I'm not going to post my pf.conf, I'm sure it's full of redundancies as well.. but I will answer your questions.
IANA maintains a registry that OS vendors can use to maintain their /etc/services database; this file allows the OS and users to map numbers to names. http://www.iana.org/assignments/port-numbers
Hope that helps...
will work for most users.
Having in mind that I am setting skip on lo, antispoof should do nothing on lo anyway. Am I mistaken?
There are 2 primary types of rulesets (..probably more):
In my case, I pass all outgoing IPv4 TCP/UDP/ICMP traffic (..with state) from my /24 private LAN.. but I block all incoming traffic except for whatever I implicitly allow.
I know it can sound confusing, but reading the pf FAQ and the man pages can make it all become clearer.. I've been using OpenBSD+pf for a long time now, but I still tweak my rulesets occasionally.
Mine is actually quite extensive...
Code:
block in log
pass out all

Besides the PF FAQ, for tweaking pf second place belongs to the incredibly readable and very useful articles by Daniel Hartmeier (the link's got all three articles): http://undeadly.org/cgi?action=artic...20060927091645

Skipping on lo means "don't filter on any lo interfaces at all"; whereas antispoof on lo0 concerns other interfaces. The way I understand antispoof on lo0 is: block all incoming traffic from the 127.0.0.0/8 net that doesn't go through lo0. One should not receive packets from this net on, say, the vr0 interface that has the 10.0.0.1/24 address.
Code:
rule expands to:
block drop in on ! lo0 inet from 127.0.0.1/8 to any

  network 127.0.0.0/8           vr0              lo0
  ---------------------->   10.0.0.1  -  |  127.0.0.1  |
                                         |   PF BOX    |
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn. If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD
Code:
ext_if="rl0"
tcp_services = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
udp_services= "{domain, ntp}"

set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble

block return in log all
block out all
antispoof quick for $ext_if

pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services
Last edited by Oko; 22nd September 2011 at 01:23 AM.
What is wrong with my pf.conf ?
Code:
#Macro
int_if="rl0"

#options
set block-policy return
set loginterface $int_if

#Normalization
scrub in all

#Passing Traffic
pass out quick on $int_if inet proto tcp from $int_if to any port www
pass in quick log on $int_if inet proto tcp to $int_if port 21 keep state

#Default Deny
block all
You are only passing TCP packets, but not UDP, which is needed by, say, DNS or DHCP. So when you try to resolve the IP address of google.com, your pf is blocking those packets from exiting your box. Try with an IP address in the browser, or put the log word in the block rule, reload the config and start tcpdump on pflog to see the blocked packets.
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn. If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD
I would suggest you start with the above simplified pf.conf file that I posted and then remove services which you do not need. You must leave domain intact! On the other hand, I see that you want to keep ftp open for outside access. Do you really have an ftp server? Are you sure you really want to do that? You shouldn't be using anything else except sftp for transferring files and ssh for shell access. If FTP is really needed you need to do a little bit more reading about the ftp protocol. Namely, ftp makes initial contact on port 21 and then randomly opens another port for the transfer of data. I know that sounds crazy but it is what it is. In order to set ftp up properly, even just for access to other servers, you need to set up an ftp proxy. In order for the ftp proxy to work, inetd must work. Inetd is a security risk, so you will have to trim down inetd.conf very carefully and remove all unnecessary things.
@bsdnewbie999
__________________
The more you learn, the more you realize how little you know ....
The first week I turned on outbound filtering in our hosting network we caught a slew of infected machines that had passed our other means of detection. Plus, it's part of being a good netizen: don't pass your infection on to others.
__________________
Network Firefighter
My example PF
Code:
ethernet = "fxp0"
#outside visible services
services = "{auth,ntp,rpc }"

#fix packets
match in all scrub (no-df)

# no bug on loopback device
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

#deal with bad packets
block in log quick on $ethernet inet proto icmp from any to any icmp-type redir
block in quick on $ethernet from any to any

#
# Now the regular filtering rules
#
# allow for incoming ping and traceroute only (ICMP)
#
pass in quick on $ethernet inet proto icmp from any to any icmp-type { \
    echorep, echoreq, timex, unreach }
block in log quick on $ethernet inet proto icmp from any to any

# TCP: Allow ssh, smtp, http and https incoming. Only match
# SYN packets, and allow the state table to handle the rest of the
# connection. I'm not currently using these services on this machine so it
# is commented out
#
#pass in quick on $external inet proto tcp from any to any port $services flags S/SA keep state

# Allow packets coming in as replies to my
# connections so I keep state. Strictly speaking, with packets
# coming from our network we don't have to only match SYN, but
# what the heck ?
#
pass out quick on $ethernet inet proto tcp from any to any flags S/SA keep state
pass out quick on $ethernet inet proto udp all keep state
pass out quick on $ethernet inet proto icmp from any to any keep state

# End of rules. Block everything to all ports, all protocols and return
# RST (TCP) or ICMP/port-unreachable (UDP).
#
block return-rst in log quick on $ethernet inet proto tcp from any to any
block return-icmp in log quick on $ethernet inet proto udp from any to any
block in quick on $ethernet all
#
# End of file
Last edited by Angevin; 17th February 2010 at 12:07 PM.
BTW, my current setup is only for a single workstation/desktop. There are no other computers using the firewall right now (I don't have a personal home office LAN as of right now). Only other people on my network would be other subnet IP block DHCP users from my highspeed cable internet service provider.
Last edited by Angevin; 17th February 2010 at 07:39 PM. Reason: fix minor grammar error |
My remarks
Code:
# --- Macro definitions
ethernet = "fxp0"
# outside visible services
services = "{auth,ntp,rpc }"

set skip on lo0          # no bug on loopback device
set block-policy return  # for TCP return RST and for the rest ICMP UNREACHABLE

# --- fix packets
match in all scrub (no-df)

# --- INCOMING traffic
# incoming ping and traceroute (ICMP)
pass in quick on $ethernet inet proto icmp from any to any icmp-type { \
    echorep, echoreq, timex, unreach }
# pass in quick on $external inet proto tcp from any to any port $services

# --- OUTGOING traffic
pass out quick on $ethernet inet proto tcp all
pass out quick on $ethernet inet proto udp all
pass out quick on $ethernet inet proto icmp all

# --- BLOCK policy
block in log quick on $ethernet inet proto icmp from any to any icmp-type redir
block log quick on $ethernet all
#
# End of file
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I'm connected with adsl/pppoe
Code:
nic0="em0"    # lan1 1G/jumbo
nic1="msk0"   # lan2 100
nic2="em1"    # pppoe port
ext="pppoe0"
torrent="6881:6899"

table <spamd-white> persist

set block-policy return
set skip on { lo $nic0 $nic1 $nic2 bridge0 }

altq on $ext priq bandwidth 800Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

block on $ext
pass in on $ext inet proto { tcp udp } from any to ($ext) port ssh queue (q_def, q_pri)
pass in on $ext inet proto tcp from any to ($ext) port { auth pop3s imaps } queue (q_def, q_pri)
pass in on $ext inet proto tcp from any to ($ext) port { www https } queue (q_def, q_pri) rdr-to 192.168.0.2
pass in on $ext inet proto { tcp udp } from any to ($ext) port { $torrent } queue (q_def, q_pri) rdr-to 192.168.0.2
pass in on $ext inet proto tcp from any to ($ext) port smtp rdr-to 127.0.0.1 port spamd
pass in on $ext inet proto tcp from <spamd-white> to ($ext) port smtp queue (q_def, q_pri)
pass out on $ext inet proto tcp from ! 224/4 to any queue (q_def, q_pri)
pass out on $ext inet proto udp from ! 224/4 to any queue (q_def, q_pri)
block on $ext proto { tcp udp } from any to any port { netbios-ns netbios-dgm netbios-ssn microsoft-ds nfsd }
match out on $ext scrub (max-mss 1440)
match out on $ext from !($ext) nat-to ($ext:0)

# vim: set filetype=pf:
__________________
HP ProCurve 1800-24G, Phenom 9750, Dual Opteron 265, AMD64 3000+, Dual P3-800, eMac G4 1.0GHz, Sun Blade 150, Alpha PWS 433 and more ...
Wilfried, any reason why you did not use any quick on those pass rules?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
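Two points in this thread come down to pf's rule ordering: the reply that bsdnewbie999's TCP-only pass rule leaves DNS (UDP 53) falling through to block all, and the question of why Wilfried's pass rules carry no quick. The following is an added Python model (not pf and not any poster's code) of pf's "last matching rule wins, unless a matching rule says quick" semantics over a constructed, reduced form of those two rulesets; it ignores state, match rules and addresses, and port 445 stands in for the netbios/microsoft-ds block at the end of Wilfried's ruleset.

```python
# Minimal model of pf rule evaluation: later matching rules override earlier
# ones, and a matching "quick" rule ends evaluation. Constructed example; it
# understands only action, quick, in/out, "proto X" and "port N".

def parse_rule(text):
    """Parse a tiny pf subset such as 'pass out quick proto tcp port 80'."""
    toks = text.split()
    rule = {"action": toks[0], "quick": "quick" in toks,
            "dir": None, "proto": None, "port": None}
    for i, tok in enumerate(toks):
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok == "proto":
            rule["proto"] = toks[i + 1]
        elif tok == "port":
            rule["port"] = int(toks[i + 1])
    return rule

def matches(rule, pkt):
    """A rule field of None is a wildcard, like 'all' or an omitted field in pf."""
    return all(rule[k] is None or rule[k] == pkt[k] for k in ("dir", "proto", "port"))

def evaluate(ruleset, pkt):
    """Return 'pass' or 'block' for pkt using pf's ordering semantics."""
    decision = "pass"                  # pf's implicit default when nothing matches
    for rule in map(parse_rule, ruleset):
        if matches(rule, pkt):
            decision = rule["action"]  # a later match overrides an earlier one
            if rule["quick"]:
                break                  # quick: this match is final
    return decision

def pkt(direction, proto, port):
    return {"dir": direction, "proto": proto, "port": port}

# bsdnewbie999's ruleset, reduced: only outbound TCP to port 80 is passed,
# so a DNS query (UDP 53) falls through to "block all".
NEWBIE = ["pass out quick proto tcp port 80", "block all"]
# Wilfried's pattern, reduced: a non-quick "pass out" followed by a trailing
# block for port 445. The block wins only because the pass rule has no quick.
WILFRIED = ["block", "pass out proto tcp", "block proto tcp port 445"]
WILFRIED_QUICK = ["block", "pass out quick proto tcp", "block proto tcp port 445"]

if __name__ == "__main__":
    print("newbie www:", evaluate(NEWBIE, pkt("out", "tcp", 80)))
    print("newbie dns:", evaluate(NEWBIE, pkt("out", "udp", 53)))
    print("wilfried 445:", evaluate(WILFRIED, pkt("out", "tcp", 445)))
    print("wilfried 445 with quick:", evaluate(WILFRIED_QUICK, pkt("out", "tcp", 445)))
```

Adding quick to the pass out rule would let outbound SMB traffic leak past the trailing block, which is the behaviour the question about quick is really asking about.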
unwanted bots, viruses etc.!
You may get more of a response if you simply start a new thread.
Among other things it was IRC traffic originating from our network. Watching outbound traffic from machines (primarily the destination addresses and ports they were attempting to hit) was the key.
__________________
Network Firefighter