DaemonForums > OpenBSD > OpenBSD Security
#1, 29th August 2009, Stellar (Port Guard)
pf config error

My box setup only has 1 NIC, detected as em0; I will add more Ethernet cards as soon as I have finished all the server setup. For now the NIC is used for both internal and Internet traffic. Searching around, I found an article at http://bash.cyberciti.biz/firewall/pf-firewall-script/ and added some slight modifications; here we go:
Code:
#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
 
#### define tables. add all subnets and ips to block
table <blockedip> persist file "/etc/pf.blockip.conf"
 
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
 
### admin server ranges ###
adminrange = "192.168.1.1/24"
 
# connected to internet
ext_if = "em0"
 
##### ftp proxy
#proxy="127.0.0.1"
#proxyport="8021"
 
#### Normalization
#scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all
 
#### NAT and RDR start
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
 
# redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
 
# Drop incoming everything
block in all
block return 
 
# keep stats of outgoing connections
pass out keep state
 
# We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
 
# unlimited traffic  for loopback and lan / vpn
set skip on {lo0, $ext_if}
 
# activate spoofing protection for all interfaces
block in quick from urpf-failed
 
#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
 
#Block RFC 1918 addresses
block drop in log (all)  quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians
 
# Block all ips
# pfctl -t blockedip -T show
block drop in log (all)  quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>
 
# allow outgoing
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
 
# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
 
# Allow admin to get into box
pass in on $ext_if from $adminrange to any
 
# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh  flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy modulate state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
Boom! Error:
Quote:
-bash-3.2# pfctl -vf /etc/pf.conf
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
table <blockedip> persist file "/etc/pf.blockip.conf"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
adminrange = "192.168.1.1/24"
ext_if = "em0"
/etc/pf.conf:27: syntax error
set skip on { lo0 em0 }
/etc/pf.conf:54: syntax error
/etc/pf.conf:81: syntax error
pfctl: Syntax error in config file: pf rules not loaded
As you can see there are 3 errors, but I have no idea how to debug them. Take the first error: if I translate it correctly, 27 is the line number? Line 27 is empty space, line 54 is the comment "#Block RFC 1918 addresses", and 81 is EOF :/

Last edited by J65nko; 29th August 2009 at 08:20 PM. Reason: Replaced php code block by normal code
#2, 29th August 2009, jggimi (More noise than signal)

Please don't use php code blocks for code which is not actually PHP. The useless colors it produces are distracting, to say the least.

I think there is a line number transposition. Can you upload the file somewhere, rather than copy/paste it? When I run your code through pfctl here, I get syntax errors in lines 4, 5, 7, and 10.

Your link is invalid, by the way. But it doesn't matter, Stellar. Since I recommended you not use 3rd party "howto" documents, and you ignored my advice, perhaps you could ask the author of the guide you decided to follow for assistance, instead?
#3, 29th August 2009, jggimi (More noise than signal)

It's your damned php block. When I grab the raw text out of the php code block, rather than copy/pasting from the browser, then I can see the correct errors: lines 26 and 78, a scrub error and a synproxy error.

Your "scrub" is in error because, I believe, you are running -current. See the April 6 entry of the Following -current FAQ. See the man page for pf.conf(5).

Your "synproxy modulate state" is in error because synproxy is a state. See the man page for pf.conf(5).

Last edited by jggimi; 29th August 2009 at 09:46 PM.
#4, 30th August 2009, Stellar (Port Guard)

Relax man... sorry, I was asleep for 2 days lol. I didn't see that when I pasted into the SSH client it had some wrongly terminated strings. Thanks, it worked as you advised. Here is the config; any advice for eliminating redundant rules? I need help making the security tighter (block port scanners / SYN stealth scans?).
Code:
#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
 
#### define tables. add all subnets and ips to block
table <blockedip> persist file "/etc/pf.blockip.conf"
 
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
 
### admin server ranges ###
adminrange = "192.168.1.101"
 
# connected to internet
ext_if = "em0"
 
##### ftp proxy
#proxy="127.0.0.1"
#proxyport="8021"
 
#### Normalization
#scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all
 
#### NAT and RDR start
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
 
# redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
 
# Drop incoming everything
block in log (to pflog0) all
block return 
 
# keep stats of outgoing connections
pass out log(all) keep state
 
# We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
 
# unlimited traffic  for loopback and lan / vpn
set skip on {lo0, $ext_if}
 
# activate spoofing protection for all interfaces
block in quick from urpf-failed
 
#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log (to pflog0) for $ext_if
 
#Block RFC 1918 addresses
block drop in log (to pflog0)  quick on $ext_if from $martians to any
block drop out log (to pflog0) quick on $ext_if from any to $martians
 
# Block all ips
# pfctl -t blockedip -T show
block drop in log (to pflog0)  quick on $ext_if from <blockedip> to any
block drop out log (to pflog0) quick on $ext_if from any to <blockedip>
 
# allow outgoing
pass out log(to pflog0) on $ext_if proto tcp to any port $tcp_services
pass out log(to pflog0) on $ext_if proto udp to any port $udp_services
 
# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
 
# Allow admin to get into box
pass in log(to pflog0) on $ext_if from $adminrange to any
 
# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh  flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
Attached below. Anyway, I have another problem: pflogd seems to be writing into /var/log/pflog, but strangely pf can't pass the log to the pflog0 interface as defined in the rules. Nothing happens on pflog0 when I am using tcpdump.
My interfaces:
Quote:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
priority: 0
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:07:9b:68
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 192.168.1.88 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fe07:9b68%em0 prefixlen 64 scopeid 0x1
enc0: flags=0<> mtu 1536
priority: 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
priority: 0
groups: pflog
pftop shows just 0:
Quote:
pfTop: Up State no entries, View: default, Order: none, Cache: 10000 16:23:05

PR DIR SRC DEST STATE AGE EXP PKTS BYTES
I ran pf and checked: it's not displayed in the process list???
Quote:
# ps -aux | grep pf
root 5525 0.0 0.0 612 392 ?? Is 3:17PM 0:00.00 pflogd: [priv] (pflogd)
_pflogd 2219 0.0 0.0 676 308 ?? S 3:17PM 0:00.06 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog (pflogd)
root 32108 0.0 0.2 1616 1888 p0 T 4:05PM 0:00.01 pftop
root 22696 0.0 0.2 1604 1908 p0 T 4:23PM 0:00.01 pftop
Attached file: pf.conf (2.7 KB)
#5, 3rd September 2009, s2scott (Package Pilot)

Code:
# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh  flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
consider,

Code:
# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if inet proto tcp \
 from !<blockedip> to ($ext_if) port ssh flags S/SA synproxy state
pass in on $ext_if inet proto udp \
 from !<blockedip> to ($ext_if) port domain
pass in on $ext_if inet proto tcp \
 from !<blockedip> to ($ext_if) port domain flags S/SA synproxy state
pass in on $ext_if inet proto tcp \
 from !<blockedip> to ($ext_if) port http flags S/SA synproxy state
Among the alternatives to consider, "($ext_if)" is far better than "any."
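Every problem raised in this thread can be caught by a static pass over pf.conf before pfctl(8) is ever run, so here is an added example (my own code, not from any poster in this thread and not from OpenBSD) that lints a pf.conf for exactly those patterns: jggimi's two findings in #3 (a standalone scrub rule, which OpenBSD 4.6 turned into an option of match rules, and synproxy combined with modulate), a `set skip on` that names the same interface the filter rules select with `on` (the posted config does this with em0; a skipped interface is never filtered, so no rule on it can match, create a state or log, which is consistent with the empty pflog0 and pftop output in #4), a referenced-but-undefined table name such as a mistyped `<blockedips>`, and s2scott's point in #5 about `pass in ... to any` versus `($ext_if)`. Both embedded configs are constructed for the demo and are not the attached pf.conf; the checks are regular expressions over macro-expanded lines, not a full pf grammar, and a rule's `on` clause is assumed to name a single interface.

```python
"""Static sanity checks for a pf.conf, mirroring the mistakes in this thread."""
import re
from typing import Dict, List, Tuple

MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?(.*?)"?\s*$')
TABLE_DEF_RE = re.compile(r'^\s*table\s+<([^>]+)>')
TABLE_REF_RE = re.compile(r'<([^>]+)>')
SET_SKIP_RE = re.compile(r'^\s*set\s+skip\s+on\s+(.+)$')
ON_IF_RE = re.compile(r'\bon\s+(\w+)')  # one interface after "on"; {a b} lists are not handled

# Constructed sample modelled on the thread's config; it is not the poster's file.
SAMPLE_PF_CONF = """\
ext_if = "em0"
adminrange = "192.168.1.101"
table <blockedip> persist file "/etc/pf.blockip.conf"
scrub in all
set skip on {lo0, $ext_if}
block in log (to pflog0) all
pass out log(to pflog0) on $ext_if proto tcp to any port { ssh, www }
pass in log(to pflog0) on $ext_if from $adminrange to any
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy modulate state
pass in on $ext_if inet proto tcp \\
    from !<blockedips> to ($ext_if) port http flags S/SA synproxy state
"""

# The same policy with every finding resolved (also constructed).
FIXED_PF_CONF = """\
ext_if = "em0"
adminrange = "192.168.1.101"
table <blockedip> persist file "/etc/pf.blockip.conf"
match in all scrub (no-df)
set skip on lo0
block in log (to pflog0) all
pass out on $ext_if proto tcp to any port { ssh, www }
pass in on $ext_if from $adminrange to ($ext_if)
pass in on $ext_if inet proto tcp \\
    from !<blockedip> to ($ext_if) port ssh flags S/SA synproxy state
"""

def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Drop comments and join backslash continuations, keeping pfctl-style line numbers."""
    out, buf, start = [], "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not buf:
            start = num          # a continued rule is reported at its first line
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        if buf.strip():
            out.append((start, buf.strip()))
        buf = ""
    return out

def expand_macros(line: str, macros: Dict[str, str]) -> str:
    """Replace $name with its macro value; unknown macros are left untouched."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)

def lint_pf_conf(text: str) -> List[Tuple[int, str]]:
    """Return sorted (line, message) findings for the five checks described above."""
    findings: List[Tuple[int, str]] = []
    macros: Dict[str, str] = {}
    defined, used, skipped, on_ifaces = set(), [], set(), []
    for num, line in logical_lines(text):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = TABLE_DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        line = expand_macros(line, macros)
        m = SET_SKIP_RE.match(line)
        if m:  # '{lo0, em0}' or 'lo0' -> set of interface names
            skipped.update(t for t in re.split(r'[\s,{}]+', m.group(1)) if t)
            continue
        used += [(num, t) for t in TABLE_REF_RE.findall(line)]
        keyword = line.split()[0]
        if keyword == "scrub":
            findings.append((num, "standalone 'scrub' rule: since OpenBSD 4.6 scrub is an option of match/pass rules, e.g. 'match in all scrub (no-df)'"))
        if "synproxy" in line and "modulate" in line:
            findings.append((num, "'synproxy' is itself a state kind: write 'synproxy state', not 'synproxy modulate state'"))
        if keyword in ("pass", "block", "match", "antispoof"):
            on_ifaces += [(num, i) for i in ON_IF_RE.findall(line)]
        if keyword == "pass" and re.search(r'\bin\b', line) and re.search(r'\bto\s+any\b', line):
            findings.append((num, "'pass in ... to any' admits traffic to every address; prefer 'to ($ext_if)'"))
    findings += [(n, f"table <{t}> is referenced but never defined") for n, t in used if t not in defined]
    findings += [(n, f"rule selects {i}, but 'set skip on' excludes {i} from filtering, so it never matches or logs")
                 for n, i in on_ifaces if i in skipped]
    return sorted(findings)

def report(text: str) -> str:
    """Findings in pfctl's 'pf.conf:LINE: message' style."""
    return "\n".join(f"pf.conf:{n}: {msg}" for n, msg in lint_pf_conf(text)) or "no findings"

if __name__ == "__main__":
    print(report(SAMPLE_PF_CONF), "\n---\n", report(FIXED_PF_CONF), sep="")
```

Run it as-is and the sample config produces nine findings (every em0 rule is reported as dead because of `set skip on`), while the fixed config produces none. The fixed version is what the thread converges on: scrub expressed as a match option, em0 removed from `set skip`, `($ext_if)` instead of `any` as the destination of inbound rules, and one consistently spelled table name. The lint is deliberately narrow; `pfctl -nf /etc/pf.conf` remains the authoritative syntax check on the box itself.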
#6, 3rd September 2009, Stellar (Port Guard)

OK, thank you...