I'm not going to post my pf.conf, I'm sure it's full of redundancies as well.. but I will answer your questions.
IANA maintains a registry that OS vendors can use to maintain their /etc/services database; this file allows the OS and users to map numbers to names. http://www.iana.org/assignments/port-numbers
Hope that helps...
will work for most users.
Having in mind that I am setting skip on lo, antispoof should do nothing on lo anyway. Am I mistaken?
There are 2 primary types of rulesets (..probably more):
In my case, I pass all outgoing IPv4 TCP/UDP/ICMP traffic (..with state) from my /24 private LAN.. but I block all incoming traffic except for whatever I implicitly allow.
I know it can sound confusing, but reading the pf FAQ and the man pages can make it all become clearer.. I've been using OpenBSD+pf for a long time now, but I still tweak my rulesets occasionally.
Mine is actually quite extensive...
Code:
block in log
pass out all

Besides the PF FAQ, for tweaking pf second place belongs to the incredibly readable and very useful articles by Daniel Hartmeier (the link's got all three articles): http://undeadly.org/cgi?action=artic...20060927091645

Skipping on lo means "don't filter on any lo interfaces at all"; whereas antispoof on lo0 concerns other interfaces. The way I understand antispoof on lo0 is: block all incoming traffic from the 127.0.0.0/8 net that doesn't go through lo0. One should not receive packets from this net on, say, a vr0 interface that has the 10.0.0.1/24 address.

Code:
rule expands to:
block drop in on ! lo0 inet from 127.0.0.1/8 to any

network 127.0.0.0/8        vr0             lo0
 ---------------------->   10.0.0.1   -  | 127.0.0.1 |
                           |    PF BOX    |
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn. If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD
Code:
ext_if="rl0"
tcp_services = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
udp_services= "{domain, ntp}"
set skip on lo
set loginterface $ext_if
scrub in all random-id fragment reassemble
block return in log all
block out all
antispoof quick for $ext_if
pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services
Last edited by Oko; 22nd September 2011 at 01:23 AM.
What is wrong with my pf.conf ?
Code:
#Macro
int_if="rl0"
#options
set block-policy return
set loginterface $int_if
#Normalization
scrub in all
#Passing Traffic
pass out quick on $int_if inet proto tcp from $int_if to any port www
pass in quick log on $int_if inet proto tcp to $int_if port 21 keep state
#Default Deny
block all
I would suggest you start with the above simplified pf.conf file that I posted and then remove services which you do not need. You must leave domain intact! On the other hand I see that you want to keep ftp open for outside access. Do you really have an ftp server? Are you sure you really want to do that? You shouldn't be using anything else except sftp for transferring files and ssh for shell access. If FTP is really needed you need to do a little bit more reading about the ftp protocol. Namely, ftp makes initial contact on port 21 and then randomly opens another port for the transfer of data. I know that sounds crazy but it is what it is. In order to set ftp up properly, even just for access to other servers, you need to set up an ftp proxy. In order for the ftp proxy to work inetd must work. Inetd is a security risk so you will have to very carefully trim down inetd.conf and remove all unnecessary things.
@bsdnewbie999
__________________
The more you learn, the more you realize how little you know ....
You are only passing TCP packets, but not UDP, which are needed by, say, DNS or DHCP. So when you try to resolve the IP address of google.com your pf is blocking those packets from exiting your box. Try with an IP address in the browser, or put the log word in the block rule, reload the config and start tcpdump on pflog to see the blocked packets.
My remarks
Code:
# --- Macro definitions
ethernet = "fxp0"
# outside visible services
services = "{auth,ntp,rpc }"
set skip on lo0                 # no bug on loopback device
set block-policy return         # for TCP return RST and for the rest ICMP UNREACHABLE
# --- fix packets
match in all scrub (no-df)
# --- INCOMING traffic
# incoming ping and traceroute (ICMP)
pass in quick on $ethernet inet proto icmp from any to any icmp-type { \
    echorep, echoreq, timex, unreach }
# pass in quick on $external inet proto tcp from any to any port $services
# --- OUTGOING traffic
pass out quick on $ethernet inet proto tcp all
pass out quick on $ethernet inet proto udp all
pass out quick on $ethernet inet proto icmp all
# --- BLOCK policy
block in log quick on $ethernet inet proto icmp from any to any icmp-type redir
block log quick on $ethernet all
#
# End of file
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I'm connected with adsl/pppoe
Code:
nic0="em0"      # lan1 1G/jumbo
nic1="msk0"     # lan2 100
nic2="em1"      # pppoe port
ext="pppoe0"
torrent="6881:6899"
table <spamd-white> persist
set block-policy return
set skip on { lo $nic0 $nic1 $nic2 bridge0 }
altq on $ext priq bandwidth 800Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
block on $ext
pass in on $ext inet proto { tcp udp } from any to ($ext) port ssh queue (q_def, q_pri)
pass in on $ext inet proto tcp from any to ($ext) port { auth pop3s imaps } queue (q_def, q_pri)
pass in on $ext inet proto tcp from any to ($ext) port { www https } queue (q_def, q_pri) rdr-to 192.168.0.2
pass in on $ext inet proto { tcp udp } from any to ($ext) port { $torrent } queue (q_def, q_pri) rdr-to 192.168.0.2
pass in on $ext inet proto tcp from any to ($ext) port smtp rdr-to 127.0.0.1 port spamd
pass in on $ext inet proto tcp from <spamd-white> to ($ext) port smtp queue (q_def, q_pri)
pass out on $ext inet proto tcp from ! 224/4 to any queue (q_def, q_pri)
pass out on $ext inet proto udp from ! 224/4 to any queue (q_def, q_pri)
block on $ext proto { tcp udp } from any to any port { netbios-ns netbios-dgm netbios-ssn microsoft-ds nfsd }
match out on $ext scrub (max-mss 1440)
match out on $ext from !($ext) nat-to ($ext:0)
# vim: set filetype=pf:
__________________
HP ProCurve 1800-24G, Phenom 9750, Dual Opteron 265, AMD64 3000+, Dual P3-800, eMac G4 1.0GHz, Sun Blade 150, Alpha PWS 433 and more ...
Wilfried, any reason why you did not use any quick on those pass rules?
Among other things it was IRC traffic originating from our network. Watching outbound traffic from machines (primarily the destination addresses and ports they were attempting to hit) was the key.
__________________
Network Firefighter
Mine is basically the same as everyone else's:
Code:
### macro name for external interface.
ext_if = "fxp0"
netbios_tcp = "{ 13, 22, 23, 37, 107, 111, 113, 512, 513, 514 }"
### Pass loopback
set skip on lo
### Reassemble fragmented packets
match in all scrub (no-df)
### Default deny everything rule
block log all
### Block spoofy
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
### Block specific ports
block in on ! lo0 proto tcp to port 6000:6010
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

I'm behind a pfSense hardware firewall so running pf on my machines may be somewhat redundant but I wouldn't have it any other way. Unlike some people who claim a firewall isn't necessary if you don't have any open ports and don't see the benefits of not responding to ping or returning a stealth status when scanned.
grep your /etc/services file for the ports in question. You'll find that they are daytime, auth ident, and time.
inetd manages these services, so you can modify /etc/inetd.conf to disable them (I'm assuming you aren't intending to serve them if you don't recognize them), then restart inetd ("pkill -HUP inetd").
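The lookup the reply above describes, done with awk instead of grep, as an added example that is not from this thread or from any poster: it resolves every port in the netbios_tcp macro to its /etc/services name. The services excerpt is constructed and embedded so the script runs offline; PF_SERVICES_FILE is an assumed variable you can point at the real /etc/services.

```shell
#!/bin/sh
# Added example (not from the thread): map the ports of a pf port macro to the
# names in an /etc/services-style file. Uses an embedded, constructed excerpt
# unless PF_SERVICES_FILE (assumed name) points at a readable services file.
PF_SERVICES_FILE="${PF_SERVICES_FILE:-}"

sample_services() {
    # Constructed excerpt in /etc/services format: name port/proto [aliases] [# comment]
    cat <<'EOF'
daytime          13/tcp
ssh              22/tcp      # SSH Remote Login Protocol
telnet           23/tcp
time             37/tcp
rtelnet         107/tcp
sunrpc          111/tcp      rpcbind
auth            113/tcp      ident tap
exec            512/tcp
login           513/tcp
shell           514/tcp      cmd
EOF
}

services_src() {
    if [ -n "$PF_SERVICES_FILE" ] && [ -r "$PF_SERVICES_FILE" ]; then
        cat "$PF_SERVICES_FILE"
    else
        sample_services
    fi
}

# port_name PORT PROTO -> "name [aliases]", or "unknown" when the file has no entry
port_name() {
    services_src | awk -v p="$1/$2" '
        $1 !~ /^#/ && $2 == p {
            out = $1
            for (i = 3; i <= NF && $i !~ /^#/; i++) out = out " " $i
            print out; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# expand_macro '{ 13, 22, ... }' -> one "port name" line per port (TCP assumed,
# since netbios_tcp is only used in a proto tcp rule)
expand_macro() {
    printf '%s\n' "$1" | tr -d '{},' | tr -s ' ' '\n' | while read -r port; do
        if [ -n "$port" ]; then printf '%s %s\n' "$port" "$(port_name "$port" tcp)"; fi
    done
}

expand_macro '{ 13, 22, 23, 37, 107, 111, 113, 512, 513, 514 }'
```

Any port that prints as unknown is one the services file does not name, which is exactly the case where you want to check what is actually listening before deciding whether inetd.conf or the pf rule needs changing.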
Thanks for letting me know.