DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 13th September 2012
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default pf rule set for web server on dedicated .

I need a quick setup for PF .

Don't have the time now to learn all the rule sets.
I need all protection to the web server possible + allow access from inside
sysadmins.



Do you know a good example?


Thanks.
Reply With Quote
  #2   (View Single Post)  
Old 13th September 2012
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default Found this on the net ,

Can't find any good example on the net.

Can you please help with making this a working PF file?

Thanks.
Code:
set skip on lo0

# Block everything by default
block log all

# In
pass in quick on $EXT inet proto tcp from any to port {22, 80}

# Out
pass out quick on $EXT inet  all



# pfctl -vvnf test.pf
EXT = "em0"
set skip on { lo0 }
@0 block drop log all
@1 pass in quick on em0 inet proto tcp from any to any port = ssh flags S/SA keep state
@2 pass in quick on em0 inet proto tcp from any to any port = www flags S/SA keep state
@3 pass out quick on em0 inet all flags S/SA keep state




# activate spoofing protection for all interfaces
block in quick from urpf-failed

pass in on $ext_if proto tcp from any to 202.4.2.1 port 80 flags S/SA synproxy state



#  catches any attempts to connect to TCP port 80 
pass in on egress inet proto tcp to (egress) port 80 \
    rdr-to $comp3 synproxy state


pass in inet proto icmp all icmp-type $icmp_types


# traffic must be passed to and from the internal network
pass in on $int_if



# Block PING to a server
block return-icmp in quick on fxp0 proto icmp from any to 10.0.0.1 


# block IPs with high connection rates
block quick from <bad_hosts>
              pass in on $ext if proto tcp to $webserver port www flags S/SA keep state \
                     (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

Last edited by ocicat; 13th September 2012 at 06:11 PM. Reason: Please use [code] & [/code] tags when posting file contents.
Reply With Quote
  #3   (View Single Post)  
Old 13th September 2012
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default

http://www.openbsd.org/faq/pf/example1.html

http://forums.freebsd.org/showthread.php?t=10582
Reply With Quote
  #4   (View Single Post)  
Old 13th September 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

barti, I have asked you twice now to stop posting links without explaining why you doing so. Is there a reason you can't? I'd really like to know.
Reply With Quote
  #5   (View Single Post)  
Old 13th September 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by barti View Post
Don't have the time now to learn all the rule sets.
barti, one of the things this site attempts to promote is good practice done by sysadmins. Having no knowledge of what rules are being used is not a good practice.

One of things you may learn is that rulesets are specific to the network topology in which they are used. Even if someone wanted to do your work for you, without knowledge of the specifics of your network arrangement, they aren't going to get far.
Reply With Quote
  #6   (View Single Post)  
Old 13th September 2012
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default the links are the sources of my example posts

I need only basic pf file.


One web server connected to the internet.
-SSH
-HTTP

Nothing more.


Thanks.
Reply With Quote
  #7   (View Single Post)  
Old 13th September 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Oh, how apt this is. I have posted this before, but barti has not seen it.

---

I quote from Peter Hansteen's Book of PF, No Starch Press, ISBN: 978-1-59327-274-6. As posted in Hansteen's Firewalling with OpenBSD's PF packet filter.
Code:
Just to hammer this in, please repeat after me
  
    The Pledge of the Network Admin
  
    This is my network. 
  
    It is mine 
    or technically my employer's, 
    it is my responsibility 
    and I care for it with all my heart
  
    there are many other networks a lot like mine,
  
    but none are just like it.
  
    I solemnly swear 
  
        that I will not mindlessly paste from HOWTOs.
Reply With Quote
  #8   (View Single Post)  
Old 13th September 2012
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default

ok ok
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Help with my pf rule please whispersGhost OpenBSD Security 0 19th April 2012 07:54 AM
normal user for dedicated firewall? unixjingleman OpenBSD Security 3 20th January 2011 08:47 PM
PF rule to disable icmp? cyanide_christ OpenBSD Security 6 15th October 2009 05:35 AM
pf: why is that rule not working? ivanatora FreeBSD General 14 11th December 2008 09:32 AM
About Dedicated Servers qmemo Off-Topic 7 4th September 2008 02:15 PM


All times are GMT. The time now is 08:41 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick