Packet Filter configuration

[leboeuf]

Hi everybody,

I installed a firewall on my new server. This is the configuration:

ext_if  = "em0"
myserver = "myserverip"

# Déclaration du tableau référençant toutes les adresses IP affectées au
# pare-feu.
table <firewall> const { self }

# Ne pas filtrer sur l'interface de bouclage
set skip on lo0

# Normalisation de tous les paquets entrants.
scrub in all

# Mise en place d'une politique d'interdiction par défaut.
block all

# Activation de la protection contre l'usurpation sur toutes les
# interfaces.
block in quick from urpf-failed

# Antispoof bloque les paquets usurpés
antispoof quick for em0 inet

# Créer la table abusive_hosts pour bloquer les IP floodeuses
table <flooders> persist
block in quick from <flooders>
table <abusive_hosts> persist file "/etc/abusive_hosts"
block in quick from <abusive_hosts>

# Autoriser connexions mais les surveiller via mandataire TCP SYN et les limiter
pass in log on $ext_if proto tcp to $myserver port www synproxy state \
	(max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush)

# Autoriser les connexions sortantes tcp, udp et icmp sur l'interface
# externe.
# les connexions tcp seront modulées, et udp/icmp auront un suivi
# d'état.
pass out on $ext_if proto { tcp udp icmp } all modulate state

# Autoriser les connexions ssh sur l'interface externe du moment
# qu'elles ne sont pas destinées au pare-feu lui-même. Journaliser le
# paquet qui initie la session afin de pouvoir déterminer qui s'est
# connecté. Activer un service mandataire SYN.
# Les drapeaux par défaut "S/SA" seront automatiquement appliqués à la
# règle par PF.
pass in log on $ext_if proto tcp to port ssh synproxy state \
	(max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush)

# MySQL
pass in quick on $ext_if proto tcp from any \
	to $ext_if port 3306 synproxy state

I just want to open web ports and mysql port. So the rules works for that. But I would like some advice. Do the rules seem effective to protect the server? I think about this part:

(max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush)

Is it effective against attacks like little ddos or flood SYN? I would like to protect my server against ddos attacks and flood SYN or just limit their impact. So are there other rules to protect the server against ddos attacks? How can I improve the syntax?

And I created the file /etc/abusive_hosts to use in combination with a script. I would like to know if there is some scripts which look at the port tcp to ban some IP and put them in this file. If you know some scripts like this, are they effective and can you show me some of them?

 

[leboeuf]

I would open some ports but just for the local (for the ip 127.0.0.1).

pass in on $ext_if proto tcp from 127.0.0.1 to $myserver port 22000

The syntax is correct? I think no because it seems not work. I just want open all the ports for the local (127.0.0.1). Can you help me please?

 

[SirDice]

Packets from 127/8 are not allowed to exit an interface. Similarly 127/8 is not accessible from outside the machine. Hence a rule like "127.0.0.1 to any" will not work.

 

[leboeuf]

So how can I open some ports ? Do you say something like this :

pass in on $ext_if proto tcp from 127.0.0.1/8 to $myserver port 22000

I just want allow the local ip to use some ports.

 

[kpa]

Are your rules really blocking access to $myserver from the local machine (assuming $myserver is bound to an interface on the machine itself)? You already have "set skip on lo0" so I don't see how the connections could be blocked.

 

[Alt]

I just want allow the local ip to use some ports.

When connection is opening, system select an inerface nearest to destination. In your case (destination server == source server) packets will go via lo0. So to allow local connection you should allow packets going via lo0. And, because you have this

set skip on lo0

your packets to server itself will be passed without going through PF rules. // I think it's normal thing for lo0

 

[leboeuf]

Are your rules really blocking access to $myserver from the local machine (assuming $myserver is bound to an interface on the machine itself)? You already have "set skip on lo0" so I don't see how the connections could be blocked.

You're right, I'm not sure that the rules are blocking access to $myserver from the local machine. I think it works.

When connection is opening, system select an inerface nearest to destination. In your case (destination server == source server) packets will go via lo0. So to allow local connection you should allow packets going via lo0. So, cus you have this

set skip on lo0

your packets to server itself will be passed without going PF rules. // I think its normal thing for lo0

In fact, I want that my server could send packets with some ports. I don't know if you understand me, I would use some ports to send packets with my server. For example, open the port 23000 to send packets with him but not allow external connexions to this port.

 

[SirDice]

I think it's a good idea to brush up on your TCP/IP networking skills before you start dealing with firewalls. When configuring a firewall it is imperative that you have a good solid understanding of how TCP/IP works.

http://www.tcpipguide.com/

 

[leboeuf]

Thank you, I solved my problem myself.

 

[gkontos]

Thank you, I solved my problem myself.

Take the advice and read about TCP/IP and firewalls. Dealing with Checkpoint firewalls, Cisco or PF doesn't have many differences once you understand the basics.
Regards,

George