
Configuring PF - FreeBSD

  1. #1

    Re: Configuring PF

    Hi Pat,

    > Is there any place I can find a good default ruleset for a server, and
    > just change what ports I want open?
    pf originates at openbsd. There you'll find lots of documentation, the
    pf-faq, and the (as always in the BSD world) excellent manpages.

    In addition there's the pf-repository at: [url]https://solarflux.org/pf/[/url]

    And there are some books which include examples.

    > Also, I've noticed that some rulesets will have different flags and
    > keep state on for certain TCP ports, but not others. For example, at
    > [url]https://www.section6.net/help/pf.php[/url] I found:
    > #WebServer, HTTPS, 8000
    > pass in on $extif proto tcp from any to any port 80 flags S/SA
    > pass in on $extif proto tcp from any to any port $tcp_services flags
    > S/SA synproxy state
    >
    > tcp_services is {22, 443}
    >
    > I don't understand why they use synproxy state for 22 and 443, but not 80
    Because synproxy as a security feature has a drawback: speed. Do you
    understand what synproxy does? It completes the three-way handshake at
    the firewall first and only if this succeeds it forwards the connection
    to the (web)server. This takes some small amount of time.

    Acceptable with protocols like ssh and https but mostly unacceptable
    with http.


    -volker
    Volker Kindermann Guest

  2. #2

    Re: Configuring PF

    I've managed to come up with something that works so far. I am having
    two problems though.

    The first is that I can't authenticate for IMAP anymore. No clue why,
    it just keeps rejecting my password. maillog shows imapd: LOGIN
    FAILED, that's it.

    Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
    block in log on $ext_if proto udp all

    So all UDP ports should be shown as closed. Doesn't really make any
    sense to me. Anyone care to help?

    Thanks for the help so far.

    Pat


    On Wed, 16 Feb 2005 13:26:37 +0100, Volker Kindermann <mlps102.de> wrote:
    > Hi Pat,
    >
    >
    > > Is there any place I can find a good default ruleset for a server, and
    > > just change what ports I want open?
    >
    > pf originates at openbsd. There you'll find lots of documentation, the
    > pf-faq, and the (as always in the BSD world) excellent manpages.
    >
    > In addition there's the pf-repository at: [url]https://solarflux.org/pf/[/url]
    >
    > And there are some books which include examples.
    >
    >
    > > Also, I've noticed that some rulesets will have different flags and
    > > keep state on for certain TCP ports, but not others. For example, at
    > > [url]https://www.section6.net/help/pf.php[/url] I found:
    > > #WebServer, HTTPS, 8000
    > > pass in on $extif proto tcp from any to any port 80 flags S/SA
    > > pass in on $extif proto tcp from any to any port $tcp_services flags
    > > S/SA synproxy state
    > >
    > > tcp_services is {22, 443}
    > >
    > > I don't understand why they use synproxy state for 22 and 443, but not 80
    >
    > Because synproxy as a security feature has a drawback: speed. Do you
    > understand what synproxy does? It completes the three-way handshake at
    > the firewall first and only if this succeeds it forwards the connection
    > to the (web)server. This takes some small amount of time.
    >
    > Acceptable with protocols like ssh and https but mostly unacceptable
    > with http.
    >
    > -volker
    > _______________________________________________
    > [email]freebsd-questions@freebsd.org[/email] mailing list
    > [url]http://lists.freebsd.org/mailman/listinfo/freebsd-questions[/url]
    > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
    >
    Pat Maddox Guest

  3. #3

    Re: Configuring PF

    On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <pergesu> wrote:
    > I've managed to come up with something that works so far. I am having
    > two problems though.
    >
    > The first is that I can't authenticate for IMAP anymore. No clue why,
    > it just keeps rejecting my password. maillog shows imapd: LOGIN
    > FAILED, that's it.
    >
    > Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
    > block in log on $ext_if proto udp all
    >
    > So all UDP ports should be shown as closed. Doesn't really make any
    > sense to me. Anyone care to help?
    >
    > Thanks for the help so far.
    >
    > Pat
    Start with a default policy to block and log all traffic

    # --- default policy
    block log from any to any

    Now you only have to open ports to let traffic in. If you don't know
    which port to open for a certain protocol, you can run "tcpdump -eni
    pflog0". tcpdump will show which rule blocked, and on which port
    address combination.

    =Adriaan=
    J65nko BSD Guest
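
Adriaan's suggestion above is to read the pflog output to see which rule blocked which port/address combination. The script below, an added example that is not part of the thread and not part of pf, parses lines in the shape `tcpdump -eni pflog0` prints (rule number, action, direction, interface, then the packet) and groups the blocked packets by rule, direction, protocol and destination port. The sample lines are constructed (addresses, rule numbers and ports are made up) and the TCP/UDP guess from the packet tail is this script's own heuristic.

```python
"""Summarise blocked traffic from `tcpdump -eni pflog0` output.

Added example, not from the thread or from pf. pf copies every packet that
hits a rule carrying `log` to the pflog0 interface; with -e tcpdump prefixes
each packet with the matching rule number, action and direction. The sample
lines below are constructed to look like that output and the protocol guess
is this script's own heuristic.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: two SYNs to imap, a UDP probe to ntp, one accepted ssh SYN,
# and one outbound DNS query that the ruleset blocked.
PFLOG_SAMPLE = """\
14:02:11.501233 rule 0/0(match): block in on fxp0: 203.0.113.7.40211 > 198.51.100.2.143: Flags [S], seq 10, win 65535, length 0
14:02:12.503870 rule 0/0(match): block in on fxp0: 203.0.113.7.40212 > 198.51.100.2.143: Flags [S], seq 11, win 65535, length 0
14:02:13.120004 rule 0/0(match): block in on fxp0: 203.0.113.9.51000 > 198.51.100.2.123: UDP, length 48
14:02:14.000912 rule 3/0(match): pass in on fxp0: 203.0.113.7.40213 > 198.51.100.2.22: Flags [S], seq 12, win 65535, length 0
14:02:15.334100 rule 0/0(match): block out on fxp0: 198.51.100.2.55012 > 192.0.2.53.53: UDP, length 31
"""

# "rule N/M(reason): action dir on ifname: src.sport > dst.dport: rest"
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)"
)


def guess_proto(rest):
    """Heuristic: tcpdump prints 'Flags [..]' for TCP and 'UDP, length N' for UDP."""
    if "Flags [" in rest:
        return "tcp"
    if rest.startswith("UDP"):
        return "udp"
    return "other"


def parse_pflog(text):
    """Yield one dict per logged packet; lines without ports (e.g. ICMP) are skipped."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        pkt = m.groupdict()
        for field in ("rule", "sport", "dport"):
            pkt[field] = int(pkt[field])
        pkt["proto"] = guess_proto(pkt["rest"])
        yield pkt


def blocked_summary(text):
    """Group blocked packets by (rule, direction, proto, dst port) with their sources."""
    counts = Counter()
    sources = defaultdict(set)
    for pkt in parse_pflog(text):
        if pkt["action"] != "block":
            continue
        key = (pkt["rule"], pkt["dir"], pkt["proto"], pkt["dport"])
        counts[key] += 1
        sources[key].add(pkt["src"])
    return [
        {"rule": k[0], "dir": k[1], "proto": k[2], "dport": k[3],
         "packets": counts[k], "sources": sorted(sources[k])}
        for k in sorted(counts)
    ]


if __name__ == "__main__":
    # Feed it real output with: tcpdump -eni pflog0 -l > pflog.txt
    for row in blocked_summary(PFLOG_SAMPLE):
        print(row)
```

An outbound entry in the summary (like the blocked query to port 53 in the sample) is the kind of thing to look for when a service on the box starts misbehaving right after pf is enabled: the pass-in rules may be fine while the default deny is eating replies or lookups the service needs.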

  4. #4

    Re: Configuring PF

    Can you guys let me know if this looks like a good conf file? I've
    got web, mail, ftp, ssh, and DNS that I need to have open.

    # Macros
    ext_if="fxp0"
    SYN_ONLY="S/FSRA"
    tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
    icmp_types = "echoreq"

    # Default deny
    block all

    ## Filtering rules

    # Default TCP policy
    block return-rst in log on $ext_if proto TCP all
    pass in log quick on $ext_if proto TCP from any to $ext_if port $tcp_services flags $SYN_ONLY keep state

    # Default UDP policy
    block in log on $ext_if proto udp all
    pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state

    # Default ICMP policy
    block in log on $ext_if proto icmp all
    pass in inet proto icmp all icmp-type echoreq keep state

    block out log on $ext_if all
    pass out log quick on $ext_if from $ext_if to any keep state

    # Allow the local interface to talk unrestricted
    pass in quick on lo0 all
    pass out quick on lo0 all



    On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <j65nko> wrote:
    > On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <pergesu> wrote:
    > > I've managed to come up with something that works so far. I am having
    > > two problems though.
    > >
    > > The first is that I can't authenticate for IMAP anymore. No clue why,
    > > it just keeps rejecting my password. maillog shows imapd: LOGIN
    > > FAILED, that's it.
    > >
    > > Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
    > > block in log on $ext_if proto udp all
    > >
    > > So all UDP ports should be shown as closed. Doesn't really make any
    > > sense to me. Anyone care to help?
    > >
    > > Thanks for the help so far.
    > >
    > > Pat
    >
    > Start with a default policy to block and log all traffic
    >
    > # --- default policy
    > block log from any to any
    >
    > Now you only have to open ports to let traffic in. If you don't know
    > which port to open for a certain protocol, you can run "tcpdump -eni
    > pflog0". tcpdump will show which rule blocked, and on which port
    > address combination.
    >
    > =Adriaan=
    >
    Pat Maddox Guest

  5. #5

    Re: Configuring PF

    On Fri, 18 Feb 2005 00:28:30 -0700, Pat Maddox <pergesu> wrote:
    > Can you guys let me know if this looks like a good conf file? I've
    > got web, mail, ftp, ssh, and DNS that I need to have open.
    >
    > # Macros
    > ext_if="fxp0"
    > SYN_ONLY="S/FSRA"
    > tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
    > icmp_types = "echoreq"
    >
    > # Default deny
    > block all
    >
    > ## Filtering rules
    >
    > # Default TCP policy
    > block return-rst in log on $ext_if proto TCP all
    This block rule is not needed; you already have a "default deny policy".
    > pass in log quick on $ext_if proto TCP from any to $ext_if port $tcp_services flags $SYN_ONLY keep state
    >
    > # Default UDP policy
    > block in log on $ext_if proto udp all
    This block rule is not needed; you already have a "default deny policy".
    > pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state
    >
    > # Default ICMP policy
    > block in log on $ext_if proto icmp all
    This block rule is not needed; you already have a "default deny policy".
    > pass in inet proto icmp all icmp-type echoreq keep state
    >
    > block out log on $ext_if all
    This block rule is not needed; you already have a "default deny policy".
    > pass out log quick on $ext_if from $ext_if to any keep state
    >
    > # Allow the local interface to talk unrestricted
    > pass in quick on lo0 all
    > pass out quick on lo0 all
    >
    >
    > On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <j65nko> wrote:
    > > On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <pergesu> wrote:
    > > > I've managed to come up with something that works so far. I am having
    > > > two problems though.
    > > >
    > > > The first is that I can't authenticate for IMAP anymore. No clue why,
    > > > it just keeps rejecting my password. maillog shows imapd: LOGIN
    > > > FAILED, that's it.
    > > >
    > > > Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
    > > > block in log on $ext_if proto udp all
    > > >
    > > > So all UDP ports should be shown as closed. Doesn't really make any
    > > > sense to me. Anyone care to help?
    > > >
    > > > Thanks for the help so far.
    > > >
    > > > Pat
    > >
    > > Start with a default policy to block and log all traffic
    > >
    > > # --- default policy
    > > block log from any to any
    > >
    > > Now you only have to open ports to let traffic in. If you don't know
    > > which port to open for a certain protocol, you can run "tcpdump -eni
    > > pflog0". tcpdump will show which rule blocked, and on which port
    > > address combination.
    > >
    > >
    How about this?
    # ------- pf.conf skeleton for server
    # j65nko freebsdforums.org
    #
    # --------------- MACRO Section -----------------

    EXT_IF="fxp0"

    PING = "echoreq"

    # --- allowed incoming services initiated by clients

    TCP_IN = "{ ssh, smtp, pop3, imap, http, https }"
    #UDP_IN = "{ domain }"

    # --- allowed services initiated by server

    TCP_OUT = "{ smtp }"
    UDP_OUT = "{ domain }"

    # ------------------ TABLE Section --------------

    # ------------------ OPTIONS Section
    set loginterface $EXT_IF

    # --------- TRAFFIC NORMALIZATION ----------------
    scrub in all
    # ---------- TRANSLATION Section (NAT/RDR)

    # ---------- FILTER section

    # --- DEFAULT POLICY
    block log all

    # --- LOOPBACK
    pass quick on lo0 all

    # ======================= INCOMING ================
    # ----------- EXTERNAL INTERFACE

    # --- TCP
    pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

    # --- UDP
    #pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

    # --- ICMP
    #pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state


    # ======================= OUTGOING ================
    # ----------- EXTERNAL INTERFACE

    # --- TCP
    pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

    # --- UDP
    pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

    # --- ICMP
    pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

    # ----------------- end of pf.conf

    =Adriaan=
    J65nko BSD Guest
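
Adriaan's review of Pat's ruleset (post #4) makes one point four times: once the file opens with a default deny, the narrower `block` rules are dead weight, and it is the `pass in` rules on the external interface that decide what is exposed. The script below, an added example that is neither the thread's nor pf's code, encodes both checks and runs them over Pat's ruleset (copied from post #4, with the mail-wrapped TCP pass line joined). The macro expansion and keyword handling are heuristics written for this example, not pfctl's grammar; `pfctl -nf /etc/pf.conf` remains the real syntax check.

```python
"""Static checks for a pf.conf ruleset.

Added example, not code from the thread or from pf. It checks two things the
replies above point out: after a default deny (`block all`, `block log all`,
`block log from any to any`) later `block` rules are redundant, and the
`pass in` rules that can match on the external interface are what actually
expose services. PF_CONF is the ruleset posted in the thread; the parsing is
this example's own heuristic, not pfctl's grammar.
"""
import re

PF_CONF = """\
# Macros
ext_if="fxp0"
SYN_ONLY="S/FSRA"
tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
icmp_types = "echoreq"

# Default deny
block all

## Filtering rules

# Default TCP policy
block return-rst in log on $ext_if proto TCP all
pass in log quick on $ext_if proto TCP from any to $ext_if port $tcp_services flags $SYN_ONLY keep state

# Default UDP policy
block in log on $ext_if proto udp all
pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state

# Default ICMP policy
block in log on $ext_if proto icmp all
pass in inet proto icmp all icmp-type echoreq keep state

block out log on $ext_if all
pass out log quick on $ext_if from $ext_if to any keep state

# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')
# modifiers that do not narrow what a block rule matches
MODIFIERS = {"log", "quick", "return", "return-rst", "return-icmp", "drop"}


def parse_rules(text):
    """Return (macros, rules); rules are token lists with $macros expanded."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        rules.append(line.split())
    return macros, rules


def is_default_deny(tokens):
    """True for a block rule that matches everything once modifiers are ignored."""
    rest = [t for t in tokens[1:] if t not in MODIFIERS]
    return tokens[0] == "block" and rest in (["all"], ["from", "any", "to", "any"])


def redundant_blocks(rules):
    """Block rules that follow a default deny and are narrower than it."""
    seen_default, redundant = False, []
    for tokens in rules:
        if is_default_deny(tokens):
            seen_default = True
        elif seen_default and tokens[0] == "block":
            redundant.append(" ".join(tokens))
    return redundant


def _ports(tokens):
    """Ports after the `port` keyword: `port 53`, `port { 21, 22 }`, `port ssh`."""
    if "port" not in tokens:
        return []
    i = tokens.index("port") + 1
    if tokens[i].startswith("{"):
        j = i
        while not tokens[j].endswith("}"):
            j += 1
        spec = " ".join(tokens[i:j + 1])
    else:
        spec = tokens[i]
    items = [p.strip() for p in spec.strip("{} ").split(",") if p.strip()]
    return [int(p) if p.isdigit() else p for p in items]


def exposed_services(rules, ext_if):
    """Map proto -> ports opened by `pass in` rules that can match on ext_if."""
    exposed = {}
    for tokens in rules:
        if tokens[0] != "pass" or "in" not in tokens[1:3]:
            continue
        if "on" in tokens and tokens[tokens.index("on") + 1] != ext_if:
            continue                              # bound to another interface, e.g. lo0
        proto = tokens[tokens.index("proto") + 1].lower() if "proto" in tokens else "any"
        exposed.setdefault(proto, set()).update(_ports(tokens))
    # numeric ports first, service names after, each group sorted
    return {p: sorted(v, key=lambda x: (isinstance(x, str), x)) for p, v in exposed.items()}


if __name__ == "__main__":
    macros, rules = parse_rules(PF_CONF)
    for rule in redundant_blocks(rules):
        print("redundant after default deny:", rule)
    print("exposed on", macros["ext_if"], exposed_services(rules, macros["ext_if"]))
```

Run against Pat's ruleset it reports exactly the four `block` rules Adriaan flagged, and shows TCP 21/22/25/53/80/143, UDP 53 and ICMP echo reachable on fxp0; it also accepts service names in port lists, so Adriaan's skeleton (`port { ssh, smtp, pop3, imap, http, https }`) parses the same way.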

  6. #6

    Re: Configuring PF

    On Mon, Feb 14, 2005 at 09:32:25PM -0700, Pat Maddox wrote:
    > I want to install a firewall on my system. First of all, is PF the
    > one I should be using? It seems to get the most recommendations.
    >
    > I don't actually seem to have any problems configuring it - I just
    > have some problems testing the configuration. I can ssh to the box,
    > and I can access port 80...but I'd like to be able to just scan it to
    > quickly see what's up. When PF is disabled, I can nmap it in about 9
    > seconds. When I turn it on, it takes over 3 minutes to do. These
    > machines are on the same network, so the connection is obviously fast.
    This is a good thing, IMHO. Think about all those script kiddies
    sitting out there looking for a nice, juicy server to compromise. If it
    takes them 3 minutes to port scan your machine, they'll probably cancel
    it before it's finished and move on.

    I believe what's happening is that all ports that aren't open are
    configured to drop packets instead of reject them like is default.
    Reject means send back an error message saying port is closed where
    dropping just ignores it. The port scanner sends out a request and
    waits for a response, either "Hello," or "Sorry, I'm closed." It will
    wait quite a while before it decides that nothing's there.
    >
    > Are there any good, pretty simple guides on setting up PF? I'm having
    > a tough time understanding what the rulesets all mean.
    --
    I sense much NT in you.
    NT leads to Bluescreen.
    Bluescreen leads to downtime.
    Downtime leads to suffering.
    NT is the path to the darkside.
    Powerful Unix is.

    Public Key: [url]ftp://ftp.tallye.com/pub/lorenl_pubkey.asc[/url]
    Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C

    Loren M. Lang Guest

  7. #7

    Re: Configuring PF

    On Sun, 20 Feb 2005 06:23:39 -0800, Loren M. Lang <lorenlalzatex.com> wrote:
    > On Mon, Feb 14, 2005 at 09:32:25PM -0700, Pat Maddox wrote:
    > > I want to install a firewall on my system. First of all, is PF the
    > > one I should be using? It seems to get the most recommendations.
    > >
    > > I don't actually seem to have any problems configuring it - I just
    > > have some problems testing the configuration. I can ssh to the box,
    > > and I can access port 80...but I'd like to be able to just scan it to
    > > quickly see what's up. When PF is disabled, I can nmap it in about 9
    > > seconds. When I turn it on, it takes over 3 minutes to do. These
    > > machines are on the same network, so the connection is obviously fast.
    >
    > This is a good thing, IMHO. Think about all those script kiddies
    > sitting out there looking for a nice, juicy server to compromise. If it
    > takes them 3 minutes to port scan your machine, they'll probably cancel
    > it before it's finished and move on.
    That makes sense to me. I'd still like to be able to scan it the
    first time around to make sure everything's working, then I can just
    set it to drop packets, so it takes longer.

    I'd still like to find a good example config file that works well for
    a web server.


    >
    > I believe what's happening is that all ports that aren't open are
    > configured to drop packets instead of reject them like is default.
    > Reject means send back an error message saying port is closed where
    > dropping just ignores it. The port scanner sends out a request and
    > waits for a response, either "Hello," or "Sorry, I'm closed." It will
    > wait quite a while before it decides that nothing's there.
    >
    > >
    > > Are there any good, pretty simple guides on setting up PF? I'm having
    > > a tough time understanding what the rulesets all mean.
    >
    > --
    > I sense much NT in you.
    > NT leads to Bluescreen.
    > Bluescreen leads to downtime.
    > Downtime leads to suffering.
    > NT is the path to the darkside.
    > Powerful Unix is.
    >
    > Public Key: [url]ftp://ftp.tallye.com/pub/lorenl_pubkey.asc[/url]
    > Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
    >
    >
    Pat Maddox Guest

  8. #8

    Re: Configuring PF

    On Sun, 20 Feb 2005 11:42:41 -0700, Pat Maddox <pergesu> wrote:
    >
    > I'd still like to find a good example config file that works well for
    > a web server.
    >
    I posted an easy to adapt config file 3 days ago, haven't you seen it?
    J65nko BSD Guest
