DaemonForums  

DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

#1
9th July 2009
zelut
Port Guard
Join Date: Oct 2008
Posts: 11

first match vs last match ruleset design (pf vs iptables)

I'm just starting my research into pf, but I have quite a bit of experience with Linux iptables. With iptables the ruleset is a first-match design. Upon finding a packet that matches a rule the list is exited and the packet is acted upon. From my reading with pf it appears to be the opposite.

I'm wondering if anyone can explain the idea behind this--it seems backwards to me. Or has anyone else gone through the transition between one design and the other and has any advice on how to change my way of thinking?
#2
9th July 2009
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

You can easily force first-match by using the pf quick keyword. I do that quite a lot.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
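An added illustration of the point made in this post (an example ruleset written for this thread, not code from the original post or from the pf project): the same three rules evaluated under pf's default last-match behaviour and then with quick. The interface name em0, the <blocked> table and the 203.0.113.0/24 and 192.0.2.0/24 addresses are constructed sample values.

```pf
# Added example: pf evaluates the whole ruleset and the LAST matching rule
# wins; "quick" stops evaluation at that rule, giving iptables-style
# first-match. $ext_if and <blocked> are assumed names for this demo.
ext_if = "em0"
table <blocked> persist { 203.0.113.0/24 }   # constructed sample (TEST-NET-3)

# --- Variant A: no quick, last match decides ---
# A TCP SYN from 203.0.113.5 to port 22 matches all three rules below.
# The last match is the pass rule, so the packet is PASSED even though
# its source is listed in <blocked>. Rule order is what decides here.
block in on $ext_if
block in on $ext_if from <blocked>
pass in on $ext_if proto tcp to port 22

# --- Variant B: quick, first quick match decides ---
# Same SYN from 203.0.113.5: the default block matches but carries no
# quick, so evaluation continues; the <blocked> rule matches and is quick,
# so evaluation stops there and the packet is DROPPED.
# A SYN from 192.0.2.7 to port 22 does not match the <blocked> rule and
# stops at the quick pass, so it is passed; anything it matched only the
# default block for is dropped because no quick rule claimed it.
block in on $ext_if
block in quick on $ext_if from <blocked>
pass in quick on $ext_if proto tcp to port 22
```

Load one variant at a time (pfctl -nf pf.conf parses without loading, pfctl -f pf.conf loads, pfctl -sr shows the active rules in evaluation order). The habit that carries over from iptables is the one shown in Variant B: mark the rules that must be final with quick and keep a non-quick default block at the top as the rule of last resort.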
#3
9th July 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

A poetic comparison from Jason Dixon in 2004: http://marc.info/?m=108507584013046

Seven years ago, there was a technical performance comparison. Because it's so old, I wouldn't consider it necessarily valid/useful today:

http://undeadly.org/cgi?action=artic...20020617203813
#4
9th July 2009
zelut
Port Guard
Join Date: Oct 2008
Posts: 11

Perhaps I should post my pf.conf here for some critique and improvement. To give you an idea of what I'm working with here I have seven jails on the system, each providing a service. Everything from mail, dns, dhcp, monitoring (nagios), git, etc. I've added comments for the sake of this thread regarding what I'm attempting to do with each set of rules. Perhaps I can get some feedback on the accuracy and efficiency of this ruleset:

Quote:
### MACROS
# defining the interface and each of the jails + host by hostname/address
interface=hme0
mohinder=192.168.0.10
parkman=192.168.0.11
peter=192.168.0.12
molly=192.168.0.13
mail=192.168.0.14
angela=192.168.0.99
claire=192.168.0.100
rebel=192.168.0.200

### TABLES
# defining my intranet/24 as secure, defining jails (which I realize is never called)
table <secure> { 192.168.0.0/24 }
table <jails> { $parkman, $peter, $molly, $mail, $angela, $claire, $rebel }

### GLOBAL OPTIONS
# skip anything on loopback, set policy to drop
set skip on lo0
set block-policy drop

### TRAFFIC NORMALIZATION
# normalize traffic (still a bit fuzzy on scrub)
scrub in all

### FILTER RULES
# allow all outbound tcp, udp and icmp traffic
pass out quick on $interface proto { tcp, udp, icmp } all keep state

# SSH
# $claire and $rebel should be available from anywhere.
# $parkman should be available from anywhere in the LAN
# $mohinder should only be accessible from $parkman
pass in on $interface proto tcp from any to $claire port = 22222 keep state
pass in on $interface proto tcp from any to $rebel port = 2200 keep state
pass in on $interface proto tcp from <secure> to $parkman port = 22 keep state
pass in on $interface proto tcp from $parkman to $mohinder port = 22 keep state

# MAIL
# smtp/imap(s) open to anyone
pass in on $interface proto tcp from any to $mail port = 25 keep state
pass in on $interface proto tcp from any to $mail port = 143 keep state
pass in on $interface proto tcp from any to $mail port = 993 keep state

# allow mail full connectivity to itself
pass in on $interface proto { tcp, udp } from $mail to $mail keep state

# HTTPD
# https available for webmail to anyone, $angela http only available in LAN
pass in on $interface proto tcp from any to $mail port = 443 keep state
pass in on $interface proto tcp from <secure> to $angela port = 80 keep state

# DNS
# allow tcp/udp to $molly for DNS from anyone
pass in on $interface proto { tcp, udp } from any to $molly port = 53 keep state

# DHCP
# do I need this if $molly is the DHCP server? or is it covered by the outbound?
pass in on $interface proto { tcp, udp } from <secure> to $molly port = 67 keep state

(yes my jails are named after "Heroes" characters. I have another server + jails all named after BSG characters if that is any consolation)

Thanks
#5
10th July 2009
BSDfan666
Real Name: N/A, this is the interweb.
Banned
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

You should have named your happy meal interface sylar.
#6
12th July 2009
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

For efficiency, you should use quick

You also should use flags S/SA keep state for TCP traffic to make sure that state will be created on the first TCP packet of the three-way TCP handshake. The reason is explained in the "Filter statefully" section of http://undeadly.org/cgi?action=artic...20060927091645.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
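The ruleset zelut posted in #4, rewritten to apply both suggestions from this post (an added example written for this thread, not zelut's or J65nko's own text and not pf project code): every pass rule carries quick, every TCP pass carries an explicit flags S/SA keep state, and a non-quick block in rule at the top supplies the default deny. The macros and addresses are zelut's; the rule order, the default block, the splitting of the combined { tcp, udp } rules into separate tcp and udp rules (pfctl rejects flags on anything but tcp), the dropping of the unused <jails> table and the DHCP rule being udp-only from any are my choices and are marked as such in the comments.

```pf
# Added example: zelut's pf.conf from #4 with "quick" on every pass rule
# and "flags S/SA keep state" on every TCP pass rule. Rule order, the
# default block and the tcp/udp split are this example's choices.
interface = hme0
mohinder  = 192.168.0.10
parkman   = 192.168.0.11
peter     = 192.168.0.12
molly     = 192.168.0.13
mail      = 192.168.0.14
angela    = 192.168.0.99
claire    = 192.168.0.100
rebel     = 192.168.0.200

table <secure> { 192.168.0.0/24 }

set skip on lo0
set block-policy drop
scrub in all

# Default deny. Deliberately NOT quick: it is the rule of last resort and
# only decides for packets that no quick pass rule below has claimed.
block in on $interface

# Outbound: quick, so nothing below is evaluated for outgoing packets.
pass out quick on $interface proto { tcp, udp, icmp } all keep state

# Inbound. Every pass is quick, so pf stops at the first match (iptables
# style). "flags S/SA" means state is only created by the initial SYN of
# the three-way handshake, never by a stray mid-stream ACK.

# SSH
pass in quick on $interface proto tcp from any to $claire port 22222 flags S/SA keep state
pass in quick on $interface proto tcp from any to $rebel port 2200 flags S/SA keep state
pass in quick on $interface proto tcp from <secure> to $parkman port 22 flags S/SA keep state
pass in quick on $interface proto tcp from $parkman to $mohinder port 22 flags S/SA keep state

# MAIL: smtp, imap, imaps open to anyone; mail fully reachable from itself.
# flags only apply to tcp, so the udp half of the original { tcp, udp }
# rule is a separate rule without flags (this example's choice).
pass in quick on $interface proto tcp from any to $mail port { 25, 143, 993 } flags S/SA keep state
pass in quick on $interface proto tcp from $mail to $mail flags S/SA keep state
pass in quick on $interface proto udp from $mail to $mail keep state

# HTTPD: https on the mail jail for anyone, http on $angela only from the LAN
pass in quick on $interface proto tcp from any to $mail port 443 flags S/SA keep state
pass in quick on $interface proto tcp from <secure> to $angela port 80 flags S/SA keep state

# DNS: tcp and udp split for the same reason as above
pass in quick on $interface proto tcp from any to $molly port 53 flags S/SA keep state
pass in quick on $interface proto udp from any to $molly port 53 keep state

# DHCP (this example's choice: udp only, from any). The server's side of
# DHCP is an inbound request, which the outbound rule's state does not
# cover, and a client's first DISCOVER is sent from 0.0.0.0, which
# "from <secure>" would not match.
pass in quick on $interface proto udp from any to $molly port 67 keep state
```

Check it with pfctl -nf /etc/pf.conf before loading; with every pass marked quick, pfctl -sr then shows the rules in exactly the order pf will stop on them, which makes reading the ruleset as an iptables user expects it to read.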