DaemonForums, OpenBSD Security forum

pf.conf examples (part 2)

#1  lumiwa, 11th January 2010

I am a newbie too and I am trying to configure pf.conf for my standalone computer. I read many examples, and for a long time I had:
Code:
# Macros
ext_if = "rl0"

# Options: tune the behavior of pf.
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo

# Normalization: reassemble fragments etc.
scrub in all

# Filtering
antispoof quick for $ext_if

# Nobody gets in from the outside!
block in log quick on $ext_if all label "inblock"

# Block by default. (pass rules should follow later).
block out log on $ext_if all label "outblock"

pass out on $ext_if inet proto tcp all
pass out on $ext_if inet proto udp all
pass out on $ext_if inet proto icmp all icmp-type 8 code
Now I have:
Code:
#macro
ext_if = rl0
scrub in on $ext_if all fragment reassemble
block all
set skip on lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN  - Finish; end of session
### * S : SYN  - Synchronize; indicates request to start session
### * R : RST  - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK  - Acknowledgement
### * U : URG  - Urgent
### * E : ECE  - Explicit Congestion Notification Echo
### * W : CWR  - Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### set a rule that allows inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state
table <ssh_abuse> persist
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
Thanks.
#2  There0, 12th January 2010
@lumiwa

Quote:
block all
I would use "block log all" and "block log quick inet6 all" if you're not keen on using IPv6 right now.

Quote:
scrub in all
Quote:
match in log on $EXT scrub (no-df)
It is more like this in 4.6; you can use multiple interfaces if you have more than one requiring ingress traffic.

Quote:
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
The above is also covered by "block log all". I do not use separate rules per flag combination; I'm certain there are circumstances for such, but not for this cat.

Quote:
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
Quote:
pass out log on $EXT proto tcp from any modulate state flags S/SA
pass out log on $EXT proto { udp, icmp} from any
I use the following. I could be wrong, but I'm betting that you're not running OBSD 4.6? Also, "from any to any" could be a bit hazardous in some situations; better to specify an interface or sometimes even an IP.

I also have a tun0 interface that I include in antispoof (and snort):
Quote:
antispoof log quick for { $LO $EXT tun0 } inet
About synproxy: it's for YOUR servers behind your firewall that you want to "protect" from SYN packets.

Quote:
TCP SYN Proxy
Normally when a client initiates a TCP connection to a server, PF will pass the handshake packets between the two endpoints as they arrive. PF has the ability, however, to proxy the handshake. With the handshake proxied, PF itself will complete the handshake with the client, initiate a handshake with the server, and then pass packets between the two. The benefit of this process is that no packets are sent to the server before the client completes the handshake. This eliminates the threat of spoofed TCP SYN floods affecting the server because a spoofed client connection will be unable to complete the handshake.

The TCP SYN proxy is enabled using the synproxy state keywords in filter rules. Example:

pass in on $ext_if proto tcp from any to $web_server port www \
flags S/SA synproxy state
Here, connections to the web server will be TCP proxied by PF.
__________________
The more you learn, the more you realize how little you know ....

Last edited by There0; 12th January 2010 at 02:15 PM.
#3  lumiwa, 13th January 2010

@There0

I hope that I did what you suggested:
Code:
# macro name for external interface.
ext_if = sk0
# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in all
# match in log on $ext_if scrub (no-df)
# set a default deny everything policy.
block log all
block log quick inet6 all
# exercise antispoofing on the external interface, but add the local
# loopback interface as an exception, to prevent services utilizing the
# local loop from being blocked accidentally
set skip on lo
antispoof quick for $ext_if
antispoof log quick for { lo $ext_if } inet
# block anything coming from sources that we have no back routes for.
block in from no-route to any
# block packets that fail a reverse path check. we look up the routing
# table, check to make sure that the outbound is the same as the source
# it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any
# drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255
# block packets claiming to come from reserved internal address blocks, as
# they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
pass out log on $ext_if proto tcp from any modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp} from any
And I forgot to write before that I have a standalone computer.

Thanks for your help.
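The following is an added example and is not code from any post in this thread. It combines There0's suggestions (the 4.6 match/scrub line, "block log all" with the IPv6 drop, antispoof plus the no-route and urpf-failed blocks, stateful pass out rules) with the ssh overload table from lumiwa's first post, as one ruleset for a standalone host. The interface name rl0 is an assumption; synproxy is left out following There0's advice that it is for servers behind the firewall.

```pf
# Added example, not from any post in this thread: one 4.6-syntax ruleset for a
# standalone host that combines There0's suggestions with lumiwa's ssh table.
# The interface name rl0 is an assumption; use the name your NIC actually has.
ext_if = "rl0"

set skip on lo
set block-policy drop
set loginterface $ext_if

# 4.6: normalization is done with a match rule, not a separate scrub rule.
match in log on $ext_if scrub (no-df)

# Default deny with logging; drop IPv6 outright while it is not in use.
block log all
block log quick inet6 all

# Spoofed, unroutable and reverse-path-failing sources never reach a pass rule.
antispoof log quick for $ext_if inet
block in quick from no-route to any
block in quick from urpf-failed to any

# Hosts that hammer sshd land in this table and are blocked before any pass rule.
table <ssh_abuse> persist
block in log quick from <ssh_abuse>

# Outbound: a standalone host initiates its own connections; the state entry
# lets the replies back in without any "pass in" rule.
pass out log on $ext_if proto tcp from any modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } from any

# Inbound: only ssh to this host's own address. More than 3 new connections in
# 5 seconds, or more than 10 open ones, from one source puts it in <ssh_abuse>
# and kills its existing states. synproxy is left out on There0's advice: it is
# for servers behind the firewall, and a plain stateful pass suffices here.
pass in log on $ext_if proto tcp from any to $ext_if port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush global)
```

Check the file before loading it: `pfctl -nf /etc/pf.conf` only parses, `pfctl -f /etc/pf.conf` loads. `pfctl -t ssh_abuse -T show` lists the addresses that tripped the overload rule, and `pfctl -t ssh_abuse -T expire 86400` removes entries older than a day; since the table is persist and never empties itself, that is worth running from cron.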
#4  ocicat (Administrator), 13th January 2010

lumiwa, your initial post was made to a thread which was over six months old. Although there is some overlap on what you ask & the original thread, you should have started a new thread. In forum terminology, this is known as "hijacking" discussion.

I have separated out all posts relating to your discussion into a new thread, but in the future when you find a long-standing thread in which you want to continue discussion, please start a new thread. We try to honor the direction set by the initial poster.

Thanks.