PF scrub in all on a Workstation

Hi
I come from Linux, so the firewall is very different. But I have made an attempt (a suggestion) at a pf firewall for my desktop. I am running with the ZFS file system. Is it set up correctly? Otherwise, correct me.

But first I would like to know what scrub in all means. From what I have been able to read, it has something to do with keeping the file system healthy and optimized?

Step 1:
Create /etc/pf.conf with the following contents:

Code:
set skip on lo0
scrub in all
block in all
pass out all keep state

Step 2:
Add the following code to /etc/rc.conf
Code:
firewall_enable="YES"
firewall_type="workstation"
# log denied packets to /var/log/security
firewall_logdeny="YES"
pf_enable="YES"
pf_program="/sbin/pfctl"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

Step 3. Add the following content to /etc/pf.conf
Code:
### Macro name for external interface
ext_if = "Network Interface Designation Goes Here"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spoof
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any

### Keep and modulate state of outbound traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
 
But first I would like to know what scrub in all means. From what I have been able to read, it has something to do with keeping the file system healthy and optimized?
Why should a firewall have anything to do with a filesystem? Context matters!

In ZFS context, scrub is a process you can start that will basically read everything in order to check for checksum errors.

In pf context, scrub is a rule that will do lots of sanity checks (and fixes) on network packets. The comment in your config already tells what the extra parameters to scrub do here.
 
From man pf.conf:
Traffic Normalization (e.g. scrub)
Traffic normalization protects internal machines against
inconsistencies in Internet protocols and implementations.

Also, this:
firewall_enable="YES"
firewall_type="workstation"
# log denied packets to /var/log/security
firewall_logdeny="YES"
pf_enable="YES"
means you're running both pf and ipfw. Do not do that.
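The rc.conf conflict called out above (and again in the later review, which notes that FreeBSD ships three firewalls), checked by script. This is an added example, not code from the thread: it assumes POSIX sh with awk and models rc.conf the way rc.subr(8) reads it, namely that the file is sourced as shell (a later assignment overrides an earlier one) and that checkyesno() accepts yes/true/on/1 in any case, which is why the firewall_enable="No" that appears later in the thread also counts as off. The sample rc.conf written by write_sample_rcconf is the Step 2 block posted above; firewall_enable (ipfw), pf_enable (pf) and ipfilter_enable (ipfilter) are the real rc.conf knobs.

```shell
#!/bin/sh
# Added example (not from the thread): report which of FreeBSD's firewalls an
# rc.conf actually enables, so "pf_enable=YES" next to "firewall_enable=YES"
# (pf plus ipfw) is caught before a reboot.
# Assumptions: POSIX sh and awk; rc.conf semantics as in rc.subr(8): the file
# is sourced, so the last assignment of a variable wins, and checkyesno()
# treats yes/true/on/1 as enabled, case-insensitively.

# Print the enabled firewall services, one per line, sorted. Pass the files in
# the order rc(8) sources them: /etc/defaults/rc.conf first, then /etc/rc.conf.
enabled_firewalls() {
    awk '
    BEGIN {
        fw["firewall_enable"] = "ipfw"      # the ipfw(4) knob, despite its name
        fw["pf_enable"]       = "pf"
        fw["ipfilter_enable"] = "ipfilter"
    }
    { sub(/#.*/, "") }                      # drop comments (quoted # not expected)
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ {
        line = $0; sub(/^[ \t]+/, "", line)
        name = line; sub(/=.*/, "", name)
        val  = line; sub(/^[^=]*=/, "", val)
        gsub(/["\047]/, "", val)            # strip sh quoting
        sub(/[ \t].*/, "", val)
        last[name] = tolower(val)           # a later line overrides an earlier one
    }
    END {
        for (v in fw)
            if (last[v] ~ /^(yes|true|on|1)$/) print fw[v]
    }' "$@" | sort
}

# Return 0 when at most one firewall is enabled, 1 otherwise (names on stderr).
check_single_firewall() {
    names=$(enabled_firewalls "$@" | tr '\n' ' ')
    n=$(enabled_firewalls "$@" | wc -l | tr -d ' ')
    if [ "$n" -gt 1 ]; then
        echo "rc.conf enables $n firewalls at once: $names" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the Step 2 rc.conf posted in the thread, verbatim.
write_sample_rcconf() {   # $1 = output file
    cat > "$1" <<'EOF'
firewall_enable="YES"
firewall_type="workstation"
# log denied packets to /var/log/security
firewall_logdeny="YES"
pf_enable="YES"
pf_program="/sbin/pfctl"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
EOF
}

# Demo: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_rcconf "$tmp/rc.conf"
    check_single_firewall "$tmp/rc.conf" || echo "as posted: rejected"
    echo 'firewall_enable="No"' >> "$tmp/rc.conf"    # the OP's later fix, lowercase and all
    check_single_firewall "$tmp/rc.conf" && echo "after the fix: only $(enabled_firewalls "$tmp/rc.conf")"
    rm -rf "$tmp"
fi
```

On the FreeBSD box itself, pass the files in the order rc(8) sources them, check_single_firewall /etc/defaults/rc.conf /etc/rc.conf; the defaults file alone enables nothing, so the result tells you what /etc/rc.conf really adds.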
 
Ziris said: In pf context, scrub is a rule that will do lots of sanity checks (and fixes) to network packets. The comment in your config already tells what the extra parameters to scrub do here.
You mean only:
Code:
set skip on lo0
block in all
pass out all keep state
 
Kristof Provost
means you're running both pf and ipfw. Do not do that.
You mean only:
Code:
firewall_enable="YES"
# log denied packets to /var/log/security
firewall_logdeny="YES"
pf_enable="YES"
 

Kristof Provost

means you're running both pf and ipfw. Do not do that.
You mean only:
Code:
firewall_enable="YES"
# log denied packets to /var/log/security
firewall_logdeny="YES"
pf_enable="YES"
set firewall_enable=NO and set firewall_logdeny=NO in rc.conf and reboot to be sure everything is clean.
pf_enable="YES" to enable PF.
 
set firewall_enable=NO and set firewall_logdeny=NO in rc.conf and reboot to be sure everything is clean.
pf_enable="YES" to enable PF.
Code:
firewall_enable="No"
# log denied packets to /var/log/security
firewall_logdeny="NO"
pf_enable="YES"
Like this? Slow perception, but my brain probably doesn't work that well after 67 years ;)
 
Is the firewall correct now?
Step 1: Create /etc/pf.conf with the following contents:
Code:
set skip on lo0
block in all
pass out all keep state

Step 2: Add the following code to /etc/rc.conf

Code:
firewall_enable="NO"
# log denied packets to /var/log/security
firewall_logdeny="NO"
pf_enable="YES"
pf_program="/sbin/pfctl"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
Step 3. Add the following content to /etc/pf.conf
Code:
### Pass loopback
set skip on lo0

### Block spoof
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any

### Keep and modulate state of outbound traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
 
One tip if you prefer to keep rc.conf simple.
You can remove settings with default values which are in /etc/defaults/rc.conf
This of course can be found from man rc.conf, but if you are new to FreeBSD you might not yet be familiar with it.
 
Is the firewall correct now?
Step 1: Create /etc/pf.conf with the following contents:
Code:
set skip on lo0
block in all
pass out all keep state
This will do nothing until you either reboot or run doas pfctl -f /etc/pf.conf.

Unfortunately, FreeBSD comes with three firewalls installed. Read all about it in the Handbook. The firewall_enable and firewall_logdeny configuration lines only affect the ipfw(4) firewall.
Step 2: Add the following code to /etc/rc.conf

Code:
firewall_enable="NO"
# log denied packets to /var/log/security
firewall_logdeny="NO"
These are the defaults, no need to put them in /etc/rc.conf. You can look up what the default value is for any variable in /etc/defaults/rc.conf.

Code:
pf_program="/sbin/pfctl"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_logfile="/var/log/pflog"
pflog_flags=""
All defaults that can be safely removed. Really all you need is
Code:
pf_enable="YES"
pflog_enable="YES"
You have to reboot after you change /etc/rc.conf or (re)start the services affected by your changes.

Step 3. Add the following content to /etc/pf.conf
Why are you doing this in separate steps? Are you afraid of locking yourself out? If you're at the machine, you can always disable pf(4) with doas pfctl -d, and re-enable it with doas pfctl -e.

Code:
### Pass loopback
set skip on lo0

### Block spoof
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any

### Keep and modulate state of outbound traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
Again, you have to either reboot or run doas pfctl -f /etc/pf.conf (or doas /etc/rc.d/pf reload, which is a little safer) every time you change your firewall rules.

Your antispoof for lo0 line does nothing, as SirDice has explained.
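Two of the Step 3 rulesets in this thread would be rejected by pfctl before the points above even come into play: the first Step 3 has set skip on lo0 after block log all, and pfctl on FreeBSD insists that options, normalization, queueing, translation and filtering statements appear in that order; the last Step 3 still references $ext_if but no longer defines the ext_if macro. The script below is an added example, not code from the thread: it checks a candidate pf.conf for both problems before the pfctl -nf / pfctl -f step the reply describes. It assumes POSIX sh with awk, uses em0 as a placeholder interface name, only calls pfctl when it is present, and the three sample rulesets are constructed from the thread's posts (two as posted, one corrected).

```shell
#!/bin/sh
# Added example (not from the thread): lint a candidate pf.conf for two things
# pfctl(8) on FreeBSD rejects, and hand it to pfctl only if it passes:
#  1. a $macro must be defined before use (the last Step 3 references $ext_if
#     but no longer carries the ext_if = "..." line);
#  2. statements go in the order options (set), normalization (scrub), queueing,
#     translation (nat/rdr/binat), filtering (block/pass/antispoof/anchor); the
#     first Step 3 put "set skip on lo0" after "block log all".
# Assumptions: POSIX sh + awk; "em0" is a placeholder interface; pfctl is only
# invoked when present, so the lint itself runs on any box.

pf_conf_lint() {   # $1 = pf.conf; returns 0 if clean, 1 with findings on stdout
    awk '
    BEGIN {
        o["set"]=1; o["scrub"]=2; o["altq"]=3; o["queue"]=3
        o["nat"]=4; o["rdr"]=4; o["binat"]=4
        o["nat-anchor"]=4; o["rdr-anchor"]=4; o["binat-anchor"]=4
        o["block"]=5; o["pass"]=5; o["antispoof"]=5; o["anchor"]=5
        stage=0; bad=0
    }
    { sub(/#.*/, ""); line=$0; sub(/^[ \t]+/, "", line) }   # strip comments
    line == "" { next }
    line ~ /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {               # macro definition
        name=line; sub(/[ \t]*=.*/, "", name); def[name]=1; next
    }
    {
        rest=line                                          # every $name / ${name}
        while (match(rest, /\$[{]?[A-Za-z_][A-Za-z0-9_]*/)) {
            ref=substr(rest, RSTART+1, RLENGTH-1); sub(/^[{]/, "", ref)
            if (!(ref in def)) { printf "%s:%d: undefined macro $%s\n", FILENAME, NR, ref; bad=1 }
            rest=substr(rest, RSTART+RLENGTH)
        }
        kw=line; sub(/[ \t].*/, "", kw)                    # statement type = first word
        if (kw in o) {
            if (o[kw] < stage) { printf "%s:%d: \"%s\" out of order (options, normalization, queueing, translation, filtering)\n", FILENAME, NR, kw; bad=1 }
            else stage=o[kw]
        }
    }
    END { exit bad }' "$1" || return 1
    if command -v pfctl >/dev/null 2>&1; then   # on FreeBSD the real parser decides
        pfctl -nf "$1" || return 1
    fi
    return 0
}
pf_reload_safely() {   # $1 = candidate ruleset; never loads something the lint rejects
    pf_conf_lint "$1" || { echo "refusing to load $1" >&2; return 1; }
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -f "$1"        # thread's alternative: copy to /etc/pf.conf, then service pf reload
    else
        echo "lint ok; on the FreeBSD box: doas pfctl -f $1"
    fi
}
# Constructed samples: the thread's first Step 3 (posted1), its last Step 3
# (posted2) and a corrected ruleset (fixed), with em0 standing in for $ext_if.
write_sample() {   # $1 = posted1|posted2|fixed, $2 = output file
    case $1 in
    posted1) cat > "$2" <<'EOF'
ext_if = "em0"
scrub in on $ext_if all fragment reassemble
block log all
set skip on lo0
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
EOF
    ;;
    posted2) cat > "$2" <<'EOF'
set skip on lo0
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
EOF
    ;;
    fixed) cat > "$2" <<'EOF'
ext_if = "em0"
set skip on lo0
scrub in on $ext_if all fragment reassemble
block log all
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
EOF
    ;;
    esac
}
if [ "${1:-}" = "--demo" ]; then   # sh pf_lint.sh --demo
    tmp=$(mktemp -d)
    for s in posted1 posted2 fixed; do
        write_sample "$s" "$tmp/$s.conf"
        pf_conf_lint "$tmp/$s.conf" && echo "$s: clean" || echo "$s: rejected"
    done
    rm -rf "$tmp"
fi
```

The fixed ruleset also drops antispoof for lo0, which the reply above says does nothing, and keeps lo0 out of pf with set skip, which must sit before the first scrub or block line. On the workstation, replace em0 with the real interface and run pf_reload_safely on the candidate file; if you do lock yourself out, doas pfctl -d still turns pf off from the console.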
 
OK, I'll read a bit more about the pf firewall before I ask more questions. My brain is boiling over right now :)
Sometimes the best thing to do is put the computer down, go outside and take a walk or have a coffee or a beer or aquavit.
 