My packet filter configuration

Hello,

I'd like you to help me improve my pf configuration. So, what do you think about it?

Code:
int_if= "wlan0"
table <deny-hosts> persist
table <ssh-bruteforce> persist

# Options must come before scrub and filter rules, or pfctl rejects the file.
set skip on lo0
scrub in all

block in log all
pass out quick inet
block in quick on $int_if from {<deny-hosts>, <ssh-bruteforce>}
pass in quick on $int_if from ($int_if:network) to any
pass in quick log on $int_if inet proto tcp from any to ($int_if) port 22 flags S/SA keep state ( max-src-conn-rate 2/10, overload <ssh-bruteforce> flush global)

Thanks, Gollum
 
Code:
pass in quick on $int_if from ($int_if:network) to any
pass in quick log on $int_if inet proto tcp from any to ($int_if) port 22 flags S/SA keep state ( max-src-conn-rate 2/10, overload <ssh-bruteforce> flush global)

The first rule already allows traffic from your internal network to the FreeBSD box. And it has a quick keyword, so the ssh rule never gets hit.
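To make the point about rule order concrete, here is an added Python model of how pf evaluates filter rules (example code written for this thread, not pf itself and not the poster's ruleset): the last matching rule wins unless a matching rule carries quick, which stops evaluation on the spot. The 192.168.1.0/24 network and the 192.168.1.1 address are constructed stand-ins for ($int_if:network) and ($int_if), and the rule labels are invented for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed stand-ins for pf's ($int_if:network) and ($int_if) expansions.
INT_NET: IPv4Network = ip_network("192.168.1.0/24")
INT_ADDR: IPv4Address = ip_address("192.168.1.1")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Rule:
    label: str                              # invented name, for reporting only
    action: str                             # "pass" or "block"
    quick: bool = False
    src_net: Optional[IPv4Network] = None   # None means "from any"
    dst: Optional[IPv4Address] = None       # None means "to any"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ip_address(pkt.src) not in self.src_net:
            return False
        if self.dst is not None and ip_address(pkt.dst) != self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Rule:
    """pf semantics: the last matching rule decides, unless a matching rule is 'quick'."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:        # 'quick' ends evaluation immediately
                break
    assert winner is not None, "rule set needs a catch-all 'block in log all'"
    return winner


BLOCK_ALL = Rule("block-all", "block")                                 # block in log all
LAN_QUICK = Rule("lan-any", "pass", quick=True, src_net=INT_NET)        # pass in quick ... from ($int_if:network)
LAN_NOQUICK = Rule("lan-any", "pass", quick=False, src_net=INT_NET)     # same rule without 'quick'
SSH = Rule("ssh", "pass", quick=True, dst=INT_ADDR, proto="tcp", dport=22)  # the rate-limited ssh rule

ORIGINAL = [BLOCK_ALL, LAN_QUICK, SSH]    # as posted: LAN rule is quick, ssh rule never decides LAN traffic
FIXED = [BLOCK_ALL, LAN_NOQUICK, SSH]     # drop 'quick' from the LAN rule so the ssh rule can win

# Constructed packets: a LAN host and an outside host, each to port 22 and port 80 on the box.
LAN_SSH = Packet("192.168.1.50", "192.168.1.1", "tcp", 22)
LAN_WEB = Packet("192.168.1.50", "192.168.1.1", "tcp", 80)
WAN_SSH = Packet("203.0.113.7", "192.168.1.1", "tcp", 22)
WAN_WEB = Packet("203.0.113.7", "192.168.1.1", "tcp", 80)

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for pkt in (LAN_SSH, LAN_WEB, WAN_SSH, WAN_WEB):
            r = evaluate(rules, pkt)
            print(f"{name:8} {pkt.src}->{pkt.dst}:{pkt.dport:<3} {r.action} by '{r.label}'")
```

With the posted ordering, a LAN connection to port 22 is decided by the broad LAN rule, so the ssh rule's max-src-conn-rate tracking never sees it; once quick is removed from the LAN rule, the ssh rule is the last (and quick) match and takes over, while LAN traffic to other ports still falls through to the LAN rule.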
 
Do you mean that the ssh rule will never get hit if the connection comes from the local network? How can I solve this issue?
 
Code:
pass in quick on $int_if from ($int_if:network) to any
pass in quick log on $int_if inet proto tcp from any to ($int_if) port 22 flags S/SA keep state ( max-src-conn-rate 2/10, overload <ssh-bruteforce> flush global)

Is that okay?
 
It seems that this firewall is protecting a single server. So, I would add another table:
Code:
table <me> { self }
And a few rules referring to <me> instead of any.
I would change the name 'int_if' to something more explicit, like 'net_if1'; the int_if name suggests a configuration with more than one network interface.
Another useful thing is to allow ICMP echo request packets, at least from a few networks.
Code:
net_if1= "wlan0"                # changed
icmp_allowed="echoreq"          # changed
table <deny-hosts> persist
table <ssh-bruteforce> persist
table <me> { self }             # changed

# Options must come before scrub and filter rules, or pfctl rejects the file.
set skip on lo0
# What to do on 'block' rule?
set block-policy return

scrub in all

block in log all
pass out quick inet
pass in inet proto icmp all icmp-type $icmp_allowed                        # changed
block in quick on $net_if1 from {<deny-hosts>, <ssh-bruteforce>}           # changed
pass in on $net_if1 from ($net_if1:network) to <me> keep state             # changed
pass in quick log on $net_if1 inet proto tcp from any to <me> port 22 flags S/SA keep state ( max-src-conn-rate 2/10, overload <ssh-bruteforce> flush global)   # changed
 
Another useful thing is to allow ICMP echo request packets, at least from a few networks.

What is the purpose of that rule, given that my PC is NATed behind my box, so only local machines can ping me, and that is allowed by
Code:
pass in on $net_if1 from ($net_if1:network) to <me> keep state
?

Otherwise, thanks for your help.

Gollum
 
If your machine is behind a NAT box, then <ssh-bruteforce> and <deny-hosts> are useful only if you want to block some local hosts and/or you use IP forwarding on the NAT box. I see now that the last rule contains 'quick', which is not needed in this context.
 
This should do it without the icmp packets:
Code:
# The $wlan0 macro was not defined in the posted snippet; assumed to name the interface.
wlan0 = "wlan0"

# Options must come before scrub and filter rules, or pfctl rejects the file.
set skip on lo0
scrub in on $wlan0 all fragment reassemble

block log all

antispoof for $wlan0 inet

pass out log on $wlan0 proto { tcp, udp, icmp } from any to any modulate state

table <ssh_abuse> persist
block in log quick from <ssh_abuse>

pass in on $wlan0 proto tcp to any port ssh flags S/SA keep state (max-src-conn 6, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
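What the ssh rule's source tracking does over time, as an added Python model written for this thread (an approximation of pf's behaviour, not pf's own code and not from any poster): a source that opens more than N new connections within S seconds (max-src-conn-rate N/S), or already holds M established connections (max-src-conn M), is put in the overload table and, with flush, loses the states it holds; a source in the table is then caught by the block in log quick from <ssh_abuse> rule. The two source addresses and the timestamps are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class SshAbuseTracker:
    """Approximate model of pf source tracking for one rule with
    'keep state (max-src-conn M, max-src-conn-rate N/S, overload <table> flush)'.
    Added example; it is not pf's implementation."""

    def __init__(self, max_conn: int, rate_limit: int, rate_seconds: int):
        self.max_conn = max_conn            # M: concurrent connections per source
        self.rate_limit = rate_limit        # N: new connections per window
        self.rate_seconds = rate_seconds    # S: window length in seconds
        self.window: Dict[str, Tuple[float, int]] = {}   # src -> (window start, count)
        self.states: Dict[str, int] = defaultdict(int)   # src -> open connections
        self.abuse_table: Set[str] = set()               # the <ssh_abuse> table

    def new_connection(self, src: str, now: float) -> str:
        """Process a new inbound connection attempt from src at time `now` (seconds)."""
        if src in self.abuse_table:
            return "blocked"                # 'block in log quick from <ssh_abuse>' wins
        start, count = self.window.get(src, (now, 0))
        if now - start >= self.rate_seconds:   # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self.window[src] = (start, count)
        if count > self.rate_limit or self.states[src] >= self.max_conn:
            self.abuse_table.add(src)       # overload <ssh_abuse>
            flushed = self.states.pop(src, 0)   # flush: kill this source's states
            self.window.pop(src, None)
            return f"overload(flushed={flushed})"
        self.states[src] += 1
        return "pass"

    def close_connection(self, src: str) -> None:
        """A connection from src ended normally; release its state."""
        if self.states[src] > 0:
            self.states[src] -= 1


def simulate(events: List[Tuple[float, str]], max_conn: int = 6,
             rate_limit: int = 3, rate_seconds: int = 5) -> List[str]:
    """Run (time, source) connection attempts through a tracker; defaults match the rule above."""
    tracker = SshAbuseTracker(max_conn, rate_limit, rate_seconds)
    return [tracker.new_connection(src, t) for t, src in events]


# Constructed traffic: an admin box connecting once a minute, and a scanner
# hammering port 22 five times in two seconds.
ADMIN = "192.168.1.20"
SCANNER = "198.51.100.9"
EVENTS = [(0.0, ADMIN), (0.5, SCANNER), (1.0, SCANNER), (1.5, SCANNER),
          (2.0, SCANNER), (2.5, SCANNER), (60.0, ADMIN), (120.0, ADMIN)]

if __name__ == "__main__":
    for (t, src), verdict in zip(EVENTS, simulate(EVENTS)):
        print(f"t={t:6.1f}s  {src:14} {verdict}")
```

With 3/5 the scanner's fourth attempt inside the window trips the overload and its three open states are flushed; the admin host's once-a-minute logins each land in a fresh window and keep passing. Calling simulate with rate_limit=2 and rate_seconds=10 shows the stricter 2/10 setting from the first post tripping one attempt earlier.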
 
This is my pf.conf file.
Code:
ext_if="re0"

# Options must come before scrub and filter rules, or pfctl rejects the file.
set skip on lo0
scrub in on $ext_if all fragment reassemble

block all

antispoof for $ext_if inet

### log nmap queso xprobe fingerprint probes that can possibly determine our operating sys.
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF

pass out on $ext_if proto { tcp, udp, icmp } from any to any flags any modulate state
pass in on tap0

table <ssh_abuse> persist
block in log quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)

TCP block rules are crude, but they sometimes help with OS scanning. Not all scans can be filtered, such as scanning with TCP options, since pf can't filter these. Still, it gives you the option to log these TCP packets.
Might be useful.
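How pf's flags a/b syntax decides whether one of these probe rules, or the S/SA on the ssh rule, matches a packet, as an added Python example written for this thread (not code from the post and not pf's own parser): the bit values are the standard TCP header flag bits, the rule list is copied from the pf.conf above in its posted order, and the sample flag bytes are constructed. Flags listed in a must be set, every other flag listed in b must be clear, and flags outside b are not examined at all.

```python
from functools import reduce
from typing import Dict, List, Optional, Tuple

# TCP header flag bits, keyed by the letters pf uses in 'flags a/b'.
FLAG_BITS: Dict[str, int] = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def letters_to_mask(letters: str) -> int:
    """Turn a string of pf flag letters (e.g. 'SA') into a TCP flag bitmask."""
    try:
        return reduce(lambda mask, letter: mask | FLAG_BITS[letter], letters, 0)
    except KeyError as exc:
        raise ValueError(f"unknown TCP flag letter {exc}") from None


def parse_flags(spec: str) -> Tuple[int, int]:
    """Parse 'a/b' into (must_be_set, examined) bitmasks.

    An empty a, as in '/WEUAPRSF', means every examined flag must be clear,
    i.e. a null packet."""
    set_part, sep, check_part = spec.partition("/")
    if not sep:
        raise ValueError("flags spec must have the form a/b")
    set_mask, check_mask = letters_to_mask(set_part), letters_to_mask(check_part)
    if set_mask & ~check_mask:
        raise ValueError("every flag in a must also appear in b")
    return set_mask, check_mask


def flags_match(spec: str, tcp_flags: int) -> bool:
    """True if a packet with this flag byte matches the pf 'flags' specification."""
    set_mask, check_mask = parse_flags(spec)
    return (tcp_flags & check_mask) == set_mask


# The six probe signatures from the pf.conf above, in the order they appear.
PROBE_RULES: List[str] = ["FUP/WEUAPRSF", "WEUAPRSF/WEUAPRSF", "SRAFU/WEUAPRSF",
                          "/WEUAPRSF", "SR/SR", "SF/SF"]


def first_matching_rule(tcp_flags: int) -> Optional[str]:
    """Which 'block in log quick' probe rule, if any, would log this packet."""
    for spec in PROBE_RULES:
        if flags_match(spec, tcp_flags):
            return spec
    return None


# Constructed sample flag bytes, as read from a TCP header.
SAMPLES: Dict[str, int] = {
    "plain SYN":     letters_to_mask("S"),
    "SYN/ACK reply": letters_to_mask("SA"),
    "null":          0x00,
    "xmas (FPU)":    letters_to_mask("FPU"),
    "SYN+FIN":       letters_to_mask("SF"),
    "SYN+RST":       letters_to_mask("SR"),
    "all flags":     0xFF,
}

if __name__ == "__main__":
    for name, bits in SAMPLES.items():
        hit = first_matching_rule(bits)
        print(f"{name:14} 0x{bits:02x}  probe rule: {hit or '-':18} matches S/SA: {flags_match('S/SA', bits)}")
```

A normal SYN matches none of the probe rules and does match S/SA, while a SYN/ACK fails S/SA because A is examined and must be clear; that is why S/SA on the ssh rule only creates state for genuine connection openers.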
 