#1   12th May 2009
Oko (Rc.conf Instructor)
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
pf.conf Examples

I am posting the pf.conf file for my laptop in order to get some comments and feedback from more experienced users, as well as to encourage everybody to post samples of their pf.conf files.


Code:
#########
## Macros       
#########

ext_if="rl0"
#int_if=" "

tcp_services = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
udp_services= "{domain, ntp}"


#########
## Tables
#########

#table <spamd-white> persist


##########
## Options
##########

set require-order yes
set block-policy return
set optimization normal
set skip on lo
set loginterface $ext_if


########################
## Traffic normalization
########################

scrub in all random-id fragment reassemble 
scrub out all random-id fragment reassemble


#######################
## Bandwidth management
#######################


##############
## Translation
##############


##############
## Redirection
##############

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr-anchor "relayd/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#anchor "relayd/*" 


#######################################
## Packet filtering
## block and log everything by default
######################################

block log all


## DEBUG:
##  LOG Blocked Packets [uncomment above]:
##     block log all
##  VIEW LOG VIA:
##     tcpdump -n -e -ttt -i pflog0

### Theo's suggestions instead of pfstat
# systat pf 1
# and then use the right and left cursors to see additional
# interesting views
# this is also a good tool
# pfctl -s all


# Make sure all packets are clean and sane
antispoof quick for $ext_if
antispoof quick for { lo $ext_if }

# block anything coming from a source we have no route back to
block in from no-route to any

# block packets whose ingress interface does not match the one on
# the route back to their source address
block in from urpf-failed to any

# block and log outgoing packets that do not have our address as source;
# they are either spoofed or something is misconfigured (NAT disabled,
# for instance). We want to be nice and not send out garbage.
# block out log quick on $ext_if from ! 157.161.48.183 to any

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255



# block and log incoming packets from reserved address space and invalid
# addresses,they are either spoofed or misconfigured, we cannot reply to
# them anyway (hence, no return-rst).
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
                          192.168.0.0/16, 255.255.255.255/32 } to any


####################################################
## Only allow outgoing services which are sensible
####################################################

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
# pass out on $ext_if inet proto icmp all icmp-type 8 code 0

# UDP
# pass out certain UDP connections and keep state (DNS)
pass out on $ext_if proto udp to any port $udp_services


# TCP
# pass out certain TCP connections and keep state (SSH, SMTP, DNS)
pass out on $ext_if proto tcp to any port $tcp_services

As you probably noticed, I have some redundant rules. The file is the way it
is so that I can relatively easily modify it for a similar situation, i.e. a single
workstation.

I have a couple of questions, though. Do I have to have ntp listed in both
tcp and udp services in order for time synchronization to work properly?
I thought that ntp is a udp protocol.

I noticed that some people list imap in udp services. Why do they do that?

Notice also that I have

Code:
pass out on $ext_if proto udp to any port $udp_services

while most setups I saw have

Code:
pass       on $ext_if proto udp to any port $udp_services

Can somebody explain the difference?


Also notice that I have

Code:
# Make sure all packets are clean and sane
antispoof quick for $ext_if
antispoof quick for { lo $ext_if }

even though I think that

Code:
antispoof quick for $ext_if

Can somebody explain the difference?

Last edited by Oko; 22nd September 2011 at 01:22 AM.
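As an added example, not part of the post or of OpenBSD's own tooling: a small Python lint that expands pf.conf macros and flags three things a reviewer of a ruleset like the one above would look for: an empty list element left by a doubled comma (which pfctl rejects as a syntax error), a `pass` rule with neither `in` nor `out` (pf applies such a rule to both directions, which is the difference between the two udp rules asked about), and an `antispoof` rule whose interface list is already contained in an earlier one. The sample ruleset is constructed for the demonstration and is not the posted file.

```python
import re

# Constructed sample in the style of the posted pf.conf: the deliberate ",," typo,
# the direction-less "pass" and the overlapping antispoof rules are the cases to catch.
SAMPLE_PF_CONF = """\
ext_if="rl0"
tcp_services = "{ssh, imaps, smtp, 587,, domain, ntp, www, https}"
udp_services= "{domain, ntp}"
block log all
antispoof quick for $ext_if
antispoof quick for { lo $ext_if }
pass out on $ext_if proto udp to any port $udp_services
pass on $ext_if proto tcp to any port $tcp_services
"""

MACRO_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"$')

def expand(line, macros):
    """Substitute $name references textually, as pfctl does before parsing."""
    return re.sub(r'\$([A-Za-z_]\w*)', lambda m: macros.get(m.group(1), m.group(0)), line)

def lint(text):
    """Return (line number, message) findings; an empty list means nothing was flagged."""
    macros, findings, antispoof_seen = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not code:
            continue
        # A comma with nothing before it ("587,,") leaves an empty list element.
        for lst in re.findall(r'\{[^}]*\}', code):
            if '' in [item.strip() for item in lst.strip('{}').split(',')]:
                findings.append((lineno, 'empty element in list ' + lst))
        m = MACRO_RE.match(code)
        if m:  # macro definition: record it, nothing else to check on this line
            macros[m.group(1)] = m.group(2)
            continue
        line = expand(code, macros)
        words = line.split()
        # "pass" with neither "in" nor "out" matches packets in both directions.
        if words[0] == 'pass' and words[1:2] not in (['in'], ['out']):
            findings.append((lineno, 'pass without in/out matches both directions'))
        # An antispoof whose interfaces an earlier rule already lists is redundant.
        if words[0] == 'antispoof' and ' for ' in line:
            ifs = set(re.split(r'[\s,]+', line.split(' for ', 1)[1].strip('{} ')))
            for prev_no, prev_ifs in antispoof_seen:
                if prev_ifs <= ifs:
                    findings.append((lineno, f'covers antispoof on line {prev_no}'))
            antispoof_seen.append((lineno, ifs))
    return findings
```

Run `lint(open('/etc/pf.conf').read())` to apply the same three checks to a real file; the line numbers refer to the file as read.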