PF server ntpd error

gutiersa

Member

Reaction score: 6
Messages: 82

I am using FreeBSD 12.1-RELEASE, amd64. After installing the PF firewall, I am now getting this message:
server ntpd: error resolving pool 0.freebsd.pool.ntp.org: Name does not resolve (8)
I am not new to FreeBSD, but I am new to PF firewall.

Also, I have blocked myself out of ssh and my webmin application.

I would appreciate any help.
Thanks in advance. Here is my pf.conf
Code:
pub_ip="xxx.yyy.zzz.aaa"
work_ip="192.168.1.zzz"
ext_if="em0"
int_if="lo1"
int_net="192.168.1.yyy/255"
icmp_type = "{ echoreq unreach }"
table <spamd-white> persist
table <bruteforce> persist
table <webcrawlers> persist
table <rfc6890> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
         172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24 \
         192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 \
        255.255.255.255/32 }
set skip on lo
scrub in all fragment reassemble max-mss 1440
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
antispoof quick for { lo $ext_if }
block in quick on $ext_if from <rfc6890>
block return out quick on egress to <rfc6890>
block on $ext_if from <badhosts> to any
block all
pass in on $ext_if proto tcp from $work_ip to ($ext_if) port { 22 80 443 3306 10000 11000 } keep state (max-src-conn 15, max-src-conn-rate 3/1, overload <bruteforce> flush global)
pass out on $ext_if proto tcp from $ext_if to any port { 22 80 443 3306 10000 11000 } keep state
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type $icmp_type
pass inet proto icmp icmp-type $icmp_type
 

Duffyx

Active Member

Reaction score: 39
Messages: 107

You have probably locked yourself out because of your firewall rules :D (been there, done that)!
The hostname lookup failure indicates that you are not allowing DNS queries in or out (UDP 53).
I'm not an expert in PF (I use IPFW), although I can link you this ruleset: https://forums.freebsd.org/threads/generic-nat-firewall-pf-config-template.60144/
Seems like a good place to start, and it is commented for you to see what is allowed and denied by which rule. Good luck!
 
gutiersa (OP)

Member

Reaction score: 6
Messages: 82

Thanks, and yes, I locked myself out completely.
The good news is that I also locked out the attacker from Belgium, lol
 

Jose

Well-Known Member

Reaction score: 238
Messages: 392

...
table <bruteforce> persist
...
block on $ext_if from <badhosts> to any
...
I'm guessing that should be block on $ext_if from <bruteforce> to any. Might as well add a quick in there too. You probably don't want any other rules to apply to any packets from the bad guys.

There are other problems with your ruleset, but I'd like to get a clearer picture of your network topology before I "help"(haha) further. Is this a dedicated firewall, or is this the only server in your network?
 
gutiersa (OP)

Member

Reaction score: 6
Messages: 82

This is a server in my home. I have a router from my ISP which also functions as a DHCP server.
The server does have a static IP: 192.168.1.10. I am trying to start a business since I was laid off, like 30 million other Americans.
I tried to use jails, but couldn't figure out the configuration of the NIC. Anyway...
My server only has one NIC, but it also has an iLO (HP's Integrated Lights-Out) which I don't know how to use.
I have set up a FEMP stack with IPFW but obviously have not done a good enough job, since I am still getting attacks.
I connect to my server from a Windows computer in my LAN via ssh and webmin, and I also access the box itself via the command line.
Thank you!
 

Jose

Well-Known Member

Reaction score: 238
Messages: 392

The address 192.168.1.10 is not reachable over the Internet, so people outside your home network will not be able to reach your server. Details if you're interested: https://en.wikipedia.org/wiki/Private_network

In all likelihood your ISP's router is doing NAT for you, and that's how you can reach the Internet. Did your ISP give you a public, routable, static IP address?

I'm in a slightly different boat. The virus killed my little consulting practice so I'm looking to work for the Man again.
 
gutiersa (OP)

Member

Reaction score: 6
Messages: 82

The Man?
I have forwarded a few ports to my server, so it can be reached from the outside. At any rate, it's ok if it is not reached from the outside yet. I am not ready to go live.
I don't have a static IP address yet. In the past, when I had a static IP address, I could not work on my server from my LAN, so, for now, it is ok. Furthermore, in my neck of the woods, it gets very pricy.
 
gutiersa (OP)

Member

Reaction score: 6
Messages: 82

lol
Hmm, I see. Yes, my ISP may be doing filtering, but is it checking for brute-force attacks? I think not. I need to look out for those myself.
Years ago English was my second language. Now I have two second languages and no first language, lol.
 

Jose

Well-Known Member

Reaction score: 238
Messages: 392

Hmm, I see. Yes, my ISP may be doing filtering, but is it checking for brute-force attacks? I think not. I need to look out for those myself.
I would do this for that one use case
Code:
ext_if="em0"

table <brutes> persist
set skip on lo
set block-policy drop
scrub in
block in
pass out keep state
block quick from <brutes>
#
# Need ICMP for path MTU
#
pass in quick inet proto icmp all icmp-type { echoreq, unreach }
#
# SSH(22) and HTTPS(443) access
#
# match the destination port on this host, not the client's source port
pass in on $ext_if proto tcp from any to ($ext_if) port { 22 443 } flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 15/5, overload <brutes> flush global)
I really hate how the forum eats (only most!) blank lines, BTW. Makes things much less readable.
 

VladiBG

Aspiring Daemon

Reaction score: 369
Messages: 850

You should start with the network topology first. It's hard to understand how your network is set up only from the firewall configuration. You can use http://www.draw.io to draw a simple network topology to show how everything is connected and what you are trying to do.

In table <rfc6890> you have 192.168.0.0/16 (CLASS C) and you said that your work_ip address is work_ip="192.168.1.zzz"


table <rfc6890> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 \
255.255.255.255/32 }
So this rule
block in quick on $ext_if from <rfc6890>

will block all inbound ip addresses from table <rfc6890> which includes your $work_ip

p.s.
If you are going to use HPE iLO make sure that it's connected to separate management network.
 
gutiersa (OP)

Member

Reaction score: 6
Messages: 82

I don't know how to use HPE iLO. Currently it's connected to the same gateway. I actually forgot to add it to the diagram because I never think about it. Here is the image:
home network.jpg
So I have a Windows computer which, like the server, is attached to the ISP's router/gateway. And I have a Windows laptop. Both get an address via DHCP. The server is the only static IP address and is listed as such. I have forwarded ports at the router's level to the server. If 192.168.1.0 is not a routable address, which address should I give my network?
Thanks for all the help.
 

mickey

Aspiring Daemon

Reaction score: 189
Messages: 577

I am using FreeBSD 12.1-RELEASE, amd64. After installing the PF firewall, I am now getting this message:
server ntpd: error resolving pool 0.freebsd.pool.ntp.org: Name does not resolve (8)
I am not new to FreeBSD, but I am new to PF firewall.

Also, I have blocked myself out of ssh and my webmin application.

I would appreciate any help.
Thanks in advance. Here is my pf.conf
Code:
pub_ip="xxx.yyy.zzz.aaa"
work_ip="192.168.1.zzz"
ext_if="em0"
int_if="lo1"
int_net="192.168.1.yyy/255"
icmp_type = "{ echoreq unreach }"
table <spamd-white> persist
table <bruteforce> persist
table <webcrawlers> persist
table <rfc6890> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
         172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24 \
         192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 \
        255.255.255.255/32 }
set skip on lo
scrub in all fragment reassemble max-mss 1440
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
antispoof quick for { lo $ext_if }
block in quick on $ext_if from <rfc6890>
block return out quick on egress to <rfc6890>
block on $ext_if from <badhosts> to any
block all
pass in on $ext_if proto tcp from $work_ip to ($ext_if) port { 22 80 443 3306 10000 11000 } keep state (max-src-conn 15, max-src-conn-rate 3/1, overload <bruteforce> flush global)
pass out on $ext_if proto tcp from $ext_if to any port { 22 80 443 3306 10000 11000 } keep state
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type $icmp_type
pass inet proto icmp icmp-type $icmp_type
I believe you are trying to accomplish too many things at once here, and probably used some example configurations that were meant to be used on a router, but your machine is a server behind a router. You should start with a much simpler config that only performs inbound filtering and lets everything outbound pass. Once you have that in place and it's working, you can add outbound filtering. Looking over your configuration I see a number of issues:
  1. Your machine seems to be behind a router that is likely to already perform NAT for your entire internal network, so there is no reason to do NAT on your server.
  2. This machine is not a router, has only one network interface (em0) and does not forward packets, so there is only $ext_if but no $int_if, $int_net, etc.
  3. An IPv4 address only has 32bits, what is "192.168.1.yyy/255" trying to accomplish?
  4. Your rfc6890 table includes your internal network, effectively prohibiting any traffic to/from other machines on your internal network.
  5. The 'max-mss 1440' should not be necessary. If you are on a (v)dsl line with reduced MTU due to PPPoE framing, it's your router's job to perform that kind of stuff.
  6. Don't mess with ICMP unless you have a good reason to do so. pf is smart enough to match ICMP responses (unreach, timex, etc.) to existing connections, so the only thing you need to worry about is ICMP echoreq (ping). If you are OK with the machine being able to ping/be pinged, just pass ICMP type echoreq in/out and pf's state table will take care of the return traffic.
  7. The 'block all' filter rule should probably be the first rule in your ruleset, so that anything that is not matched by the rules following it will get denied by default.
 

VladiBG

Aspiring Daemon

Reaction score: 369
Messages: 850

Do you have jails? And if you have, how did you set up their interfaces: using vnet or an alias on em0?

All IP addresses are routable. You only need to open the required ports on your router and NAT those ports to the IP address of the server inside your network. If I understand correctly, your topology looks like this:

Network topology
 
gutiersa (OP)

Member

Reaction score: 6
Messages: 82

Do you have jails? And if you have, how did you set up their interfaces: using vnet or an alias on em0?

All IP addresses are routable. You only need to open the required ports on your router and NAT those ports to the IP address of the server inside your network. If I understand correctly, your topology looks like this:

Network topology
I believe you are trying to accomplish too many things at once here, and probably used some example configurations that were meant to be used on a router, but your machine is a server behind a router. You should start with a much simpler config that only performs inbound filtering and lets everything outbound pass. Once you have that in place and it's working, you can add outbound filtering. Looking over your configuration I see a number of issues:
Yes, you are right, I started out using a tutorial from digitalocean (this one: https://www.digitalocean.com/community/tutorials/how-to-configure-packet-filter-pf-on-freebsd-12-1 )
And yes, my box has only one interface. However, I needed to add NAT, because I needed to use jails. I am in healthcare, which is a very regulated industry. I would like a low cost operation such that I need not turn anyone away or depend on grants which would get me even more regulated. I am just a solo provider. I am also a big believer in open source (and am not independently wealthy).
My ultimate goal is to set up the web based electronic health records (also open source) in one jail, and the database in another.
Can that be done with only one interface?
As it is, without PF I keep getting login attempts from 212.166.54.110. I would like to block those.

Because I was not able to get the jails to work, I reverted back to setting up the web server in the host the old fashioned way. But I still would like to set up the jails. I would like to use vnet but don't know how. Would alias be riskier?

Finally yes, VladiBG, that is my topology exactly. I could not get the link you sent me to work. I got "some of the features you are requesting are not available." I almost sent you a hand-written drawing. Ha ha.
 

PMc

Aspiring Daemon

Reaction score: 367
Messages: 847

And yes, my box has only one interface. However, I needed to add NAT, because I needed to use jails. I am in healthcare, which is a very regulated industry. I would like a low cost operation such that I need not turn anyone away or depend on grants which would get me even more regulated. I am just a solo provider. I am also a big believer in open source (and am not independently wealthy).
Hey, here it starts to get mixed up. You're probably going too fast. ;) You don't need NAT for jails. You need NAT for outbound, no matter if the outbound comes from your Windows piece or from the jails or something else. But in your case there is already a router that must do the NAT.

My ultimate goal is to set up the web based electronic health records (also open source) in one jail, and the database in another.
Can that be done with only one interface?
I think yes.

As it is, without the Pf I keep getting login attempts from 212.166.54.110. I would like to block those.
For what port? ssh? And what do they try to achieve? That's a Belgian guy, that's a bit unusual. I don't get login attempts on my telco-provided connection, but on the hosted one there is an endless stream of them:
Code:
May  6 08:43:17 <auth.info> oper sshd[20927]: Invalid user default from 37.49.226.23 port 53928
May  6 08:43:23 <auth.info> oper sshd[20972]: Invalid user apache from 37.49.226.23 port 35592
May  6 08:43:28 <auth.info> oper sshd[20975]: Invalid user guest from 37.49.226.23 port 45396
May  6 08:43:34 <auth.info> oper sshd[20978]: Invalid user guest from 37.49.226.23 port 55210
May  6 08:45:09 <auth.info> oper sshd[21199]: Invalid user user11 from 200.58.144.228 port 23304
May  6 09:16:19 <auth.info> oper sshd[25028]: Invalid user guest from 103.79.141.158 port 19160
May  6 09:16:23 <auth.info> oper sshd[25032]: Invalid user support from 103.79.141.158 port 19349
May  6 09:16:27 <auth.info> oper sshd[25041]: Invalid user test from 103.79.141.158 port 19541
May  6 09:16:31 <auth.info> oper sshd[25044]: Invalid user user from 103.79.141.158 port 19760
It is not really helpful to lock out that specific IP, because others may appear at any time. What is helpful is to configure the software in a way so nobody can login (and then let them try as long as they want). For ssh, create some keys and disable password login entirely. And set something like MaxStartups = 3.

Because I was not able to get the jails to work, I reverted back to setting up the web server in the host the old fashioned way. But I still would like to set up the jails. I would like to use vnet but don't know how. Would alias be riskier?
You won't get all this at once. I would suggest a bit of good old-fashioned German engineering ;) : Jails are a specific topic and need some design plan. A firewall is a specific topic and needs a design plan. Your application layout is a specific topic and needs a proper design plan. A webserver - same. Each of these done individually, addressing the specific concerns, and then integrated, and then everything will nicely fall into its designated place. Server layout is an architectural task like planning for the rooms in your house; it's not just installing a computer (people happen to think that, but then they give up and go to a cloud provider.)
 

VladiBG

Aspiring Daemon

Reaction score: 369
Messages: 850

OK, if this server will be only for tests then it's OK to be connected to the same network where the rest of the computers are, but it's better to be in a separate DMZ network connected to your router.
Regarding the jails, you can set them up as alias interfaces on em0 and each jail will have 192.168.1.x/24, or use vnet and put each jail on a bridge interface under a different subnet like 10.0.0.0/8; then you will need NAT for them. But if you are not going to have other services on this server you may not need to use jails at all.

Here's the simple configuration for your pf.conf

Code:
# macros
ext_if="em0"

tcp_services="{ 22, 80, 443 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
#nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

# filter rules
block in
block drop in quick on $ext_if inet proto tcp from 212.166.54.0/24 to any

pass out

antispoof quick for { lo }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
 

Jose

Well-Known Member

Reaction score: 238
Messages: 392

OK, if this server will be only for tests then it's OK to be connected to the same network where the rest of the computers are, but it's better to be in a separate DMZ network connected to your router...
A DMZ adds unnecessary complexity.
Here's the simple configuration for your pf.conf
This does not filter out brute-force attacks, as specifically requested.
 
gutiersa (OP)

Member

Reaction score: 6
Messages: 82

Hey, here it starts to get mixed up. You're probably going too fast. ;) You don't need NAT for jails. You need NAT for outbound, no matter if the outbound comes from your Windows piece or from the jails or something else. But in your case there is already a router that must do the NAT.

I think yes.

For what port? ssh? And what do they try to achieve? That's a Belgian guy, that's a bit unusual. I don't get login attempts on my telco-provided connection, but on the hosted one there is an endless stream of them:
Code:
May  6 08:43:17 <auth.info> oper sshd[20927]: Invalid user default from 37.49.226.23 port 53928
May  6 08:43:23 <auth.info> oper sshd[20972]: Invalid user apache from 37.49.226.23 port 35592
May  6 08:43:28 <auth.info> oper sshd[20975]: Invalid user guest from 37.49.226.23 port 45396
May  6 08:43:34 <auth.info> oper sshd[20978]: Invalid user guest from 37.49.226.23 port 55210
May  6 08:45:09 <auth.info> oper sshd[21199]: Invalid user user11 from 200.58.144.228 port 23304
May  6 09:16:19 <auth.info> oper sshd[25028]: Invalid user guest from 103.79.141.158 port 19160
May  6 09:16:23 <auth.info> oper sshd[25032]: Invalid user support from 103.79.141.158 port 19349
May  6 09:16:27 <auth.info> oper sshd[25041]: Invalid user test from 103.79.141.158 port 19541
May  6 09:16:31 <auth.info> oper sshd[25044]: Invalid user user from 103.79.141.158 port 19760
It is not really helpful to lock out that specific IP, because others may appear at any time. What is helpful is to configure the software in a way so nobody can login (and then let them try as long as they want). For ssh, create some keys and disable password login entirely. And set something like MaxStartups = 3.



You won't get all this at once. I would suggest a bit of good old-fashioned German engineering ;) : Jails are a specific topic and need some design plan. A firewall is a specific topic and needs a design plan. Your application layout is a specific topic and needs a proper design plan. A webserver - same. Each of these done individually, addressing the specific concerns, and then integrated, and then everything will nicely fall into its designated place. Server layout is an architectural task like planning for the rooms in your house; it's not just installing a computer (people happen to think that, but then they give up and go to a cloud provider.)
I am not giving up. I have been shy to speak up, but I have been at this for more than 10 years learning FreeBSD. Whoever it is from Belgium is trying to get into my webmin application using all sorts of users: root, admin, webmin, etc. I am already using keys for ssh. I know webmin is a liability for my box but I don't know any other server management system.
I am trying to figure out how to set up Nagios with nginx.

Yes, I am reading the Jails book so I can learn it, however, in the meantime I have been let go from my job and I do have a relative urgency.
 

VladiBG

Aspiring Daemon

Reaction score: 369
Messages: 850

Yes, but it's also not stated what type of services those attacks are against.
fail2ban will do a nice job against such random connections.
 
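The fail2ban-style log monitoring VladiBG mentions, applied to sshd lines in the format PMc posted above: count "Invalid user" failures per source address and turn the worst offenders into pfctl commands for a table named like Jose's <brutes>. This is an added example, not code from anyone in the thread; the log lines are constructed with TEST-NET addresses, and the pfctl commands are printed rather than executed.

```shell
# Added example (not from the thread): the detection step a log monitor such
# as fail2ban performs before it feeds a pf table. Constructed sample log in
# the same format as the sshd lines quoted in the thread; TEST-NET addresses,
# not real attacker data.
SAMPLE_LOG='May  6 08:43:17 <auth.info> oper sshd[20927]: Invalid user default from 192.0.2.10 port 53928
May  6 08:43:23 <auth.info> oper sshd[20972]: Invalid user apache from 192.0.2.10 port 35592
May  6 08:43:28 <auth.info> oper sshd[20975]: Invalid user guest from 192.0.2.10 port 45396
May  6 08:43:34 <auth.info> oper sshd[20978]: Invalid user guest from 192.0.2.10 port 55210
May  6 08:45:09 <auth.info> oper sshd[21199]: Invalid user user11 from 198.51.100.7 port 23304
May  6 08:46:02 <auth.info> oper sshd[21250]: Accepted publickey for admin from 192.168.1.20 port 50122 ssh2
May  6 09:16:19 <auth.info> oper sshd[25028]: Invalid user guest from 203.0.113.5 port 19160
May  6 09:16:23 <auth.info> oper sshd[25032]: Invalid user support from 203.0.113.5 port 19349
May  6 09:16:27 <auth.info> oper sshd[25041]: Invalid user test from 203.0.113.5 port 19541'

# brute_sources THRESHOLD: read sshd log lines on stdin and print
# "<count> <ip>" for every source with at least THRESHOLD invalid-user
# attempts, busiest first. Lines that are not "Invalid user" records
# (successful key logins, other daemons) are ignored.
brute_sources() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Invalid user / {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i + 1)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# pf_table_cmds THRESHOLD: emit the pfctl invocations that would add the
# offenders to the <brutes> table (the table name is assumed, matching Jose's
# ruleset). Printed, not executed, so the operator decides what runs.
pf_table_cmds() {
    brute_sources "$1" | while read -r count ip; do
        printf 'pfctl -t brutes -T add %s  # %s invalid-user attempts\n' "$ip" "$count"
    done
}

# Stand-alone run against the constructed sample with a threshold of 3:
# flags 192.0.2.10 (4 attempts) and 203.0.113.5 (3), ignores 198.51.100.7 (1).
printf '%s\n' "$SAMPLE_LOG" | pf_table_cmds 3
```

Pair this with `pfctl -t brutes -T expire <seconds>` from cron so entries age out, the same way Jose's overload rule only holds an address until the table is flushed.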

Jose

Well-Known Member

Reaction score: 238
Messages: 392

Yes, but it's also not stated what type of services those attacks are against.
fail2ban will do a nice job against such random connections.
The ruleset I proposed protects all open ports against brute-force attacks.
 

Jose

Well-Known Member

Reaction score: 238
Messages: 392

Yes, I agree with you. You can slow down the brute-force attack by limiting the connection rate, but you also need an IPS to filter the IP totally. That's where log monitoring tools like fail2ban are great for this job.
Filtering out the IP "totally" is exactly what
Code:
# match the destination port on this host, not the client's source port
pass in on $ext_if proto tcp from any to ($ext_if) port { 22 443 } flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 15/5, overload <brutes> flush global)
does. Anyone trying to connect too fast or too many times gets bounced and their IP gets added to the "brutes" table. Any further packets of any sort from an IP in the "brutes" table are silently dropped.
 