PF how to block all at sysctl and pf

I’m trying to BLOCK ALL. Could you check my rules and remove any other redundant lines? It works well but I’ve been afraid to tamper with it since breaking it down from my standard pf rules.

My goal is to block all incoming and outgoing connections on my FreeBSD host, including PING and SSH. I don’t need to go into details that I use Virtualbox in bridge-mode for a few major FreeBSD guests that will be upgraded until the end of time, and such.

Question (1): What do I need to remove? I want to block ssh and ping as well. I don’t even want it to log a single packet because I know it looks great already. Do I really need to scrub or set skip? Does it really need sshguard? I don't think so but I need to be sure because there will be no turning back.

Code:
ext_if="re0"
### table <sshguard> persist
set skip on lo0
####  scrub in all
#### scrub reassemble tcp
block drop in quick inet6
####  antispoof log quick for { $ext_if } inet
block in all
block out all
#### block in quick on $ext_if from <sshguard> label "ssh bruteforce"
Some may say this idea is insufficient. Regardless, I don’t think it will hurt to BLOCK-ALL at system level. It should only prove that vBox in bridge-mode has nothing to do with the host, as far as the INTERNET connection goes, the entire conversation. It took me a lifetime to see most of this working.

This is all I know and use so far.

Question (2): what are ALL the sysctl commands to BLOCK-ALL ipv4, tcp, udp, ssh, ssl, ping and anything else I missed? Should I even disable /etc/ssh?

Code:
net.inet6.ip6.auto_linklocal=0    # no ipv6
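To see which of the posted lines actually matter, it helps to walk a packet through pf's evaluation order: rules are checked top to bottom, the last matching rule wins, a matching rule with `quick` ends the walk immediately, and an interface under `set skip` is never filtered at all. The toy evaluator below is an added example written for this thread; it is not pf and not the poster's code. It models only direction, interface, address family, `quick`, `log` and `set skip` (no addresses, ports, protocols or state), and the ruleset it parses is constructed from the lines quoted in this thread (the first ruleset plus the later `block in log quick` rule).

```python
# Toy evaluator for pf's last-match / "quick" semantics. Added example for this
# thread; it is NOT pf and ignores addresses, ports, protocols and state.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the rulesets posted in the thread.
RULESET = """
ext_if="re0"
set skip on lo0
block drop in quick inet6
block in all
block out all
block in log quick on $ext_if all
"""

@dataclass
class Packet:
    direction: str  # "in" or "out"
    iface: str      # e.g. "re0" or "lo0"
    family: str     # "inet" or "inet6"

@dataclass
class Rule:
    action: str               # "block" or "pass"
    direction: Optional[str]  # None matches both directions
    iface: Optional[str]      # None matches any interface
    family: Optional[str]     # None matches inet and inet6
    quick: bool
    log: bool
    text: str                 # rule text after macro expansion

def parse_ruleset(text: str) -> Tuple[Set[str], List[Rule]]:
    """Parse the small subset of pf.conf syntax used above."""
    macros: Dict[str, str] = {}
    skip: Set[str] = set()
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'(\w+)="([^"]*)"', line)
        if m:                                  # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in macros.items():     # macro expansion
            line = line.replace("$" + name, value)
        toks = line.split()
        if toks[:3] == ["set", "skip", "on"]:
            skip.update(toks[3:])
            continue
        if toks[0] == "set":                   # other options not modelled
            continue
        if toks[0] not in ("block", "pass"):
            raise ValueError("unsupported rule: " + line)
        rule = Rule(toks[0], None, None, None, False, False, line)
        i = 1
        while i < len(toks):
            t = toks[i]
            if t in ("in", "out"):
                rule.direction = t
            elif t == "on":
                i += 1
                rule.iface = toks[i]
            elif t in ("inet", "inet6"):
                rule.family = t
            elif t == "quick":
                rule.quick = True
            elif t == "log":
                rule.log = True
            elif t in ("drop", "return", "all"):
                pass                           # no effect on matching here
            else:
                raise ValueError("unsupported keyword %r in: %s" % (t, line))
            i += 1
        rules.append(rule)
    return skip, rules

def evaluate(skip: Set[str], rules: List[Rule], pkt: Packet) -> Tuple[str, bool, str]:
    """Return (action, logged, deciding rule). Last match wins unless a
    matching rule is "quick"; with no match at all pf's default is pass."""
    if pkt.iface in skip:
        return "pass", False, "set skip on " + pkt.iface
    verdict = ("pass", False, "default (no rule matched)")
    for r in rules:
        if r.direction and r.direction != pkt.direction:
            continue
        if r.iface and r.iface != pkt.iface:
            continue
        if r.family and r.family != pkt.family:
            continue
        verdict = (r.action, r.log, r.text)
        if r.quick:
            break
    return verdict

def verdicts_for_thread_ruleset() -> Dict[str, Tuple[str, bool, str]]:
    """Constructed packets covering the cases the thread asks about."""
    skip, rules = parse_ruleset(RULESET)
    cases = {
        "v4 in on re0":  Packet("in", "re0", "inet"),
        "v4 out on re0": Packet("out", "re0", "inet"),
        "v6 in on re0":  Packet("in", "re0", "inet6"),
        "v4 in on lo0":  Packet("in", "lo0", "inet"),
    }
    return {name: evaluate(skip, rules, p) for name, p in cases.items()}

if __name__ == "__main__":
    for name, (action, logged, why) in verdicts_for_thread_ruleset().items():
        print("%-14s -> %-5s logged=%-5s by: %s" % (name, action, logged, why))
```

Running it shows why the ordering matters for the logging question: an IPv4 packet arriving on re0 matches `block in all` first but the later `block in log quick` rule overrides it and logs, an outbound packet is silently dropped by `block out all`, an inbound IPv6 packet is stopped by the `quick inet6` rule before the logging rule is ever reached, and loopback is untouched because of `set skip`. Drop the logging rule and nothing is written to pflog; `block in all` alone already discards the packet.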
 
My goal is to block all incoming and outgoing connections on my FreeBSD host; including PING and SSH.
So, why does it have a network interface in the first place? If you're going to block everything going in or out you might as well remove or shutdown the interface.
 
So, why does it have a network interface in the first place? If you're going to block everything going in or out you might as well remove or shutdown the interface.
I don’t understand. Are you saying I should pull the Ethernet plug or make packets go directly to the guest? If so I don’t have a clue how to do that. Could you tell me more, or show me how? Has anyone ever tried these things I’ve done?

I thought bridge-mode did all of that through Virtualbox and it has been working perfectly for over two weeks now in bridge-mode. When I do this it shows it is blocking everything to the host, but FreeBSD in Virtualbox runs like a bat out of hell on the INTERNET in bridge-mode and it has its own full-featured pf.conf running. Forget about my goals. I’m just concerned about narrowing things down with questions 1 and 2.
Code:
/usr/sbin/tcpdump -n -tttt -e -r /var/log/pf.log
I watch everything like a hawk. Now I want to see even less. That is all I want to do.
 
I don’t understand. Are you saying I should pull the Ethernet plug or make packets go directly to the guest?
No, I understood you wanted to block all traffic going in or out of a FreeBSD guest. That's why I suggested removing the interface from the guest.
 
No, I understood you wanted to block all traffic going in or out of a FreeBSD guest. That's why I suggested removing the interface from the guest.
Why would I want to block anything going to the FreeBSD guest?
My goal is to block all incoming and outgoing connections on my FreeBSD host
All the things you do. You work too hard my dear Sir. I suggest you take a vacation from all of us noobs for a few weeks; you deserve it.
 
It WORKS!
Since I came this far I went ahead to do more trial and error, and would you believe it is possible to eliminate all of these things on your host and all Virtualbox guests will still connect to the internet with their own firewall and stuff:

But I’m still interested in the list of commands that I can use to turn off as much as possible that is network and internet related at sysctl level. All I need is the complete list concerning tcp-udp and such and I’ll break it down from there. Below is more than enough but I am greedy. It’s better to know what it can add than not.

The host rc.conf
It doesn’t even need to be a gateway:
Code:
dumpdev="NO"
hostname="my.example.host"
ifconfig_re0="DHCP"
sshd_enable="NO"
sshguard_enable="NO"
gateway_enable="NO"

ip6addrctl_enable="NO"
ip6addrctl_policy="ipv4_prefer"
ipv6_activate_all_interfaces="NO"
auto_linklocal="NO"
network_interfaces=""
rpcbind_enable="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="NO"
inetd_enable="NO"
rpcbind_enable="NO"
nfs_server_enable="NO"
nfs_client_enable="NO"
nfs_reserved_port_only="YES"
rpcbind_statd_enable="NO"
rpcbind_lockd_enable="NO"

The Host Packet Filter Rules
Code:
ext_if="re0"
block drop in quick inet6
block in all
block out all
# just to see that it is still blocking.  As long as I
# know it works there is no need to work
# the host kernel to log blocked packets.
block in log quick on $ext_if all

Now that I know the VMs are running and the fact that nothing will ever touch the FreeBSD host, I am happy and there are no leaks, so it really doesn't need anything more, but I still need to learn sysctl for server security and optimal performance.

Edit: Too many personal opinions from too much excitement.

Anyway, here I found some bits and pieces for sysctls. Values set for workstations and servers would probably differ. Between sysctl(8), sysctl(9) and all the blogs that I can find it will be enough to keep me busy for quite a while.
Code:
# net.inet6.ip6.forwarding=0
# net.inet6.ip6.auto_linklocal=0
# net.link.lagg.failover_rx_all=1
# net.inet.tcp.rfc1323=1
# net.inet.tcp.delayed_ack=0
# net.inet.tcp.sendspace=65535
# net.inet.tcp.recvspace=65535
# net.inet.udp.recvspace=65535
# net.inet.udp.maxdgram=57344
# net.local.stream.recvspace=65535
# net.local.stream.sendspace=65535
# net.inet.tcp.blackhole=1

#  net.inet.ip.forwarding=1
#  net.inet.tcp.sendbuf_max=4194304
#  net.inet.tcp.recvbuf_max=4194304
#  net.inet.tcp.cc.algorithm=htcp
#  net.inet.tcp.cc.htcp.adaptive_backoff=1
#  net.inet.tcp.cc.htcp.rtt_scaling=1

#  net.inet.tcp.mssdflt=1460
#  net.inet.tcp.minmss=1300
#  net.inet.tcp.rfc1323=1
#  net.inet.tcp.rfc3390=1
#  net.inet.tcp.sack.enable=1
#  net.inet.tcp.tso=0
#  net.inet.tcp.nolocaltimewait=1
#  net.inet.tcp.experimental.initcwnd10=1
#  net.inet.tcp.syncache.rexmtlimit=0
#  net.inet.ip.rtexpire=2
#  net.inet.ip.rtminexpire=2
#  net.inet.tcp.syncookies=0

#  net.link.tap.user_open=1
#  net.link.tap.up_on_open=1
#  net.inet6.ip6.auto_linklocal=0

# ....................................................................
# ....................................................................
# kernel support:
# kern.ipc.soacceptqueue=1024  .......................not included
#  may fix extreme clock drift for vps. Or if fbsd is running under LVM
# kern.timecounter.hardware=i8254

# kern.ipc.maxsockbuf=4194304
# kern.ipc.maxsockbuf=2097152

# kern.ipc.somaxconn=8192
# kern.ipc.somaxconn=4096

# kern.maxfiles=65536
# kern.maxfiles=49312

# kern.ipc.maxsockets=16424
# kern.maxfilesperproc=32768
# kern.sched.preempt_thresh=224
# kern.coredump=0
#
# ....................................................................
# ....................................................................
# support for pci Ethernet adapters
# dev.igb.0.fc=0
# dev.igb.1.fc=0
# dev.igb.2.fc=0
# dev.igb.3.fc=0
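The `block in log quick on $ext_if all` rule above, together with the `tcpdump -n -tttt -e -r /var/log/pf.log` command from earlier in the thread, is the poster's check that the host really drops everything. The script below is an added example written for this thread, not the poster's code and not part of pf or tcpdump: it reads that tcpdump output, counts records by action, direction and interface, lists the most frequent blocked sources, and flags any logged `pass` as a leak, since on a host meant to block everything the only way a `pass` record can appear is if some `pass ... log` rule matched. The log lines embedded in it are constructed in the shape tcpdump prints for the pflog header (`-e`) with full timestamps (`-tttt`), using IPv4 documentation addresses; the `pass out` line is a hypothetical leak included so the detection has something to find.

```python
# Added example for this thread: summarise "tcpdump -n -tttt -e -r /var/log/pf.log"
# output and flag leaks on a block-all host. Not pf's, tcpdump's or the poster's code.
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in tcpdump's pflog header format; the last line is a
# hypothetical "pass out" record so that the leak check has something to report.
SAMPLE_PFLOG = """\
2023-01-01 10:00:00.000001 rule 3/0(match): block in on re0: 203.0.113.7.51234 > 192.0.2.20.22: Flags [S], seq 1, win 65535, length 0
2023-01-01 10:00:01.000002 rule 3/0(match): block in on re0: 203.0.113.7 > 192.0.2.20: ICMP echo request, id 1, seq 1, length 64
2023-01-01 10:00:02.000003 rule 3/0(match): block in on re0: 198.51.100.9.40000 > 192.0.2.20.443: Flags [S], seq 2, win 65535, length 0
2023-01-01 10:00:03.000004 rule 5/0(match): pass out on re0: 192.0.2.20.55000 > 198.51.100.9.80: Flags [S], seq 3, win 65535, length 0
"""

# "rule N/M(reason): action dir on iface: src > dst: rest"; the optional
# ".anchor" part after the rule number appears when an anchor matched.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)(?:\.\S+)?/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

def host_part(endpoint: str, rest: str) -> str:
    """tcpdump appends .port to TCP/UDP endpoints but not to ICMP ones;
    return just the host so counts are not split per source port."""
    if rest.startswith("ICMP"):
        return endpoint
    return endpoint.rsplit(".", 1)[0]

def parse_pflog(text: str) -> List[Dict[str, str]]:
    """Turn tcpdump pflog text into one dict per record; non-matching lines
    (e.g. tcpdump's 'reading from file' banner) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["src_host"] = host_part(e["src"], e["rest"])
        e["dst_host"] = host_part(e["dst"], e["rest"])
        entries.append(e)
    return entries

def summarize(entries: List[Dict[str, str]]) -> Counter:
    """Count records by (action, direction, interface)."""
    return Counter((e["action"], e["dir"], e["iface"]) for e in entries)

def top_sources(entries: List[Dict[str, str]], n: int = 3) -> List[Tuple[str, int]]:
    """Most frequent source hosts among blocked records."""
    return Counter(e["src_host"] for e in entries if e["action"] == "block").most_common(n)

def find_leaks(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """On a block-all host any logged 'pass' means a pass rule matched: a leak."""
    return [e for e in entries if e["action"] == "pass"]

if __name__ == "__main__":
    entries = parse_pflog(SAMPLE_PFLOG)
    for (action, direction, iface), n in sorted(summarize(entries).items()):
        print("%-5s %-3s on %-4s : %d" % (action, direction, iface, n))
    print("top blocked sources:", top_sources(entries))
    for leak in find_leaks(entries):
        print("LEAK:", leak["ts"], leak["dir"], leak["src"], "->", leak["dst"], "rule", leak["rule"])
```

To use it on a real host, replace `SAMPLE_PFLOG` with the output of the tcpdump command from the thread (for example via `parse_pflog(sys.stdin.read())`). Remember that pflog only contains packets matched by rules carrying `log`, so an empty summary means "nothing was logged", not "nothing arrived"; the `block in log quick` rule above is what makes inbound drops visible at all.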
 