I have tried to enhance my FreeBSD desktop's security with some tweaks without knowing what they do... Any other useful tweaks?

Zirias
One last thing. Do you know how to run Firefox inside a jail? After I replaced Linux with FreeBSD this is the only thing left for me to do. I was using firejail under Linux to isolate Firefox. It was very easy: you need to install firejail from the repos & run sudo firecfg, which adds firejail to all the desktop launchers. I couldn't find anything like that under FreeBSD, so I am really desperate to set up Firefox inside a jail. Should I create a new thread & give you the link?
 
That's most likely a different topic and I'm not really interested in it – I just assume running a browser in a jail isn't exactly a new idea, so I'd suggest to search the forum first (as well as read the handbook on jails and the manpages) before creating a new thread…
 
That's most likely a different topic and I'm not really interested in it – I just assume running a browser in a jail isn't exactly a new idea, so I'd suggest to search the forum first (as well as read the handbook on jails and the manpages) before creating a new thread…
Is this theory correct: that if Firefox is compromised, an attacker can gain access to my personal data? I mean, on the one hand I am trying to choose the most restrictive rules for PF, & on the other hand my browser, if compromised, is opening another way for the attacker to get it.
 
So my question is: can a home desktop be made more secure than this?
I'm not here for a Q&A session.

I'm here to help you with a tight ruleset.

You are breaking it.

As long as you don't require remote access using one of the ports blocked in my macros it cannot be more secure than it is now, or I would make it so.

Don't you think? I've been using it 16 years.

This is how yours should look using the wlan0 internet interface, copy and paste it in as is, save and exit:

Code:
### Macro name for external interface
ext_if = "wlan0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Pass loopback (options such as "set skip" must precede scrub and filter rules,
### or pfctl rejects the file with "Rules must be in order")
set skip on lo0

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Block spoofs
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

Anything beyond that you do on your own.

And, yes, that is a Copy&Paste ruleset for the other 5 FreeBSD general purpose desktops I've got going right now.
 
As I see it, the likeliness of a successful attack is roughly ordered like this
  • Social engineering, tricking people into doing something stupid
  • Exploiting a weakness in some client software (especially browsers)
  • Exploiting some other remote weakness
Packet filtering will only help with the last one. So yes, "secure browsing" is an issue. Putting the browser in a jail is one possible measure. Keep in mind, it will still have all the data it collects itself. Extensions like "NoScript" are another idea: only trust selected sites to execute their scripts on your machine. Even Adblockers can help. And, of course, just staying away from any "shady" websites can help.
 
Extensions like "NoScript" are another idea: only trust selected sites to execute their scripts on your machine. Even Adblockers can help. And, of course, just staying away from any "shady" websites can help.
With NoScript, uBlock Origin, my other browser extensions and machines set up like they are there's no website I won't go to.

I had NoScript block an XSS Cross-Site Script attack downloading an .mp3 yesterday and went right on downloading them after that.

Of course I just made that up and would never download pirated .mp3's. I drink chocolate milk. Lots of it.
 
Not only does it block all incoming ports, I have blocked outgoing ports too, leaving only the ones which are necessary for daily activities like web browsing, using an email client, IRC chat client, etc.

So my question is: can a home desktop be made more secure than this?
Sure - disconnect it from the internet, problem solved! It makes attacking your system much harder, but not impossible.

Security is not a product nor a feature - in reality it is a never-ending process. The promise that you've only got to install Norton UltraSuperDuperInternetCleaner HyperSmart or stuff like that, or just some firewall, and you're forever safe is a lie.

And most of the time the biggest security problem is between the screen and the chair.

Also, the idea when blocking outgoing ports is mostly to mitigate some of the potential damage which might happen once your machine is infected by, let's say, a trojan. You can quite reliably block SPAM runs and other stuff.

What you will be unable to do is to block this machine from communicating with its command instance. Typically this is done either by standard ports like 443, so HTTPS, or 53/UDP - DNS. The art of punching holes into a firewall is also something which is well known since Skype utilized this at large scale for commercial use. So if the purpose of that trojan is to log your keyboard for security PINs, make nice screenshots of you watching porn and similar stuff it will most likely do it.

You will mostly only become aware of such stuff with deep packet inspection, an IDS in place or other systems. And in general, if your machine is infected, it is not without reason that the golden rule is to completely wipe it and start anew.
 
I want to ask a question. I read many articles about network security. Almost all of them suggest that closing all incoming ports is enough to protect a home network. Blocking outgoing ports doesn't really make any sense in a home environment.

That depends.

To think about security, you need to answer a lot of questions. Here are three basic ones: What are you trying to protect: what is the asset you don't want attackers to get access to? Who are your enemies: who are those attackers? Who are your friends: whom can you trust?

If you say that a sensible protection for a home environment is a firewall that doesn't allow any incoming connections, but allows all outgoing connections, that's sort of like giving the following three answers to these questions:
  • What are you trying to protect: All information that is stored or processed inside the home network.
  • Who are your enemies: Everyone who is outside the home network.
  • Who are your friends: You completely trust everything and anything inside the home network.
Is that a sensible security posture? To begin with, not in isolation. Even with these assumptions, common sense says that you should still do things like use passwords (or fingerprint sensors or 2FA tokens) in case someone gets hold of devices that you have trusted. And maybe you should encrypt disks that store data, in case of theft. And probably control access to the home network, for example a WPA password on your WiFi.

The real toothache comes when I look at your complete trust in the security of the internal network. The moment your security perimeter (for example your PF firewall, but also many other places) has been breached, all is lost. Allowing all outgoing connections is one symptom of that trust you place in internal devices. Modern network security thinking often works differently. First, silo information, so not everyone can get at everything. Second, NoTrust: just because a device is on your internal network doesn't mean it has good intentions.
 
Allowing all outgoing connections is one symptom of that trust you place in internal devices.
Well, not sure "allow all outgoing" is the main problem here. What I do is place devices like my Chinese vacuum robot in a separate network zone. They can still connect to the internet, but not to anything in any other network zone…
 
Well, not sure "allow all outgoing" is the main problem here. What I do is place devices like my Chinese vacuum robot in a separate network zone. They can still connect to the internet, but not to anything in any other network zone…
While we're at it, you can place your Roomba in a box. Or better yet, don't buy the Roomba in the first place, and use a dumb Hoover to lick the floors clean. ;) Roombas are dangerous, they can phone back home to China, y'know.
 
Here are the Services I have running:
Code:
jitte@bakemono:/ $ sockstat -l46
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS   
avahi    avahi-daem 96008 14 udp4   *:5353                *:*
avahi    avahi-daem 96008 15 udp6   *:5353                *:*
avahi    avahi-daem 96008 16 udp4   *:26298               *:*
avahi    avahi-daem 96008 17 udp6   *:32433               *:*
root     sendmail   94363 3  tcp4   127.0.0.1:25          *:*
ntpd     ntpd       92089 20 udp6   *:123                 *:*
ntpd     ntpd       92089 21 udp4   *:123                 *:*
ntpd     ntpd       92089 23 udp6   ::1:123               *:*
ntpd     ntpd       92089 24 udp6   fe80::1%lo0:123       *:*
ntpd     ntpd       92089 25 udp4   127.0.0.1:123         *:*
ntpd     ntpd       92089 29 udp4   192.168.1.5:123       *:*
jitte@bakemono:/ $

Here are my macros, no IPv6 traffic is allowed in or out by a specific rule:
Code:
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

NTP on port 123 is allowed only when my machine initiates the connection (Stateful Packet Inspection) and I have TCP and UDP blocked as it's possible to use either.

No outside access to port 25 is allowed and I still get my daily Security and System logs.

avahi-daemon is port 5353, listed as msds in the pfctl -s all readout on page 1 and shown as blocked.
avahi-daemon on UDP port 262298 is blocked by the default block log all firewall rule.

Stateful Packet Inspection comes in to block the random port that is always used in addition to port 5353.

That's why the 2 line ruleset works:
Code:
block in all
pass out all keep state

It's up to me to make sure nothing wants outside connections that shouldn't have them. Firefox and all that aside, that's considered normal operation for that browser.

I'm talking rootkits and run security/rkhunter as a cron job nightly with security/nmap checking for suspicious open ports when it does so.


As a side note, there are chromecast wi-fi signals in my building I can connect to but have no internet access from them.
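As an added example (not code from this thread, nor from FreeBSD or pf), here is a small Python check that reads the two block macros quoted above together with a `sockstat -l46` listing and reports every listener bound to a non-loopback address whose port no macro covers, i.e. the sockets that are protected only by the default `block log all`. The sockstat sample is constructed (trimmed from the post above), and the check assumes inbound traffic arrives on `$ext_if` and that loopback-bound sockets are unreachable from it, as in the ruleset earlier in the thread.

```python
import re

# Constructed sample: the two macros from the ruleset above, as they appear in pf.conf.
PF_MACROS = '''
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
'''

# Constructed sample: trimmed `sockstat -l46` output in the same shape as the post above.
SOCKSTAT = '''USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
avahi    avahi-daem 96008 14 udp4   *:5353                *:*
avahi    avahi-daem 96008 16 udp4   *:26298               *:*
root     sendmail   94363 3  tcp4   127.0.0.1:25          *:*
ntpd     ntpd       92089 21 udp4   *:123                 *:*
ntpd     ntpd       92089 25 udp4   127.0.0.1:123         *:*
ntpd     ntpd       92089 29 udp4   192.168.1.5:123       *:*
'''

def parse_macros(text):
    """Return {'tcp': set(ports), 'udp': set(ports)} from pf macro lines like the ones above."""
    ports = {"tcp": set(), "udp": set()}
    for m in re.finditer(r'(\w+)_(tcp|udp)\s*=\s*"\{([^}]*)\}"', text):
        ports[m.group(2)].update(int(p) for p in m.group(3).split(","))
    return ports

def parse_sockstat(text):
    """Yield (command, proto, address, port) for each listening-socket line (header skipped)."""
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 6:
            continue
        addr, port = f[5].rsplit(":", 1)   # rsplit keeps IPv6 addresses such as ::1 intact
        yield f[1], f[4][:3], addr, int(port)

def exposed_listeners(sockstat_text, macro_text):
    """Listeners bound to a non-loopback address whose port no block macro covers."""
    blocked = parse_macros(macro_text)
    findings = []
    for cmd, proto, addr, port in parse_sockstat(sockstat_text):
        if addr in ("127.0.0.1", "::1") or addr.startswith("fe80::1%lo0"):
            continue  # loopback-only bind: not reachable via $ext_if
        if port in blocked[proto]:
            continue  # explicitly blocked inbound on $ext_if by the macro rules
        findings.append((cmd, proto, addr, port))
    return findings

if __name__ == "__main__":
    for cmd, proto, addr, port in exposed_listeners(SOCKSTAT, PF_MACROS):
        print(f"{cmd} {proto} {addr}:{port} relies on the default deny only")
```

On the sample this flags only avahi's random UDP port (26298), which is exactly the socket the post says is caught by `block log all` rather than by a macro; on a real box, pipe `sockstat -l46` in and check whether anything else turns up.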
 
Well, not sure "allow all outgoing" is the main problem here. What I do is place devices like my Chinese vacuum robot in a separate network zone. They can still connect to the internet, but not to anything in any other network zone…
This is a fine idea. I actually do the opposite: I have devices (like laser printers) that need to be available on the internal network, so laptops and the print server can reach them, but there is no need for them to ever talk to the outside world. So I put those into a network zone that is deliberately not allowed outgoing external connections. In theory, Linux devices (in particular Raspberry Pis used as IoT nodes) should be in the same category, since I don't trust Linux all that much ... but that makes it hard to upgrade their OS, so I have reluctantly moved them back to the fully trusted tier. I guess I could adjust my PF configuration so the Linux boxes can only get to Debian upgrade servers and nowhere else, but that's extra work.

This is an example of a generally nasty category of nodes: those that need to be reached from the internal network, but also need some contact with the outside world. It also includes weather stations, sprinkler controllers, remote-controllable thermostats. To make them more secure, I could do fine-grained control of what protocols they can use to what nodes (inside and outside), but that level of detail will make the whole system brittle.

Another nasty category is that I actually have to run servers that are reachable from the outside internet, to allow me to remotely log in, and remotely retrieve data. I handle that by having exactly one machine, just two ports (ssh and https, on obscured ports), and lots of attention to detail, such as authentication.

If there is one thing the OP needs to understand: In security, there is no "one size fits all". One common case (single workstation or laptop, on the unsecured worldwide network, only used by a local user) can be handled by following recipes found on the internet. But that common case should be handled on that one machine itself, and is not where the complexity will be found.

P.S. No, I won't publish my pf configuration here. I don't want attackers to find holes in it.
 