All:
I am new to pf and FreeBSD. I have read most of the man pages, Absolute FreeBSD and The Book of PF. I am currently reading The Design and Implementation of the FreeBSD Operating System as well. I just want someone to tell me whether I am even close with what I have. In general I might have overkill here, or I might have items in the wrong order. I have pf and spamd set up. Questions:
What I have is: how best do I send the bruteforce, abuseipdb, and geo blocks straight to block, since translation has to come before filtering?
Do I really need the FTP passive ports listed in the macro if I have them set below in filtering?
Here is what I have currently.
Thanks for being here.
Code:
#######################################################################
# PF Firewall #
#######################################################################
# updated 12302020 #
#######################################################################
# Macros #
#######################################################################
server = "vtnet0"
icmp_types = "{ echoreq, unreach }"
# Ports accepted inbound to this host (includes FTP control and the
# passive data range 35000:35999).
tcp_in_pass = "{ 20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999 }"
tcp_out_pass = "{ 20,21,22,25,43,53,80,110,113,443,587,993,995,2222,8081,11335,35000:35999 }"
# FTP (20/21) and ident (113) are TCP-only protocols; the UDP entries
# for them pass nothing useful.
udp_in_pass = "{ 20,21,53 }"
udp_out_pass = "{ 20,21,53,113,123,11335 }"
# Services whose connection rate feeds the <bruteforce> table.
watch_ports = "{ 21,25,587,2222 }"
#######################################################################
# Tables #
#######################################################################
table <geoblock> persist
table <bruteforce> persist
table <abuseipdb> persist
table <trusted> persist file "/usr/local/etc/whitelist_ips"
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <spamd> persist
table <spamd-white> persist
#######################################################################
# Options #
#######################################################################
set loginterface vtnet0
set optimization aggressive
set block-policy return
set fail-policy return
set state-policy if-bound
set skip on lo0
#######################################################################
# Normalization #
#######################################################################
scrub in on $server all fragment reassemble max-mss 1440
#######################################################################
# Translations #
#######################################################################
#------Spamd Settings
# NOTE: "rdr pass" hands matching packets straight to spamd without
# evaluating any filter rule below, including the block tables.
rdr pass on $server inet proto tcp from <spamd> to \
{ $server } port smtp -> 127.0.0.1 port 8025
rdr pass on $server inet proto tcp from !<spamd-white> to \
{ $server } port smtp -> 127.0.0.1 port 8025
#######################################################################
# Packet Filter #
#######################################################################
# <rfc6890> was never declared; the table defined above is <rfc1918>.
# FreeBSD does not populate an "egress" interface group by default, so
# the outbound rule uses $server as well.
block in quick on $server from <rfc1918>
block return out quick on $server to <rfc1918>
block log quick from <geoblock>
block log quick from <abuseipdb>
block log quick from <bruteforce>
antispoof log quick for $server
anchor "blacklistd/*" in on $server
# ----"Block all in or out"
block
# ---- Allow SSH from <trusted>; sources that trip the limits go to <bruteforce>
pass quick proto tcp from <trusted> to $server port { 22 } \
flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)
# ---- Allow incoming TCP
pass in proto tcp from any to $server port $tcp_in_pass
# ---- Allow incoming UDP
pass in proto udp from any to $server port $udp_in_pass
# ---- Allow tcp out
pass out proto tcp from $server to any port $tcp_out_pass
# ---- Allow UDP out
pass out proto udp from $server to any port $udp_out_pass
# ---- Allow FTP control and the passive range (both already in $tcp_in_pass above)
pass in on $server proto tcp to port 21
pass in on $server proto tcp to port 35000:35999
# ---- Watch for attacks and block bruteforcers
# "flags" is only valid for TCP, so UDP cannot appear in this rule
# (every port in $watch_ports is a TCP service anyway).
pass proto tcp from any to $server port $watch_ports \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 50/15, \
overload <bruteforce> flush global)
# ---- Allow ICMP
pass on $server inet proto icmp icmp-type $icmp_types
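As an added example (not part of the original post, and not taken from the FreeBSD spamd documentation), here is a reduced pf.conf that makes the three block tables take effect before spamd sees anything. It assumes the same vtnet0 interface, the same tables and the same spamd listener (127.0.0.1:8025) as the post; the SSH exemption for <trusted> and the FTP passive range are my own choices for illustration. The key change is dropping the pass keyword from the rdr rules: translation still has to sit first in the file, but without pass the redirected SMTP packets continue into the filter rules with their destination already rewritten to 127.0.0.1:8025, which is why a dedicated pass rule for that translated destination appears below. The passive FTP range is listed exactly once.

```conf
# Added example, not from the original post. Assumes vtnet0, spamd on
# 127.0.0.1:8025 and the tables declared in the post; the <trusted>
# exemption and the FTP passive range are illustrative choices.
server = "vtnet0"

table <geoblock>    persist
table <abuseipdb>   persist
table <bruteforce>  persist
table <trusted>     persist file "/usr/local/etc/whitelist_ips"
table <spamd>       persist
table <spamd-white> persist

set block-policy return
set skip on lo0

scrub in on $server all fragment reassemble max-mss 1440

# Translation must still come first in the file. Without "pass" the
# redirected packet keeps going through the filter rules below, and those
# rules see it with the rewritten destination 127.0.0.1:8025.
rdr on $server inet proto tcp from <spamd> to $server port smtp \
    -> 127.0.0.1 port 8025
rdr on $server inet proto tcp from !<spamd-white> to $server port smtp \
    -> 127.0.0.1 port 8025

# Admin access is matched before the block tables so an overload event
# can never lock the <trusted> hosts out of SSH.
pass in quick on $server inet proto tcp from <trusted> to $server \
    port { 22, 2222 } flags S/SA keep state

# The three block tables, quick, ahead of every other filter rule: a listed
# source is dropped whether it is aiming at SSH, the MTA or the spamd
# redirect.
block log quick from <geoblock>
block log quick from <abuseipdb>
block log quick from <bruteforce>
antispoof log quick for $server

block

# Redirected SMTP needs its own pass rule on the translated destination.
# Sources that trip the rate limit land in <bruteforce> and are caught by
# the block above on their next packet.
pass in on $server inet proto tcp from any to 127.0.0.1 port 8025 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 50/15, \
     overload <bruteforce> flush global)

# Whitelisted senders are not redirected and reach the MTA directly.
pass in on $server inet proto tcp from <spamd-white> to $server port smtp \
    flags S/SA keep state

# FTP control plus the passive data range, listed once; a second rule or a
# macro entry for the same ports adds nothing.
pass in on $server inet proto tcp from any to $server \
    port { 21, 35000:35999 } flags S/SA keep state

pass out on $server inet proto { tcp, udp } from $server to any keep state
pass on $server inet proto icmp icmp-type { echoreq, unreach } keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it. `pfctl -t bruteforce -T show` lists what the overload has caught so far, and adding a test address with `pfctl -t bruteforce -T add` and then attempting an SMTP connection from it is a quick way to confirm that the block now applies ahead of the redirect rather than being skipped by it.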