PF More eyes and suggestions

All:
I am new to pf and FreeBSD. I have read most of the man pages, Absolute FreeBSD and The Book of PF. I am currently reading The Design and Implementation of the FreeBSD Operating System as well. I just want someone to tell me whether I am even close with what I have. In general I might have overkill here or I might have items in the wrong order. I have pf and spamd set up. Questions:
How best do I send bruteforce, abuseipdb, and geo blocks straight to blocked, since translation has to come before filtering?
Do I really need the FTP passive ports listed in the macro if I have them set below in filtering?

Here is what I have currently.
Code:
#######################################################################
#                       PF Firewall                                   #
#######################################################################
# updated 12302020                                                    #
#######################################################################
#                       Macros                                        #
#######################################################################
server="vtnet0"

icmp_types = "{ echoreq, unreach }"
tcp_in_pass = "{ 20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999 }"
tcp_out_pass = "{ 20,21,22,25,43,53,80,110,113,443,587,993,995,2222,8081,11335,35000:35999 }"
udp_in_pass = "{ 20,21,53 }"
udp_out_pass = "{ 20,21,53,113,123,11335 }"
watch_ports = "{ 21,25,587,2222 }"

#######################################################################
#                      Tables                                         #
#######################################################################
table <geoblock> persist
table <bruteforce> persist
table <abuseipdb> persist
table <trusted> persist file "/usr/local/etc/whitelist_ips"
table <rfc1918>  const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <spamd> persist
table <spamd-white> persist

#######################################################################
#                      Options                                        #
#######################################################################
set loginterface vtnet0
set optimization aggressive
set block-policy return
set fail-policy return
set state-policy if-bound
set skip on lo0

#######################################################################
#                      Normalization                                  #
#######################################################################
scrub in on $server all fragment reassemble max-mss 1440

#######################################################################
#                      Translations                                   #
#######################################################################
#------Spamd Settings
rdr pass on $server inet proto tcp from <spamd> to \
      { $server } port smtp -> 127.0.0.1 port 8025
rdr pass on $server inet proto tcp from !<spamd-white> to \
      { $server } port smtp -> 127.0.0.1 port 8025

#######################################################################
#                      Packet Filter                                  #
#######################################################################
block in quick on $server from <rfc6890>
block return out quick on egress to <rfc6890>
block log quick from <geoblock>
block log quick from <abuseipdb>
block log quick from <bruteforce>
antispoof log quick for $server
anchor "blacklistd/*" in on $server
# ----"Block all in or out"
block
# ---- Allow ssh traffic from Trusted send bruteforcers to table
pass quick proto tcp from <trusted> to $server port { 22 } \
flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)
# ---- Allow incoming TCP
pass in proto tcp from any to $server port $tcp_in_pass
# ---- Allow incoming UDP
pass in proto udp from any to $server port $udp_in_pass
# ---- Allow tcp out
pass out proto tcp from $server to any port $tcp_out_pass
# ---- Allow UDP out
pass out proto udp from $server to any port $udp_out_pass
# ---- Allow Ftp and Passive
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port 35000:35999
# ---- Watch for attacks and block bruteforcers
pass proto { tcp, udp } from any to $server port $watch_ports \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 50/15, \
overload <bruteforce> flush global)
# ---- Allow ICMP
pass on $server inet proto icmp icmp-type $icmp_types

Thanks for being here.
 
In reading some other posts I assume I don't need the
<rfc1918> stuff
and only need
Code:
tcp_in_pass = "{ 20,21,22,25,53,80,110,143,443,465,587,993,995,2222 }"
on IN

Thanks.

Hopefully you all won't have to moderate my posts much longer.
 
Code:
rdr pass on $server inet proto tcp from <spamd> to \
      { $server } port smtp -> 127.0.0.1 port 8025
rdr pass on $server inet proto tcp from !<spamd-white> to \
      { $server } port smtp -> 127.0.0.1 port 8025
Don't use rdr pass if you want to be able to block later on. A rdr pass will allow the traffic and ignore all other filter rules.
Code:
    If the pass modifier is given, packets matching the translation rule are
     passed without inspecting the filter rules:

Code:
block in quick on $server from <rfc6890>
block return out quick on egress to <rfc6890>
Table isn't defined.

Code:
pass in proto tcp from any to $server port $tcp_in_pass
Why are you allowing a truckload of incoming ports here? I wouldn't allow FTP for starters, way too insecure. Learn to use SFTP (FTP over SSH).

Code:
pass in proto udp from any to $server port $udp_in_pass
FTP is TCP only, why allow UDP 20 and 21? Don't even allow FTP, use SFTP as mentioned above. And unless you're hosting an authoritative DNS domain you don't want to allow incoming DNS requests (both UDP and TCP port 53).
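The two mistakes pointed out in the reply above (a table that is referenced but never declared, and an `rdr pass` rule that skips the filter rules) are both easy to catch before `pfctl -f` ever loads the file. The POSIX sh script below is an added example, not something from this thread or from the pf project; it lints a pf.conf from stdin. The `SAMPLE_CONF` ruleset inside it is constructed for the demonstration and is not the poster's full file.

```shell
#!/bin/sh
# Added example (not from the thread): a small pf.conf lint in POSIX sh.
# It reports (1) table names used as <name> in rules but never declared with
# "table <name>", and (2) translation rules carrying the "pass" modifier,
# which pf.conf(5) says are passed without inspecting the filter rules.

# Constructed sample ruleset; not the poster's file. Backslash continuations
# and a comment are included on purpose to show that they are handled.
SAMPLE_CONF='server="vtnet0"
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <spamd> persist
table <spamd-white> persist
# a comment that mentions <not-a-table> is ignored
rdr pass on $server inet proto tcp from <spamd> to \
      { $server } port smtp -> 127.0.0.1 port 8025
rdr on $server inet proto tcp from !<spamd-white> to \
      { $server } port smtp -> 127.0.0.1 port 8025
block in quick on $server from <rfc6890>
block return out quick on egress to <rfc6890>
block log quick from <bruteforce>
block'

# Drop comments and join backslash-continued lines so that every rule sits on
# one physical line (stdin -> stdout).
normalize_conf() {
    sed 's/#.*$//' | awk '
        sub(/\\$/, "") { buf = buf $0 " "; next }
        { print buf $0; buf = "" }'
}

# Print, sorted and one per line, every <name> referenced by a rule that has
# no matching "table <name>" declaration (stdin -> stdout).
undefined_tables() {
    norm=$(normalize_conf)
    declared=$(printf '%s\n' "$norm" \
        | sed -En 's/^[[:space:]]*table[[:space:]]*<([^>]*)>.*/\1/p' | sort -u)
    used=$(printf '%s\n' "$norm" \
        | grep -Ev '^[[:space:]]*table[[:space:]]*<' \
        | grep -Eo '<[^<>[:space:]]+>' | tr -d '<>' | sort -u)
    for name in $used; do
        case " $(printf '%s\n' "$declared" | tr '\n' ' ')" in
            *" $name "*) ;;        # declared, nothing to report
            *) echo "$name" ;;     # referenced but never declared
        esac
    done
}

# Print translation rules that use the "pass" modifier (stdin -> stdout).
# Such packets bypass the filter rules, so a later "block" cannot stop them.
rdr_pass_rules() {
    normalize_conf \
        | grep -E '^[[:space:]]*(rdr|nat|binat)[[:space:]]+pass([[:space:]]|$)'
}

# Run both checks on a pf.conf read from stdin. Findings go to stdout;
# the exit status is 0 when the ruleset is clean and 1 otherwise.
lint_pf_conf() {
    conf=$(cat)
    status=0
    for t in $(printf '%s\n' "$conf" | undefined_tables); do
        echo "undefined table: <$t>"
        status=1
    done
    bad=$(printf '%s\n' "$conf" | rdr_pass_rules)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/bypasses filter rules: /'
        status=1
    fi
    return $status
}

# Lint the constructed sample when the file is run directly.
if printf '%s\n' "$SAMPLE_CONF" | lint_pf_conf; then
    echo "ruleset looks clean"
else
    echo "ruleset has problems (see above)"
fi
```

On the constructed sample the lint reports `<bruteforce>` and `<rfc6890>` as undefined and flags the single `rdr pass` line; the plain `rdr` rule is not reported, which is exactly the change suggested above. The script only looks at the text of the file, so it is a sanity check to run alongside `pfctl -nf /etc/pf.conf`, not a replacement for it.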
 
Don't use rdr pass if you want to be able to block later on. A rdr pass will allow the traffic and ignore all other filter rules.
Code:
    If the pass modifier is given, packets matching the translation rule are
     passed without inspecting the filter rules:
Dang it... The honorable Sir Dice responds on the first real post. Thank you sir. Second paragraph from . So true. Experience is something you don't get until just after you need it.

As Dad used to say "if we could drill a hole in your head and pour it in we would son."

so this

Code:
rdr on $server inet proto tcp from <spamd> to \
      { $server } port smtp -> 127.0.0.1 port 8025
rdr on $server inet proto tcp from !<spamd-white> to \
      { $server } port smtp -> 127.0.0.1 port 8025

example from the man page:
# RDR
# Translate incoming packets' destination addresses.
# As an example, redirect a TCP and UDP port to an internal machine.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \
-> 10.1.2.151 port 22
rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \
-> 10.1.2.151 port 53
awesome

Please any other stuff?

Update: Works like a champ..
 
Code:
block in quick on $server from <rfc6890>
block return out quick on egress to <rfc6890>
haha.. dang, I am old. Do I even really need this, to block private addressing?

should be
block in quick on $server from <rfc1918>
block return out quick on egress to <rfc1918>
I wouldn't allow FTP for starters, way to insecure. Learn to use SFTP (FTP over SSH).
The software I use can't do SFTP. I know, bad..
Why are you allowing a truckload of incoming ports here?
it's a hosting webserver
why allow UDP 20 and 21?
Right again..
 
Code:
#######################################################################
#                       PF Firewall                                   #
#######################################################################
# updated 12302020                                                    #
#######################################################################
#                       Macros                                        #
#######################################################################
server="vtnet0"

icmp_types = "{ echoreq, unreach }"
tcp_in_pass = "{ 20,21,22,25,53,80,110,143,443,465,587,993,995,2222 }"
tcp_out_pass = "{ 20,21,22,25,43,53,80,110,113,443,587,993,995,2222,8081,11335,35000:35999 }"
udp_in_pass = "{ 53 }"
udp_out_pass = "{ 53,113,123,11335 }"
watch_ports = "{ 21,25,587,2222 }"

#######################################################################
#                      Tables                                         #
#######################################################################
table <geoblock> persist
table <bruteforce> persist
table <abuseipdb> persist
table <trusted> persist file "/usr/local/etc/whitelist_ips"
table <rfc1918>  const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <spamd> persist
table <spamd-white> persist

#######################################################################
#                      Options                                        #
#######################################################################
set loginterface vtnet0
set optimization aggressive
set block-policy return
set fail-policy return
set state-policy if-bound
set skip on lo0

#######################################################################
#                      Normalization                                  #
#######################################################################
scrub in on $server all fragment reassemble max-mss 1440

#######################################################################
#                      Translations                                   #
#######################################################################
#------Spamd Settings
rdr on $server inet proto tcp from <spamd> to \
      { $server } port smtp -> 127.0.0.1 port 8025
rdr on $server inet proto tcp from !<spamd-white> to \
      { $server } port smtp -> 127.0.0.1 port 8025

#######################################################################
#                      Packet Filter                                  #
#######################################################################
block in quick on $server from <rfc1918>
block return out quick on egress to <rfc1918>
block log quick from <geoblock>
block log quick from <abuseipdb>
block log quick from <bruteforce>
antispoof log quick for $server
anchor "blacklistd/*" in on $server
# ----"Block all in or out"
block
# ---- Allow ssh traffic from Trusted send bruteforcers to table
pass quick proto tcp from <trusted> to $server port { 22 } \
flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)
# ---- Allow incoming TCP
pass in proto tcp from any to $server port $tcp_in_pass
# ---- Allow incoming UDP
pass in proto udp from any to $server port $udp_in_pass
# ---- Allow tcp out
pass out proto tcp from $server to any port $tcp_out_pass
# ---- Allow UDP out
pass out proto udp from $server to any port $udp_out_pass
# ---- Allow Ftp and Passive
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port 35000:35999
# ---- Watch for attacks and block bruteforcers
pass proto { tcp, udp } from any to $server port $watch_ports \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 50/15, \
overload <bruteforce> flush global)
# ---- Allow ICMP
pass on $server inet proto icmp icmp-type $icmp_types

Ok unless I missed something this is what I have now.
 
it's a hosting webserver
Only requires TCP 80 (HTTP) and 443 (HTTPS) incoming. As for incoming FTP, no need to open a big hole either. Only need to allow TCP 21 and use ftp-proxy(8) to open the data channel dynamically.

With regards to the authoritative DNS, make sure to disallow recursion or you're going to find your server will take part in DDoS attacks: DNS Amplification Attacks
 