How to filter incoming traffic when using rdr-anchor (bastille+sshguard)?

Hi,
I am trying to implement a shared interface jail setup using bastille and to stop brute-forcing using sshguard.

I am using the following configuration from the bastille documentation:

Code:
ext_if="vtnet0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA modulate state

Where and how would I need to put the <sshguard> pf table that holds all blacklisted hosts, if I want the blacklisted hosts to be locked out from both all NATed services and the host's services?

I manage to block access to the host's services (like sshd), but fail to block access to the jails because the NAT rules are applied before the block rules.

Thank you,

klauspeter
 
Code:
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

These three lines are used by Bastille to add jail IPs to the <jails> table. The purpose of the anchor rule is so these rules can be placed at the anchor placeholder (before the block all rule) to allow the jails access to the outside world.

The flow is that the IPs get placed into the <jails> table.
NAT is being done to all IPs in that table.
The rdr/* is used for port redirects. (forwarding a host port to a jail port)

I don't know enough about rdr and tables to guide you to a best practice, but I do know enough about Bastille to tell you how it uses those rules.

Hoping someone could jump in here...
 
The "problem" is that bastille injects rdr pass rules when using bastille rdr .... Due to the addition of pass, any and all other rules are skipped. In other words, there's no way to filter that traffic with additional rules in pf.conf.
 
So there is no other way for me than to use manual nat configuration instead of using bastille rdr, correct?
Thank you for your help!
 
Correct. You will have to add the needed rdr and pass as separate rules yourself. Then filtering will work as expected.

Just add
Code:
table <sshguard> persist
for the sshguard table.

Then your first rules should be something like:
Code:
block in on $ext_if all # Block everything incoming by default
block in quick on $ext_if proto tcp from <sshguard> to any # block any sshguard flagged connections
pass in on $ext_if proto tcp from any to ($ext_if) port 22

I typically just block everything if it's flagged by sshguard, not just the connection to ssh.
Code:
block in quick on $ext_if from <sshguard> to any
 
Don't use the bastille rdr command and put your own in /etc/pf.conf.
I am running a VPS with Bastille jails and here is how I proceed:
Code:
# Jailed Hosts
mailsrv  = "192.168.0.5"
wwwsrv   = "192.168.0.6"

# SSHGuard attackers table
table <sshguard> persist

# Dynamic list of jails managed by BastilleBSD
table <jails> persist

nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr on $ext_if inet proto tcp to port $mail_services -> $mailsrv
rdr on $ext_if inet proto tcp to port $www_services -> $wwwsrv
rdr-anchor "rdr/*"

# Block attackers detected by SSHGuard.
block in quick from <sshguard>
.
.
.
# Allow access to our mail server.
pass in on $ext_if inet proto tcp to port $mail_services

# Allow access to our Web servers.
pass in on $ext_if inet proto tcp to port $www_services
I am giving you just an extract of my /etc/pf.conf; there are more rules in mine in production.
rdr-anchor "rdr/*" is here to avoid some warnings from Bastille.
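A complete /etc/pf.conf that puts the advice from this thread together (an added example, not taken from any post here; the interface name, jail addresses and the mail/web port lists are assumptions to adjust for your setup):

```pf
# Added example, not from the thread. Interface, jail addresses and port lists
# below are assumptions; replace them with your own values.
ext_if = "vtnet0"

# Jailed hosts (assumed addresses)
mailsrv = "192.168.0.5"
wwwsrv  = "192.168.0.6"
mail_services = "{ 25, 465, 587, 993 }"   # assumed port list
www_services  = "{ 80, 443 }"             # assumed port list

table <sshguard> persist   # sshguard's pf backend adds attackers with: pfctl -t sshguard -T add
table <jails> persist      # filled by Bastille when jails start

set block-policy return
set skip on lo
scrub in on $ext_if all fragment reassemble

nat on $ext_if from <jails> to any -> ($ext_if:0)

# Plain rdr without the "pass" keyword: the redirected packet still passes
# through the filter rules below, so the <sshguard> block can catch it.
rdr on $ext_if inet proto tcp to port $mail_services -> $mailsrv
rdr on $ext_if inet proto tcp to port $www_services  -> $wwwsrv

# What "bastille rdr" injects instead. With "rdr pass" a matching packet is
# passed without consulting the filter rules, so <sshguard> never sees it.
# rdr pass on $ext_if inet proto tcp to port 80 -> $wwwsrv

rdr-anchor "rdr/*"         # kept so Bastille does not warn; stays empty

block in all
antispoof quick for $ext_if inet

# Attackers flagged by sshguard: drop everything from them, host and jails alike.
# "quick" ends rule evaluation, so this must precede every pass in rule.
block in quick on $ext_if from <sshguard> to any

# Host service.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA modulate state

# Jail services: filter rules see the packet after rdr, so the destination
# is already the jail address.
pass in on $ext_if inet proto tcp to $mailsrv port $mail_services
pass in on $ext_if inet proto tcp to $wwwsrv  port $www_services

pass out quick keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm ordering with `pfctl -sr` afterwards: the sshguard block must be listed ahead of the pass in rules.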
 