I have tried to enhance my FreeBSD desktop's security with some tweaks without knowing what they do... Any other useful tweaks?

I wanted to harden my FreeBSD install so I searched the web but found nothing useful. The only wiki that I found was this: https://wiki.ghostbsd.org/index.php/Security.

I have added the following lines to /etc/sysctl.conf.
Code:
hw.kbd.keymap_restrict_change=4
kern.sugid_coredump=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.drop_redirect=1
net.inet.ip.accept_sourceroute=0
net.inet.ip.check_interface=1
net.inet.ip.forwarding=0
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.tcp.always_keepalive=0
net.inet.tcp.blackhole=2
net.inet.tcp.drop_synfin=1
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.path_mtu_discovery=0
net.inet.udp.blackhole=1
net.inet6.icmp6.rediraccept=0
net.inet6.ip6.forwarding=0
net.inet6.ip6.fw.enable=1
net.inet6.ip6.redirect=0

I haven't yet added these, fearing breakage.

Code:
# The settings below will change the user experience
security.bsd.hardlink_check_gid=1
security.bsd.hardlink_check_uid=1
security.bsd.see_other_gids=0
security.bsd.see_other_uids=0
security.bsd.stack_guard_page=1
security.bsd.unprivileged_proc_debug=0
security.bsd.unprivileged_read_msgbuf=0

I tried to find out what each of these lines actually does by searching for them using multiple search engines, but unfortunately didn't find any useful information.
Q1) If anyone can tell me what the function of these lines is, it will be awesome. I know there are quite a few of them so it's going to require some effort and patience.
Q2) The lines below the heading "The settings below will change the user experience": what do these lines do, and what kind of change in user experience can I expect? I have only one desktop at home. I don't have a separate test machine where I can experiment.
Q3) If you know about any other security tweaks that are not mentioned in that wiki, please tell me about them.

Note: My primary goal is to enhance network security. Local security is secondary for me.
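As an added example (my code, not from this post or the GhostBSD wiki): a POSIX shell script that reads a sysctl.conf-style list like the one above and, for each OID, shows the value you want, the value the kernel currently has, and the kernel's own one-line description of the setting, without applying anything. It relies on two options of FreeBSD's sysctl(8), -n (print the value only) and -d (print the description instead of the value); the sample file it builds for the stand-alone run is constructed for this example and is not a recommended set. Any name the kernel rejects is flagged, which is worth knowing before such a list goes into /etc/sysctl.conf, since the file is applied again at every boot.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style list against the running kernel
# without applying anything. Assumes FreeBSD sysctl(8), whose -n prints
# only the value and -d prints the OID's built-in description; on a kernel
# without those options only the parsing step does anything useful.

# parse_sysctl_conf FILE: emit "key value" pairs, one per line, skipping
# blank lines and comments and tolerating leading whitespace and spaces
# around '=' (as in lists pasted from a web page).
parse_sysctl_conf() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' -e 's/[[:space:]]*=[[:space:]]*/ /' "$1"
}

# count_settings FILE: how many key=value entries the file contains.
count_settings() {
    parse_sysctl_conf "$1" | wc -l | tr -d ' '
}

# audit_sysctl FILE: for each entry show the wanted value, the value the
# kernel has now, and the kernel's own description of the OID. A key the
# kernel rejects is reported as UNKNOWN (stale or misspelled name).
audit_sysctl() {
    parse_sysctl_conf "$1" | while read -r key want; do
        if have=$(sysctl -n "$key" 2>/dev/null); then
            # "-d" output is "name: description"; keep the description only
            desc=$(sysctl -d "$key" 2>/dev/null | sed 's/^[^ ]*: //')
            if [ "$have" = "$want" ]; then flag=same; else flag=DIFF; fi
            printf '%-40s want=%-6s have=%-6s %s\n      %s\n' \
                "$key" "$want" "$have" "$flag" "${desc:-(no description)}"
        else
            printf '%-40s UNKNOWN to this kernel; check the name\n' "$key"
        fi
    done
}

# Stand-alone run over a constructed sample in the same shape as the list
# above (indented lines, a comment, spaces around '='); not a recommended set.
SAMPLE=$(mktemp) || exit 1
cat > "$SAMPLE" <<'EOF'
# constructed sample input
   net.inet.tcp.blackhole = 2
   net.inet.udp.blackhole=1
kern.sugid_coredump=0
EOF
echo "entries: $(count_settings "$SAMPLE")"
audit_sysctl "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against your own list with `audit_sysctl /path/to/list` and read the DIFF and UNKNOWN lines first: a DIFF is a setting the file would change on the next boot, and an UNKNOWN is a name the kernel does not have, which sysctl would also complain about at boot. For a single setting you have decided on, `sysctl key=value` applies it immediately and the line in /etc/sysctl.conf makes it persist, so the two stay in step.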
 
I haven't yet added these, fearing breakage.
You're ahead of the curve, to your credit.

If it's not broke don't fix it.
"The settings below will change the user experience" what do these line do & what kind of change in user experience can I expect ?
A bad one if you change settings without knowing what they do and don't yet know how to fix it if it breaks something.

I have examples of all the Security and System files I edit and a tight pf firewall ruleset I use for general desktop purposes posted in my tutorial.


I have this in /etc/rc.conf:
Code:
tcp_drop_synfin="YES"

This in /boot/loader.conf
Code:
security.bsd.allow_destructive_dtrace=0

/etc/sysctl.conf
Code:
security.bsd.unprivileged_proc_debug=0
kern.randomid=1

That doesn't cover everything in the tutorial, it covers what I don't see in yours. The only thing you have listed I use is the one line in /etc/sysctl.conf.
There are sshd tweaks and such you don't list that I edit as standard practice.
 
Added the three tweaks that you mentioned & rebooted. I read your tutorial where you mention how to configure PF. The rules that you suggest are basically the exact same rules that I was using when I was using Linux. It's simply deny all in and allow all out. I am using IPFW & didn't find that particular rule for IPFW. If you read the IPFW wiki page you will find these presets:

The available types are:
  • open: passes all traffic.
  • client: protects only this machine.
  • simple: protects the whole network.
  • closed: entirely disables IP traffic except for the loopback interface.
  • workstation: protects only this machine using stateful rules.
  • UNKNOWN: disables the loading of firewall rules.
  • filename: full path of the file containing the firewall ruleset.

I am using the workstation type. This is what the workstation type does

Code:
~ [69]> sudo ipfw list
Password:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800 allow udp from any 67 to me 68 in
01900 allow udp from any 67 to 255.255.255.255 68 in
02000 allow udp from fe80::/10 to me 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any icmp6types 3
65000 count ip from any to any
65100 deny { tcp or udp } from any to any 135-139,445 in
65200 deny { tcp or udp } from any to any 1026,1027 in
65300 deny { tcp or udp } from any to any 1433,1434 in
65400 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any 520 in
65500 deny tcp from any 80,443 to any 1024-65535 in
65500 deny ip from any to any
65535 allow ip from any to any
 
This is what mine does:
Code:
root@bakemono:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.74 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state

STATES:
all tcp 192.168.1.74:42959 -> 34.214.1.68:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.74:52319 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.74:48612 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.74:30955 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT

INFO:
Status: Enabled for 49 days 03:59:43          Debug: Urgent

State Table                          Total             Rate
  current entries                        4               
  searches                        35744378            8.4/s
  inserts                           136549            0.0/s
  removals                          136545            0.0/s
Counters
  match                             306949            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s

LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000

OS FINGERPRINTS:
762 fingerprints loaded
root@bakemono:/ #
 
Trihexagonal
Okay, I just disabled IPFW and enabled PF. I followed your tutorial. Right now I am using the rules that you mentioned in your tutorial, which are

Code:
block in all
pass out all keep state

What I want to do next is block all outgoing ports by default and allow only specific ports like 80, 443, 53, etc.
Please show me how to do that with any one example, like port 80. By following that I will create rules for the remaining ports like 443, 53 & so on.
 
Oh, this stuff has been circulating for a long time now. A lot of points are just obsolete (so, there was an issue some time in the past). Some points don't make sense whatsoever. Maybe some valid points could be found there as well, but yeah, who cares, it's not like you can't configure your system the way you want. E.g. none of my installs has sendmail ;)
 
Well, for me it was more than enough when I read his rant about the broken RNG... which was part of -current only. I mean, that's what -current is for, development and bleeding edge - use at your own risk! Whoever runs -current should expect things to be broken. So ranting for nothing!
 
There is one point in that link which I found to be true & that's about PF. The PF that is included in FreeBSD is not accepting any rules. What I mean is I just applied the rules mentioned here >> https://imaprettykitty.com/wof/ & did
sudo pfctl -f /etc/pf.conf & after that I lost all connectivity. Firefox won't load any pages. So the lesson that I learned is if you want to use PF under FreeBSD you will have to learn how to write rules which are specific to FreeBSD's PF, not OpenBSD's PF. I am back to IPFW.
 
Yes, -CURRENT is broken "by definition".

There's more nonsense: building ports as root? Only if you choose to do so! The times when that was obligatory are LONG gone. And poudriere nowadays defaults to using nobody.

All the stuff about OpenSSH is old as well.

IMHO, there might be a valid point about sendmail, including such a complex thing in base IMHO isn't the best choice. But for quite some time, there's also dma, so users can just opt out of sendmail.

Ah, let's not talk about the rest…
 
I have tried to enhance my FreeBSD desktop's security with some tweaks without knowing what they do
In general, I'd say that's a sure way to weaken security.

It's a lot of work, but for every setting you want to change from defaults, do some research to understand what it really does. That's the only possible way for informed decisions…
 
In general, I'd say that's a sure way to weaken security.

It's a lot of work, but for every setting you want to change from defaults, do some research to understand what it really does. That's the only possible way for informed decisions…
What I did was copy-paste those lines into multiple search engines but I couldn't find anything useful. So I created this topic here in the hope that someone will explain what each of those lines does.
 
The "workstation" config for IPFW is very similar, but not identical, to what Trihexagonal has in his pf ruleset.
It is basically "block in all, allow out all" with keep state.
It also explicitly blocks a bunch of the Windows and other.

And the whole "FreeBSD PF is not OpenBSD PF" is true, but a lot of the syntax should work. One could go ask on the FreeBSD PF mailing list "what version of OpenBSD PF is the FreeBSD PF syntax" or something similar. That is the important part for the rules.
Under the hood, there are going to be differences because FreeBSD and OpenBSD are different with regards to SMP, locking in the kernel, probably even down the networking paths.
FreeBSD PF mailing list

This is the security section in the handbook. In sec 14.2.7 it has some info about the meaning of some of the sysctl you have set.

This is a link to a hardening script from 2010: DO NOT APPLY IT BLINDLY. I'm linking it because it seems to be well commented and may help you understand some of the things you're asking about.
 
There is no confusion and it is not an opinionated rant, it is a critique by someone with a security focus. Note: that page is at least 4 years old.
It is an opinionated rant. Just look for example at his complaint about the broken RNG - this happened in FreeBSD-CURRENT. While this is a serious matter, -current comes with a clear warning:

24.4.1 Staying Current with FreeBSD

As you read this, keep in mind that FreeBSD-CURRENT is the “bleeding edge” of FreeBSD development. FreeBSD-CURRENT users are expected to have a high degree of technical skill, and should be capable of solving difficult system problems on their own. If you are new to FreeBSD, think twice before installing it.

But that guy doesn't care and treats current like it is stable. So it's not critique, but a rant. He's got some ideal in mind, which is OpenBSD. But he doesn't care that FreeBSD might have other goals, and his text is full of such stuff; when taking a closer look, his complaint more or less poofs away.
 
He's got some ideal in mind, which is OpenBSD.
No, you are choosing to frame it as OpenBSD vs FreeBSD. His frame was security. I don't give a shit if he went with CURRENT at the time, you are choosing to use that detail as your pivotal evidence to decry him further.

It was simply a good piece of information that fernandel posted.
 
No, it's mostly misleading crap, a mixture of completely outdated things, things that never made sense, and maybe very few relevant things, if any.
 
Quoting Zirias from another thread on firewalls and security:
OP should really pay attention to a couple pitfalls mentioned in that post.

And I just don't know how to react to this thread's title... On one hand, shame on OP for not doing his homework before applying the tweaks... That might fly on a personal machine, but not in a work environment. On the other - at least OP fessed up to that. Even leaning that way (in the direction of OP acknowledging his own messup), I would strongly encourage OP to read the Handbook to get started before looking around on the Internet. On these forums, I would think that most members would be quite willing to coach OP through the process of reading the Handbook, trying out what's there, understanding what's there, and formulating the questions in ways that invite constructive and helpful responses.
 
Right now I am using the rules that you mentioned in your tutorial which is

Code:
block in all
pass out all keep state
That's the basic ruleset and pf will provide Stateful Packet Inspection.

What I want to do next is block all outgoing ports by default and allow only specific ports like 80, 443, 53, etc.
Why? It's already performing SPI.

Please show me how to do that with any one example, like port 80. By following that I will create rules for the remaining ports like 443, 53 & so on.
I already have my full ruleset posted in my tutorial and show you how to block incoming and outgoing traffic on TCP and UDP port 0. It also shows how to block IPv6.

Please refer to that as I show you how to use macros and tables with the CUPD version I wrote afterward.
 
I already have my full ruleset posted in my tutorial and show you how to block incoming and outgoing traffic on TCP and UDP port 0. It also shows how to block IPv6.

Please refer to that as I show you how to use macros and tables with the CUPD version I wrote afterward.
I tried searching for the specific post in that thread where you have shown how to block incoming and outgoing traffic on TCP and UDP port 0 but I can't find it. See, the problem is the PF that FreeBSD has is not accepting rules that are available on the web. For example I used the rules mentioned in this website & then when I used the command pfctl -f /etc/pf.conf I lost all connectivity. Firefox refused to load websites.

All I want to know is how to block all outgoing ports & how to add an allow rule for a specific outgoing port.

So from what I have learned so far my configuration should look like this

Code:
block out all
block in all
<What should I type here to allow outgoing port 80 ?? >

Just show me that one line which is for port 80. I will follow that & just keep adding that same line replacing 80 with 443 & so on.
 

That will help you (it will be fine for FreeBSD 13 too)
That's just awesome! Success! Thanks a lot for that.
This is my PF conf.
Code:
block all
pass out proto { tcp udp } to port { 53 80 443 995 }
pass out inet proto icmp icmp-type { echoreq }
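An added example, my own code and not Trihexagonal's tutorial ruleset or the config above: a shell function that generates a default-deny pf.conf with an outbound allowlist from an interface name and two port lists, and a second function that runs pfctl in parse-only mode on the result before anything is loaded. The parse check is the step that catches a broken file before it cuts connectivity, which is what happened earlier in this thread. Interface name and port lists are arguments; em0 and the ports in the stand-alone run are placeholders. It assumes FreeBSD's pf and the -n and -f options of pfctl(8).

```shell
#!/bin/sh
# Added example (not the tutorial's ruleset): build a pf.conf that denies
# everything by default and allows only listed outbound ports, then
# syntax-check it with a pfctl dry run before it is ever loaded.
# Assumes FreeBSD pf; the interface name and port lists are arguments.

# gen_pf_conf IFACE "TCP PORTS" "UDP PORTS": print the ruleset on stdout.
# Backslash-escaped $ macros stay literal so pf expands them, not the shell.
gen_pf_conf() {
    cat <<EOF
# generated ruleset: default deny in and out, allowlist for outbound
ext_if = "$1"
tcp_ports = "{ $2 }"
udp_ports = "{ $3 }"

set skip on lo0          # local services keep talking to themselves
set block-policy drop    # silent drop rather than RST / ICMP unreachable
scrub in on \$ext_if all fragment reassemble

# last matching rule wins unless it says quick, so the blocks come first
block drop log all
block drop quick proto { tcp udp } from any port = 0 to any
block drop quick proto { tcp udp } from any to any port = 0

# outbound allowlist; keep state lets the replies back in without a pass in
pass out quick on \$ext_if proto tcp to port \$tcp_ports flags S/SA keep state
pass out quick on \$ext_if proto udp to port \$udp_ports keep state
pass out quick on \$ext_if inet proto icmp icmp-type echoreq keep state
EOF
}

# pf_dry_run FILE: parse only (-n), load nothing. Returns pfctl's exit
# status, or 2 when pfctl is not installed on this host.
pf_dry_run() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; skipping parse check" >&2
        return 2
    fi
    pfctl -nf "$1"
}

# Stand-alone run: write the candidate to a temp file and dry-run it.
# Loading it for real would be: pfctl -f /etc/pf.conf (after a backup).
CANDIDATE=$(mktemp) || exit 1
gen_pf_conf em0 "53 80 443 995" "53 123" > "$CANDIDATE"
cat "$CANDIDATE"
pf_dry_run "$CANDIDATE" || true
rm -f "$CANDIDATE"
```

The generated rules rely on state: every pass out carries keep state, so replies to an allowed outbound connection are matched by the state table and no pass in rule is needed, which is why "block in all" and a working browser are not in conflict. Adding a port means extending the list passed as the second or third argument rather than copying a line per port. If the dry run passes and you then load the file for real, keep a known-good copy of /etc/pf.conf at hand; pfctl -d disables the packet filter entirely, which is the quickest way back to connectivity from the console.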
 