Hi,
I use FreeBSD 9.0 on a 64-bit HP server. I use ALTQ, so I recompiled the kernel with these added options:
Code:
# Packet Filter
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
#options ALTQ_NOPCC # SMP only (multi-processor machines)
Reboot is OK. Then I configured PF for in/out filtering, QoS and brute-force protection.
Code:
ext_if = "em0"
tcp_port_ftp = "{ 20, 21 }"
udp_port_dns = "{ 53 }"
udp_port_snmp = "{ 161 }"
tcp_port = "{ 20, 21, 25, 80, 110, 143, 8025, 4949 }"
tcp_port_ssh = "{ 22 }"
icmp_types = "echoreq"
# Do not filter on the loopback interface
set skip on lo0
# Normalise all incoming packets.
scrub in all
# QoS for outgoing packets
#http://www.freebsdonline.com/content/view/512/531/
# adjust to taste; "25Mb" is 25 megabits per second (ALTQ only shapes outbound traffic)
altq on $ext_if cbq bandwidth 25Mb queue { dflt, ssh }
queue dflt bandwidth 70% cbq( default )
queue ssh bandwidth 20% cbq
# Default-deny policy.
block in all
block out all
# Enable spoofing protection on the external interface.
antispoof log quick for $ext_if inet
#antispoof log for { $ext_if, lo0 } inet
# activate reverse-path (uRPF) spoofing protection for all interfaces
block in quick from urpf-failed
# ICMP rules
pass in inet proto icmp all icmp-type $icmp_types
# Let incoming connections to the server's services through
# (on FreeBSD 9 "pass" keeps state by default, so replies are matched by state)
pass in on $ext_if proto tcp from any to $ext_if port $tcp_port queue dflt
# SSH (separate rule when QoS is used; a queue on an "in" rule applies to the reply packets)
#pass in on $ext_if proto tcp from any to $ext_if port $tcp_port_ssh
pass in on $ext_if proto tcp from any to $ext_if port $tcp_port_ssh queue ssh
# Allow incoming SNMP requests
pass in on $ext_if proto udp from 91.212.205.0/24 to $ext_if port $udp_port_snmp
# Enable the next rule if the server runs a DNS server
# that external clients query
#pass in on $ext_if proto udp from any to $ext_if port $udp_port_dns
pass out on $ext_if proto udp from $ext_if port $udp_port_dns to any
# Allow DNS queries to remote servers
pass out on $ext_if proto udp from $ext_if to any port $udp_port_dns
# allow all outgoing traffic originating from the installed services
pass out on $ext_if proto tcp from $ext_if port $tcp_port to any queue dflt
pass out on $ext_if proto tcp from $ext_if port $tcp_port_ssh to any
#pass out on $ext_if proto tcp from $ext_if port $tcp_port_ssh to any queue ssh
# allow port 4242 connections on the local network
pass in on $ext_if proto tcp from 91.212.205.0/24 to $ext_if port 4242
pass out on $ext_if proto tcp from $ext_if to 91.212.205.0/24 port 4242
# allow connections to remote web servers
pass out on $ext_if proto tcp from $ext_if to any port 80
pass out on $ext_if proto tcp from $ext_if to any port 443
pass out on $ext_if proto tcp from $ext_if to any port 25
# allow connections to the remote time server
pass in on $ext_if proto udp from 195.220.94.163 port 123 to $ext_if
pass out on $ext_if proto udp from $ext_if to 195.220.94.163 port 123
# Load the ftpsesame rules for FTP connection tracking
anchor "ftpsesame/*" on $ext_if
# Brute-force protection
# Create the tables
#table <ssh_abuse> persist
table <http_abuse> persist
table <whitelist> persist file "/etc/pf_whitelist"
table <blacklist> persist file "/etc/pf_blacklist"
# Block the addresses held in the tables on the relevant ports.
# "quick" makes PF skip every other filter rule
# for these packets
# let whitelisted IPs through immediately
pass in quick on $ext_if from <whitelist>
# block blacklisted IPs immediately
block in quick log on $ext_if from <blacklist>
#block in quick on $ext_if proto tcp from <ssh_abuse> to $ext_if port 22
block in quick log on $ext_if proto tcp from <http_abuse> to $ext_if port 80
# to block everything to and from the brute-force IPs
block quick from <http_abuse>
block quick to <http_abuse>
# if there are more than 2 connections per 10 seconds to the ssh port,
# add the offending IP to the ssh_abuse table
#pass in inet proto tcp to any port 22 flags S/SA keep state (max-src-conn-rate 2/10, overload <ssh_abuse> flush global)
# If one IP holds more than 100 simultaneous established connections, or opens
# more than 20 connections in 5 seconds, put it in the http_abuse table
pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 100, max-src-conn-rate 20/5, overload <http_abuse> flush)
This is my /etc/rc.conf file:
Code:
pf_enable="YES"
pf_rules="/etc/pf_in_out.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags=""
PF is active. pftop shows connections. But after a few ssh commands, PF blocks all connections. I look at the log with:
tcpdump -n -e -ttt -r /var/log/pflog
and
tcpdump -vv -s 256 -n -e -ttt -i pflog0
There is nothing in this log, nothing in the <http_abuse> table, and nothing in /var/log/messages.
Does this behaviour seem correct? Does anyone have a problem like this? Could you help me find my mistake?
Have a nice day.
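An added diagnostic for the "blocked, but nothing in pflog" symptom (this is not part of the post above and not the poster's code). Only rules that carry `log` write to pflog0; in the posted ruleset the catch-all `block in all` / `block out all` have no `log`, so a drop by either of them leaves pflog and the tcpdump output empty while the rule's counters in `pfctl -vvsr` still advance. The script snapshots those per-rule counters before and after reproducing the hang and prints the rules whose Packets counter grew, which points at the rule doing the dropping without changing the ruleset. The two snapshot texts are constructed to match the shape of FreeBSD `pfctl -vvsr` output, and 192.0.2.10 is a placeholder for the server's em0 address.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post. It reduces two
# "pfctl -vvsr" snapshots (taken before and after reproducing the hang) to
# per-rule packet counters and lists the rules whose counter increased.
# Assumes FreeBSD pfctl; the samples in demo() are constructed.

# Dump the loaded ruleset with per-rule counters (rule numbers shown as @N).
snapshot_rules() {
    pfctl -vvsr
}

# Reduce one snapshot to "rulenum<TAB>packets<TAB>rule text", one line per rule.
rule_counters() {
    awk '
        /^@[0-9]+ / { n = substr($1, 2); rule[n] = substr($0, length($1) + 2) }
        /Packets:/  { for (i = 1; i <= NF; i++) if ($i == "Packets:") pk[n] = $(i + 1) }
        END         { for (n in pk) printf "%s\t%s\t%s\n", n, pk[n], rule[n] }
    ' "$1" | sort -n
}

# Compare two snapshots and print the rules whose packet counter grew.
diff_rule_counters() {
    b=$(mktemp) || return 1
    a=$(mktemp) || return 1
    rule_counters "$1" > "$b"
    rule_counters "$2" > "$a"
    awk -F '\t' '
        NR == FNR             { before[$1] = $2; next }
        ($2 - before[$1]) > 0 { printf "@%s +%d packets  %s\n", $1, $2 - before[$1], $3 }
    ' "$b" "$a"
    rm -f "$b" "$a"
}

# Offline demo on constructed snapshots (192.0.2.10 is a placeholder address).
# On the real box:
#   snapshot_rules > before.txt; reproduce the hang; snapshot_rules > after.txt
#   diff_rule_counters before.txt after.txt
demo() {
    before=$(mktemp); after=$(mktemp)
    cat > "$before" <<'EOF'
@0 scrub in all fragment reassemble
  [ Evaluations: 1200      Packets: 1200      Bytes: 96000       States: 0     ]
@1 block drop in all
  [ Evaluations: 400       Packets: 3         Bytes: 180         States: 0     ]
@2 block drop out all
  [ Evaluations: 400       Packets: 0         Bytes: 0           States: 0     ]
@3 pass in on em0 inet proto tcp from any to 192.0.2.10 port = ssh flags S/SA keep state queue ssh
  [ Evaluations: 20        Packets: 980       Bytes: 80000       States: 1     ]
EOF
    cat > "$after" <<'EOF'
@0 scrub in all fragment reassemble
  [ Evaluations: 1500      Packets: 1500      Bytes: 120000      States: 0     ]
@1 block drop in all
  [ Evaluations: 700       Packets: 250       Bytes: 15000       States: 0     ]
@2 block drop out all
  [ Evaluations: 700       Packets: 0         Bytes: 0           States: 0     ]
@3 pass in on em0 inet proto tcp from any to 192.0.2.10 port = ssh flags S/SA keep state queue ssh
  [ Evaluations: 20        Packets: 980       Bytes: 80000       States: 1     ]
EOF
    diff_rule_counters "$before" "$after"
    rm -f "$before" "$after"
}

demo
```

In the constructed sample only `@0` (scrub) and `@1` (`block drop in all`) advance, which is what a silent default-deny looks like: the SSH pass rule stops matching and the unlogged block swallows the packets. Companion checks worth running at the same moment are `pfctl -t http_abuse -T show` (is the address really absent from the table), `pfctl -ss` (did the SSH state disappear), `pfctl -si` (state-table counters and limits) and `pfctl -vsq` (queue drops under the 20% `ssh` queue). Temporarily writing the catch-alls as `block in log all` / `block out log all` makes the same drops visible with the two tcpdump commands from the post.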