pf firewall - cry for help

Hello everyone,

I have been trying to create a pf.conf for 3 weeks now but failed miserably...
My problem is that I have found lots of examples of pf.conf on the internet but I don't seem to be able to understand how pf works. I downloaded 'The book of Pf' but again there is no mention of the vocabulary used in Open PF.

So far the best resource that I found that had very clear explanation for beginners like me is on this video...
http://www.youtube.com/watch?v=E4c6ZJz_zbE

The problem is that if I want to learn more I need to pay $99.00 for a month subscription. Which at the moment is a very expensive price to pay. My plan is to set a PF firewall on my FreeBSD 10 ZFS host that will control all the traffic for my 3 jails (web,DB, mail, DNS). As this box will be facing the internet I need to be sure that it is set up correctly.

Could anyone please share their knowledge , links, tutorial...
Or if anyone has a similar setup to mine, could you post your pf.conf file so I can try to work it out

Thank you all in advance
Fred
 
The idea is to create a cloned interface for jails (lo1 for example), assign addresses for the host and jails and set up rdr to daemons inside the jails. If you want to secure your server in case of jail compromise, you can filter outbound connections from lo1 to ensure that jails are communicating with the host or with other jails in the proper way.
Also, you may want to disable stateful inspection for the jail interface if you have some load - to prevent the state table from getting _very_ big.
 
Hi @abishai
So far this is what I managed to do...
I'm fairly sure that this is not secure for my scenario
Code:
ext_if = em0
int_if = lo1
jail_ip_0 = 192.168.10.10
jail_ip_1 = 192.168.10.20
jail_ports_0 = "{ http,https }"
jail_ports_1 = "{ 6667,6669 }"


nat on $ext_if from 192.168.10.0/24 to any -> ($ext_if)
table <fail2ban> counters persist file "/var/db/pf/bf.table"

rdr on $ext_if proto tcp from any to $ext_if port $jail_ports_0 -> $jail_ip_0
rdr on $ext_if proto tcp from any to $ext_if port $jail_ports_1 -> $jail_ip_1

block drop in quick inet from <fail2ban> to any
antispoof for $ext_if # prevent several spoofing attacks
 
Hello,

Do the 3 nat lines below achieve the same output?
Code:
### Interfaces ###
 ExtIf ="bge0"
 IntIf ="lo1"

### Hosts ###
 webjail ="192.168.0.05"
 sqljail ="192.168.0.06"

nat on $ExtIf from $webjail       to any -> ($ExtIf) static-port
---
nat on $ExtIf from $IntIf:network to any -> ($ExtIf)
---
nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)
 
For a first go that actually doesn't look too bad at all. You seem to get the hang of it ;)

You may want to add something like these:
Code:
# don't process anything on lo0
set skip on lo0

# just block everything incoming
block in on $ext_if all
# Then allow what we need, remember that NAT happens before the rules so you need to use the internal IP addresses as destination
# (port matches need a protocol, so proto tcp is given explicitly)
pass in on $ext_if proto tcp from any to $jail_ip_0 port $jail_ports_0
pass in on $ext_if proto tcp from any to $jail_ip_1 port $jail_ports_1

# Allow SSH to the host
pass in on $ext_if proto tcp from any to $ext_if port 22
 
fred974 said:
Code:
nat on $ExtIf from $webjail       to any -> ($ExtIf) static-port
This one's different. It only NATs when traffic comes from the specific IP address of $webjail. It also tries to use the same source ports. Normally PF will pick its own random source port.

Code:
nat on $ExtIf from $IntIf:network to any -> ($ExtIf)
---
nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)
These two are essentially the same if $int_if has an IP address on the 192.168.0.0/24 network. The first is more flexible as it automatically changes if the IP address (and network) of $ext_if changes, the second is more 'static' and would require adjusting pf.conf.
 
@SirDice thank you very much for answering the questions. It's a big help to me :)
@abishai, I've read it but still finding it hard to understand. I guess the more I play with it, the more it will make sense :)
 
To understand what you're actually doing with pf or any other firewall it will be beneficial to learn what the IP stack is and an overview of how it works.

This may help: http://www.ipprimer.com/overview.cfm


The configuration syntax is the easy part - knowing what you are trying to do and why is what will serve you well in future whatever firewall package you decide to run.
 
throAU said:
To understand what you're actually doing with pf or any other firewall it will be beneficial to learn what the IP stack is and an overview of how it works.

This may help: http://www.ipprimer.com/overview.cfm


The configuration syntax is the easy part - knowing what you are trying to do and why is what will serve you well in future whatever firewall package you decide to run.

This is probably a good starting point.. I agree.
Thank you for the link :beergrin
 
Could anyone please explain the difference between
Code:
block drop in quick inet from <fail2ban> to any
and
Code:
 block in quick on $ext_if from <fail2ban> to any
My understanding is that the 2nd option will block all incoming packets from outside that exist in the <fail2ban> table and make it persistent for later
I assume that the 1st option will be similar but don't understand the following vocab:
drop inet
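As an added example (not posted by anyone in this thread), here is one way the pieces discussed above fit together into a single pf.conf for the jails-on-lo1 setup: the nat/rdr lines, SirDice's default-deny and pass rules, abishai's point about limiting traffic between jails, and the <fail2ban> block rule with its keywords explained in comments. Interface names and addresses are assumed values taken from the posts and need adapting.

```pf
# Added example, not from any poster in this thread. Values are assumed.
ext_if   = "em0"              # interface facing the internet
jail_if  = "lo1"              # cloned loopback carrying the jail addresses
jail_net = "192.168.10.0/24"  # network the jails live on
web_jail = "192.168.10.10"
irc_jail = "192.168.10.20"
web_ports = "{ http, https }"
irc_ports = "{ 6667, 6669 }"

# Addresses banned by fail2ban. "persist" keeps the table even if no rule
# references it, "counters" keeps per-address hit counters, "file" preloads it.
table <fail2ban> counters persist file "/var/db/pf/bf.table"

# Never filter the real loopback.
set skip on lo0

# Translation. In FreeBSD's pf, nat/rdr are evaluated before the filter rules,
# so the pass rules below match on the jail (post-rdr) addresses.
nat on $ext_if from $jail_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports -> $web_jail
rdr on $ext_if proto tcp from any to ($ext_if) port $irc_ports -> $irc_jail

# Banned sources first.
#   drop  - discard silently instead of answering with TCP RST / ICMP unreachable
#           (this is also the default unless "set block-policy return" is used)
#   inet  - match IPv4 only ("inet6" would be the IPv6 counterpart)
#   quick - stop evaluating rules as soon as this one matches
block drop in quick on $ext_if inet from <fail2ban> to any

# Default deny on the external interface, then allow only what is served.
# A "port" match requires proto tcp or udp.
block in on $ext_if all
pass in on $ext_if proto tcp from any to $web_jail port $web_ports
pass in on $ext_if proto tcp from any to $irc_jail port $irc_ports
pass in on $ext_if proto tcp from any to ($ext_if) port ssh   # SSH to the host

# Jails may talk to the internet (outbound states are created here)...
pass out on $ext_if all

# ...but not to each other by default, so a compromised jail cannot reach the
# others freely. Explicit jail-to-jail pass rules (e.g. web -> DB) go after this.
block in on $jail_if from $jail_net to $jail_net
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; pfctl only parses the rules and reports syntax errors such as a port match without a protocol.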
 