pf config error
My box setup only has 1 NIC, detected as em0. I will add more Ethernet cards as soon as I have finished all the server setup; for now the one NIC is used for both internal and Internet traffic. Searching around, I found an article at http://bash.cyberciti.biz/firewall/pf-firewall-script/ and added some slight modifications. Here we go:
Code:
#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data }"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
#### define tables. add all subnets and ips to block
table <blockedip> persist file "/etc/pf.blockip.conf"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
### admin server ranges ###
adminrange = "192.168.1.1/24"
# connected to internet
ext_if = "em0"
##### ftp proxy
#proxy="127.0.0.1"
#proxyport="8021"
#### Normalization
# scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all
#### NAT and RDR start
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
# redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
# Drop incoming everything
block in all
block return
# keep stats of outgoing connections
pass out keep state
# We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
# unlimited traffic for loopback and lan / vpn
set skip on {lo0, $ext_if}
# activate spoofing protection for all interfaces
block in quick from urpf-failed
# antispoof is a common special case of filtering and blocking.
# This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
# Block RFC 1918 addresses
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians
# Block all ips
# pfctl -t blockedip -T show
block drop in log (all) quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>
# allow outgoing
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# Allow admin to get into box
pass in on $ext_if from $adminrange to any
# Allow incoming ssh, http, bind traffic
# pass in on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy modulate state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
Last edited by J65nko; 29th August 2009 at 08:20 PM. Reason: Replaced php code block by normal code
It's your damned php block. When I grab the raw text out of the php code block, rather than copy/pasting from the browser, I can see the correct errors: lines 26 and 78, a scrub error and a synproxy error.

Your "scrub" is in error because, I believe, you are running -current. See the April 6 entry of the Following -current FAQ. See the man page for pf.conf(5).

Your "synproxy modulate state" is in error because synproxy is a state. See the man page for pf.conf(5).

Last edited by jggimi; 29th August 2009 at 09:46 PM.
Relax, man... Sorry, I was asleep for 2 days, lol. I didn't see that when I pasted it into the SSH client it had some wrongly terminated strings. Thanks, it worked as you advised. Here is the config. Any advice on eliminating redundant rules? I need help to make the security tighter (block port scanners / SYN stealth scans?).
Code:
#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data }"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
#### define tables. add all subnets and ips to block
table <blockedip> persist file "/etc/pf.blockip.conf"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
### admin server ranges ###
adminrange = "192.168.1.101"
# connected to internet
ext_if = "em0"
##### ftp proxy
#proxy="127.0.0.1"
#proxyport="8021"
#### Normalization
# scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all
#### NAT and RDR start
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
# redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
# Drop incoming everything
block in log (to pflog0) all
block return
# keep stats of outgoing connections
pass out log (all) keep state
# We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
# unlimited traffic for loopback and lan / vpn
set skip on {lo0, $ext_if}
# activate spoofing protection for all interfaces
block in quick from urpf-failed
# antispoof is a common special case of filtering and blocking.
# This mechanism protects against activity from spoofed or forged IP addresses
antispoof log (to pflog0) for $ext_if
# Block RFC 1918 addresses
block drop in log (to pflog0) quick on $ext_if from $martians to any
block drop out log (to pflog0) quick on $ext_if from any to $martians
# Block all ips
# pfctl -t blockedip -T show
block drop in log (to pflog0) quick on $ext_if from <blockedip> to any
block drop out log (to pflog0) quick on $ext_if from any to <blockedip>
# allow outgoing
pass out log (to pflog0) on $ext_if proto tcp to any port $tcp_services
pass out log (to pflog0) on $ext_if proto udp to any port $udp_services
# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# Allow admin to get into box
pass in log (to pflog0) on $ext_if from $adminrange to any
# Allow incoming ssh, http, bind traffic
# pass in on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
my interface:
Code:
# Allow incoming ssh, http, bind traffic
# pass in on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
Code:
# Allow incoming ssh, http, bind traffic
# pass in on $ext_if proto tcp from any to any port 25
pass in on $ext_if inet proto tcp \
    from !<blockedip> to ($ext_if) port ssh flags S/SA synproxy state
pass in on $ext_if inet proto udp \
    from !<blockedip> to ($ext_if) port domain
pass in on $ext_if inet proto tcp \
    from !<blockedip> to ($ext_if) port domain flags S/SA synproxy state
pass in on $ext_if inet proto tcp \
    from !<blockedip> to ($ext_if) port http flags S/SA synproxy state
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
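An added example, not the original poster's ruleset and not J65nko's: a consolidated pf.conf that addresses the two questions in the follow-up post, redundant rules and tighter inbound handling, while keeping J65nko's `from !<blockedip> to ($ext_if)` pattern. It assumes OpenBSD 4.6-current syntax (the `scrub` directive jggimi flagged is replaced by `match ... scrub`), the single-NIC em0 layout from the first post, an admin host of 192.168.1.101 and a table named `<bruteforce>`; all of those are assumptions. Three things in the posted config are worth knowing first: `set skip on {lo0, $ext_if}` exempts em0 from filtering altogether, so none of the other rules ever applied to Internet traffic; once that is removed, the `quick` block on `$martians` sits ahead of `pass in ... from $adminrange`, and because the one NIC also carries the LAN, 192.168.0.0/16 in `$martians` drops the admin host before the pass rule is reached; and the unqualified `pass out keep state` already allows all outbound traffic, which makes the per-port `pass out` rules after it redundant. A packet filter cannot stop a port scan, but `set block-policy drop` (closed ports time out instead of answering with RST), `synproxy` on only the exposed ports and an overload table that traps sources opening too many connections limit what a scanner learns and what a SYN flood costs.

```pf
# Added example (not the thread's own config). Assumes OpenBSD 4.6-current
# syntax, a single NIC em0 carrying LAN and Internet, admin host 192.168.1.101.
ext_if     = "em0"
admin_ip   = "192.168.1.101"
tcp_out    = "{ ssh, smtp, domain, www, https, ntp, whois, ftp, ftp-data }"
udp_out    = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
# Bogons only. RFC 1918 space is deliberately NOT listed: with one NIC the LAN
# shares em0, so blocking 192.168.0.0/16 here would also block the admin host.
bogons     = "{ 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 240.0.0.0/4 }"

table <blockedip>  persist file "/etc/pf.blockip.conf"   # manual blocklist
table <bruteforce> persist                                # filled by overload below

set block-policy drop       # silently drop; closed ports time out instead of RSTing
# WEAK (as posted): set skip on { lo0, $ext_if }  -- turns pf off on em0.
set skip on lo0
match in all scrub (no-df)  # 4.6-current replacement for "scrub in all"

# Default deny in both directions; everything below is an explicit exception.
block in  log all
block out log all

# Spoofing checks first, with quick so no later rule can override them.
block drop in  log quick on $ext_if from $bogons to any
block drop out log quick on $ext_if from any to $bogons
antispoof log quick for $ext_if
block drop in  log quick on $ext_if from urpf-failed

# Manual blocklist and the automatically populated brute-force table.
block drop in  log quick on $ext_if from <blockedip>  to any
block drop out log quick on $ext_if from any to <blockedip>
block drop in  log quick on $ext_if from <bruteforce> to any

# Outbound: only the listed services (no blanket "pass out keep state").
pass out on $ext_if inet proto tcp  to any port $tcp_out modulate state
pass out on $ext_if inet proto udp  to any port $udp_out keep state
pass out on $ext_if inet proto udp  to any port 33433 >< 33626 keep state  # traceroute
pass out on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Inbound ssh: admin host only, to the interface's own address, SYN-proxied
# and rate-limited. A source opening more than 5 connections in 30 s lands in
# <bruteforce>; "flush global" also tears down its existing states.
pass in on $ext_if inet proto tcp from $admin_ip to ($ext_if) port ssh \
    flags S/SA synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Public services: anyone not in the blocklist, with the same overload trap.
pass in on $ext_if inet proto udp from !<blockedip> to ($ext_if) port domain keep state
pass in on $ext_if inet proto tcp from !<blockedip> to ($ext_if) port { domain, http } \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in on $ext_if inet proto icmp from !<blockedip> to ($ext_if) \
    icmp-type $icmp_types keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. `pfctl -t bruteforce -T show` lists the sources that tripped the overload rule, and `pfctl -t bruteforce -T expire 86400` (by hand or from cron) removes entries older than a day; without it the table only grows. On a release older than 4.6, put `scrub in all` back in place of the `match` line. The `($ext_if)` form makes pf use the interface's current address rather than the one it had at load time, which matters on a box that gets its address by DHCP.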
ok thank you...