Help with PF for openbsd 5.1
I want to build a PF for 1 network card to allow SSH, PHP, Apache, SQL, and also log files for attempted attacks. Can anyone help?
I'm not good with PF yet.

Hello, and welcome!
5.1 is no longer supported. The OpenBSD Project only supports a release for a single year, as there are two releases annually and they only support the most recent two releases, which today are 5.4 and 5.3. Please consider upgrading.

PF operates within the kernel and does not filter at the application layer, only by IP protocol.
Code:
    user <user>
        This rule only applies to packets of sockets owned by the specified
        user. For outgoing connections initiated from the firewall, this is
        the user that opened the connection. For incoming connections to the
        firewall itself, this is the user that listens on the destination
        port....

Edited to add:
--------------
Thinking about the separate PHP process -- even though I use php-fpm for PHP, I would not be able to filter this traffic with PF. All of the protocol headers that PF could inspect are identical for all traffic.
Last edited by jggimi; 8th November 2013 at 02:47 PM.

Here is what I created; can you look and tell me if it's ok?
Code:
## our interface ##
ext_if="vr0"
## Private network IP goes in the EXT_IP
EXT_IP 172.22.106.146
# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all
## do not block mysqld on ##
mysqld_ip="{ !172.22.106.146 }"
## Block everything for tcp port number 3306 except $mysqld_ip ###
block in on $ext_if proto tcp from any to $mysqld_ip port 3306
## apache rules need the ip address###
pass in on $ext_if proto tcp from any to 172.22.106.146 port 80 flags S/SA synproxy state
##also ssh port22/tcp, auth 22/tcp, ICMP pings####
# Default TCP policy
block return-rst in log on $ext_if proto TCP all
pass in log quick on $ext_if proto TCP from any to $EXT_IP port 22 flags $SYN_ONLY keep state
pass in log quick on $ext_if proto TCP from any to $EXT_IP port 113 flags $SYN_ONLY keep state
# Default UDP policy
block in log on $ext_if proto udp all
# It's rare to be hosting a service that requires UDP (unless you are hosting
# a dns server for example), so there typically won't be any entries here.
# Default ICMP policy
block in log on $ext_if proto icmp all
pass in log quick on $ext_if proto icmp from any to $EXT_IP echoreq keep state
block out log on $ext_if all
pass out log quick on $ext_if from $EXT_IP to any keep state
# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
Last edited by esilvaz1101; 8th November 2013 at 04:21 PM. Reason: error

Welcome!
I would recommend three sources to increase your understanding of pf(8):
Last edited by ocicat; 8th November 2013 at 06:39 PM. Reason: spelling

Ok, does this look better? This is for a class project and I want to do this at home; my professor just told me to try to build a PF.
Code:
## our interface ##
ext_if="vr0"
## Private network IP goes in the EXT_IP
EXT_IP 172.22.106.146
# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all
## do not block mysqld on ##
mysqld_ip="{ !172.22.106.146 }"
## Block everything for tcp port number 3306 except $mysqld_ip ###
block all
pass in from any to $EXT_IP port 3306
## apache rules need the ip address###
pass in on $ext_if proto tcp from any to 172.22.106.146 port 80 flags S/SA synproxy state
##also ssh port22/tcp, auth 22/tcp, ICMP pings####
# Default TCP policy
block return-rst in log on $ext_if proto TCP all
pass in log quick on $ext_if proto TCP port 22
pass in log quick on $ext_if proto TCP port 113
# Default UDP policy
block in log on $ext_if proto udp all
# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
Last edited by esilvaz1101; 8th November 2013 at 05:50 PM. Reason: errors

I would not use your updated configuration, as it still has things I dislike as an administrator. It still has syntax errors, such as a missing "=" in a macro definition, and missing proto tcp when port numbers are referenced.

But more important than transcription errors, you are still intermixing policy settings and macros with your pass/block filter rules. While allowed by the configuration grammar, this is something I would never do. Humans must manage and maintain these configurations. Please don't do this. Your professor can contact me if he or she takes issue with a configuration that is structured with policy settings, macro assignments, and general settings at the top, then is followed by general filtration rules, then specific rules.

Here is how I might define a terminal server PF configuration, where I block all but inbound traffic to TCP ports 22, 80, 113, and 3306. This is based on the application set you have defined in this thread, and on the policy settings you have attempted in your sample configurations. Note that I do not reference your interface, nor your IP address. You have only one NIC, so the rules "from any to any" will apply to everything that crosses the NIC. I have also used symbolic names for the destination port numbers; these are pre-defined in /etc/services.
Code:
### General information
#
# This configuration is for a terminal server with a single NIC. It blocks
# by default, and passes inbound stateful traffic for SSH, web, auth, and SQL inbound

### policy section ###
#
# return TCP RST or ICMP UNREACHABLE for blocked traffic:
set block-policy return
# do not filter loopback traffic:
set skip on lo0

### filter rules ###
#
# block by default:
block all
# pass stateful traffic for four applications on this terminal server:
pass in proto tcp from any to any port {ssh, www, auth, mysql}
Last edited by jggimi; 8th November 2013 at 06:55 PM. Reason: typo
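An added example, not from the thread or its posters, of a complete pf.conf laid out the way jggimi recommends (macros and policy settings first, then general rules, then specific rules) and extended with the logging of attempted attacks that the original question asked for. The interface name vr0 and the 5-connections-in-30-seconds threshold are assumptions.

```pf
### macros ###
ext_if = "vr0"                                 # assumed: the single NIC from this thread
tcp_services = "{ ssh, www, auth, mysql }"     # names are resolved from /etc/services

# sources that hammer SSH are added here automatically; "persist" keeps the
# table across rule reloads even while it is empty
table <bruteforce> persist

### policy section ###
set block-policy return          # answer blocked TCP with RST, everything else with ICMP unreachable
set skip on lo0                  # never filter loopback (mandatory if antispoof is ever added)
set loginterface $ext_if         # per-interface counters for "pfctl -si"

### general filter rules ###
# block everything by default and log it; pflogd(8) records it in /var/log/pflog
block log all

# hosts already on the brute-force table are dropped outright (no RST), and logged
block drop in log quick on $ext_if from <bruteforce>

# let the server itself open outbound connections (DNS, package updates, ...)
pass out quick on $ext_if keep state

### specific filter rules ###
# inbound stateful traffic to the four services; every new connection is logged
pass in log on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state

# SSH gets a stricter rule, listed last so it overrides the general one (last match wins):
# a source opening more than 5 connections in 30 seconds (assumed threshold) is added
# to <bruteforce> and all of its existing states are killed
pass in log on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. Logged attempts are read with tcpdump -n -e -ttt -r /var/log/pflog, and pfctl -t bruteforce -T show lists the sources currently locked out.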
That is way simpler than what I was trying. My professor didn't give us any help, said to look it up online and create a PF for MySQL, PHP, Apache. I've been working on this for a week straight and can't seem to get it working; basically I was blocking everything and had no idea why until you explained this to me. I just bought the book for PF for OpenBSD, to read up more on the subject.

Also note that Hansteen's PF manuscript continues to be updated. The latest set of changes is dated June 2013. Studying all three documents will help fill in any blanks found in any one particular source.

Book of PF and other documents
Quote:
The tutorial (full text) manuscript is in 'minimal maintenance' mode. I haven't yet decided how much more work I will put into it. If I revise that one to include newqueue, it will anyway be after the book is done. The slides for any events where I give a talk or tutorial will be available after the corresponding session has ended. The acceptance deadlines for the ones I have sent proposals to haven't passed yet, so it's too early to say which events I'll be speaking at this year. - Peter

Just found out about this:
NOTE: The filter rules that the antispoof rule expands to will also block packets sent over the loopback interface to local addresses. It's best practice to skip filtering on loopback interfaces anyways, but this becomes a necessity when using antispoof rules:
    set skip on lo0
    antispoof for fxp0 inet
Usage of antispoof should be restricted to interfaces that have been assigned an IP address. Using antispoof on an interface without an IP address will result in filter rules such as:
    block drop in on ! fxp0 inet all
    block drop in inet all
With these rules there is a risk of blocking all inbound traffic on all interfaces.

You have two (or three) reasons not to worry about antispoof rules.
Excellent advice, ocicat, but I'd like to make one clarification, to avoid any confusion. I'd put my tongue into my cheek and say that the FAQ is always "-release", as opposed to "-current."

There have been recent changes in -current that affect PF traffic shaping rules. The altq subsystem is being replaced with a new queueing subsystem, so -current users must use the oldqueue keyword if they wish to use altq during this transition period. These changes will be in the PF User's Guide for 5.5, and until 5.5 -current users will find guidance in the Following -current FAQ.
Last edited by jggimi; 10th November 2013 at 01:52 AM. Reason: clarity

While I get the joke, esilvaz1101, being new to OpenBSD, may be confused by its flavors. Explanations of OpenBSD's flavors (-release, -stable, & -current) are found in Section 5.1 of the project's official FAQ. In fact, this is a good point to plug the value of the overall FAQ document. The official FAQ is the single best source of information on the most recent release (-release) of OpenBSD. Studying its content is the best thing newcomers can do to familiarize themselves with general usage. Many newbie questions will be answered by reading this document.

For some reason, when I built the server and went to write the pf.conf file, the system by default had this on there. Should I delete it or just add my section? Also, ifconfig shows my NIC as lo0, but this script put "lo" as you can see below. Is this just an example that does nothing at all, or do I need it?
Code:
#	$OpenBSD: pf.conf,v 1.52 2013/02/13 23:11:14 halex Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# increase default state limit from 10'000 states on busy systems
#set limit states 100000

set skip on lo

# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

block		# block stateless traffic
pass		# establish keep-state

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp

#block in quick from urpf-failed to any	# use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

#Configuration is for terminal server with single NIC. It blocks
#by default, and passes inbound stateful traffic for ssh, web, auth, and SQL inbound
####policy section######
# return TCP RST or ICMP UNREACHABLE for Blocked Traffic:
#set block-policy return
# do not filter loopback traffic:
set skip on lo0
####Filter Rules #####
# block by default:
block all
# pass stateful traffic for four applications on this terminal server:
pass in proto tcp from any to any port {ssh, www, auth, mysql}

PF is enabled by default, and the OS ships with a default configuration file, which you have modified by adding the example text I'd provided to you in this thread.

The default configuration for OpenBSD 5.3 or 5.4 a) does not filter on loopback interfaces, b) blocks stateless traffic, c) blocks incoming remote X11 traffic, and d) passes stateful traffic. Here are those lines, with the comments removed:
Code:
set skip on lo
block
pass
block in on ! lo0 proto tcp to port 6000:6010
