Quote:
This is an example of a more elaborate pf.conf for a single OpenBSD desktop plugged into the ISP modem, i.e. directly facing the Internet. The only fancy stuff is enabling SSH login from the Internet, thus protecting against brute force using the built-in PF method and sshguard. Code:
ext_if="xl0"

NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
    0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32}"

table <bruteforce> persist
table <sshguard> persist

tcp_services = "{ssh, submission, imaps, http, https}"
udp_services = "{domain, ntp}"

set limit states 100000
set block-policy return
set optimization normal
set skip on lo
set loginterface $ext_if
set state-defaults pflow

match in all scrub (no-df max-mss 1440)
match out all scrub (no-df max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

block all
block quick from $NoRouteIPs
block quick from <bruteforce>
block in quick on $ext_if proto tcp from <sshguard> \
    to any port 22 label "ssh bruteforce"
antispoof quick for { $ext_if }
block drop in quick on $ext_if from no-route to any
block drop in quick from urpf-failed to any
block in on ! lo0 proto tcp to port 6000:6010

pass out on $ext_if inet proto icmp all icmp-type 8 code 0
pass out on $ext_if inet proto udp to any port $udp_services
pass out on $ext_if inet proto tcp to any port $tcp_services
pass log on $ext_if inet proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)
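An added illustration (not Oko's code and not pf's implementation) of what the limits on that last ssh rule actually do: a small Python model of max-src-conn 100 and max-src-conn-rate 15/5 with overload <bruteforce> flush global, run over constructed SYN timestamps. The source addresses are documentation-range placeholders, and the model simplifies max-src-conn as noted in the docstring.

```python
from collections import defaultdict, deque

# Limits copied from the posted rule: (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
MAX_SRC_CONN = 100
RATE_COUNT, RATE_SECONDS = 15, 5


class OverloadModel:
    """Toy model of pf's per-source limits for that rule (not pf's own code).
    Simplification: pf's max-src-conn counts handshake-complete connections;
    here every accepted SYN is an open state until close_connection()."""

    def __init__(self, max_conn=MAX_SRC_CONN, rate=(RATE_COUNT, RATE_SECONDS)):
        self.max_conn = max_conn
        self.rate_count, self.rate_secs = rate
        self.open_states = defaultdict(int)  # src -> live states from this rule
        self.recent = defaultdict(deque)     # src -> timestamps of recent new states
        self.bruteforce = set()              # what would sit in table <bruteforce>

    def new_connection(self, src, ts):
        """Verdict for a SYN to port ssh from src at time ts (seconds)."""
        if src in self.bruteforce:
            return "blocked"                 # 'block quick from <bruteforce>' wins
        window = self.recent[src]
        while window and ts - window[0] >= self.rate_secs:
            window.popleft()                 # forget attempts older than the 5 s window
        window.append(ts)
        if len(window) > self.rate_count or self.open_states[src] >= self.max_conn:
            self.overload(src)
            return "overload"
        self.open_states[src] += 1
        return "pass"

    def close_connection(self, src):
        """A connection from src ended, so its state is gone."""
        self.open_states[src] = max(0, self.open_states[src] - 1)

    def overload(self, src):
        """overload <bruteforce> flush global: table entry, every state of src killed."""
        self.bruteforce.add(src)
        self.open_states[src] = 0
        self.recent[src].clear()


if __name__ == "__main__":
    # Constructed sample: a user reconnecting each minute plus a scanner firing 20 SYNs in two seconds.
    syns = sorted([(60.0 * i, "198.51.100.5") for i in range(10)]
                  + [(600 + 0.1 * i, "203.0.113.7") for i in range(20)])
    model = OverloadModel()
    verdicts = [model.new_connection(src, ts) for ts, src in syns]
    print(verdicts.count("blocked"), "blocked; table <bruteforce> =", sorted(model.bruteforce))
```

Addresses the overload puts into <bruteforce> stay there until removed; on the real box they can be aged out with pfctl -t bruteforce -T expire <seconds> from cron.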
Quote:
http://home.nuug.no/~peter/pf/en/ The official documentation is also a must, but it is a little bit more difficult reading for a n00b: http://www.openbsd.org/faq/pf/
Quote:
__________________
hitest
Quote:
The next step would be to decide what services this machine should offer *to* the network and consume *from* the network, and put ingress and egress rules in place to further tighten up security (which Oko has already pointed out, so I'll leave that at that). Once you have that in place, you can further tighten up by adding max-src-conn and such (which tends to get used with commonly attacked services, such as sshd... again, as mentioned by Oko) and perhaps even move into tagging packets and policy-based firewall rulesets. Beyond that, you can place higher-level filters in place, such as relayd, HTTP proxies that do content filtering, unbound with stubs for various domains, etc., and redirect traffic via pf to those filters. (For example, I have unbound with a stub that relays all DNS traffic to a dnscrypt-proxy instance running locally, which encrypts DNS traffic and sends it to a dnscrypt-wrapper instance I have running on a remote machine outside of my ISP's reach, which queries the remote machine's unbound instance to actually do the lookup... my ISP has been known to do stupid filtering based on DNS, so I refuse to give them any insight into my DNS usage.)
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. Last edited by rocket357; 22nd March 2015 at 07:56 PM.
Quote:
Code:
auto-trust-anchor-file: "/var/unbound/db/root.key"
Code:
echo 'unbound_flags="-c /var/unbound/etc/unbound.conf"' >> /etc/rc.conf.local
Code:
predrag@oko$ more /etc/dhclient.conf
timeout 60;
retry 60;
reboot 10;
select-timeout 5;
initial-interval 2;
reject 192.33.137.209;

interface "xl0" {
        send host-name "oko";
        send dhcp-lease-time 7776000;
        supersede host-name "oko";
        supersede domain-name "bagdala2.net";
        prepend domain-name-servers 127.0.0.1;
        request subnet-mask, broadcast-address, time-offset, routers,
                domain-name, domain-name-servers, host-name, ntp-servers;
        require subnet-mask, domain-name-servers, routers;
}
Reboot after you make changes. Last edited by Oko; 23rd March 2015 at 02:06 AM.