute attacks

[Daffy]

As I'm discovering my way through pf while reading the book "The book of PF", I have some questions and need a little help. First of all, I want to be able to configure pf to stop the brute force attacks. So, let's go to pf.conf as the book gives in the example.

First I have to create a table with

Code:

table <bruteforce> persist file "etc/bruteforce"

This is gonna create a table (<bruteforce>) and create the logs in the file /etc/bruteforce as I can understand.

After that, we're creating the rule

Code:

block quick from <bruteforce>

This is checking if the ip is logged in the <bruteforce> table and denies the chance to try to login, correct?

What I don't understand, is the following:

Code:

pass inet proto tcp to $localnet port $tcp_services \
            keep state (max-src-conn 100, max-src-conn-rate 15/5, \
                      overload <bruteforce> flush global)

- why use 'inet' parameter and not 'in'?

- in the case I want to transfer files from outside the local network (for example I'll say 150 small text files.not a chance, but for the sake of the question), I must configure the max-conn-rate, or every file counts as a new connection (and therefore I have to modify the max-src-conn?)

[BSDfan666]

The inet/inet6 parameter is used to distinguish between IPv4 and IPv6, it is not in place of in/out.

• If in/out are not specified, the rule matches both inbound and outbound packets.
• If inet/inet6 are not specified, the rule matches both packet families.

Just a reminder, if you're using the latest version of OpenBSD/pf, you'll need the second edition of The Book of PF.

[Daffy]

Quote:

Originally Posted by BSDfan666

The inet/inet6 parameter is used to distinguish between IPv4 and IPv6, it is not in place of in/out.

• If in/out are not specified, the rule matches both inbound and outbound packets.
• If inet/inet6 are not specified, the rule matches both packet families.

Thank you! So inet for me (IPv4 yet).

Quote:

Originally Posted by BSDfan666

Just a reminder, if you're using the latest version of OpenBSD/pf, you'll need the second edition of The Book of PF.

Thanks. I was very careful about this. The book is indeed the second version. (using OpenBSD 4.8)


Do you ( or anyone else) find those rules ok? I know I may seem a little hasty but seeing all those log entries somehow scares me.

[BSDfan666]

If you want someone to review your ruleset, you should post the entire file in [code][/code] blocks, as an attachment, or hosted on personal webspace.

Be advised that it may take time for someone to respond, but there are a few PF experts on the forums who seem to enjoy tackling overly complicated rulesets.

[Daffy]

So it's time for me to post my first pf.conf and hope it's not a complete fail :

Code:

# macros defined
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ ssh, 62222, www }"
udp_services = "{ ssh, 62222, www }"

# tables
table <bruteforce> persist file "/etc/bruteforce"

# block rules
block all
block quick from <bruteforce>

# pass rules
pass inet proto tcp to $localnet port $tcp_services \
	keep state (max-src-conn 100, max-src-conn-rate 20/5, \
		overload <bruteforce> flush global)

And the questions:
- is this going to work? I expect to be able to do simple browsing, be able to ssh to this machine (main desktop) and keep port 62222 open (for transmission). So as far as I can tell, in the macros ssh is port 22, www is port 80 and 62222 is... well, 62222.

- the macro "localnet = $int_if:network", is used to filter my traffic and the traffic from other pcs connected to my desktop?

Those are the questions that come to my mind for now. Back to reading and I'll be coming with more.


Thank you.

[J65nko]

• Add a log statement to the block rule: block log all
• Set the loginterface to your NIC.
• Reload your ruleset
• Run tcpdump on the pflog0 device.
  
  Code:

  # tcpdump -en -s 160 - i pflog0

• Start a web browser and watch the tcpdump window/xterm to see what you are missing.

[Daffy]

Quote:

Originally Posted by J65nko

[*]Start a web browser and watch the tcpdump window/xterm to see what you are missing. [/list]

lol. I think I may have forgotten the "pass out all" rule. That's why I didn't have any connection at all.

Here is my complete pf.conf again. Thank you very much for your help.
Can you find more mistakes? For now, it seems to work fine with browsing but the port 62222 for transmission seems closed. Why is this happening?

Code:

# macros defined
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ ssh, 62222, www }"
udp_services = "{ ssh, 62222, www }"

# tables
table <bruteforce> persist file "/etc/bruteforce"

# options
set loginterface $int_if

# block rules
block log all
block quick from <bruteforce>

# pass rules
pass inet proto tcp to $localnet port $tcp_services \
	keep state (max-src-conn 100, max-src-conn-rate 20/5, \
		overload <bruteforce> flush global)
pass out all

I couldn't find any info on "set loginterface" though. Even in the book, it doesn't explain why and how we use this option. Can you point me to some direction or explain me why and how we use this rule?

[edit]: also, before pass out all, do I need to add the rule

Code:

pass inet proto udp to $localnet port $udp_services

or is this unnecessary because of the "pass out all" rule (last rule-->strongest rule)?


p.s. I was never been so excited with an os again...

[J65nko]

The book is a gentle introduction to pf. The details about set loginterface and why it is useful, can be found in the pf.conf(5) manual page.

If you follow my advice, you will see the blocked packets, the protocol (tcp or udp) and the port number in the tcpdump on pflog0 xterm.
If you don't want pf to block this type of packets, then you have all the information to create an additional rule that will allow this kind of traffic.

Instead of giving hungry Daffy a fish, I am just trying to teach how to fish by yourself

[Daffy]

Quote:

Originally Posted by J65nko

The book is a gentle introduction to pf. The details about set loginterface and why it is useful, can be found in the pf.conf(5) manual page.

Found it, understood it. There's so much information and really with so much reading, a starter may be confused. I hope in some time (and with more reading) I'll be able to understand most of these rules. Practice, practice, practice...

After all, I'm already able to do everything I did with other operating systems with OpenBSD and I'm happy. It completely took over my Desktop.

Quote:

Originally Posted by J65nko

If you follow my advice, you will see the blocked packets, the protocol (tcp or udp) and the port number in the tcpdump on pflog0 xterm.
If you don't want pf to block this type of packets, then you have all the information to create an additional rule that will allow this kind of traffic.

I see them all now. I can't thank you and all the other members enough for all the information you're providing.

Quote:

Originally Posted by J65nko

Instead of giving hungry Daffy a fish, I am just trying to teach how to fish by yourself

The part with the "fish" was the best.

[Daffy]

Everything seems to work perfect now. I modified even more my pf.conf file, mainly the "max-src-conn" and "max-src-conn-rate" numbers to get the desired results but I ran into another question.

I blocked an attacker with the ip 77.xx.xx.x and I saw the ip at the bruteforce table with

Code:

>sudo pfctl -t bruteforce -T show
 77.xx.xx.x

When I changed the max-src-conn-rate and reloaded my pf.conf with

Code:

>sudo pfctl -f /etc/pf.conf

I decided to check the bruteforce table again and it was empty. Does the table reset every time I reload my pf.conf file or if I restart my pc? Why is this happening? I mean the table is persisted (therefore it can be updated) but at the same time I have created a file which contains the table logs with

Code:

table <bruteforce> persist file "/etc/bruteforce"

[edit]:
for anyone else having trouble figuring this out (if my way is wrong, please correct me)

I found the way to save entries with

Code:

sudo pfctl -t bruteforce -T show >/etc/bruteforce

but I was getting the error

Code:

ksh: cannot create /etc/bruteforce: Permission denied

So with

Code:

sudo chmod g+w bruteforce

I change permissions and now entries are saved!


I hope not so bad for a complete newbie.

[Loki]

Code:
table <bruteforce> persist file "/etc/bruteforce"

No. Make it /var/db/bruteforce or use /var/pf/ after you make the /var/pf dir.