first configuration:suggestions/ideas

Hello all:

I just recently set up a basic pf rule configuration. I'm curious what else I can do to secure this at the firewall level. My main concern is being able to limit DOS attacks, as well as limit the damage an attacker could do if he/she were able to gain access to an account. Since only one account has su, I need to be able to block users from outbound. So the idea basically is to be able to block, say, www from sending outbound to anything but 25 since I need to send mail, and block every other user from using any outbound at all.
Any other tips, ideas/suggestions/etc on how I could make my ruleset better would be welcome. I'm aiming for the best setup I can possibly have.
Code:
if="em0"
tcp_services="{ 22, 80 }"
set block-policy drop
set skip on lo
set loginterface $if
block in log
#antispoof
#ensures that packets supposedly coming from a loopback address aren't coming from external interfaces.
antispoof quick for { lo $if }
pass out from any to any
pass in on $if proto tcp from any to any port $tcp_services keep state

Thanks in advance,
~Sorressean
 
@sorressean,

your idea of blocking outbound connections is really the right way. Unfortunately, most admins think that their network is safe and allow all kinds of outbound traffic.
However, I didn't see any policy for this in your rules. A good example is always to start by blocking everything and then allowing specific services (incoming / outgoing).

block log all

This policy is always present in my firewalls. PF, Checkpoint, Cisco etc.

Then you go by specifying what outbound and inbound services you want to allow. A good practice is to use PF's synproxy state ability.

Code:
#INCOMING
pass in log on $ext_if proto tcp from any to any port $tcp_in flags S/SA synproxy state
pass in log inet proto icmp all icmp-type $usefull_icmp
#OUTGOING
pass out log on $ext_if proto tcp from any to any port $tcp_out modulate state
pass out log on $ext_if proto udp from any to $my_dns port domain modulate state

DOS attacks can be somehow limited by using synproxy state, but there is really very little you can do against a DDOS attack with a network firewall. In any case, by filtering outgoing traffic you limit the damage an intruder can do. You can also catch an intruder more easily if you see dropped outgoing packets.

Hope this helps,
George
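As an added example (not from either post), here is a complete pf.conf that combines the two posts: default deny in both directions, synproxy state for the public services, and pf's "user" option to give the original poster the per-account outbound policy asked for (root unrestricted, www only to port 25, everyone else blocked). The interface name, service lists and resolver address are assumptions for illustration.

```pf
# Added example, not the ruleset of either poster. Interface, ports and the
# DNS address below are constructed placeholders; adjust them to your host.
ext_if="em0"
tcp_in="{ 22, 80 }"
my_dns="{ 192.0.2.53 }"               # constructed placeholder resolver
useful_icmp="{ echoreq, unreach }"

set block-policy drop
set skip on lo
set loginterface $ext_if

# drop packets that claim a loopback or local source on the wrong interface
antispoof quick for { lo $ext_if }

# default deny, both directions, logged: blocked outbound attempts show up in pflog
block log all

# INCOMING: only the offered services; pf completes the TCP handshake itself
pass in log on $ext_if proto tcp from any to any port $tcp_in flags S/SA synproxy state
pass in log on $ext_if inet proto icmp all icmp-type $useful_icmp

# OUTGOING, restricted by the local user that owns the socket.
# root (the only account with su in the original post) may connect anywhere
pass out log on $ext_if proto tcp from any to any user root modulate state
pass out log on $ext_if proto udp from any to any user root keep state
# the web server account may only deliver mail
pass out log on $ext_if proto tcp from any to any port 25 user www modulate state
# name resolution for any account (mail delivery needs it)
pass out log on $ext_if proto udp from any to $my_dns port domain keep state
# every other user and destination falls through to "block log all"
```

The "user" option matches the effective uid of the local socket, so it only applies to connections originating on the firewall host itself; check the syntax with `pfctl -nf /etc/pf.conf` before loading it.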
 