DaemonForums  


OpenBSD Security: Functionally paranoid!

#1
22nd March 2015
hitest
Real Name: George Nielsen
VPN Cryptographer
Join Date: Sep 2008
Location: B.C., Canada
Posts: 374
pf.conf okay?

I'm not a security expert by any means. I'm happily running OpenBSD 5.6/amd as a sturdy desktop. Here is a snippet of my /etc/pf.conf

Is this still okay? I found this on our site here. Thanks.

Code:
block all       # block stateless traffic
pass out all keep state         # establish keep-state
__________________
hitest
#2
22nd March 2015
Oko
Rc.conf Instructor
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102

Quote:
Originally Posted by hitest
I'm not a security expert by any means. I'm happily running OpenBSD 5.6/amd as a sturdy desktop. Here is a snippet of my /etc/pf.conf

Is this still okay? I found this on our site here. Thanks.

Code:
block all       # block stateless traffic
pass out all keep state         # establish keep-state

You have to post the whole pf.conf before we can say something about it. Describe also your network topology. If those are the only rules you have in pf.conf, your PF is very poorly configured. You want to filter traffic not just in the egress direction but also ingress. In plain English, passing everything out is a bad idea.

This is an example of a more elaborate pf.conf for a single OpenBSD desktop plugged into the ISP modem, i.e. directly facing the Internet. The only fancy stuff is enabling SSH login from the Internet while protecting against brute force attacks using the built-in PF method and sshguard.

Code:
ext_if="xl0"

# Addresses that must never show up as sources on the Internet-facing interface
NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                10.0.0.0/8,  169.254.0.0/16, 192.0.2.0/24,  \
                0.0.0.0/8,   240.0.0.0/4, 255.255.255.255/32}"
# <bruteforce> is filled by the overload action on the ssh rule below;
# <sshguard> is maintained by the sshguard daemon
table <bruteforce> persist
table <sshguard> persist


tcp_services = "{ssh, submission, imaps, http, https}"
udp_services= "{domain, ntp}"


set limit states 100000
set block-policy return
set optimization normal
set skip on lo
set loginterface $ext_if
set state-defaults pflow


# Normalise packets; the nat-to only matches sources outside the egress network
match in all scrub (no-df max-mss 1440)
match out all scrub (no-df max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)


# Default deny, then drop bogon and table-listed sources as early as possible
block all
block quick from $NoRouteIPs
block quick from <bruteforce>
block in quick on $ext_if proto tcp from <sshguard> \
        to any port 22 label "ssh bruteforce"
antispoof quick for { $ext_if }


block drop in quick on $ext_if from no-route to any
block drop in quick from urpf-failed to any
# X11 stays reachable over loopback only
block in on ! lo0 proto tcp to port 6000:6010


# Outbound: only what the desktop actually needs
pass out on $ext_if inet proto icmp all icmp-type 8 code 0
pass out on $ext_if inet proto udp to any port $udp_services
pass out on $ext_if inet proto tcp to any port $tcp_services

# Inbound ssh, rate limited per source; offenders end up in <bruteforce>
pass log on $ext_if inet proto tcp from any to any port ssh \
        flags S/SA keep state \
            (max-src-conn 100, max-src-conn-rate 15/5, \
             overload <bruteforce> flush global)
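
An added example, not from this thread and not PF's own code: a small Python model of what the last rule in Oko's ruleset does per source address. It applies the max-src-conn-rate 15/5 counter and the max-src-conn 100 ceiling, adds an offending source to the <bruteforce> table, and, because of flush global, drops all of that source's existing states; the earlier block quick from <bruteforce> rule then stops it before the pass rule is consulted. The class and function names, the timestamps and the addresses (documentation ranges) are constructed for the example, and the model assumes the connection that exceeds the limit is itself refused.

```python
from collections import defaultdict, deque

# Parameters taken from the ssh pass rule in Oko's ruleset.  The class below is a
# constructed model of PF's source-tracking behaviour for that rule, not PF code.
MAX_SRC_CONN_RATE = (15, 5)   # max-src-conn-rate 15/5: 15 new states per 5 s per source
MAX_SRC_CONN = 100            # max-src-conn 100: 100 simultaneous states per source


class OverloadModel:
    """Model of 'pass ... keep state (max-src-conn, max-src-conn-rate,
    overload <bruteforce> flush global)' together with the earlier
    'block quick from <bruteforce>' rule."""

    def __init__(self, rate=MAX_SRC_CONN_RATE, max_conn=MAX_SRC_CONN):
        self.limit, self.window = rate
        self.max_conn = max_conn
        self.recent = defaultdict(deque)     # src -> times of recent new states
        self.open_states = defaultdict(int)  # src -> states currently open
        self.bruteforce = set()              # contents of table <bruteforce>
        self.log = []                        # (time, src, decision)

    def new_connection(self, t, src):
        """Evaluate one inbound SYN to port 22 at time t from src."""
        # 'block quick from <bruteforce>' is evaluated before the pass rule,
        # so a source already in the table never reaches the rate check.
        if src in self.bruteforce:
            self.log.append((t, src, "blocked by <bruteforce>"))
            return "blocked"
        q = self.recent[src]
        while q and t - q[0] >= self.window:   # forget states older than the window
            q.popleft()
        if len(q) + 1 > self.limit or self.open_states[src] >= self.max_conn:
            # Limit exceeded: the overload action adds src to <bruteforce> and
            # 'flush global' kills every existing state from src, on any rule.
            self.bruteforce.add(src)
            self.open_states[src] = 0
            q.clear()
            self.log.append((t, src, "overload: added to <bruteforce>, states flushed"))
            return "overloaded"
        q.append(t)
        self.open_states[src] += 1
        self.log.append((t, src, "pass"))
        return "pass"

    def close_connection(self, src):
        """A state expired or the session ended normally."""
        if self.open_states[src] > 0:
            self.open_states[src] -= 1


def run_sample():
    """Replay constructed SYN timestamps (documentation addresses, not real
    hosts): one client connecting every 5 s and one scripted guesser that
    opens 20 connections within 2 s, then tries once more a bit later."""
    model = OverloadModel()
    events = [(float(i), "203.0.113.5") for i in range(0, 30, 5)]
    events += [(10.0 + 0.1 * i, "198.51.100.77") for i in range(20)]
    events += [(12.5, "198.51.100.77"), (40.0, "203.0.113.5")]
    results = {}
    for t, src in sorted(events):
        results.setdefault(src, []).append(model.new_connection(t, src))
    return model, results


if __name__ == "__main__":
    model, _ = run_sample()
    for t, src, decision in model.log:
        print(f"{t:5.1f}  {src:15}  {decision}")
    print("table <bruteforce>:", sorted(model.bruteforce))
```

Running it shows the well-behaved client passing every time while the guesser gets its first 15 connections, is overloaded on the 16th, and is then blocked by the table, including its later retry. On a real box the equivalent check is pfctl -t bruteforce -T show, and since the table is persist but not backed by a file, entries survive a ruleset reload but not a reboot unless you expire or re-add them yourself.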
#3
22nd March 2015
hitest
Real Name: George Nielsen
VPN Cryptographer
Join Date: Sep 2008
Location: B.C., Canada
Posts: 374

Yeah, those are my only modifications of the stock pf.conf file. I have much to learn. I appreciate the reply. Thanks, Oko.
__________________
hitest
#4
22nd March 2015
Oko
Rc.conf Instructor
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102

Quote:
Originally Posted by hitest
Yeah, those are my only modifications of the stock pf.conf file. I have much to learn. I appreciate the reply. Thanks, Oko.
That is a good start. Get yourself The Book of PF, 3rd edition, and read through it. Peter has a free version on his website:

http://home.nuug.no/~peter/pf/en/

Official documentation is also a must, but it is a little bit more difficult reading for a n00b:

http://www.openbsd.org/faq/pf/
#5
22nd March 2015
hitest
Real Name: George Nielsen
VPN Cryptographer
Join Date: Sep 2008
Location: B.C., Canada
Posts: 374

Quote:
Originally Posted by Oko
That is a good start. Get yourself The Book of PF, 3rd edition, and read through it. Peter has a free version on his website:

http://home.nuug.no/~peter/pf/en/

Official documentation is also a must, but it is a little bit more difficult reading for a n00b:

http://www.openbsd.org/faq/pf/
Thanks, mate!
__________________
hitest
#6
22nd March 2015
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429

Quote:
Originally Posted by hitest
Code:
block all       # block stateless traffic
pass out all keep state         # establish keep-state
This is the very first step to locking a machine down. Nothing allowed incoming unless it was initiated from your machine. This is a good start, as Oko has pointed out.

The next step would be to decide what services this machine should offer *to* the network and consume *from* the network, and put ingress and egress rules in place to further tighten up security (which Oko has already pointed out, so I'll leave that at that).

Once you have that in place, you can further tighten up by adding max-src-conn and such (which tends to get used with commonly attacked services, such as sshd...again, as mentioned by Oko) and perhaps even move into tagging packets and policy-based firewall rulesets.

Beyond that, you can place higher level filters in place, such as relayd, http proxies that do content filtering, unbound with stubs for various domains, etc... and redirect traffic via pf to those filters. (For example, I have unbound with a stub that relays all dns traffic to a dnscrypt-proxy instance running locally, which encrypts dns traffic and sends it to a dnscrypt-wrapper instance I have running on a remote machine outside of my ISP's reach, which queries the remote machine's unbound instance to actually do the lookup...my ISP has been known to do stupid filtering based on dns, so I refuse to give them any insight into my dns usage).
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 22nd March 2015 at 07:56 PM.
#7
22nd March 2015
Oko
Rc.conf Instructor
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102

Quote:
Originally Posted by rocket357
Beyond that, you can place higher level filters in place, such as relayd, http proxies that do content filtering, unbound with stubs for various domains, etc... and redirect traffic via pf to those filters. (For example, I have unbound with a stub that relays all dns traffic to a dnscrypt-proxy instance running locally, which encrypts dns traffic and sends it to a dnscrypt-wrapper instance I have running on a remote machine outside of my ISP's reach, which queries the remote machine's unbound instance to actually do the lookup...my ISP has been known to do stupid filtering based on dns, so I refuse to give them any insight into my dns usage).

pf.conf for a machine which acts as a firewall for other machines, content filtering and queueing are definitely more advanced topics. However, I like the fact that you brought up the issue of DNS. I always use my own instances of Unbound as a resolver and caching DNS. For a single desktop, uncommenting a single line in /var/unbound/etc/unbound.conf, which comes with vanilla OpenBSD,

Code:
auto-trust-anchor-file: "/var/unbound/db/root.key"
Code:
echo 'unbound_flags="-c /var/unbound/etc/unbound.conf"' >> /etc/rc.conf.local
and editing your dhclient options to make sure you are using your own DNS

Code:
predrag@oko$ more /etc/dhclient.conf
timeout 60;
retry 60;
reboot 10;
select-timeout 5;
initial-interval 2;
reject 192.33.137.209;

interface "xl0" {
        send host-name "oko";
        send dhcp-lease-time 7776000;
        supersede host-name "oko";
        supersede domain-name "bagdala2.net";
        prepend domain-name-servers 127.0.0.1;
        request subnet-mask, broadcast-address, time-offset, routers,
                domain-name, domain-name-servers, host-name, ntp-servers;
        require subnet-mask, domain-name-servers, routers;
        }
will go a long way in keeping your privacy.

Reboot after you make changes.

Last edited by Oko; 23rd March 2015 at 02:06 AM.
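
An added example, not from this thread and not OpenBSD's dhclient code: a Python script that reads the prepend/supersede/append statement for domain-name-servers out of a dhclient.conf interface block and works out which resolvers end up in resolv.conf once the lease arrives. The sample configuration is a constructed excerpt modelled on the interface block above, the offered resolver addresses are documentation addresses, the function names are this script's own, and the script assumes dhclient's one-action-per-option semantics from dhclient.conf(5) (the last statement for an option wins; supersede replaces the offered value, prepend puts the configured servers first, append puts them last).

```python
import re

# Constructed excerpt modelled on the interface block of the dhclient.conf
# shown above; it is sample input for this script, not the full file.
SAMPLE_CONF = """\
interface "xl0" {
        send host-name "oko";
        prepend domain-name-servers 127.0.0.1;
        request subnet-mask, broadcast-address, time-offset, routers,
                domain-name, domain-name-servers, host-name, ntp-servers;
        require subnet-mask, domain-name-servers, routers;
        }
"""

# prepend/append/supersede statements for the domain-name-servers option.
DNS_STMT = re.compile(
    r"\b(prepend|append|supersede)\s+domain-name-servers\s+([^;]+);")


def dns_statements(conf_text):
    """Return (verb, [servers]) for every domain-name-servers statement,
    in file order; comments (from '#' to end of line) are ignored."""
    stripped = re.sub(r"#.*", "", conf_text)
    out = []
    for verb, values in DNS_STMT.findall(stripped):
        servers = [v for v in re.split(r"[,\s]+", values.strip()) if v]
        out.append((verb, servers))
    return out


def effective_nameservers(conf_text, offered):
    """Combine the DHCP-offered nameservers with the configured action.

    Assumption (this script's reading of dhclient.conf(5)): dhclient keeps one
    action per option, so the last statement wins; supersede replaces the
    offered list, prepend puts the configured servers first, append puts
    them last.  Offered values are kept in offer order.
    """
    statements = dns_statements(conf_text)
    if not statements:
        return list(offered)
    verb, servers = statements[-1]
    if verb == "supersede":
        return list(servers)
    if verb == "prepend":
        return list(servers) + list(offered)
    return list(offered) + list(servers)


def local_resolver_first(conf_text, offered):
    """True when the resulting resolv.conf would query 127.0.0.1 first,
    i.e. the local Unbound instance rather than the ISP's resolvers."""
    servers = effective_nameservers(conf_text, offered)
    return bool(servers) and servers[0] == "127.0.0.1"


if __name__ == "__main__":
    # Constructed ISP-offered resolvers (documentation range, not real servers).
    offered = ["192.0.2.53", "192.0.2.54"]
    print("prepend  :", effective_nameservers(SAMPLE_CONF, offered))
    swapped = SAMPLE_CONF.replace("prepend domain-name-servers",
                                  "supersede domain-name-servers")
    print("supersede:", effective_nameservers(swapped, offered))
```

The difference the script makes visible is the caveat worth knowing before choosing the verb: with prepend, the ISP's resolvers stay in resolv.conf after 127.0.0.1, so the libc resolver falls back to them if the local Unbound is down or slow to answer; with supersede, only 127.0.0.1 is listed, which keeps queries local at the cost of losing name resolution entirely whenever Unbound is not running. Either way, cat /etc/resolv.conf after the lease renews is the check that the change took effect.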