DaemonForums - OpenBSD Security

#1 - 12th May 2009 - Oko

pf.conf Examples

I am posting the pf.conf file for my laptop in order to get some comments and feedback from more experienced users, as well as to encourage everybody to post samples of their pf.conf files.


Code:
#########
## Macros       
#########

ext_if="rl0"
#int_if=" "

tcp_services = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
udp_services= "{domain, ntp}"


#########
## Tables
#########

#table <spamd-white> persist


##########
## Options
##########

set require-order yes
set block-policy return
set optimization normal
set skip on lo
set loginterface $ext_if


########################
## Traffic normalization
########################

scrub in all random-id fragment reassemble 
scrub out all random-id fragment reassemble


#######################
## Bandwidth management
#######################


##############
## Translation
##############


##############
## Redirection
##############

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr-anchor "relayd/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#anchor "relayd/*" 


#######################################
## Packet filtering
## block and log everything by default
######################################

block log all


## DEBUG:
##  LOG Blocked Packets [uncomment above]:
##     block log all
##  VIEW LOG VIA:
##     tcpdump -n -e -ttt -i pflog0

### Theo's suggestions instead of pfstat
# systat pf 1
# and then use the right and left cursors to see additional
# interesting views
# this is also a good tool
# pfctl -s all


# Make sure all packets are clean and sane
antispoof quick for $ext_if
antispoof quick for { lo $ext_if }

# block anything coming from a source we have no route back to
block in from no-route to any

# block packets whose ingress interface does not match the one
# on which the route back to their source address lies
block in from urpf-failed to any

# block and log outgoing packets that do not have our address as source;
# they are either spoofed or something is misconfigured (NAT disabled,
# for instance); we want to be nice and not send out garbage
# block out log quick on $ext_if from ! 157.161.48.183 to any

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255



# block and log incoming packets from reserved address space and invalid
# addresses,they are either spoofed or misconfigured, we cannot reply to
# them anyway (hence, no return-rst).
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
                          192.168.0.0/16, 255.255.255.255/32 } to any


####################################################
## Only allow outgoing services which are sensible..
####################################################

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
# pass out on $ext_if inet proto icmp all icmp-type 8 code 0

# UDP
# pass out certain UDP connections and keep state (DNS)
pass out on $ext_if proto udp to any port $udp_services


# TCP
# pass out certain TCP connections and keep state (SSH, SMTP, DNS)
pass out on $ext_if proto tcp to any port $tcp_services

As you probably noticed, I have some redundant rules. The file is the way it
is so that I can relatively easily modify it for a similar situation, i.e. a single
workstation.

I have a couple of questions, though. Do I have to have ntp listed in both
tcp and udp services in order for time synchronization to work properly?
I thought that the ntp service is a UDP protocol.

I noticed that some people list imap in udp services. Why do they do that?

Notice also that I have

Code:
pass out on $ext_if proto udp to any port $udp_services
while most setups I saw have

Code:
pass       on $ext_if proto udp to any port $udp_services
Can somebody explain the difference?


Also notice that I have
Code:
# Make sure all packets are clean and sane
antispoof quick for $ext_if
antispoof quick for { lo $ext_if }
even though I think that

Code:
antispoof quick for $ext_if
Can somebody explain the difference?


#2 - 12th May 2009 - BSDfan666

I'm not going to post my pf.conf, I'm sure it's full of redundancies as well.. but I will answer your questions.

Quote (Oko):
I have a couple of questions, though. Do I have to have ntp listed in both tcp and udp services in order for time synchronization to work properly? I thought that the ntp service is a UDP protocol.

I noticed that some people list imap in udp services. Why do they do that?
If you look in /etc/services you'll see that some things are assigned both the tcp and udp port; this is IANA legacy... just because UDP port 22 is reserved for ssh doesn't mean it's actually used.

IANA maintains a registry that OS vendors can use to maintain their /etc/services database, this file allows the OS and users to map numbers to names.

http://www.iana.org/assignments/port-numbers

Quote (Oko):
Notice also that I have

Code:
pass out on $ext_if proto udp to any port $udp_services
while most set up I saw have

Code:
pass       on $ext_if proto udp to any port $udp_services
Can somebody explain the difference?
There is only one difference between those 2 rules, direction... the former passes out udp packets matching $udp_services, the latter is the same as specifying both in and out.

Quote (Oko):
Also notice that I have
Code:
# Make sure all packets are clean and sane
antispoof quick for $ext_if
antispoof quick for { lo $ext_if }
even though I think that

Code:
antispoof quick for $ext_if
Can somebody explain the difference?
I don't understand the question, the first rule is redundant.. { lo $ext_if } matches on both interfaces in the lo group and $ext_if, which pretty much just means lo0 and rl0.

Hope that helps...

#3 - 12th May 2009 - Oko

Quote (BSDfan666):
There is only one difference between those 2 rules, direction... the former passes out udp packets matching $udp_services, the latter is the same as specifying both in and out.
This is exactly what I wanted to hear. I have never understood why people are leaving domain (udp) totally open when passing out and keeping state
will work for most users.



Quote (BSDfan666):
I don't understand the question, the first rule is redundant.. { lo $ext_if } matches on both interfaces in the lo group and $ext_if, which pretty much just means lo0 and rl0.

Hope that helps...
Does one really need to antispoof lo? I noticed the man pages do recommend antispoofing on lo, but most people do not have it.
Bearing in mind that I am setting skip on lo, antispoof should do nothing on
lo anyway. Am I mistaken?

#4 - 13th May 2009 - BSDfan666

Quote (Oko):
This is exactly what I wanted to hear. I have never understood why people are leaving domain (udp) totally open when passing out and keeping state
will work for most users.
It really depends on the individual ruleset Oko.

There are 2 primary types of rulesets (..probably more):
  • pass .. all, packets are passed unless they match a future block rule. (Default)
  • block .. all, packets are blocked unless they match a future pass rule.
As you can see, pf is a very flexible tool.. users are free to design a ruleset that fits their personal mentality.

In my case, I pass all outgoing IPv4 TCP/UDP/ICMP traffic (..with state) from my /24 private LAN.. but I block all incoming traffic except for whatever I implicitly allow.

Quote (Oko):
Does one really need to antispoof lo? I noticed the man pages do recommend antispoofing on lo, but most people do not have it.
Bearing in mind that I am setting skip on lo, antispoof should do nothing on
lo anyway. Am I mistaken?
Some people might, but considering you have set skip on lo, no packets on interfaces in the lo group will be matched.. thusly the default rule to pass all packets is enforced.

I know it can sound confusing, but reading the pf FAQ and the man pages can make it all become clearer.. I've been using OpenBSD+pf for a long time now, but I still tweak my rulesets occasionally.

#5 - 13th May 2009 - s0xxx

Mine is actually quite extensive...
Code:
block in log
pass out all
Now I know, I know... scrub is useful, tighten things more on the outside, etc., etc. This is a personal machine that doesn't spend much time "out there".

Besides the PF FAQ, for tweaking pf second place belongs to the incredibly readable and very useful articles by Daniel Hartmeier (the link's got all three articles):

http://undeadly.org/cgi?action=artic...20060927091645

Skipping on lo means "don't filter on any lo interfaces at all", whereas antispoof on lo0 concerns other interfaces. The way I understand antispoof on lo0 is:

Block all incoming traffic from the 127.0.0.0/8 net that doesn't go through lo0. One should not receive packets from this net on, say, a vr0 interface that has the 10.0.0.1/24 address.

Code:
rule expands to:
block drop in on ! lo0 inet from 127.0.0.1/8 to any

network 127.0.0.0/8         vr0            lo0
----------------------> 10.0.0.1 - |  127.0.0.1  |
                                   |   PF BOX    |
antispoof applies to aliases too: http://kerneltrap.org/mailarchive/op...8/7/15/2513284

#6 - 14th May 2009 - Oko

Quote (s0xxx):
Mine is actually quite extensive...
Code:
block in log
pass out all
s0xxx, even though I advocate exactly the same pf.conf to novice users, the truth is that the second rule you have is actually very dangerous. In the real world you have to filter outgoing traffic as well, even if you are the only user of the computer. Now, a saner pf.conf than the one proposed above would be something like

Code:
ext_if="rl0"

tcp_services = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
udp_services= "{domain, ntp}"


set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble

block return in log all
block out all

antispoof quick for $ext_if


pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services




Very good reading indeed. I especially liked the optimization article.


#7 - 15th May 2009 - bsdnewbie999

What is wrong with my pf.conf ?
Code:
#Macro
int_if="rl0"

#options
set block-policy return
set loginterface $int_if

#Normalization
scrub in all

#Passing Traffic
pass out quick on $int_if inet proto tcp from $int_if to any port www
pass in quick log on $int_if inet proto tcp to $int_if port 21 keep state

#Default Deny
block all
I am having trouble surfing the web, but I did "pass out quick" the www packets, didn't I?

#8 - 15th May 2009 - Oko

Quote (bsdnewbie999):
What is wrong with my pf.conf ?
Code:
#Macro
int_if="rl0"

#options
set block-policy return
set loginterface $int_if

#Normalization
scrub in all

#Passing Traffic
pass out quick on $int_if inet proto tcp from $int_if to any port www
pass in quick log on $int_if inet proto tcp to $int_if port 21 keep state

#Default Deny
block all
I am having trouble surfing the web, but I did "pass out quick" the www packets, didn't I?
s0xxx already gave you the reason why your www doesn't work. You cannot resolve the address since your DNS client cannot get through to the DNS server of your internet service provider.
I would suggest you start with the above simplified pf.conf file that I posted and then remove services which you do not need. You must leave domain intact!

On the other hand, I see that you want to keep ftp open for outside access. Do you really have an ftp server? Are you sure you really want to do that? You shouldn't be using anything else except sftp for transferring files and ssh for shell access.

If FTP is really needed, you need to do a little bit more reading about the ftp protocol. Namely, ftp makes initial contact on port 21 and then randomly opens another port for the transfer of data. I know that sounds crazy, but it is what it is. In order to set up ftp properly, even just for access to other servers, you need to set up an ftp proxy. In order for the ftp proxy to work, inetd must work. Inetd is a security risk, so you will have to very carefully trim down inetd.conf and remove all unnecessary things.

#9 - 12th January 2010 - There0

@bsdnewbie999

Quote:
I am having trouble surfing the web, but I did "pass out quick" the www packets, didn't I?
The LAST matching rule wins in PF; it is better to block log all at the beginning and then allow specifically what you want in/out. The only reason it is working is because you are using "quick" in the pass rule.

15th May 2009 - s0xxx

You are only passing TCP packets, but not UDP, which are needed by, say, DNS or DHCP. So when you try to resolve the IP address of google.com your pf is blocking those packets from exiting your box. Try with an IP address in the browser, or put a log word in the block rule, reload the config and start tcpdump on pflog to see the blocked packets.
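bsdnewbie999's ruleset, repaired along the lines s0xxx, Oko and There0 describe, as an added example that is not part of any post in this thread. It assumes the same single-workstation setup as the original (one interface, rl0, no LAN behind it) and keeps the pre-4.6 scrub syntax the original used (on 4.6 and later that line becomes match in all scrub (no-df)); the service lists are assumptions, trim them to what the machine actually needs:

```pf
# Added example; not from the original posts. Assumes a single workstation on rl0.
int_if = "rl0"

# Names resolve through /etc/services. domain and ntp are UDP, which the
# original ruleset never passed, so nothing could resolve (assumed lists).
udp_services = "{ domain, ntp }"
tcp_services = "{ domain, www, https }"

set block-policy return
set loginterface $int_if
set skip on lo

scrub in all

# Original (broken) pair, kept here only for comparison:
#   pass out quick on $int_if inet proto tcp from $int_if to any port www
#   block all
# TCP 80 got out thanks to "quick", but every UDP datagram fell through to "block all".

# Default deny comes FIRST and carries no "quick": the last matching rule wins,
# so the pass rules below override it only for the traffic they name.
block log all

# Stateful outbound rules; replies are matched by state, no "pass in" is needed.
pass out on $int_if inet proto udp from ($int_if) to any port $udp_services
pass out on $int_if inet proto tcp from ($int_if) to any port $tcp_services

# Outbound ping, handy for telling a routing problem from a DNS problem.
pass out on $int_if inet proto icmp from ($int_if) to any icmp-type echoreq

# Only if this box really must serve FTP (Oko's objection stands: prefer sftp).
# Leave it commented out otherwise.
# pass in log on $int_if inet proto tcp from any to ($int_if) port ftp
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it, and if something still cannot get out, tcpdump -n -e -ttt -i pflog0 shows the blocked packet together with the number of the rule that dropped it, which you can look up with pfctl -vsr.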

17th February 2010 - J65nko

My remarks

Code:
# --- Macro definitions

ethernet = "fxp0" 

# outside visible  services 
services = "{auth,ntp,rpc }"

set skip on lo0         # no bug on loopback device
set block-policy return # for TCP return RST and for the rest ICMP UNREACHABLE 

# --- fix packets

match in all scrub (no-df)

# --- INCOMING traffic

#  incoming ping and traceroute (ICMP)
pass in quick on $ethernet inet proto icmp from any to any icmp-type { \
     echorep, echoreq, timex, unreach }

# pass in quick on $external inet proto tcp from any to any port $services  

# --- OUTGOING traffic

pass out quick on $ethernet inet proto tcp  all
pass out quick on $ethernet inet proto udp  all 
pass out quick on $ethernet inet proto icmp all

# --- BLOCK policy

block in log quick on $ethernet inet proto icmp from any to any icmp-type redir 
block log  quick on $ethernet all
#
# End of file
For a different approach for a work-station-only-pf.conf see http://www.daemonforums.org/showthread.php?t=4367

18th February 2010 - wilfried

I'm connected with adsl/pppoe
Code:
nic0="em0"  # lan1 1G/jumbo
nic1="msk0" # lan2 100
nic2="em1"  # pppoe port
ext="pppoe0"
torrent="6881:6899"

table <spamd-white> persist

set block-policy return

set skip on { lo $nic0 $nic1 $nic2 bridge0 }

altq on $ext priq bandwidth 800Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

block on $ext

pass  in  on $ext inet proto { tcp udp } from any to ($ext) port ssh queue (q_def, q_pri)

pass  in  on $ext inet proto tcp from any to ($ext) port { auth pop3s imaps } queue (q_def, q_pri)

pass  in  on $ext inet proto tcp from any to ($ext) port { www https } queue (q_def, q_pri) rdr-to 192.168.0.2
pass  in  on $ext inet proto { tcp udp } from any to ($ext) port { $torrent } queue (q_def, q_pri) rdr-to 192.168.0.2

pass  in  on $ext inet proto tcp from any to ($ext) port smtp rdr-to 127.0.0.1 port spamd
pass  in  on $ext inet proto tcp from <spamd-white> to ($ext) port smtp queue (q_def, q_pri)

pass  out on $ext inet proto tcp from ! 224/4 to any queue (q_def, q_pri)
pass  out on $ext inet proto udp from ! 224/4 to any queue (q_def, q_pri)

block     on $ext proto { tcp udp } from any to any port { netbios-ns netbios-dgm netbios-ssn microsoft-ds nfsd }

match out on $ext scrub (max-mss 1440)
match out on $ext from !($ext) nat-to ($ext:0)

# vim: set filetype=pf:

20th February 2010 - J65nko

Wilfried, any reason why you did not use any quick on those pass rules?

12th October 2012 - ai-danno

Among other things it was IRC traffic originating from our network. Watching outbound traffic from machines (primarily the destination addresses and ports they were attempting to hit) was the key.

12th October 2012 - jggimi

Another type of outbound traffic to consider blocking out of hand -- outbound SMTP to any addresses other than your recognized upstream MTAs. This will stop many forms of spambot.
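The outbound SMTP restriction jggimi suggests, written out as an added example (these are not jggimi's own rules). The interface name and the two addresses in the table are placeholders (RFC 5737 and RFC 3849 documentation ranges); replace them with your real upstream MTAs:

```pf
# Added example; not from the original posts. Replace the placeholders below.
ext_if = "rl0"
table <upstream_mta> const { 192.0.2.25, 2001:db8::25 }

# Port 25 may only be reached on the hosts in <upstream_mta>; anything else
# headed for port 25 is logged and dropped. Both rules carry "quick" so a
# later catch-all "pass out" (as in several rulesets above) cannot reopen it.
pass  out quick on $ext_if proto tcp from ($ext_if) to <upstream_mta> port smtp
block out log quick on $ext_if proto tcp from any to any port smtp

# Mail clients on this box talk submission (587) to the same provider, so it
# gets the same restriction (assumption: your provider offers 587).
pass  out quick on $ext_if proto tcp from ($ext_if) to <upstream_mta> port submission
block out log quick on $ext_if proto tcp from any to any port submission
```

After loading, pfctl -t upstream_mta -T show confirms the table contents, and tcpdump -n -e -ttt -i pflog0 tcp port 25 shows any process on the machine trying to talk to a mail server that is not yours, which is exactly the spambot traffic jggimi is talking about.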

25th November 2012 - Trihexagonal

Mine is basically the same as everyone else's:

Code:
### macro name for external interface.
ext_if = "fxp0"
netbios_tcp = "{ 13, 22, 23, 37, 107, 111, 113, 512, 513, 514 }"

### Pass loopback
set skip on lo

### Reassemble fragmented packets
match in all scrub (no-df)

### Default deny everything rule
block log all

### Block spoofy
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block specific ports
block in on ! lo0 proto tcp to port 6000:6010
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
I scanned my OpenBSD machine from my FreeBSD box on the LAN and it showed TCP ports 13, 37, and 113 open by default on my installation, so I added those to the ports I normally block. I didn't see where to disable those services, so I just blocked the ports. I don't use SSH, so I have TCP 22 blocked as well.

I'm behind a pfSense hardware firewall, so running pf on my machines may be somewhat redundant, but I wouldn't have it any other way, unlike some people who claim a firewall isn't necessary if you don't have any open ports and don't see the benefits of not responding to ping or returning a stealth status when scanned.

25th November 2012 - ai-danno

grep your /etc/services file for the ports in question. You'll find that they are daytime, auth (ident), and time.

inetd manages these services, so you can modify /etc/inetd.conf to disable them (I'm assuming you aren't intending to serve them if you don't recognize them), then restart inetd ("pkill -HUP inetd").

25th November 2012 - Trihexagonal

Quote (ai-danno):
grep your /etc/services file for the ports in question. You'll find that they are daytime, auth (ident), and time.

inetd manages these services, so you can modify /etc/inetd.conf to disable them (I'm assuming you aren't intending to serve them if you don't recognize them), then restart inetd ("pkill -HUP inetd").
I knew what services used those ports, just not right offhand where to turn them off. Those services aren't enabled by default on FreeBSD and I didn't see them in /etc/rc.conf so it was just a matter of not knowing where to look.

Thanks for letting me know.