PF Quick pf.conf review?

[kalleboy]

Hello there.

I've a tiny FreeBSD VPS with two jails running within it. I'm reaching out the jails remotely via SSH (First jail: My.public.IP.addr:4215 - 2nd one: my.public.IP.addr:4214) by having the config below.

lo1 = My Jails' virtual local interface I created via rc.conf. I don't know if "set skip on lo1" correct for such case? Should the scrub line come before all as below?

Is the below configuration seems correctly implemented and fine? Any suggestions on further network stability or security-focus would be much appreciated and respected.

Some kind PF experts around here? Thank you in advance.

ext_if = "em0"
int_if = "lo1"

scrub in all fragment reassemble

set skip on lo0
set skip on lo1

#Open my Jails to the Internet
nat on $ext_if from ($int_if:network) to any -> ($ext_if:0)

#Direct SSH access to Jail 1
rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port 4215 -> 10.0.0.2 port 22

#Direct SSH access to Jail 2
rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port 4214 -> 10.0.0.3 port 22

pass out all

 

[diizzy]

You probably don't want open access to sshd, otherwise it looks okay for what it is I guess.
By reading https://forums.freebsd.org/threads/generic-nat-firewall-pf-config-template.60144/ you might get some more ideas.

 

[kalleboy]

Thanks diizzy,

I'd like to ask;

Is "scrub" really needed for lo1 (int_if) in my case? lo1 is the virtual interface of my jails on my host.

And is it important for scrub to come before "set skip on" or after it?

 

[VladiBG]

The statement order is detailed explained in pf.conf(5)

macros, tables, options, normalization, queueing, translation, filtering.

"set skip" is in options section
"scrub" is in normalization

 

[kalleboy]

The statement order is detailed explained in pf.conf(5)

macros, tables, options, normalization, queueing, translation, filtering.

"set skip" is in options section
"scrub" is in normalization

Thank you very much, that was very useful!

And what categories are;
"nat on" line
"rdr" line
"antispoof" line?
I assume "pass" and "block" are filtering?

 

[VladiBG]

Open this link: pf.conf(5)
NAT and redirect are under translation.
Antispoof is link/macro which expand to block command. It's also very well explained with examples in the pf.conf manual. So "antispoof" is part of filtering.

 

[Alex Seitsinger]

Greetings!
pf.conf requires that each section be included in certain order. pf.conf(5) explains this under the section statement order. Below is the modified file.

# MACROS
#
ext_if = "em0"
int_if = "lo1"

# OPTIONS
#
set skip on lo0
set skip on lo1
set block-policy drop
set state-policy if-bound
set loginterface $ext_if

# NORMALIZTION
#
scrub in all fragment reassemble

# TRANSLATION
#
# Open my Jails to the Internet
nat on $ext_if from ($int_if:network) to any -> ($ext_if:0)
#Direct SSH access to Jail 1
rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port 4215 -> 10.0.0.2 port 22
#Direct SSH access to Jail 2
rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port 4214 -> 10.0.0.3 port 22

# FILTER
#
block drop log all
pass out log on $ext_if from ($ext_if) to any

 

[SirDice]

Just a heads-up, when you use rdr pass or nat pass, keep in mind that the pass there will allow all traffic and the rest of your ruleset is complete ignored. Which basically means you cannot block abusers any more.

rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port 4215 -> 10.0.0.2 port 22

block in on $ext_if inet from <blocklist> to 10.0.0.2 port 22

That block rule would never be evaluated, thus your blocklist would be useless. If you want to use this you will need to split up the rdr and pass rules.

rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 4215 -> 10.0.0.2 port 22

pass in on $ext_if inet from any to 10.0.0.2 port 22
block in on $ext_if inet from <blocklist> to 10.0.0.2 port 22

Also remember that NAT happens before the rules are evaluated.

 

[kalleboy]

Just a heads-up, when you use rdr pass or nat pass, keep in mind that the pass there will allow all traffic and the rest of your ruleset is complete ignored. Which basically means you cannot block abusers any more.

Very important details that I completely missed, SirDice thank you so much for this!

By the way, Alex Seitsinger it seems you added; "set state-policy if-bound" and "set loginterface $ext_if", what do they change/implement in my case?

Thank you!

 

[Alex Seitsinger]

Very important details that I completely missed, SirDice thank you so much for this!

By the way, Alex Seitsinger it seems you added; "set state-policy if-bound" and "set loginterface $ext_if", what do they change/implement in my case?

Thank you!

set state-policy if-bound: States are bound to an interface.
set loginterface $ext_if: Enable collection of packet and byte count statistics for the given interface or interface group.

 

[kalleboy]

Alex Seitsinger thanks for these.

So, in my case;

lo1 is virtual interface I created in rc.conf, for my Jails to have virtual IPs through that interface, and NAT for them so that they could be online through my external interface with public IP address, should I have set state-policy if-bound?

 

[Alex Seitsinger]

Alex Seitsinger thanks for these.

So, in my case;

lo1 is virtual interface I created in rc.conf, for my Jails to have virtual IPs through that interface, and NAT for them so that they could be online through my external interface with public IP address, should I have set state-policy if-bound?

I still think it's a good idea as the state(s) are still using the cloned loopback interface.

 

[kalleboy]

Thanks a lot Alex Seitsinger , my last question;

should scrub include all the interfaces (cloned loopback ones too) or only scrubbing ext_if would be the correct way?

Regards.

 

[VladiBG]

Normally you need it on the WAN facing interface where you want to do virtual packet reassembly before the NAT and IPsec. It doesn't hurt to leave it on all interfaces even if you won't get any fragmented packets from the internal interface.