DaemonForums  

Go Back   DaemonForums > NetBSD > NetBSD Security

NetBSD Security Securing NetBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 20th September 2019
Sehnsucht94's Avatar
Sehnsucht94 Sehnsucht94 is offline
Real Name: Paolo Vincenzo Olivo
Package Pilot
 
Join Date: Oct 2017
Location: Rome
Posts: 169
Lightbulb My annotated NPF config for workstation usage

Given the almost total lack of example NPF configurations around, the significant source changes happened and features introduced (in regard of the firewall) during the transition towards 9.0, as well as the recent official deprecation of the old and unmaintained PF port (which many users still seemed to resolve to, largely due -I suppose- to the broad availability old user-friendly tutorials for OpenBSD)....I thought I might as well share my /etc/npf.conf (the same I had shared few months ago on a NPF thread on the SDF.org BBS, some of you might have come across it already ).

So, here it is:

Code:
# Associate a dynamic list of IPs , both IPv4 and IPv6, to the default 
interface
   $int_if = ifaddrs(usmsc0)

# Enable Just-In-Time compilation of filter pro-
# grams sent to the bpf(4) node
   set bpf.jit on;
 
 # Variable $LAN represents thei range of IPs for the local network 
   $LAN = { 192.168.1.1/24 }

# Static public IPv4 address
   $PUB_IP = { x.x.x.x } 

# Translate public IP  to local network
  map $int_if dynamic $LAN <- $PUB_IP

# Introduce container lists for blacklisted IPs
   table <blacklist> type ipset file "/etc/npf_blacklist"       
   table <suspicious> type lpm 
   
#Introduce 2 variables to list opened TCP and UDP ports
   $services_tcp = { http, https, smtp, domain, submission }
   $services_udp = { domain, ntp, 6000, 51413 }

# Load ICMP application-level gateway
   alg "icmp"

# Introduce a pseudo-device for logging events
  procedure "log" {
        log: npflog0
  }

# Introduce a set of 'normalization' options
  procedure "norm" {
        normalize: "random-id", "min-ttl" 512, "max-mss" 1432,  "no-df"
  }
 
   group default {
        #Pass everything on loop interface
              pass final on lo0 all

        #Block and release ports on demand to avoid DoS abuse, 
          #according to blacklistd(8) policies
              ruleset "blacklistd-wifi" 

        #Block blacklisted IPs
              block in final from <blacklist>
              
        #Block IPs marked as 'suspicious'
              block in final from <suspicious>     
        
        #Allow all outgoing traffic
              pass stateful out final all
             
        #Only allow selected ICMP types
              pass in final proto icmp icmp-type timxceed all
              pass in final proto icmp icmp-type unreach all
              pass in final proto icmp icmp-type echoreply all
              pass in final proto icmp icmp-type sourcequench all
              pass in final proto icmp icmp-type paramprob all
                        
        # Allow DHCP requests 
              pass out final proto udp from any port \
                        bootpc to any port bootps
              pass in final proto udp from any port \
                         bootps to any port bootpc
              pass in final proto udp from any port \
                         bootps to 255.255.255.0 port bootpc

        #Allow incoming TCP/UDP packets \
        # on selected ports applying "norm" procedure
              pass stateful in final proto tcp to $int_if \
                         port $services_tcp apply "norm" 
              pass stateful in final proto udp to $int_if \
                         port $services_udp apply "norm"

       # Allow DNS/SSH/FTP/MPD/TigerVNC \ 
       # connections on LAN and log them 
             pass stateful in final proto tcp from \
                       $LAN to $int_if port ftp apply "log"
             pass stateful in final proto tcp from \
                       $LAN to $int_if port ssh apply "log"
             pass stateful in final proto udp from \
                        $LAN to $int_if port nameserver apply "log"
             pass stateful in final proto tcp from \
                        $LAN to $int_if port nameserver apply "log"
             pass stateful in final proto tcp from \
                        $LAN to $int_if port 6600 apply "log"           
             pass stateful in final proto tcp from \
                        $LAN to $int_if port 5901  apply "log"

      # Allow Traceroute 
             pass stateful in final proto udp to $int_if \
                        port 33434-33600    
        
        # Allow Mosh server
              pass stateful in final proto udp from \ 
                    $LAN to $int_if port 60001-60099  

        # FTP PSV on safer ports
             pass stateful in final proto tcp to from \ 
                   $LAN to $int_if port 65525-65535  

        # Enable CARP, to avoid spurious failovers.
             pass proto carp all

        # Reject everything else 
               block return-rst in final proto tcp all apply "log"
               block return-icmp in final proto udp all apply "log"
               block return in final all apply "log"
  }
In addition, my /etc/blacklistd.conf:
Code:
# service               type    proto   owner           name    nfail   disable
[local]
ssh                     stream  tcp     root            -wifi   3       48h
ftp                     stream  tcp     root            -wifi   3       24h
http                    stream  tcp     root            -wifi   3       24h
https                   stream  tcp     root            -wifi   3       24h
domain                  dgram   udp     named           -wifi   3       12h
smtp                    stream  tcp     postfix         -wifi   3       24h
submission              stream  tcp     postfix         -wifi   3       24h

[remote]
192.168.1.0/24:ftp      stream  tcp     root            -wifi   9       =
192.168.1.0/24:ssh      stream  tcp     root            -wifi   9       =
It's worth stressing that as opposed to FreeBSD's blacklistd(8) port, which was patched for PF and IPFW, the original NetBSD's daemon only works with NPF as frontend, as it relies on BPF and BPFjit.


As an amateur, I don't expect this configuration to be devoid of mistakes and gross misconceptions, so I'm definitely opened to suggestions and fixes. Rather, it would be lovely, and greatly appreciated, if any of you shared their npf.conf too below

Thanks in advance, and Cheers!

###Reference
- npf.conf(5)
- NPF Documentation
- blacklistd.conf(5)
__________________
“Mi casa tendrá dos piernas y mis sueños no tendrán fronteras„
Reply With Quote
Reply

Tags
#blacklistd, #firewall, #netbsd, #npf

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Possible data leakage from OpenBSD workstation alex_b83 OpenBSD Security 25 18th February 2016 12:55 AM
New Workstation hardware question. tedeumjorge OpenBSD Installation and Upgrading 7 16th November 2012 02:37 AM
NetBSD as a workstation OS laconic NetBSD General 16 3rd May 2010 09:54 PM
Dual-head OpenBSD workstation? DraconianTimes OpenBSD General 6 7th October 2008 04:22 PM
News: BSD Workstation for sale kace FreeBSD General 26 22nd May 2008 12:00 PM


All times are GMT. The time now is 01:33 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick