PF Firewall sample rules

From an article about OpenBSD they had the following lines of rules:
Code:
set block-policy drop
set skip on lo0
match in all scrub (no-df)
antispoof quick for (egress)
block in quick on egress from { no-route urpf-failed } to any
block in all
pass out quick inet keep state

And then from what I use now for FreeBSD, I have:

Code:
#tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
#udp_services = "{ domain }"
set skip on lo0
scrub in all
block in all
pass out all keep state

Which is better? Or can the one for OpenBSD not work on FreeBSD systems?
 
There is no such thing as better or worse. The rules that you quoted have some anti-spoofing options. Both rulesets have the same mistake: no logging, and they allow any traffic to pass out. (The quoted rules block outbound IPv6.)

My rules usually begin like this:
Code:
scrub in on $ext_if all fragment reassemble
block log all
And outgoing IPv4 goes like this:
Code:
pass out quick log on $ext_if inet proto tcp from any to any port $tcp_outgoing modulate state
pass out quick log on $ext_if inet proto udp from any to any port $udp_outgoing keep state
I generally allow some ICMP codes but they are always placed last.
 
Code:
#tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
#udp_services = "{ domain }"
set block-policy drop
set skip on lo0
scrub in on $ext_if all fragment reassemble
block log all
pass out quick log on $ext_if inet proto tcp from any to any port $tcp_outgoing modulate state
pass out quick log on $ext_if inet proto udp from any to any port $udp_outgoing keep state
How does my revised rule set look now? And is it supposed to be just block log all or block in log all or block log in all?
 
Both 'block log all' and 'block in log all' are fine and would effectively do the same thing since the next rule is to allow outbound. The last is a syntax error. I usually start with the very general 'block log all' and break it down with more and more granular rules from there. Some traffic I want to block but is expected noise so I don't want any logging to pflog(4). If it's not the expected noise then the initial 'block log all' matches it and I can figure out if it is unusual or not.

It's also worth mentioning there are a bunch of examples to draw from in /usr/share/examples/pf/ and the pf.conf(5) manual is very detailed.
 

That's how I get rid of the "noise" :)

Code:
### Get rid quickly of Internet noise like the Microsoft NetBIOS service.
### This accounts for 80% of dropped traffic. We don't need to log this either.
block in quick on $ext_if proto tcp from any to any port $netbios_tcp
block in quick on $ext_if proto udp from any to any port $netbios_udp
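Pulling the advice from the replies above into one ruleset, as an added example that is not from any poster in this thread: a logged default block first, the expected-noise blocks as unlogged quick rules, stateful outbound IPv4, and ICMP last. The interface name em0 and the port lists are assumptions to adapt to the host.

```pf
# Added example pf.conf (not from the thread). Interface and port lists are assumptions.
ext_if = "em0"
tcp_outgoing = "{ ssh, smtp, domain, www, https }"
udp_outgoing = "{ domain, ntp }"
netbios_tcp = "{ 137, 138, 139, 445 }"
netbios_udp = "{ 137, 138 }"

set block-policy drop
set skip on lo0
scrub in on $ext_if all fragment reassemble

# Default policy: drop everything and log it to pflog0, so anything that is not
# handled by a later rule shows up for review.
block log all

# Expected noise: drop it without logging so it does not swamp pflog.
# "quick" stops evaluation here, so these packets never reach the logged default.
block in quick on $ext_if proto tcp from any to any port $netbios_tcp
block in quick on $ext_if proto udp from any to any port $netbios_udp

# Drop packets arriving on $ext_if with source addresses belonging to this host's networks.
antispoof quick for $ext_if

# Outbound IPv4 only, stateful; modulate state also randomises TCP initial sequence numbers.
pass out quick log on $ext_if inet proto tcp from any to any port $tcp_outgoing modulate state
pass out quick log on $ext_if inet proto udp from any to any port $udp_outgoing keep state

# ICMP last: echo requests only, in both directions; replies are matched by state.
pass in quick on $ext_if inet proto icmp all icmp-type echoreq keep state
pass out quick on $ext_if inet proto icmp all icmp-type echoreq keep state
```

Check the syntax before loading with pfctl -nf /etc/pf.conf (this is also where a misordered keyword such as block log in all is reported), and watch what the logged default is catching with tcpdump -n -e -ttt -i pflog0. A port that keeps appearing there at high volume is a candidate for its own unlogged quick block rule, as with the NetBIOS rules.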
 
One thing I'd like to mention is that OpenBSD's PF is newer than FreeBSD's. So be careful when following OpenBSD-based tutorials. They may use features of PF that FreeBSD may not have. But besides that you can usually follow most tutorials; the new features are mostly advanced settings or options, and basic rule sets should be fairly similar.
 