Nothing is Being Blocked by PF

T

tpar44

Hi,

I am trying to set up PF on a remote machine to be my primary firewall as an experiment. I'm not too familiar with PF so I'd like to test it out before I deploy it. The steps I use are:

1. vi /etc/sysctl.conf and I append "net.inet.ip.forwarding=1" to that file to enable packet forwarding.
2. kldload pf
3. create my pf.conf in /etc
4. /etc/rc.d/pf onestart (this way i can reboot my box when I mess up the rules)

My pf.conf file is:

Code: 
#block the inbound traffic from the server itself
block in log quick from webserver to any
block in log quick from imap to any
block in log quick from snortips to any
block in log quick from windows to any
block in log quick from NFS to any
block in log quick from FreeBSD to any

#allow ICMP traffic to get through the firewall
block in log quick proto icmp from any to any 
block out log quick proto icmp from any to any

#allow inbound traffic to ssh, http, NFS
	#webserver
	pass in log quick proto tcp to webserver port 80
	#NFS Server
	pass in log quick proto tcp to NFS port 2049
	#SSH Server
	pass in log quick proto tcp to webserver port 22

	pass in log quick proto tcp to imap port 22
	pass in log quick proto tcp to snortips port 22
	pass in log quick proto tcp to windows port 22
	pass in log quick proto tcp to nfs port 22
	 
#allow new outbound traffic to ssh and web servers
	pass out log quick proto tcp from any to any port 22
	pass out log quick proto tcp from any to any port 80

#pasively ignore all other traffic 
#block in all
#block out all

Any help that could be given as to why nothing is being blocked or that if I uncomment the block in all and block out all rules I lose contact with the box (since I work remotely).

Thank you!
 
1) is easier to set using gateway_enable="YES" in /etc/rc.conf.

Start off with a block all and add rules for traffic you want to allow.
 
Just to be sure: if this is your real pf.conf I expect that in your /etc/hosts you have something like this:
Code: 
windows   10.1.1.1
webserver 10.1.1.2
FreeBSD   10.1.1.3
...

Otherwise, pf knows nothing about "windows" and "webserver".
 
Hi,

First thing, you need define servers IP's and external/internal interfaces:

Code: 
webserver="xxx.xxx.xxx.xxx"
imapserver="xxx.xxx.xxx.xxx“...

ext_if="your_interface_facing_internet_like_fx0"
int_if="interface_facing_servers_for_example_fx1"

Then you block and log blocked traffic:
Code: 
block log all

And grant ssh connection (I guess you connect with ssh remotely):
Code: 
pass in quick on $ext_if inet proto tcp from any to any port 22

Further you need allow traffic in to firewall and redirect it to servers (if needed-ssh too), for example to web server:
Code: 
pass in on $ext_if inet proto tcp from any to any port 80 rdr-to $webserver

Of course, you should allow traffic from servers trough firewall and outbound traffic:
Code: 
pass in on $int_if all
pass out all

This is not that hard, but you need some good reading with examples
http://home.nuug.no/~peter/pf/

CoTones
 
You must log in or register to reply here.
Back
Top