
DaemonForums > OpenBSD > OpenBSD Security

#1
Old 29th January 2009
gosha
Spam Deminer
Join Date: Jun 2008
Location: China
Posts: 256

please check my pf.conf

Below is my pf.conf, which I put together reading the man page and googling around.
It seems to work fine; I've been using it for quite a few months. I have a restricted user "amule" which I use to run amule (rarely, actually). Do the lines in my pf.conf make sense? (It seems they do; I remember trying to change them and thus blocking amule traffic.)
I use this computer basically as a desktop, but it is on 24h/day, so I need it to be safe.
On Google I found this script to block brute-force attacks, which works very well:

#!/bin/sh
# Rebuild the <ssh-violations> table from authlog: flush it, then re-add offenders.
pfctl -t ssh-violations -T flush
# "Invalid user" attempts: uniq -d only sees adjacent duplicates, so sort first.
for ips in `cat /var/log/authlog | grep sshd | grep "Invalid" | awk '{print $10}' | sort | uniq -d` ; do
       pfctl -t ssh-violations -T add $ips
done
# "Failed" attempts: count per source address, add anyone over 5 failures.
cat /var/log/authlog | grep sshd | grep "Failed" | rev  | cut -d\  -f 4 | rev | sort | uniq -c | \
( while read num ips; do
    if [ $num -gt 5 ]; then
         # check the table itself ("pfctl -s rules" never lists table members)
         if ! pfctl -t ssh-violations -T show | grep -qF "$ips" ; then
                pfctl -t ssh-violations -T add $ips
         fi
    fi
done )

ssh= "{ 22 }"
table <ssh-violations> persist file "/etc/ssh-violations"
# options
set block-policy drop
set state-policy if-bound
set loginterface $ext_if
set optimization normal
set skip on lo0

# scrub
scrub in on $ext_if all
pass quick on lo0 all
antispoof for $ext_if

block in log all
block out all
block in quick log from <ssh-violations> to any
pass on $ext_if proto tcp from any to any port $ssh
pass on $ext_if proto tcp from any to any port 4662 user amule
pass on $ext_if proto udp from any to any port 4665 user amule
pass on $ext_if proto udp from any to any port 4672 user amule
pass on $ext_if proto tcp from any to any port 4712 user amule
pass on $ext_if proto tcp from any to any port 4661 user amule
pass out quick on $ext_if inet

martians = "{,, \
    ,,, \
    , }"

block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

Any comments or suggestions will be greatly appreciated

#2
Old 29th January 2009
BSDfan666
Real Name: N/A, this is the interweb.
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

Having a macro named $ssh is unnecessary, service names listed in /etc/services are perfectly acceptable substitutes for port numbers.

pass quick on lo0 all is redundant, you already tell pf to ignore local traffic.

I like keeping the block and pass rules separate... block rules first, pass rules after.
# internet connected interface

table <ssh-violations> persist file "/etc/ssh-violations"
table <martians> const persist { 127/8, 192.168/16, 172.16/12, 10/8, 0/8, \
169.254/16, 192.0.2/24, 240/4 }

# options
set block-policy drop
set loginterface $ext_if
set skip on lo0

# scrub
scrub in on $ext_if all

# antispoof
antispoof for $ext_if

# catch-all
block in log all
block out all

# block evil people
block in log quick from <ssh-violations> to any
block in quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>

# allow ssh connections
pass in on $ext_if proto tcp from any to any port ssh

# AMule incoming
pass in on $ext_if proto tcp from any to any port 4662 user amule
pass in on $ext_if proto udp from any to any port 4665 user amule
pass in on $ext_if proto udp from any to any port 4672 user amule

# pass out all traffic
pass out on $ext_if inet all

Hope it helps, I do recommend reading the OpenBSD pf FAQ, and perhaps buying Peter NM Hansteen's new PF book.

#3
Old 29th January 2009
BSDfan666

Note: I changed the macro $martians into a table.. this makes things cleaner, and.. saves pf from needlessly creating 2 temporary tables anyway.

#4
Old 29th January 2009
gosha

Thanks a lot BSDfan666,
I see that declaring a drop policy was also redundant, since it is default behaviour.
But why don't I need the "quick" in "pass out on $ext_if inet all"?

#5
Old 30th January 2009
BSDfan666

Because you're misunderstanding the purpose of the keyword. In pf.. the last rule wins; the block rules require the quick because otherwise the pass rules would override them.

..or at least, that's my understanding.

Hope it helps.

#6
Old 30th January 2009
gosha

I see, now I understand.
Another question: is there a way to block/allow outgoing traffic on a "per application" basis, like most Windows firewalls do? And does it make any sense?

#7
Old 30th January 2009
gosha

Also, why do I need to "block out all" if at the end I allow all outgoing traffic?

#8
Old 30th January 2009
BSDfan666

No, that doesn't seem very feasible.. Windows firewalls are more of a "port monitor", not a packet filter.

Using systrace(1) might be one way of doing what you want, but.. not exactly perfect.


#9
Old 30th January 2009
BSDfan666

Originally Posted by gosha:
    Also, why do I need to "block out all" if at the end I allow all outgoing traffic?

It might seem redundant, but it's not.. you're blocking "all" outgoing traffic, the last rule is passing out all "IPv4" packets.

It's better to simply block traffic, and then.. permit things on a case-by-case basis.
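To make post #5's point (the last matching rule wins unless it is quick) and post #9's point ("block out all" followed by "pass out ... inet") concrete, here is a small added Python model of pf's rule evaluation. It is an illustration written for this thread, not pf code and not either poster's pf.conf; the 192.0.2.10 table entry is a constructed sample address.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Packet:
    direction: str            # "in" or "out"
    af: str                   # "inet" (IPv4) or "inet6" (IPv6)
    src: str
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str                        # "pass" or "block"
    match: Callable[[Packet], bool]    # the rule's criteria as a predicate
    quick: bool = False

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """pf semantics: the LAST matching rule decides, except that a matching
    'quick' rule ends evaluation on the spot. With no match at all, pf passes."""
    verdict = "pass"
    for r in rules:
        if r.match(pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict

# Constructed stand-in for the <ssh-violations> table (a TEST-NET-1 address).
SSH_VIOLATIONS = {"192.0.2.10"}

def ruleset(block_quick: bool) -> List[Rule]:
    """The thread's block-first, pass-after skeleton; block_quick toggles the
    'quick' keyword on the table rule so the two behaviours can be compared."""
    return [
        Rule("block", lambda p: p.direction == "in"),                     # block in log all
        Rule("block", lambda p: p.direction == "out"),                    # block out all
        Rule("block", lambda p: p.direction == "in" and p.src in SSH_VIOLATIONS,
             quick=block_quick),                                          # block in [quick] from <ssh-violations>
        Rule("pass", lambda p: p.direction == "in" and p.dport == 22),    # pass in ... port ssh
        Rule("pass", lambda p: p.direction == "out" and p.af == "inet"),  # pass out on $ext_if inet all
    ]

def ssh_from_offender(block_quick: bool) -> str:
    """Table member trying SSH: blocked only if the table rule is quick; otherwise the later pass rule wins."""
    return evaluate(ruleset(block_quick), Packet("in", "inet", "192.0.2.10", 22))

def outbound(af: str) -> str:
    """'block out all' followed by 'pass out inet': IPv4 leaves, IPv6 stays blocked."""
    return evaluate(ruleset(True), Packet("out", af, "198.51.100.1"))
```

Without quick, the listed address still gets through on port 22 because "pass in ... port ssh" is the last match; the "block out all" line matters for IPv6, which the IPv4-only pass rule never re-opens.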

#10
Old 30th January 2009
gosha

Are Windows firewalls made that way because of the plethora of malware that runs on it...?

#11
Old 30th January 2009
gosha

Very nice, I've made clear quite a few things today, thanks a lot.