DaemonForums  

  #1   (View Single Post)  
Old 17th August 2016
junkym
-Guest-
 
Posts: n/a
Default How restrictive is your pf.conf?

For those running OpenBSD as a firewall (routing/NAT), how restrictive is your rule set?

For example, here are 2 sample pf.conf snippets:

Code:
# non-restrictive rules
pass out on $WAN inet all
# or really non-restrictive
pass out inet all # let it ALL out from firewall
pass in on $LAN inet from $LAN:network to any # address family goes before from/to

Code:
# restrictive rules
pass out on $WAN inet proto { tcp udp } to any port domain
pass out on $WAN inet proto tcp to any port http

pass in on $LAN inet proto { tcp udp } from $LAN:network to any port domain
pass in on $LAN inet proto tcp from $LAN:network to any port http

I've got my rules set to what I consider very restrictive and was wondering if it really matters, as it's becoming a PITA to maintain. This is a home-based network, bare metal firewall, 1 subnet for private lan, 1 subnet for gaming, 1 subnet for ESXi host.

I mean, if it's going inbound from my $LAN et al. (and I trust it), why not take the non-restrictive route? Similarly, if it's outbound traffic, just let it out from the firewall.

Just curious to what others are doing.

Last edited by junkym; 17th August 2016 at 09:42 PM.
  #2   (View Single Post)  
Old 17th August 2016
TronDD TronDD is offline
Shell Scout
 
Join Date: Sep 2014
Posts: 130
Default

I keep mine pretty restrictive. Nothing in or out unless I open the port both ways. I keep separate rules for traffic between LAN machines and traffic out to the internet. I explicitly define DNS, NTP, and such consistent servers.

It's only a pain when I add a new service that needs a new port. I have to allow that port on my local system, allow it into the firewall, then out of the firewall, and if necessary, also between LAN systems. But that happens rarely enough that I don't have a problem maintaining it.

I don't have multiple subnets, rdomains, vlans or any of that.

The rules are probably more restrictive than they need to be, I'm not sure it's protecting me from much, but it was a learning exercise mostly. Malware is probably using http, tor, irc or the like to communicate to control servers and such, all of which I have open.

Tim.
  #3   (View Single Post)  
Old 17th August 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,707
Default

My ruleset is quite complex, because I have multiple routers acting as firewalls. One router is the master, while the backup router is an application server.

Restrictive? Very. As an example, the only communication permitted to pass between that pair of routers is pflow(4) statistics and carp(4) advertisements. I do not permit SSH traffic from one to the other. And I cannot connect an SSH session to the primary router from any external address, either.
  #4   (View Single Post)  
Old 17th August 2016
junkym
-Guest-
 
Posts: n/a
Default

Nice to see others with restrictive rule sets.

I mentioned mine was a "pain to maintain", but that's not quite true. It can be a pain to set up the ins/outs for a given set of ports (e.g. intranet FTP), but once it's done, you really shouldn't have to mess with it.

At one point, I had a bash-driven menu script that I would use to load or flush rules as required - mostly for gaming - but I've changed to just have those anchors "loaded" full time.
  #5   (View Single Post)  
Old 18th August 2016
e1-531g e1-531g is offline
Spam Deminer
 
Join Date: Mar 2014
Posts: 327
Default

Actually I think that there should be more emphasis on proactive defense. For example, if somebody from a certain IPv4 address is scanning ports of your system, you should block his/her IPv4 address for some time. If somebody is trying to log in to your SSH server, you should block his/her IP after a few failed attempts.
I have a script that downloads files from iblocklist.com once in 48 hours and blocks these IPs via a pf table.
Unfortunately the IPv6 address space is much bigger and I don't know whether blocklists are viable solutions in IPv6, but nowadays my ISP doesn't give me IPv6 connectivity so I don't bother yet.
I also think that some filtering should be done in upper layers, for example dropping packets that are not DNS packets but are flowing through UDP port 53, or filtering HTTP headers. You can usually do this, to some degree, by proxy.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
  #6   (View Single Post)  
Old 18th August 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,707
Default

I use divert-to as described here: http://daemonforums.org/showthread.php?t=8846
  #7   (View Single Post)  
Old 18th August 2016
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 111
Post how restrictive pf.conf

I have one server facing the internet with many .com's, .org's etc.

Early in my pf.conf I block all non-U.S. IPs as there is (in my case)
no reason not to. (Has no appreciable effect on speed.)

I also block any ssh login from the internet "wan".
ssh login is only allowed from certain servers and from certain
users on the lan.

I use tables for manually adding "badguys", usually from reviewing logs.
I use tables for "abusive hosts" when IPs abuse server-facing internet resources.
I will use tables for "spam" control when I set up a mail server. (Not sure of my
skill level yet to attempt it.)
I restrict outbound traffic to certain users.

I am a novice here, and will use pf in controlling port traffic as my
confidence and experience with pf grows.

And obviously I appreciate the importance of the packages and ports
review process. I do not download software from sources other than those
in the above. I also try to keep up with releases as part of an overall
security posture.

Thanks Developers and of course those members here, as I read most of your
posts and try to understand and use the material.


Last edited by frcc; 18th August 2016 at 07:33 PM. Reason: clarification
  #8   (View Single Post)  
Old 18th August 2016
junkym
-Guest-
 
Posts: n/a
Default

Interesting point about the IP blocks...

When I started with OpenBSD and pf about 18 months ago, I was amazed at the output of "pfctl -ss", as in "who the hell are all these IPs hitting my public IP?".

I used to run whois on each one and if I didn't recognize it, it would be added to an "ipblock" table in my rules. This became tiresome after a while and I've quit doing it.

I do have bogons and bogons6 blocked on the public-facing NIC as well as a table for emerging threats. I was downloading CIDRs for countries, but that too became a pain...there are so many.

Is a country block a good thing to think about adding to my configuration?
  #9   (View Single Post)  
Old 19th August 2016
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 111
Default how restrictive pf

Only you can answer that as your needs certainly will be different than mine.

I too spent too much time looking up IPs. Consequently it occurred to me to
just block all traffic other than US because the type of business (I, we) do
should not attract non-US IP traffic, and (in our experience traffic with non-US origin
was most troubling).
So now all I do is update the US IP list occasionally.

I use something like this in pf.conf:

Code:
table <usip> persist file "/etc/usip.csv"

then later in the pf.conf file:

Code:
block in quick log on fxp0 from !<usip> to any label "foreign"

Of course I use the table mechanism to block or monitor other traffic.


.

Last edited by frcc; 19th August 2016 at 01:34 AM. Reason: correct typing error
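
Both e1-531g's periodic blocklist download and frcc's `<usip>` table put an externally fetched list in charge of a block rule, and with `from !<usip>` an empty or truncated file makes the rule match every source. The script below is an added example, not code from any poster in this thread; it filters a download down to valid IPv4 entries and refuses to replace the table when the result looks truncated. The input format (one entry per line), the thresholds and the function names are assumptions.

```shell
#!/bin/sh
# Added example: check a downloaded address list before it replaces a pf table.
# Assumed, not from the thread: one entry per line with '#' comments, the
# 100-entry floor, the "shrunk by half" rule, and all function names.

# Print only well-formed IPv4 addresses and CIDR blocks read from stdin.
# A /0 entry is dropped too: one such line would match every source address.
filter_cidrs() {
    awk '
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
        n = split($0, p, "/")
        if (n == 2 && (p[2] + 0 > 32 || p[2] + 0 < 1)) next
        split(p[1], o, ".")
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
        print
    }'
}

# $1 = new file, $2 = file currently in use (may be absent), $3 = minimum size.
# Succeeds only if the new list is large enough and has not lost more than
# half of its entries compared with the current one.
safe_to_load() {
    new=$(wc -l < "$1" | tr -d ' ')
    [ "$new" -ge "${3:-100}" ] || return 1
    [ -f "$2" ] || return 0
    old=$(wc -l < "$2" | tr -d ' ')
    [ $((new * 2)) -ge "$old" ]
}

# $1 = table name, $2 = downloaded file, $3 = file named in pf.conf.
# The running table and the on-disk file change only if every check passes.
update_table() {
    tmp=$(mktemp) || return 1
    filter_cidrs < "$2" > "$tmp"
    if safe_to_load "$tmp" "$3" && pfctl -t "$1" -T replace -f "$tmp"; then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
        echo "list rejected, table $1 left unchanged" >&2
        return 1
    fi
}
```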