DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 21st January 2010
wesley wesley is offline
Real Name: Wesley
Fdisk Soldier
 
Join Date: Aug 2009
Location: Reunion Island
Posts: 71
Thanked 1 Time in 1 Post
Post improve ruleset

Hello,

I'm using OpenBSD 4.6, i have this ruleset in production.
Is there someone that can help me to improve it ?
Thank's

Code:
# MACROS AND TABLES
wifi="vr0"
lan="fxp0"
dmz="rl0"
wan="vr1"
gwftp="192.168.0.46"
server="172.17.2.100"
dhcpwifi="{ 10.10.10.10 - 10.10.10.15 }"
table <publicts> persist
table <publicftp> persist

#NO FILTERING LOOPBACK
set skip on lo

#BLOCK POLICY
set block-policy drop

#TRAFFIC STANDARDIZATION
match in all scrub (no-df max-mss 1440) 

#NAT
nat on egress -> egress

#TRANSLATIONS
# ANCHOR TO PROTECT OUR FTP SERVER 
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#LAN TO FTP SERVER 
rdr on $lan proto tcp from $lan:network to \
	$server port 21 -> $gwftp \
	port 21

#FTP ACCESS FROM A SPECIFIC IP ADDRESS
rdr on egress proto tcp from <publicftp> to any port 21 -> $gwftp port 21 

#TS ACCESS FROM A SPECIFIC IP ADDRESS
rdr on egress proto tcp from <publicts> to any \
port 3389 -> $server port 3389
 
#FILTERING
# BLOCK ALL AND LOG !
block log all

#PROTECTION
antispoof for { $dmz, $lan, $wifi, egress } 

#ALLOW PINGS FROM LAN
pass inet proto icmp from $lan:network \
to any icmp-type { echoreq, unreach }

#FW OUT
pass out quick on egress proto tcp from egress 
pass out quick on egress proto udp from egress 

# WIFI PORTS OUT https, smtp, et pop3
pass in quick on { !$lan, !$dmz } proto tcp from $dhcpwifi \
	to any port { https, smtp, pop3 }

# WIFI DOMAIN PORT OUT
pass in quick on { !$lan, $dmz } proto udp from $dhcpwifi \
	to any port domain

# ALLOW LAN TO ANYTHING
pass in quick on { !$wifi, !dmz } proto tcp from $lan:network
pass in quick on { !$wifi, $dmz } proto udp from $lan:network

#DMZ TS ACCESS FROM LAN AND WAN
pass out on $dmz proto tcp from $lan:network to $server port 3389
pass out on $dmz proto tcp from <publicts> to $server port 3389
pass in on egress proto tcp from <publicts> to $server port 3389 

#DMZ FTP ACCESS
pass in on egress inet proto tcp from <publicftp> to $gwftp port 21 \
	flags S/SA keep state
pass out on $dmz inet proto tcp to $server port 21 \
	user proxy flags S/SA keep state
anchor "ftp-proxy/*"

Last edited by Carpetsmoker; 22nd January 2010 at 12:23 AM. Reason: Added [code] tags
Reply With Quote
  #2   (View Single Post)  
Old 21st January 2010
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,432
Thanked 214 Times in 189 Posts
Default

Wesley, that is a clear and easy to read set of rules; nice job!

The following are for consideration, they are just my suggestions:

  • I prefer block-policy return to block-policy drop. From my experience, such "stealth" settings do not hide your system from port scanning script kiddies very well, and cause delay to legitimate users who either select the wrong port or the right port when a service is down. And, in the same way, I permit ICMP traffic to flow both ways, not just outbound, as you have.
  • Syntax error?
Code:
pass in quick on { !$wifi, !dmz } proto tcp from $lan:network
pass in quick on { !$wifi, $dmz } proto udp from $lan:network
First line has "!dmz" and the second line has "$dmz".
  • I do not allow unrestricted SMTP output, as you have for your LAN users. I only permit TCP traffic to destination port 25 with a limited number of valid MTAs. This is to prevent any platform on my networks from becoming an effective spam-spewing robot. They may still get p0wned, but they will not be able to simulate being their own MTA and spew spam randomly; any e-mail output must go through a valid MTA, where such things should be quickly noticed.

Last edited by jggimi; 21st January 2010 at 07:16 PM.
Reply With Quote
  #3   (View Single Post)  
Old 21st January 2010
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,116
Thanked 182 Times in 149 Posts
Default

Some of your rules still could use quick.

If you do not use IPv6, you could use inet proto tcp in all rules. In some rules you already use it, so why not be consistent?

You still use S/SA keep state in some tcp rules. This has been the default for quite some time. Do a verbose listing of your rules to see this
Code:
# pfctl -vvnf /etc/pf.conf
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Reply

Tags
pf use 4.6

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
first match vs last match ruleset design (pf vs iptables) zelut FreeBSD Security 5 12th July 2009 08:13 AM
Improve searches maxrussell Feedback and Suggestions 3 19th June 2009 09:45 AM
ipfw ruleset double check l2fl2f FreeBSD Security 3 26th March 2009 06:32 AM
FTP ruleset questions hitete OpenBSD Security 2 25th November 2008 05:30 PM
improve proxy cache and replace gif MIME milo974 OpenBSD General 1 10th July 2008 12:14 PM


All times are GMT. The time now is 12:21 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick