pf rule-set, your advice.

I am trying to compose a PF rule-set for my FreeBSD system. FreeBSD is installed on a stand-alone, fully equipped desktop PC which will replace a Windows XP SP3 box. The FreeBSD machine is just a personal workstation in a home network of a few Windows PCs and doesn't run any services.

The pf.conf that I am currently using is:
Code:
set block-policy return
scrub in all
tcp_services="{ssh, smtp, domain, www, pop3, auth, pop3s, http, https, imap, imaps imap3, telnet, ntp}"
udp_serices="{domain}"
trusted="{193.239.214.227 192.168.1.11}"
#193.239.214.227 is a time server; 192.168.1.11 is a win PC in the home network

block all
pass in  log proto tcp to $trusted keep state
pass out log proto tcp to $trusted keep state
pass log proto udp to $trusted keep state

pass out proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state

pass proto icmp from any to any   # I will remove this line later, doing some tests now.

Though I am a little bit familiar with Windows firewalls, I am not confident with the PF rule set that I came up with. Could you please offer some advice on how to make it safer? Am I missing something?
 
You fail to mention your FreeBSD version. This is important. If memory serves me right, you can drop the keep state from rules from 8.0+, so it's very likely you can drop them.

Caveat: trusting a Windows machine makes the firewall largely obsolete. :OOO

I would put trusted in a table, they're made for this:

Code:
table <trusted> persist { 193.239.214.227, 192.168.1.11 }

Define interfaces and skip lo0:
Code:
ext_if="vtnet0" # check ifconfig for interface name
set skip on lo

Typo:
Code:
udp_serices => udp_services

Bind restrictions to the interface; don't log passes, since you'll be out of disk space very soon; there's no need to restrict protocols on trusted machines:
Code:
block log all
pass in on $ext_if to <trusted>
pass out on $ext_if from <trusted> # from, not to

If you're looking for a better rule for ICMP:
Code:
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex, echoreq }

And finally:
Code:
# Silence windows traffic and keep it from spamming the logs.
block in on $ext_if proto { tcp, udp } from any to ($ext_if) port { netbios-ns, netbios-dgm, netbios-ssn }
Hope this helps.
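Putting the pieces of the reply above together, here is a complete pf.conf for a stand-alone FreeBSD workstation. This is an added example written for this page, not the original poster's file or the replier's: the interface name vtnet0 is a placeholder, the service list is taken from the question with the duplicate www/http collapsed, and the trusted addresses are the two from the thread. Direction is written from the workstation's point of view (inbound packets carry a trusted source, outbound packets a trusted destination), and the NetBIOS block uses quick so that it also silences the trusted Windows PC's broadcasts instead of being overridden by the later pass rule.

```pf
# /etc/pf.conf for a stand-alone FreeBSD workstation that runs no services.
# Added example assembled from the thread; not the original poster's file.
# Section order matters on older pf: macros, tables, options, scrub, filter rules.

ext_if = "vtnet0"   # assumption: placeholder, replace with your NIC from ifconfig (em0, re0, ...)

# Ports this workstation may open outbound client connections to.
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, https, imap, imaps, imap3, telnet, ntp }"
udp_services = "{ domain }"

# Hosts allowed to talk to the workstation on any protocol and port.
# 193.239.214.227 is the time server, 192.168.1.11 the Windows PC from the thread.
table <trusted> persist { 193.239.214.227, 192.168.1.11 }

set block-policy return   # answer blocked TCP with RST / UDP with ICMP unreachable instead of a silent drop
set skip on lo0           # never filter loopback
scrub in all              # normalise and reassemble inbound packets

# Default deny, logged: everything not explicitly passed below shows up on pflog0.
block log all

# Silence NetBIOS noise from the Windows LAN without logging it. 'quick' stops rule
# evaluation here, so the trusted-host pass rule below cannot re-allow it.
block in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port { netbios-ns, netbios-dgm, netbios-ssn }

# Trusted hosts: any protocol, any port, both directions. State is kept by default
# on FreeBSD's pf, so no explicit 'keep state' is needed on these or the rules below.
pass in  on $ext_if from <trusted> to ($ext_if)
pass out on $ext_if from ($ext_if) to <trusted>

# Everyone else: outbound client traffic only, to the listed service ports.
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_services
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_services

# ICMP: let the box be pinged and receive the error messages that path MTU
# discovery, traceroute and TTL expiry rely on; allow it to send ICMP itself.
pass in  on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex, echoreq }
pass out on $ext_if inet proto icmp from ($ext_if) to any
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm what is actually active with `pfctl -sr` and `pfctl -t trusted -T show`. To make it persistent add `pf_enable="YES"` and `pflog_enable="YES"` to /etc/rc.conf; the logged blocks can then be watched with `tcpdump -n -e -ttt -i pflog0`, which is also the quickest way to see whether the NetBIOS rule is doing its job.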
 