PF rules for webserver, something missing?

Hi!

As a getting-to-know FreeBSD project I'm setting up a small personal webserver. The PF rules I have for the moment:
Code:
# Macros
EXT="em0"

# Block everything by default
block all

# Allow everything to/from localhost
pass in quick on lo0 all
pass out quick on lo0 all

# In
pass in on $EXT proto tcp from any to port {22, 80}

# Out
pass out on $EXT all

Am I missing something that really should be there? Connection limiting seems hard with proxies etc.

Slightly OT, the only optimization I've done (FreeBSD 8, Generic amd64) is:
kern.ipc.somaxconn=1024
The same question applies here, am I missing something important?

PS. Nginx+PHP+MySQL on FreeBSD is blazingly fast :)
 
You may want to use "keep state" on your pass rules. That will 'automagically' allow the response through the firewall.

As for your other question read the tuning(7) man page.
 
"keep state" is added "automagically", no?
Code:
# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
block drop all
pass in quick on lo0 all flags S/SA keep state
pass out quick on lo0 all flags S/SA keep state
pass in on em0 proto tcp from any to any port = http flags S/SA keep state
pass in on em0 proto tcp from any to any port = https flags S/SA keep state
pass out on em0 all flags S/SA keep state

Thanks for the man page link, I've glanced at it before but will give it a real look this time.
 
My suggestions:
  • Change block all to block log all

    Now blocked packets will show up on the pflog0 device. You can watch them with tcpdump -eni pflog0. Great for debugging.

  • A simple set skip on lo0 to replace pass in quick on lo0 all and pass out quick on lo0 all

  • You can use quick to circumvent pf's last matching rule wins strategy.

  • If you are not using IPv6 use inet to only allow IPv4 traffic.

The revised version:
Code:
# Macros
EXT="em0"

set skip on lo0

# Block everything by default
block log all

# In
pass in quick on $EXT inet proto tcp from any to port {22, 80}

# Out
pass out quick on $EXT inet all

A test load
Code:
# pfctl -vvnf test.pf
EXT = "em0"
set skip on { lo0 }
@0 block drop log all
@1 pass in quick on em0 inet proto tcp from any to any port = ssh flags S/SA keep state
@2 pass in quick on em0 inet proto tcp from any to any port = www flags S/SA keep state
@3 pass out quick on em0 inet all flags S/SA keep state
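To make the "last matching rule wins" and "quick" points above concrete, here is an added example that is not part of this thread: a small Python model of how pf walks a ruleset, with the original and the revised rulesets from the posts transcribed into it. The names Rule, Packet, evaluate and MISORDERED are this example's own; "set skip on lo0" is modelled as a skip set handed to evaluate rather than as a rule, and "keep state" is left out because it does not change which rule decides a fresh packet.

```python
"""Toy model of pf rule evaluation: the last matching rule wins unless a
matching rule carries 'quick', which ends evaluation at once.
Hypothetical helper code for illustration; it is not pf and not from the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                       # "block" or "pass"
    direction: Optional[str] = None   # "in", "out", or None (matches both)
    iface: Optional[str] = None       # interface name, None = any interface
    af: Optional[str] = None          # "inet", "inet6", or None = any family
    proto: Optional[str] = None       # "tcp", "udp", or None = any protocol
    dports: frozenset = frozenset()   # empty = any destination port
    quick: bool = False
    log: bool = False                 # kept for completeness; no effect here


@dataclass
class Packet:
    direction: str
    iface: str
    af: str
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion the rule specifies agrees with the packet."""
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.af is None or rule.af == pkt.af)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(rules: List[Rule], pkt: Packet,
             skip: frozenset = frozenset()) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule).
    Interfaces in `skip` model 'set skip on': their traffic is not filtered.
    When no rule matches, pf's default is pass, reported with index None."""
    if pkt.iface in skip:
        return ("pass", None)
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule.action, i)   # a later match overrides an earlier one
            if rule.quick:                # ...unless the match is 'quick'
                break
    return decision


SERVICES = frozenset({22, 80})

# Ruleset from the first post, in the order written.
ORIGINAL = [
    Rule("block"),
    Rule("pass", "in", "lo0", quick=True),
    Rule("pass", "out", "lo0", quick=True),
    Rule("pass", "in", "em0", proto="tcp", dports=SERVICES),
    Rule("pass", "out", "em0"),
]

# Revised ruleset; 'set skip on lo0' is expressed as skip={"lo0"} at call time.
REVISED = [
    Rule("block", log=True),
    Rule("pass", "in", "em0", af="inet", proto="tcp", dports=SERVICES, quick=True),
    Rule("pass", "out", "em0", af="inet", quick=True),
]

# Constructed counter-example: the same pass rules without 'quick', with the
# block placed last. Last-match-wins lets the block override every pass.
MISORDERED = [
    Rule("pass", "in", "em0", proto="tcp", dports=SERVICES),
    Rule("pass", "out", "em0"),
    Rule("block"),
]


def demo() -> None:
    """Print the verdict of each ruleset for a few constructed packets."""
    samples = [
        Packet("in", "em0", "inet", "tcp", 80),     # web traffic
        Packet("in", "em0", "inet", "tcp", 443),    # not opened
        Packet("in", "em0", "inet6", "tcp", 80),    # IPv6: passed only without 'inet'
        Packet("out", "em0", "inet", "udp", 53),    # outbound DNS
        Packet("in", "lo0", "inet", "tcp", 3306),   # local MySQL connection
    ]
    for pkt in samples:
        print(pkt, "original:", evaluate(ORIGINAL, pkt),
              "revised:", evaluate(REVISED, pkt, skip=frozenset({"lo0"})),
              "misordered:", evaluate(MISORDERED, pkt))


if __name__ == "__main__":
    demo()
```

Running demo() shows why the posted order works: the block rule matches everything first, and a later pass rule overrides it only for the traffic it names. The IPv6 packet is the one place the two rulesets disagree, which is exactly what adding inet buys you.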
 