PF rules for webserver, something missing?

Mikael

Hi!

As a getting-to-know FreeBSD project I'm setting up a small personal webserver. The PF rules I have for the moment:
Code:
# Macros
EXT="em0"

# Block everything by default
block all

# Allow everything to/from localhost
pass in quick on lo0 all
pass out quick on lo0 all

# In
pass in on $EXT proto tcp from any to port {22, 80}

# Out
pass out on $EXT all
Am I missing something that really should be there? Connection limiting seems hard with proxies etc.

Slightly OT, the only optimization I've done (FreeBSD 8, Generic amd64) is:
kern.ipc.somaxconn=1024
The same question applies here, am I missing something important?

PS. Nginx+PHP+MySQL on FreeBSD is blazingly fast :)
 

SirDice (Administrator)

You may want to use "keep state" on your pass rules. That will 'automagically' allow the response through the firewall.

As for your other question read the tuning(7) man page.
 
Mikael (OP)

"keep state" is added "automagically", no?
Code:
# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
block drop all
pass in quick on lo0 all flags S/SA keep state
pass out quick on lo0 all flags S/SA keep state
pass in on em0 proto tcp from any to any port = http flags S/SA keep state
pass in on em0 proto tcp from any to any port = https flags S/SA keep state
pass out on em0 all flags S/SA keep state
Thanks for the man page link, I've glanced at it before but will give it a real look this time.
 

J65nko

My suggestions:
  • Change block all to block log all

    Now blocked packets will show up on the pflog0 device. You can watch them with tcpdump -eni pflog0. Great for debugging.

  • A simple set skip on lo0 to replace pass in quick on lo0 all and pass out quick on lo0 all

  • You can use quick to circumvent pf's last-matching-rule-wins strategy.

  • If you are not using IPv6 use inet to only allow IPv4 traffic.
The revised version:
Code:
# Macros
EXT="em0"

set skip on lo0

# Block everything by default
block log all

# In
pass in quick on $EXT inet proto tcp from any to port {22, 80}

# Out
pass out quick on $EXT inet all
A test load
Code:
# pfctl -vvnf test.pf
EXT = "em0"
set skip on { lo0 }
@0 block drop log all
@1 pass in quick on em0 inet proto tcp from any to any port = ssh flags S/SA keep state
@2 pass in quick on em0 inet proto tcp from any to any port = www flags S/SA keep state
@3 pass out quick on em0 inet all flags S/SA keep state
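The ruleset below is an added example, not code posted by Mikael, SirDice or J65nko. It pulls the thread's suggestions together (set skip on lo0, block log, quick, inet, and explicit keep state, which pfctl showed is implied anyway) and also addresses the connection-limiting question from the first post, using pf's per-source state limits with an overload table, which FreeBSD 8's pf supports. The interface name em0, the table name <abusers>, the service set (sshd on 22, nginx on 80) and every limit value are assumptions.

```pf
# /etc/pf.conf  (added example; em0, <abusers> and all limits are assumed)
# IPv4 only: every pass rule carries "inet", so IPv6 falls into the
# default block below, as J65nko suggested for a host not using IPv6.

ext_if = "em0"

# Hosts that exceed a per-source limit are put here. pf never removes
# entries by itself; see the usage note for expiring them.
table <abusers> persist

set skip on lo0
set block-policy drop

# Reassemble fragments before any rule looks at the packet.
scrub in on $ext_if all

# Drop packets whose source address could not legitimately arrive on em0.
antispoof log quick for $ext_if inet

# Default deny, logged to pflog0 (watch with: tcpdump -n -e -ttt -i pflog0).
block log all

# Anything from a host that tripped a limit is dropped at once.
block in log quick on $ext_if inet from <abusers> to any

# SSH: at most 10 concurrent connections per source address and at most
# 5 new connections per 30 seconds. An offender goes into <abusers> and
# all of its existing states, on every rule, are killed (flush global).
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <abusers> flush global)

# HTTP: same mechanism, with much looser limits, because many legitimate
# browsers share one source address behind a NAT or a proxy. Only the
# states created by this rule are flushed for an offender.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port http \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 60/10, \
     overload <abusers> flush)

# Allow ping; the echo replies are matched by the state.
pass in quick on $ext_if inet proto icmp icmp-type echoreq keep state

# Everything the server initiates itself (DNS, freebsd-update, ...) goes
# out, and the state lets the answers back in.
pass out quick on $ext_if inet all keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, exactly as in the test load above. pfctl -t abusers -T show lists the hosts that have been caught, and a cron job running pfctl -t abusers -T expire 3600 removes entries older than an hour so a shared proxy is not locked out forever. That shared-address problem is the real cost of per-source limits: the numbers above are only a starting point, and the SSH limit in particular assumes you do not administer the box from behind a busy NAT.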
 