please check my pf.conf
Below is my pf.conf which I put together reading the man page and googling around.
It seems to work fine; I've been using it for quite a few months. I have a restricted user "amule" which I use to run amule (rarely, actually). Do the lines in my pf.conf make sense? (It seems they do; I remember trying to change them and thus blocking amule traffic.) I use this computer basically as a desktop, but it is on 24h/day, so I need it to be safe. On Google I found this script to block brute-force attacks, which works very well: Code:
#!/bin/sh
# rebuild the <ssh-violations> table from /var/log/authlog
pfctl -t ssh-violations -T flush

# sources that tried a nonexistent user more than once
# (sort before uniq -d: uniq only detects adjacent duplicates)
for ips in `grep sshd /var/log/authlog | grep "Invalid" | awk '{print $10}' | sort | uniq -d` ; do
    pfctl -t ssh-violations -T add $ips
done

# sources with more than 5 "Failed password" lines; the address is the
# 4th field from the end ("... from 1.2.3.4 port 1234 ssh2")
grep sshd /var/log/authlog | grep "Failed" | rev | cut -d' ' -f 4 | rev | sort | uniq -c | \
( while read num ips; do
    if [ $num -gt 5 ]; then
        # check the table itself: pfctl -s rules lists rules, not table entries
        if ! pfctl -t ssh-violations -T show | grep -qF "$ips" ; then
            pfctl -t ssh-violations -T add $ips
        fi
    fi
done )
Code:
ext_if="gem0"
ssh= "{ 22 }"
table <ssh-violations> persist file "/etc/ssh-violations"

# options
set block-policy drop
set state-policy if-bound
set loginterface $ext_if
set optimization normal
set skip on lo0

# scrub
scrub in on $ext_if all

pass quick on lo0 all
antispoof for $ext_if

block in log all
block out all
block in quick log from <ssh-violations> to any

pass on $ext_if proto tcp from any to any port $ssh
pass on $ext_if proto tcp from any to any port 4662 user amule
pass on $ext_if proto udp from any to any port 4665 user amule
pass on $ext_if proto udp from any to any port 4672 user amule
pass on $ext_if proto tcp from any to any port 4712 user amule
pass on $ext_if proto tcp from any to any port 4661 user amule
pass out quick on $ext_if inet

martians = "{ 127.0.0.0/8, 172.16.0.0/12, \
    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
    0.0.0.0/8, 240.0.0.0/4 }"
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
Any comments or suggestions will be greatly appreciated.
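The script in the post above takes the address from fixed field positions and checks pfctl -s rules for existing entries. As an added example (not from the original post, and neither OpenBSD's nor the poster's code), here is the same detection logic run over a constructed authlog sample: the address is taken as the token after "from", which also works for IPv6 and for the "Failed password for invalid user" variant, and the result is a plain list that can be written to the file the table is loaded from. The sample log lines, the default threshold, the LOGSRC variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example: rebuild the <ssh-violations> address list from sshd log lines.
# SAMPLE_AUTHLOG is constructed test data in OpenBSD authlog format, not real logs.
SAMPLE_AUTHLOG='Mar  3 10:01:02 host sshd[1234]: Invalid user admin from 203.0.113.5
Mar  3 10:01:05 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  3 10:02:10 host sshd[1240]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 10:02:12 host sshd[1241]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  3 10:02:14 host sshd[1242]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar  3 10:02:16 host sshd[1243]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar  3 10:02:18 host sshd[1244]: Failed password for root from 198.51.100.7 port 40006 ssh2
Mar  3 10:02:20 host sshd[1245]: Failed password for root from 198.51.100.7 port 40007 ssh2
Mar  3 10:05:00 host sshd[1260]: Failed password for alice from 192.0.2.9 port 40010 ssh2
Mar  3 10:05:30 host sshd[1261]: Accepted publickey for alice from 192.0.2.9 port 40011 ssh2
Mar  3 10:06:00 host sshd[1270]: Invalid user test from 2001:db8::1
Mar  3 10:06:01 host sshd[1270]: Invalid user test from 2001:db8::1'

# Log source: the file named by $LOGSRC if set (assumed variable), else the sample.
log_source() {
    if [ -n "${LOGSRC:-}" ]; then cat "$LOGSRC"; else printf '%s\n' "$SAMPLE_AUTHLOG"; fi
}

# ssh_offenders [threshold]
# Prints one address per line for every source that either tried a nonexistent
# account ("Invalid user") or exceeded the threshold of "Failed password" lines
# (default 5, the same limit as the original script).
ssh_offenders() {
    threshold="${1:-5}"
    log_source | awk -v limit="$threshold" '
    /sshd\[[0-9]+\]: / {
        # The address is whatever follows "from"; this does not depend on the
        # username or on the "for invalid user" variant, and handles IPv6.
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        if ($0 ~ /Invalid user/) invalid[ip] = 1
        else if ($0 ~ /Failed password/) failed[ip]++
    }
    END {
        for (ip in invalid) print ip
        for (ip in failed) if (failed[ip] > limit && !(ip in invalid)) print ip
    }' | LC_ALL=C sort -u
}

# Usage on the real box (as root):
#   LOGSRC=/var/log/authlog ssh_offenders 5 > /etc/ssh-violations
#   pfctl -t ssh-violations -T replace -f /etc/ssh-violations
# "replace" swaps the whole table in one step instead of flush-then-add, so there
# is no window where the table is empty, and writing the file named in the
# "persist file" declaration keeps the entries across a pf.conf reload.
ssh_offenders 5
```

The output of the sample run is the two addresses that probed nonexistent accounts plus the one that exceeded five failures; the single failure from 192.0.2.9 followed by a successful key login stays out of the table.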
Having a macro named $ssh is unnecessary; service names listed in /etc/services are perfectly acceptable substitutes for port numbers.
pass quick on lo0 all is redundant; you already tell pf to ignore local traffic. I like keeping the block and pass rules separate... block rules first, pass rules after. Code:
# internet connected interface
ext_if="gem0"

table <ssh-violations> persist file "/etc/ssh-violations"
table <martians> const persist { 127/8, 192.168/16, 172.16/12, 10/8, 0/8, \
    169.254/16, 192.0.2/24, 240/4 }

# options
set block-policy drop
set loginterface $ext_if
set skip on lo0

# scrub
scrub in on $ext_if all

# antispoof
antispoof for $ext_if

# catch-all
block in log all
block out all

# block evil people
block in log quick from <ssh-violations> to any
block in quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>

# allow ssh connections
pass in on $ext_if proto tcp from any to any port ssh

# AMule incoming
pass in on $ext_if proto tcp from any to any port 4662 user amule
pass in on $ext_if proto udp from any to any port 4665 user amule
pass in on $ext_if proto udp from any to any port 4672 user amule

# pass out all traffic
pass out on $ext_if inet all
Note: I changed the macro $martians into a table; this makes things cleaner and saves pf from needlessly creating 2 temporary tables anyway.
Thanks a lot BSDfan666,
I see that declaring a drop policy was also redundant, since it is the default behaviour. But why don't I need the "quick" in "pass out on $ext_if inet all"?
Because you're misunderstanding the purpose of the keyword. In pf, the last rule wins; the block rules require quick because otherwise the pass rules would override them.
...or at least, that's my understanding. Hope it helps.
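Added example, not from the thread: a small POSIX sh/awk simulation of the evaluation order just described, so the effect of quick can be checked offline without a pf host. It handles only a simplified rule shape (action, in/out, optional quick, optional "to <IPv4 address>[/bits]"; tokens such as drop, on, from any, inet and all are skipped, and table names are not resolved), which is an assumption, as are the rule sets and variable names. The first rule set mirrors the ordering in the original pf.conf, where pass out quick comes before the block to the martian networks; the second mirrors the reply.

```shell
#!/bin/sh
# Added example: simulate pf's "last matching rule wins, unless quick" ordering.
# Simplified, assumed grammar (NOT a pf.conf parser):
#   <block|pass> [drop] <in|out> [quick] [on IF] [from X] [to <ipv4>[/bits]|any]
# Only the action, the direction, quick and the "to" destination are evaluated.

# evaluate "<ruleset>" <in|out> <dst-ipv4>   -> prints block or pass
evaluate() {
    printf '%s\n' "$1" | awk -v dir="$2" -v dst="$3" '
    function ip2int(ip,  o) {
        split(ip, o, ".")                # missing octets ("10/8") count as 0
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_cidr(ip, cidr,  p, bits, shift) {
        split(cidr, p, "/")
        bits = (p[2] == "") ? 32 : p[2] + 0
        shift = 2 ^ (32 - bits)          # compare the network prefix only
        return int(ip2int(ip) / shift) == int(ip2int(p[1]) / shift)
    }
    BEGIN { verdict = "pass" }           # pf passes when no rule matches at all
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
    {
        action = $1; rdir = ""; quick = 0; net = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "in" || $i == "out") rdir = $i
            else if ($i == "quick") quick = 1
            else if ($i == "to") net = $(i + 1)
        }
        if (rdir != dir) next
        if (net != "" && net != "any" && !in_cidr(dst, net)) next
        verdict = action                 # a later match overrides an earlier one...
        if (quick) exit                  # ...unless the matching rule is quick
    }
    END { print verdict }'
}

# Rule sets below are assumptions written in the simplified grammar above.

# Ordering from the original pf.conf: pass out quick precedes the martian block,
# so the block rule can never be reached for outgoing packets.
ORIGINAL_ORDER='pass out quick on gem0 inet
block drop out quick on gem0 from any to 10.0.0.0/8'

# Ordering from the reply: quick blocks first, plain pass out last.
FIXED_ORDER='block drop out quick on gem0 from any to 10.0.0.0/8
pass out on gem0 inet all'

# FIXED_ORDER without quick: the later pass out is the last match and wins.
NO_QUICK='block drop out on gem0 from any to 10.0.0.0/8
pass out on gem0 inet all'

evaluate "$ORIGINAL_ORDER" out 10.1.2.3   # pass  (block rule is dead)
evaluate "$FIXED_ORDER"    out 10.1.2.3   # block
evaluate "$FIXED_ORDER"    out 8.8.8.8    # pass
evaluate "$NO_QUICK"       out 10.1.2.3   # pass  (last matching rule wins)
```

On a real system the equivalent check is pfctl -nvf /etc/pf.conf, which parses the file and prints the expanded rule set in evaluation order without loading it, and pfctl -vsr after loading, whose per-rule Evaluations and Packets counters expose a rule that is never reached.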
I see, now I understand.
Another question: is there a way to block/allow outgoing traffic on a "per application" basis, like most Windows firewalls do? And does it make any sense?
Also, why do I need to "block out all" if at the end I allow all outgoing traffic?
No, that doesn't seem very feasible. Windows firewalls are more of a "port monitor", not a packet filter.
Using systrace(1) might be one way of doing what you want, but... not exactly perfect. Apologies.
It's better to simply block traffic, and then permit things on a case-by-case basis.
Are Windows firewalls made that way because of the plethora of malware that runs on it...?
Very nice, I've made clear quite a few things today, thanks a lot.