Hardening BSD.

You may want to disable core dumps. They take up large areas of disk, and for a normal computer user (I don't think normal users use FreeBSD; mostly developers and hackers, etc.) they are of no use, but for a developer core dumps can be useful, so:
Either change where they go:
kern.corefile=/tmp/%N.core
changes the core dump path to /tmp, so they will be removed soon, or
kern.coredump=0
kern.corefile=/dev/null
to disable core dumps.
 
If you don't run a server a firewall is not needed.
To see the services you are running,...
I know exactly what services are running on all 7 of the laptops I have running FreeBSD. (I never have gotten around to converting my T61 Kali box to FreeBSD, but will eventually.)

Code:
root@bakemono:/ # sockstat -46
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS    
jitte    firefox    6594  33 tcp4   192.168.1.24:36322    172.217.8.214:443
jitte    firefox    6594  69 tcp4   192.168.1.24:19951    192.0.73.2:443
jitte    firefox    6594  74 tcp4   192.168.1.24:41533    104.26.9.142:443
jitte    firefox    6594  90 tcp4   192.168.1.24:19949    172.217.4.110:443
jitte    firefox    6594  114 tcp4  192.168.1.24:43428    35.165.120.205:443
jitte    firefox    3560  69 tcp4   192.168.1.24:20731    104.26.9.142:443
jitte    firefox    3560  73 tcp4   192.168.1.24:45701    172.217.8.214:443
jitte    firefox    3560  74 tcp4   192.168.1.24:21964    194.1.236.159:443
jitte    firefox    3560  99 tcp4   192.168.1.24:32835    172.217.4.110:443
jitte    firefox    3560  114 tcp4  192.168.1.24:43428    35.165.120.205:443
jitte    firefox    3560  121 tcp4  192.168.1.24:52357    104.91.166.200:80
jitte    firefox    3560  127 tcp4  192.168.1.24:12513    185.248.101.126:443
jitte    firefox    3560  191 tcp4  192.168.1.24:59240    194.1.236.213:443
jitte    firefox    2551  33 tcp4   192.168.1.24:56266    173.194.54.73:443
jitte    firefox    2551  69 tcp4   192.168.1.24:20731    104.26.9.142:443
jitte    firefox    2551  73 tcp4   192.168.1.24:45701    172.217.8.214:443
jitte    firefox    2551  99 tcp4   192.168.1.24:32835    172.217.4.110:443
jitte    firefox    2551  114 tcp4  192.168.1.24:43428    35.165.120.205:443
jitte    firefox    96329 68 tcp4   192.168.1.24:32834    172.217.8.214:443
jitte    firefox    96329 99 tcp4   192.168.1.24:32835    172.217.4.110:443
jitte    firefox    96329 114 tcp4  192.168.1.24:43428    35.165.120.205:443
jitte    firefox    96329 124 tcp4  192.168.1.24:32836    104.26.9.142:443
jitte    firefox    96329 141 tcp4  192.168.1.24:32837    173.194.162.200:443
jitte    firefox    96329 144 tcp4  192.168.1.24:32838    173.194.162.200:443
jitte    firefox    96329 161 tcp4  192.168.1.24:32839    172.217.6.110:443
jitte    firefox    96329 167 tcp4  192.168.1.24:32840    142.250.190.1:443
jitte    firefox    94365 54 tcp4   192.168.1.24:43423    34.107.221.82:80
jitte    firefox    94365 55 tcp4   192.168.1.24:23631    99.84.160.40:443
jitte    firefox    94365 68 tcp4   192.168.1.24:30388    34.107.221.82:80
jitte    firefox    93712 25 tcp4   192.168.1.24:41055    204.109.59.195:443
jitte    firefox    93712 74 tcp4   192.168.1.24:41533    104.26.9.142:443
jitte    firefox    93712 90 tcp4   192.168.1.24:19949    172.217.4.110:443
jitte    firefox    93712 114 tcp4  192.168.1.24:43428    35.165.120.205:443
root     sendmail   33515 3  tcp4   127.0.0.1:25          *:*
avahi    avahi-daem 31540 14 udp4   *:5353                *:*
avahi    avahi-daem 31540 15 udp6   *:5353                *:*
avahi    avahi-daem 31540 16 udp4   *:40212               *:*
avahi    avahi-daem 31540 17 udp6   *:50354               *:*
ntpd     ntpd       26589 20 udp6   *:123                 *:*
ntpd     ntpd       26589 21 udp4   *:123                 *:*
ntpd     ntpd       26589 22 udp4   192.168.1.24:123      *:*
ntpd     ntpd       26589 23 udp6   ::1:123               *:*
ntpd     ntpd       26589 24 udp6   fe80::1%lo0:123       *:*
ntpd     ntpd       26589 25 udp4   127.0.0.1:123         *:*
root@bakemono:/ #

I also know exactly what traffic my ruleset will and will not allow. I've run a rule-based firewall for over 20 years and carried my port 0 rule over from my Win98 box running ConSeal PC Firewall:

Code:
root@bakemono:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.24 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state

STATES:
all tcp 192.168.1.24:43428 -> 35.165.120.205:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.24:59330 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.24:54387 -> 104.78.127.155:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.24:46509 -> 192.0.73.2:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.24:14910 -> 104.26.9.142:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.24:40342 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.24:46074 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2

INFO:
Status: Enabled for 1 days 10:49:40           Debug: Urgent

State Table                          Total             Rate
  current entries                        7             
  searches                          617292            4.9/s
  inserts                             3767            0.0/s
  removals                            3760            0.0/s
Counters
  match                               8825            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s

LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000

OS FINGERPRINTS:
762 fingerprints loaded
root@bakemono:/ #

I'll gladly post it again because I want to be able to support my argument with facts.

IPv6 is blocked both ways and I don't even set it up during the build. I don't enable SSH during the build either or allow any remote access even for myself, because I only need local access.

I still get my daily Security Report, and TCP port 25 is blocked from outside access, as are avahi-daemon and NTP; everything is fully functional and the ruleset doesn't break anything.

Could you explain to me, why one would want a firewall running on a desktop? I have all my devices sitting behind my pfsense-router with restrictive firewall and suricata-IDS (for the servers). If I don't explicitly make a mistake, no device should ever (try to) communicate with the internet in a way not intended by me. And then there is still the firewall on my router.
I don't watch videos people post to make their case.

I have a commercial NetGear router with a firewall running SPI between a passthru cable modem and my laptops. I usually keep 3 online and am going to have to set up one to run some interface for the upcoming Online Turing Test on June 5th that Demonica is participating in; I believe it wants TCP port 8000.

Could either of you explain to me on the basis of facts alone, backed up with said facts, why I would not want a tight pf ruleset running on my laptops?

Opinion-based statements like "If you don't run a server a firewall is not needed." just don't move me like cold hard facts. Not like they did the guy in chat when I told him the LAN designation of every one of his machines on it:


That was years ago but it was available in the ports tree until relatively recently and still is on Kali.
 
An interesting aspect of security, especially for networks, is redundancy.
You have a firewall between your home network and your broadband connection? Fantastic, that is step 0 in keeping your systems secure.
But what if it goes down or is compromised? The rest of your assets are at risk.
Having a firewall on each individual machine is the redundant part.
A simple "workstation" profile that basically is default deny and only allows a few things out or in is not going to be noticeable unless you are running explicit 10G speed tests on the network.
If your home network is a mix of FreeBSD and Windows and Macs, running a firewall on your workstation can drop all the noise that a Win10 machine makes for no good reason.

Keep in mind how most machines are compromised now: phishing/scams/malware that a user winds up loading onto their machine. That compromised machine will try and reach out to others on the same network, so again a firewall on a machine can help mitigate that.

I am not trying to convince anyone they must or must not run a firewall on a workstation. Simply "I have always done so, even though the network is behind a firewall device". The above is my reasoning, because my systems, my choice. Conversely, your systems, your choice.
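The "workstation" profile described above (default deny, a few things out, nothing in), written out as a pf.conf in source form together with the dry-run check a practitioner runs before loading it. This is an added example, not the ruleset or file of anyone in the thread; it assumes the uplink interface is em0 and that the machine runs nothing that must accept inbound connections.

```sh
#!/bin/sh
# Added example, not the thread author's ruleset: a default-deny "workstation"
# pf.conf in source form, plus the dry-run check before loading it.
# Assumptions: the uplink interface is em0 (change $ext_if to match yours)
# and the machine runs nothing that must accept inbound connections.

write_workstation_pf_conf() {
    cat > "$1" <<'EOF'
ext_if = "em0"

set block-policy drop
set skip on lo0

# Reassemble fragments before filtering so rules see whole packets
scrub in on $ext_if all fragment reassemble

# Drop packets whose source address could not legitimately arrive here
antispoof log quick for { lo0 $ext_if }
block drop in quick from no-route to any
block drop in quick from urpf-failed to any

# Port zero is never legitimate in either direction
block drop log quick proto { tcp udp } from any port 0 to any
block drop log quick proto { tcp udp } from any to any port 0

# Default deny, logged; nothing below opens an inbound port
block drop log all

# Outbound from this host only; state keeps the replies flowing back
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto { udp icmp } all keep state
EOF
}

# Syntax-check without loading (pfctl -nf). Where pf is absent the check is
# skipped so the file can still be generated and reviewed.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; skipping syntax check for $1" >&2
    fi
}

conf=$(mktemp) || exit 1
write_workstation_pf_conf "$conf"
check_pf_conf "$conf" && cat "$conf"
rm -f "$conf"
```

Once `pfctl -nf` is clean, the file is loaded with `pfctl -f /etc/pf.conf`. Because the only `pass` rules are `out`, any service that genuinely has to accept connections (the port 8000/8080 interface mentioned later in the thread, for instance) needs its own explicit `pass in` rule, ideally restricted to the source addresses that should reach it; everything else stays logged and dropped by `block drop log all`.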
 
Could either of you explain to me on the basis of facts alone, backed up with said facts, why I would not want a tight pf ruleset running on my laptops?

Of course you can do it; the CPU and memory load has now become minimal and it does not have negative side effects (as long as you can physically connect to the console in case of trouble, a luxury you don't have managing remote machines, where a mistake can cost you hundreds of bucks for the service block and KVM-over-IP rental. And it happens).
As far as I'm concerned, desktop firewalls are essentially useful for logging (debugging), not much more.
As is well known, if something is not there it cannot malfunction; this is especially true for services and software in general.
If I don't have an FTP server, I don't really need a firewall blocking its ports.
Just an example.

However, it would be interesting, conversely, for you to explain how the security of a normal desktop PC connected to a normal router (like a FRITZ!Box or whatever) costing 50-200 euros would improve.

In practice, and not just in theory.
 
Of course you can do it; the CPU and memory load has now become minimal and it does not have negative side effects (as long as you can physically connect to the console in case of trouble, a luxury you don't have managing remote machines, where a mistake can cost you hundreds of bucks for the service block and KVM-over-IP rental. And it happens).
As far as I'm concerned, desktop firewalls are essentially useful for logging (debugging), not much more.
As is well known, if something is not there it cannot malfunction; this is especially true for services and software in general.
If I don't have an FTP server, I don't really need a firewall blocking its ports.
Just an example.

However, it would be interesting, conversely, for you to explain how the security of a normal desktop PC connected to a normal router (like a FRITZ!Box or whatever) costing 50-200 euros would improve.

In practice, and not just in theory.
As a desktop user since FreeBSD 6.?, I have had the firewall active all the time and I haven't had any problems, and my wife has run Windows on her computer all her computing life and she hasn't had any problems either.
Now I am using the IPFW firewall and IMO it is very "tight", but that is because I am learning networking and firewalls these days too :). BTW, I am running unbound too, which helps me block some default Firefox links.
And as mer wrote, my firewall catches all the noise from my wife's machine.
 
Could you explain to me, why one would want a firewall running on a desktop
How about, more generally, why would you want to run a firewall behind a firewall?
Here is my real-life example. I use an xSense firewall behind my cable modem.
But on my NanoBSD Wireless Access Point I also use pf for NAT.
So my thought was, since I am using pf, why not lock down wireless with a different, more restrictive set of rules?
It makes it harder for my wireless clients but I like it.
It all comes down to creating a security posture you are happy with.
 
How about, more generally, why would you want to run a firewall behind a firewall?
Here is my real-life example. I use an xSense firewall behind my cable modem.
But on my NanoBSD Wireless Access Point I also use pf for NAT.
So my thought was, since I am using pf, why not lock down wireless with a different, more restrictive set of rules?
It makes it harder for my wireless clients but I like it.
It all comes down to creating a security posture you are happy with.
I use firewall on laptop.
I don't have IPv6 (deleted from the kernel, including servers that I don't need), as this destroys anything related to privacy and still has a lot of bugs.
I use chained SSL-tunneled VPNs and Tor if I need to protect my privacy.
For connecting I use only VM clients and browse the internet with Firefox, which has a heavily modified prefs.js, and block default Firefox connections at startup with pf (e.g. 3.0.0.0/8, 13.0.0.0/8, 34.0.0.0/8). But this is about privacy more than security. I doubt that I stand a chance against someone who would target my box, so best not to piss off people online.
 
Could you explain to me, why one would want a firewall running on a desktop?
Defence-in-depth. Layer upon layer. Any flaws, mistakes, vulnerabilities in the higher layers caught by the lower layers. Redundancy. (EDIT: oops posted this before reading all the replies, so just repeated what others have said).
 
Aeterna said:
block default firefox connections at startup with pf (e.g. 3.0.0.0/8, 13.0.0.0/8, 34.0.0.0/8)
Why do you block these ranges? Or do you mean /24 instead of /8?
I don't use a firewall on the desktop other than for logging. I think it's better to keep an eye on server processes with # sockstat -46.
 
How about, more generally, why would you want to run a firewall behind a firewall?
Redundancy and Layered Security.
Here is my real-life example. I use an xSense firewall behind my cable modem.
But on my NanoBSD Wireless Access Point I also use pf for NAT.
So my thought was, since I am using pf, why not lock down wireless with a different, more restrictive set of rules?
It makes it harder for my wireless clients but I like it.
I have WiFi and Bluetooth disabled on every device and run an Ethernet LAN. Makes it twice as hard to hack my wireless as yours.

Who's to say my NetGear router is not going to become vulnerable to the Next Big Thingy? And who's to say how long that will go undetected/unannounced/unpatched?

It keeps logs and is stopping a lot of traffic. If I'm logged in here and spoof my MAC like in my tutorial and refresh the browser I'll lose Internet connectivity if that MAC doesn't appear in the tables of those allowed net access.
de:ad:be:ef:b0:0b doesn't fly unless I've already said let's go to McDonald's.


But I have Limited_Control over it and Can_Not_Block one NetGear_Administration_Port with a rule on Their_Firewall.


I have total control and full Admin Rights over pf and my ruleset works to protect those Rights.

I've had a pfSense router/firewall and liked it a lot. Except for the fact the Dell tower I was running gave me some of the highest electricity bills I've had in the 13 years I've lived here.

If I could run one off a Thinkpad with an inexpensive network card adaptor, like we talked about once, I'd have a pf FreeBSD router/firewall in between my cable modem and each laptop running my ruleset.


I have to host the Loebner Prize Protocol 2 (LPP2) socket standards interface, meaning it wants port 8080, which is a proxy hunters' port, for Demonica on one of my machines and leave it on for 24 hours the day of the Online Turing Test.

I'll run pftop and tcpdump to see exactly what it wants and that only. I have a T400 with Intel Core2 Duo P8600 @ 2.4GHz and 8GB RAM that far exceeds the hardware of my Dell tower.

Because I know you're all going to vote for the best conversational bot. I'll be posting about it soon.

It all comes down to creating a security posture you are happy with.
I could have just stopped there but it's been a long time since Court Adjourned, Counselor.
 
Does someone really think that a firewall, or two, or ten, that allow connections to 8080 is more secure?
This is nonsense, until you make a list of external IPs.
I do it all day, allowing only my static IPs to connect to customers' firewalls (and logging).
But if you run *something* on port X, where are the benefits?
Let's say your Netgear does 1:1 NAT to your laptop.
So... what will happen?
This is the question I pose to myself when dealing with security.
It is really hard for me to understand why one would block port 80, for example, if nothing is listening on that port.

You cannot do the same thing on Windows, where you have dozens of services that silently open ports and even send data to Microsoft. In this case I prefer a cheap Zywall box because it is easier to get periodical HTML logs with the IPs to be blocked (I am very lazy), but this is Windows.

PS: for OPNsense or whatever, the best electrical choice is an ESXi server (consolidating servers, NAS, whatever) or a little NUC if you do not like vSphere.
PS2: damned Chinese smartphone keyboard!!
 
Starting to sound like arguing in circles here.

Do firewalls protect against everything? No, of course not.
Do they help prevent things? Yes.
Does every single machine need to run one? Probably not.

So the point that I have been trying to make, is computer security is largely about what you feel you need. If running a firewall locally on your machine makes sense to you, it really doesn't matter what other people think or try to tell you.
 
Starting to sound like arguing in circles here.

Do firewalls protect against everything? No, of course not.
Do they help prevent things? Yes.
Does every single machine need to run one? Probably not.

So the point that I have been trying to make, is computer security is largely about what you feel you need. If running a firewall locally on your machine makes sense to you, it really doesn't matter what other people think or try to tell you.
I do not think so.
It is computer science, not music nor art.

The question is easy.
If you do not want to log, or to restrict 'someone' connecting to you (and you do not use Windows), what does a desktop firewall do in practice?
How?

The answer is simple: nothing, if you do not have services (sharing something on your LAN), for example.

In a mixed LAN, with Windows and maybe Samba and maybe a NAS and maybe an IP printer and smartphones with FTP sharing and a smart TV, a firewall on a BSD machine does nothing to protect the printer or the NAS or the fridge.

Those are facts, not an opinion or feeling.

Therefore desktop firewall yes or no?

Do as you like, but don't pretend to affirm opinion over facts
 
I think firewalls are totally useless for this kind of issue,
And you're right. A firewall is not the End All Answer To All solution to computer security. I never said it was.

That link is to a 2002 article on Flash being a delivery system for malware. Do a forum search for the mention of NoScript in my previous posts. I can't begin to guess how many times I've said the biggest threat to surfing the net is allowing JavaScript globally, but I should have been getting paid as a representative long ago.

Control of the clicking finger is something only the user can implement in themselves.

Does someone really think that a firewall, or two, or ten, that allow connections to 8080 is more secure?
This is nonsense, until you make a list of external IPs.
That's why I'm going to run pftop and tcpdump to see exactly what it wants when I write a rule for it. I have to keep the interface loaded in Firefox and up 24 hours for the Turing Test.

You can believe I won't be allowing access to anything that isn't needed for it to run. It should only serve as a link to her Personality Forge chat page using my API to allow remote chat.

TCP ports 25, 80, 110, 3128, 8000, and 8080 are ports I've personally used as proxies on unsecured machines around the World, so I know what time it is in Irkutsk when it comes to leaving them open to random access.
 
Why do you block these ranges? Or do you mean /24 instead of /8?
I don't use a firewall on the desktop other than for logging. I think it's better to keep an eye on server processes with # sockstat -46.
1) Reboot your desktop and run
sockstat -46
2) Load Firefox (configured with a blank page at start, so in theory Firefox should not make any connections, and with extensions temporarily disabled or configured without update checking) and
run sockstat again.
/24 will not work, as the address will change at restart (the reason I blocked the range).
You can ignore this or not. These are Firefox default connections, not something cryptic that should not happen. I just like to control networking as much as I can. I use the firewall to block outgoing connections.
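The two checks recommended in this thread, keeping an eye on listening processes with `sockstat -46` and comparing a fresh-boot snapshot against one taken after starting Firefox, as a script. This is an added example, not code from anyone in the thread; the snapshots it runs over are constructed sample data (with documentation addresses and an sshd listener included purely to show what an exposed service looks like in the report), and it assumes sockstat's seven-column layout.

```sh
#!/bin/sh
# Added example, not from the thread: compare two "sockstat -46" snapshots,
# taken after a reboot and again after starting the browser, and report
# (1) sockets that accept connections on anything other than loopback and
# (2) outbound connections that only appeared in the second snapshot.
# Assumes sockstat's seven-column layout: USER COMMAND PID FD PROTO LOCAL FOREIGN.

# Listening sockets exposed beyond loopback: FOREIGN is "*:*" and LOCAL is
# not 127.x, ::1 or a link-local address on lo0. Output: PROTO LOCAL COMMAND.
exposed_listeners() {
    awk 'NR > 1 && $7 == "*:*" &&
         $6 !~ /^127\./ && $6 !~ /^::1:/ && $6 !~ /^fe80::/ {
             print $5, $6, $2
         }'
}

# COMMAND/FOREIGN pairs present in the "after" file ($2) but not in the
# "before" file ($1). The local ephemeral port is deliberately ignored so a
# reconnect to the same destination is not reported as something new.
new_outbound() {
    awk 'NR == FNR { seen[$2 " " $7] = 1; next }
         FNR > 1 && $7 != "*:*" {
             k = $2 " " $7
             if (!(k in seen) && !dup[k]++) print k
         }' "$1" "$2"
}

# Constructed sample snapshots (not real output); sshd is included only to
# show what an exposed listener looks like in the report.
sample_before() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1101  3  tcp4   127.0.0.1:25          *:*
avahi    avahi-daem 1150  14 udp4   *:5353                *:*
ntpd     ntpd       1200  20 udp4   *:123                 *:*
ntpd     ntpd       1200  25 udp4   127.0.0.1:123         *:*
root     sshd       1300  4  tcp4   *:22                  *:*
EOF
}

sample_after() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
jitte    firefox    2001  33 tcp4   192.168.1.24:36322    203.0.113.10:443
jitte    firefox    2001  69 tcp4   192.168.1.24:19951    203.0.113.10:443
jitte    firefox    2001  74 tcp4   192.168.1.24:41533    198.51.100.7:80
root     sendmail   1101  3  tcp4   127.0.0.1:25          *:*
avahi    avahi-daem 1150  14 udp4   *:5353                *:*
ntpd     ntpd       1200  20 udp4   *:123                 *:*
ntpd     ntpd       1200  25 udp4   127.0.0.1:123         *:*
root     sshd       1300  4  tcp4   *:22                  *:*
EOF
}

# Run the two reports over the samples. On a real host, replace the sample
# functions with "sockstat -46 > before.txt" and "sockstat -46 > after.txt".
report() {
    dir=$(mktemp -d) || return 1
    sample_before > "$dir/before.txt"
    sample_after > "$dir/after.txt"
    echo "== listeners reachable beyond loopback =="
    exposed_listeners < "$dir/before.txt"
    echo "== connections that appeared after starting the browser =="
    new_outbound "$dir/before.txt" "$dir/after.txt"
    rm -rf "$dir"
}

report
```

The first report is the list to reconcile against the firewall ruleset: every line in it is a service that a `block in` rule (or a `pass in` restricted to known sources) should be covering, and anything bound to `127.0.0.1` or `::1` is left out because no rule is needed for it. The second report keys on command and destination rather than the full four-tuple, which is why the two Firefox connections to the same address collapse into one line; that matches how one would then write a `pf` rule, by destination, not by the changing source port.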
 
Run:
Code:
sockstat -46s
You will see that a lot of connections are in CLOSE_WAIT state. But this is inherent in the TCP protocol.
 
If you do not want to log, or to restrict 'someone' connecting to you (and you do not use Windows), what does a desktop firewall do in practice?
How?

The answer is simple: nothing, if you do not have services (sharing something on your LAN), for example.
So - you never install anything on the desktop machine? There's NO chance of a virus or malware or a repository being taken over that installs something on your machine that makes it start listening on port 80 or a high port?

You check every single line of code and binary before you install anything? After install you check where files have gone, you check what ports are open?

You constantly check for open ports, you check every executable that is running, etc?

You never mis-configure anything and you never make any mistakes?

Your computer's operating system and firmware are perfect, all the software you install is perfect, you are perfect. Hurrah!

In that case - no need for a firewall on the desktop.

If maybe you think that you're not perfect, and maybe just this little extra layer might protect you - then why not? It's just another tool in the toolbox - make sure things aren't listening that don't need to be, be careful what you install, read the prompts, check your system's logs, investigate anything that you don't understand, use the lowest privileges, keep patched, and ... if you want, add that extra protection and block incoming (and why not outgoing if you want!) traffic (just in case something goes wrong or you miss something.)
 
No, in fact no.
I never check whether something voodoo does a demonic possession and opens port 80 or whatever on a BSD machine.
Because a virus does not need an open port; it just connects outside TO port 80 or 443 and starts transmitting and receiving data.
Therefore, if you do not make application-specific firewall rules, it is simply useless.
Because you log every application you install, don't you?

So no, your example does not seem realistic to me.
It does not add anything, and nothing at all for even a cheap FRITZ!Box user or whatever.

PS: yeah, I AM 'perfect' because I know very well how software works and even how OSes do.
I am not the only one in the world, of course.
 
I never bother with desktop firewalls and never had a problem because of it.
However, I rm -r'ed important stuff several times, or clobbered my just-typed program/script with a careless redirection,
ran a huge SQL table update with the wrong *where* (read: without one),
live-installed shared libs with cp and everything segv'ed.
So in my experience most fuckups were self-induced.
 
This is an example of a useful firewall: what will (an unused) Windows 10 do?
(image: micro.jpg)
 
covacat said:
so in my experience the most fuckups were self induced

Same experience here, and I'm sure we are not alone. The biggest problem usually sits between the chair and the keyboard. Users are a bigger risk than a few outgoing connections to Microsoft sites. It's better to make sure you don't run browsers with known security issues, because these will be exploited (and not by Microsoft sites). And is automounting USB sticks a good idea when users have access to a system...

P.S.: Of course I mean OTHER users only.
 