Ok,
So I've been working with Freebsd now for 2 months. I'm currently running a couple of 7.0 servers including a PF firewall. Everyday I follow the same routine.
RUN CVSUP
Followed by pkgdb -F, portsdb -Uu, portversion -l '<'
I then read both /usr/src/UPDATING and /usr/ports/UPDATING
Once I think everything is fine, I run portupgrade -arR and then portaudit -Fda.
Is this considered a proper approach to keeping the system to date?
I was also looking for some feedback on my PF.conf file. It took me a long time to understand everything but I feel somewhat secure with what I've constructed. Here it is:
ext_if="rl0"
int_if="rl1"
dmz_if="fxp0"
bad_guys="{125.60.241.227, 205.234.225.159}"
internal_nets="192.168.0.0/24"
dmz_nets="172.16.0.0/24"
rdp_server="172.16.0.89"
www_server="172.16.0.80"
www_ssh="172.16.0.80"
trusted_rdp="{}"
trusted_www="{}"
norouteip = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
trusted_nets = "{ 192.168.0.0/24 }"
trusted_hosts = "{192.168.0.69/32}"
client_out="{ftp-data, cvspserver, ftp, ssh, domain, pop3, auth, nntp, http, https, 8080, 8000}"
www = "{80, 443}"
udp_services = "{domain, ntp}"
sshport="22669"
rdp="3389"
# Set Optimizations: Set some values to better utilize memory.
set block-policy drop
set limit { frags 5000, states 2500, src-nodes 2000 }
set loginterface $ext_if
set optimization aggressive
set timeout { interval 10, frag 30 }
#Normalization: reassemble fragments and resolve or reduce traffic #ambiguities.
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
scrub on $ext_if reassemble tcp
nat on $ext_if from $dmz_nets to any -> ($ext_if)
nat on $ext_if from $internal_nets to any -> ($ext_if)
rdr on $ext_if proto {tcp, udp} from $trusted_rdp to any port $rdp -> $rdp_server
rdr on $ext_if proto tcp from $trusted_rdp to any port $www -> $www_server
block all
#needed this or nmap scans showed ports as filtered
block in quick on rl0 proto {tcp, udp} from any to any flags FUP/FUP
block quick on $ext_if from $bad_guys
pass in inet proto tcp from any to $ext_if port $sshport
pass in inet proto tcp from $trusted_www to $www_server port $www keep state
pass in inet proto {tcp, udp} from $trusted_rdp to $rdp_server port $rdp keep state
pass out quick on $dmz_if proto tcp from $trusted_rdp to $www_server port $www keep state
pass out quick on $dmz_if proto tcp from $trusted_rdp to $rdp_server port $rdp keep state
pass out quick on $dmz_if proto tcp from $trusted_hosts to $www_ssh port 22 keep state
#Let traffic out for the External Interface
pass out quick on $ext_if inet proto tcp from $ext_if to any flags S/SA keep state
pass out quick on $ext_if inet proto udp from $ext_if to any keep state
pass out quick on $ext_if inet proto icmp from $ext_if to any keep state
#Outbound Rules for the Firewall
#Pass ISAKMP out
pass out quick on $ext_if inet proto udp from $ext_if to any port = 500 keep state
pass out quick on $ext_if inet proto udp from $ext_if to any port = 4500 keep state
pass out quick on $ext_if inet proto esp from $ext_if to any keep state
#Allow cvsup to dmz hosts
pass in quick on $dmz_if inet proto tcp from any to any port cvsup keep state
pass out quick on $dmz_if inet proto tcp from any to any port cvsup keep state
#Let Internal Traffic Flow Freely to DMZ
pass in quick on $dmz_if inet proto tcp from $trusted_hosts to $dmz_nets keep state
pass inet proto tcp from $www_ssh to !$internal_nets port $sshport
pass inet proto tcp from 172.16.0.1 to $www_ssh keep state
#Let Internal Traffic Flow out
pass inet proto tcp from $internal_nets to any port $client_out
pass inet proto udp from $internal_nets to any port $udp_services
#Let Trusted Host Anywhere
pass inet proto {tcp, udp, icmp} from $trusted_hosts to any keep state
Thanks for reading and hopefully I'll be able to contribute to this forum as time passes.
Sincerely,
Fatman
So I've been working with Freebsd now for 2 months. I'm currently running a couple of 7.0 servers including a PF firewall. Everyday I follow the same routine.
RUN CVSUP
Followed by pkgdb -F, portsdb -Uu, portversion -l '<'
I then read both /usr/src/UPDATING and /usr/ports/UPDATING
Once I think everything is fine, I run portupgrade -arR and then portaudit -Fda.
Is this considered a proper approach to keeping the system to date?
I was also looking for some feedback on my PF.conf file. It took me a long time to understand everything but I feel somewhat secure with what I've constructed. Here it is:
ext_if="rl0"
int_if="rl1"
dmz_if="fxp0"
bad_guys="{125.60.241.227, 205.234.225.159}"
internal_nets="192.168.0.0/24"
dmz_nets="172.16.0.0/24"
rdp_server="172.16.0.89"
www_server="172.16.0.80"
www_ssh="172.16.0.80"
trusted_rdp="{}"
trusted_www="{}"
norouteip = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
trusted_nets = "{ 192.168.0.0/24 }"
trusted_hosts = "{192.168.0.69/32}"
client_out="{ftp-data, cvspserver, ftp, ssh, domain, pop3, auth, nntp, http, https, 8080, 8000}"
www = "{80, 443}"
udp_services = "{domain, ntp}"
sshport="22669"
rdp="3389"
# Set Optimizations: Set some values to better utilize memory.
set block-policy drop
set limit { frags 5000, states 2500, src-nodes 2000 }
set loginterface $ext_if
set optimization aggressive
set timeout { interval 10, frag 30 }
#Normalization: reassemble fragments and resolve or reduce traffic #ambiguities.
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
scrub on $ext_if reassemble tcp
nat on $ext_if from $dmz_nets to any -> ($ext_if)
nat on $ext_if from $internal_nets to any -> ($ext_if)
rdr on $ext_if proto {tcp, udp} from $trusted_rdp to any port $rdp -> $rdp_server
rdr on $ext_if proto tcp from $trusted_rdp to any port $www -> $www_server
block all
#needed this or nmap scans showed ports as filtered
block in quick on rl0 proto {tcp, udp} from any to any flags FUP/FUP
block quick on $ext_if from $bad_guys
pass in inet proto tcp from any to $ext_if port $sshport
pass in inet proto tcp from $trusted_www to $www_server port $www keep state
pass in inet proto {tcp, udp} from $trusted_rdp to $rdp_server port $rdp keep state
pass out quick on $dmz_if proto tcp from $trusted_rdp to $www_server port $www keep state
pass out quick on $dmz_if proto tcp from $trusted_rdp to $rdp_server port $rdp keep state
pass out quick on $dmz_if proto tcp from $trusted_hosts to $www_ssh port 22 keep state
#Let traffic out for the External Interface
pass out quick on $ext_if inet proto tcp from $ext_if to any flags S/SA keep state
pass out quick on $ext_if inet proto udp from $ext_if to any keep state
pass out quick on $ext_if inet proto icmp from $ext_if to any keep state
#Outbound Rules for the Firewall
#Pass ISAKMP out
pass out quick on $ext_if inet proto udp from $ext_if to any port = 500 keep state
pass out quick on $ext_if inet proto udp from $ext_if to any port = 4500 keep state
pass out quick on $ext_if inet proto esp from $ext_if to any keep state
#Allow cvsup to dmz hosts
pass in quick on $dmz_if inet proto tcp from any to any port cvsup keep state
pass out quick on $dmz_if inet proto tcp from any to any port cvsup keep state
#Let Internal Traffic Flow Freely to DMZ
pass in quick on $dmz_if inet proto tcp from $trusted_hosts to $dmz_nets keep state
pass inet proto tcp from $www_ssh to !$internal_nets port $sshport
pass inet proto tcp from 172.16.0.1 to $www_ssh keep state
#Let Internal Traffic Flow out
pass inet proto tcp from $internal_nets to any port $client_out
pass inet proto udp from $internal_nets to any port $udp_services
#Let Trusted Host Anywhere
pass inet proto {tcp, udp, icmp} from $trusted_hosts to any keep state
Thanks for reading and hopefully I'll be able to contribute to this forum as time passes.
Sincerely,
Fatman
