PF server ntpd error

mickey

Aspiring Daemon

Reaction score: 152
Messages: 530

This is a server in my home. I have a router from my ISP which also functions as a DHCP.
...
I connect to my server from a windows computer in my LAN via ssh and webmin, and I also access the box itself via the command line.
I have forwarded a few ports to my server, so it can be reached from the outside.
However, I needed to add NAT, because I needed to use jails. I am in healthcare, which is a very regulated industry.
As it is, without pf I keep getting login attempts from 212.166.54.110. I would like to block those.
I don't see why you would need NAT to set up jails. NAT is done on the perimeter of your network for the entire internal network. As for the login attempts, your search would start by taking a look at which ports exactly you forwarded on your router. If there is no need for you to log in from the outside, then don't forward port 22. For the web server to be reachable from the outside, it should be sufficient to forward ports 80 and/or 443. Generally it's not advisable to forward any traffic from the outside before your machine is ready to go 'live'.
 

VladiBG

Aspiring Daemon

Reaction score: 338
Messages: 795

Jose, yes, this will work great for a service that closes the connection after a failed login attempt, like SSH, but what about an HTTP service where you can keep trying logins without terminating the TCP session to the web server? So for a DDoS attack where you want to spam the server with many connections it makes sense, but when it comes to brute-force password guessing you need to monitor the failed login attempts from the log file and feed this information back to the firewall to block the host.
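A log-driven blocker of the kind described in this post, added here as an example (it is not code from the thread or from any of the posters). It matches the Webmin line quoted later in the thread and OpenSSH's "Failed password" line, counts failures per source in a sliding window, and emits the `pfctl -t bruteforce -T add` command for sources that cross the threshold. The log lines and PIDs are constructed, and the threshold, window and the 192.168.1.0/24 allow-list are assumptions for the example. On FreeBSD the production equivalents are sshguard (security/sshguard in ports) and blacklistd(8) in base, both of which can drive a pf table.

```python
"""Added example (not from the thread): turn failed logins in a log file into
pf table entries, the way sshguard(8) or FreeBSD's blacklistd(8) do it.
max-src-conn-rate only counts new TCP connections, so a browser that keeps one
HTTPS session open and submits one password after another never trips it;
the application log still records every failure."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Webmin's line as quoted in the thread, and OpenSSH's "Failed password" line.
PATTERNS = [
    re.compile(r"webmin\[\d+\]: Non-existent login as \S+ from (?P<ip>[\d.]+)"),
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
]
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)")


def parse_ts(line, year=2020):
    """Syslog timestamps carry no year; the caller supplies it (assumed here)."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


class LogBlocker:
    """Sliding-window counter: `threshold` failures from one source within
    `window_s` seconds earns a pf table entry. Allow-listed LAN sources are
    never blocked, so a typo at home cannot lock the admin out."""

    def __init__(self, threshold=5, window_s=60, whitelist=("192.168.1.0/24",)):
        self.threshold, self.window = threshold, window_s
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.failures = defaultdict(deque)      # ip -> timestamps inside the window
        self.blocked = set()

    def feed(self, line):
        """Consume one log line; return the source IP if it just crossed the threshold."""
        m = next(filter(None, (p.search(line) for p in PATTERNS)), None)
        if m is None:
            return None
        ip = m["ip"]
        if ip in self.blocked or any(ipaddress.ip_address(ip) in n for n in self.whitelist):
            return None
        ts = parse_ts(line)
        q = self.failures[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
            return ip
        return None

    @staticmethod
    def pfctl_args(ip, table="bruteforce"):
        """pfctl(8) invocation that adds the address to the table; a rule such as
        `block in quick on $ext_if from <bruteforce>` then drops its packets."""
        return ["pfctl", "-t", table, "-T", "add", ip]


# Constructed sample log (PIDs and the extra sources are made up for the example).
SAMPLE_LOG = """\
May  6 14:51:46 server webmin[1234]: Non-existent login as webmin from 212.166.54.110
May  6 14:51:47 server webmin[1234]: Non-existent login as webmin from 212.166.54.110
May  6 14:51:49 server webmin[1234]: Non-existent login as webmin from 212.166.54.110
May  6 14:51:50 server sshd[2345]: Failed password for invalid user admin from 212.166.54.110 port 41234 ssh2
May  6 14:51:52 server sshd[2346]: Failed password for root from 212.166.54.110 port 41236 ssh2
May  6 14:51:53 server webmin[1234]: Non-existent login as webmin from 212.166.54.110
May  6 14:52:10 server sshd[2399]: Failed password for doctor from 192.168.1.50 port 50000 ssh2
May  6 14:52:11 server sshd[2399]: Failed password for doctor from 192.168.1.50 port 50000 ssh2
May  6 14:52:12 server sshd[2399]: Failed password for doctor from 192.168.1.50 port 50000 ssh2
May  6 14:52:13 server sshd[2399]: Failed password for doctor from 192.168.1.50 port 50000 ssh2
May  6 14:52:14 server sshd[2399]: Failed password for doctor from 192.168.1.50 port 50000 ssh2
May  6 15:30:00 server sshd[2500]: Failed password for root from 198.51.100.7 port 40000 ssh2
"""


def run(log_text, **kwargs):
    """Return the pfctl command lines for every source that crossed the threshold."""
    blocker = LogBlocker(**kwargs)
    commands = []
    for line in log_text.splitlines():
        ip = blocker.feed(line)
        if ip:
            commands.append(blocker.pfctl_args(ip))
    return commands


if __name__ == "__main__":
    for argv in run(SAMPLE_LOG):        # dry run: print the commands, do not execute them
        print(" ".join(argv))
```

In production this would tail the file syslog writes (/var/log/auth.log on a stock FreeBSD syslog.conf) and actually run the command as root. The table can be inspected with `pfctl -t bruteforce -T show` and aged out with `pfctl -t bruteforce -T expire 86400`, which removes entries older than a day, so a blocked address does not stay blocked forever.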
 
OP
gutiersa

gutiersa

Member

Reaction score: 6
Messages: 61

So, this is what I tried, and I still locked myself out of my server. The local computer I use to manage the server is in the 192.168.1.xx LAN. My router is 192.168.1.1 What is the problem?

Code:
# External interface
ext_if="e0"

# tables
table <spamd-white> persist
table <bruteforce> persist

# tcp services
tcp_services="{ 80, 443 }"
adm_services="{ 22 3306 10000 11000 }"


# Set allowed ICMP types
# Blocking ICMP entirely is bad practice and will break things,
# FreeBSD does include rate limiting by default to mitigate attacks.
icmp_types="echoreq"

####################################
#### Options and optimizations #####
####################################

# Set interface for logging (statistics)
set loginterface $ext_if

# Drop states as fast as possible without having excessively low timeouts
set optimization aggressive

# Block policy, either silently drop packets or tell sender that request is blocked
set block-policy return

# Don't bother to process (filter) following interfaces such as loopback:
set skip on lo0

# Scrub traffic
# Add special exception for game consoles such as PS3 and PS4 (NAT type 2 vs 3)
# scrub from CHANGEME to any no-df random-id fragment reassemble
scrub in

#######################
#### NAT & Proxies ####
#######################

# Enable NAT and tell pf not to change ports if needed
# Add special exception for game consoles such as PS3 and PS4 (NAT type 2 vs 3)
# ie static-port mapping. Do NOT enable both rules.
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

# filter rules
block in
block drop in quick on $ext_if inet proto tcp from 212.166.54.0/24 to any

pass out

antispoof quick for { lo }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
pass in on $ext_if inet proto tcp from any to ($ext_if) port $adm_services
pass in inet proto icmp all icmp-type $icmp_types


# Allow DHCP
pass in quick on $ext_if inet proto udp to ($ext_if) port { 67, 68 }

# Allow ICMP
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types

# Allow admin services
pass in on $ext_if inet proto tcp from any to ($ext_if) port $adm_services keep state \
    (max-src-conn 15, max-src-conn-rate 3/1, overload <bruteforce> flush global)

# Allow web services
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services keep state \
    (max-src-conn 45, max-src-conn-rate 9/1, overload <webcrawlers> flush global)

# Block everything else
block in on $ext_if all
block in quick on $ext_if from <bruteforce> to any

#################################
#### Rules outbound (ext_if) ####
#################################
pass out on $ext_if proto tcp from any to any
 

Jose

Well-Known Member

Reaction score: 145
Messages: 291

So, this is what I tried, and I still locked myself out of my server. The local computer I use to manage the server is in the 192.168.1.xx LAN. My router is 192.168.1.1 What is the problem?

Code:
# External interface
ext_if="e0"
This really, really doesn't look right to me. Did you mean em0?
Code:
# tables
table <spamd-white> persist
Do you need this? Are you running spamd(8)?
Code:
table <bruteforce> persist

# tcp services
tcp_services="{ 80, 443 }"
adm_services="{ 22 3306 10000 11000 }"


# Set allowed ICMP types
# Blocking ICMP entirely is bad practice and will break things,
# FreeBSD does include rate limiting by default to mitigate attacks.
icmp_types="echoreq"
You should also allow "unreach" for path MTU discovery:
Code:
####################################
#### Options and optimizations #####
####################################

# Set interface for logging (statistics)
set loginterface $ext_if

# Drop states as fast as possible without having excessively low timeouts
set optimization aggressive

# Block policy, either silently drop packets or tell sender that request is blocked
set block-policy return
I prefer the drop block policy. It's somewhat less nice to legit users, but wastes would-be attackers' time.
Code:
# Don't bother to process (filter) following interfaces such as loopback:
set skip on lo0

# Scrub traffic
# Add special exception for game consoles such as PS3 and PS4 (NAT type 2 vs 3)
# scrub from CHANGEME to any no-df random-id fragment reassemble
scrub in

#######################
#### NAT & Proxies ####
#######################

# Enable NAT and tell pf not to change ports if needed
# Add special exception for game consoles such as PS3 and PS4 (NAT type 2 vs 3)
# ie static-port mapping. Do NOT enable both rules.
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
This makes no sense. You only have one interface. How are you ever going to get traffic not from your only interface? Also, you don't need NAT. Your router is already doing this for you.
Code:
# filter rules
block in
block drop in quick on $ext_if inet proto tcp from 212.166.54.0/24 to any

pass out
Add keep state here and your server will be allowed to initiate connections.

Code:
antispoof quick for { lo }
This does nothing. You set skip on lo.
Code:
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
pass in on $ext_if inet proto tcp from any to ($ext_if) port $adm_services
pass in inet proto icmp all icmp-type $icmp_types


# Allow DHCP
pass in quick on $ext_if inet proto udp to ($ext_if) port { 67, 68 }

# Allow ICMP
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types
Duplicate ICMP rule
Code:
# Allow admin services
pass in on $ext_if inet proto tcp from any to ($ext_if) port $adm_services keep state \
    (max-src-conn 15, max-src-conn-rate 3/1, overload <bruteforce> flush global)

# Allow web services
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services keep state \
    (max-src-conn 45, max-src-conn-rate 9/1, overload <webcrawlers> flush global)
Duplicate allow services rules
Code:
# Block everything else
block in on $ext_if all
block in quick on $ext_if from <bruteforce> to any
Duplicate block rules.
Code:
#################################
#### Rules outbound (ext_if) ####
#################################
pass out on $ext_if proto tcp from any to any
Duplicate pass outbound rules.

I want to echo what others have suggested: You're trying to do too much at once. Start with the simplest pf(4) ruleset that can possibly work, and start adding things to it one at a time.

Start with this:
Code:
ext_if="em0"
services="{ 22 }"
set skip on lo
set block-policy drop
scrub in
block in
pass out keep state
pass in quick inet proto icmp all icmp-type { echoreq, unreach }
pass in on $ext_if proto tcp from any port $services keep state
Verify that you can still ssh(1) to your server. Add "443" to services. Verify that you can reach your server using a browser and a "https://" URL.

Edit: Simplest rule set had a bug, heh.
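Both lockouts in this thread come from pf's matching order rather than from syntax, so here is a small evaluator, added as an example (it is not code from the thread or from pf itself), that applies the documented rule: the last matching rule wins unless a matching rule is `quick`. It is fed three rulesets in pf syntax: the inbound rules as posted above (where the trailing `block in on $ext_if all` is not `quick`, so it is the last match for the LAN ssh client and overrides every `pass in` above it), the starter ruleset from this reply (where `from any port $services` is a source-port match, so an ssh client coming from a random high port never matches it and falls through to `block in`), and a corrected ordering with the admin ports reachable from the LAN only. The parser handles only the syntax those rulesets use; the interface name e0, the 192.168.1.0/24 LAN and the attacker's address come from the thread, the other addresses are constructed.

```python
"""Added example (not from the thread): a small model of pf's rule selection.
pf reads filter rules top to bottom; the LAST matching rule decides, unless a
matching rule says `quick`, which ends the search on the spot."""
import ipaddress
from collections import namedtuple
from itertools import takewhile

PROTOS = {"tcp", "udp", "icmp"}
Packet = namedtuple("Packet", "direction iface proto src sport dport", defaults=(0, 0))
# sports = `from .. port N` (SOURCE port), dports = `to .. port N`;
# src = None (any), ("table", name) or an ipaddress network.
Rule = namedtuple("Rule", "text action direction quick iface protos sports dports src")


def matches(rule, pkt, tables):
    """True when every field the rule specifies agrees with the packet."""
    ok = [rule.direction in (None, pkt.direction), rule.iface in (None, pkt.iface),
          not rule.protos or pkt.proto in rule.protos,
          rule.sports is None or pkt.sport in rule.sports,
          rule.dports is None or pkt.dport in rule.dports]
    if isinstance(rule.src, tuple):                     # <table> lookup
        ok.append(pkt.src in tables.get(rule.src[1], set()))
    elif rule.src is not None:
        ok.append(ipaddress.ip_address(pkt.src) in rule.src)
    return all(ok)


def parse_rules(conf, macros):
    """Parse the pf.conf subset used in this thread: action, in/out, quick, on IF,
    proto, from any|NET|<table> [port ..], to .. port ..; flags, destination
    addresses and state options are ignored."""
    rules = []
    for raw in conf.replace("\\\n", " ").splitlines():      # join `\` continuations
        line = raw.split("#", 1)[0].strip()
        if not line.startswith(("pass", "block")):
            continue                        # set/table/nat/scrub are not filter rules
        for name, value in macros.items():
            line = line.replace("$" + name, value)
        toks = line.replace("{", " ").replace("}", " ").replace(",", " ").split()
        ports = lambda i: {int(t) for t in takewhile(str.isdigit, toks[i:])}
        protos, sports, dports, src, seen_to = set(), None, None, None, False
        for i, tok in enumerate(toks):
            if tok == "proto":
                protos = {t for t in toks[i + 1:i + 4] if t in PROTOS}
            elif tok == "from" and toks[i + 1] != "any":
                s = toks[i + 1]
                src = ("table", s.strip("<>")) if s[0] == "<" else ipaddress.ip_network(s, strict=False)
            elif tok == "to":
                seen_to = True
            elif tok == "port":             # before `to` this is a SOURCE port match
                if seen_to:
                    dports = ports(i + 1)
                else:
                    sports = ports(i + 1)
        rules.append(Rule(raw.strip(), toks[0],
                          next((t for t in toks if t in ("in", "out")), None),
                          "quick" in toks,
                          toks[toks.index("on") + 1] if "on" in toks else None,
                          protos, sports, dports, src))
    return rules


def evaluate(rules, pkt, tables=None):
    """Return (action, rule text) as pf would decide it for this packet."""
    last = None
    for rule in rules:
        if matches(rule, pkt, tables or {}):
            last = rule
            if rule.quick:
                break
    return ("pass", None) if last is None else (last.action, last.text)


MACROS = {"ext_if": "e0", "tcp_services": "{ 80, 443 }", "services": "{ 22 }",
          "adm_services": "{ 22 3306 10000 11000 }", "icmp_types": "echoreq"}
# Inbound rules from the post, original order, duplicates omitted. The trailing
# `block in on $ext_if all` is not `quick`, so it is the LAST match for every
# inbound TCP packet and overrides the pass rules above it.
POSTED = """
block in
block drop in quick on $ext_if inet proto tcp from 212.166.54.0/24 to any
pass in on $ext_if inet proto tcp from any to ($ext_if) port $adm_services keep state \\
    (max-src-conn 15, max-src-conn-rate 3/1, overload <bruteforce> flush global)
block in on $ext_if all
block in quick on $ext_if from <bruteforce> to any
"""
# Starter ruleset from the reply above: `from any port $services` is a SOURCE
# port match, and ssh clients connect from a random high port.
STARTER = """
block in
pass in on $ext_if proto tcp from any port $services keep state
"""
# Corrected: default block first, quick blocks next, pass rules last and
# nothing non-quick after them; admin ports reachable from the LAN only.
FIXED = """
block in on $ext_if all
block in quick on $ext_if from <bruteforce> to any
block in quick on $ext_if inet proto tcp from 212.166.54.0/24 to any
pass out on $ext_if keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services keep state
pass in on $ext_if inet proto tcp from 192.168.1.0/24 to ($ext_if) port $adm_services keep state
"""
LAN_SSH = Packet("in", "e0", "tcp", "192.168.1.50", 51234, 22)
PORTAL = Packet("in", "e0", "tcp", "203.0.113.9", 40000, 443)
ATTACKER = Packet("in", "e0", "tcp", "212.166.54.110", 40000, 22)


def decide(conf, pkt, tables=None):
    return evaluate(parse_rules(conf, MACROS), pkt, tables)


if __name__ == "__main__":
    for name, conf in ("posted", POSTED), ("starter", STARTER), ("fixed", FIXED):
        print(name, [decide(conf, p) for p in (LAN_SSH, PORTAL, ATTACKER)])
```

The `tables` argument models what `overload <bruteforce> flush global` does to the admin's own client: once the LAN address lands in the table, the `quick` block matches before any pass rule, which is why the posted limits of three new connections per second on a Webmin port (a page load opens many) are a lockout waiting to happen. On the real host, `pfctl -nf /etc/pf.conf` parses a ruleset without installing it and `pfctl -sr` prints the loaded rules in evaluation order; if the last non-`quick` inbound line is a `block`, nothing above it passes.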
 
OP
gutiersa

gutiersa

Member

Reaction score: 6
Messages: 61

I don't see why you would need NAT to set up jails. NAT is done on the perimeter of your network for the entire internal network. As for the login attempts, your search would start by taking a look at which ports exactly you forwarded on your router. If there is no need for you to log in from the outside, then don't forward port 22. For the webserver to be reachable from the outside, it should be sufficient to forward ports 80 and/or 443. Generally, it's not advisable to forward any traffic from the outside before your machine is ready to go 'live'.
this is what gets printed to the screen:
May 6 14:51:46 server webmin[#####]: Non-existent login as webmin from 212.166.56.110
this repeats 4 times, then
May 6 14:51:53 server webmin[#####]: Security alert: Host 212.166.54.110 blocked after 5 failed logins for user webmin

So, I will not work on my server from outside my home anymore, and I just closed the ports at the router. I do keep 443 open because we must provide a patient portal. That needs to be accessible to patients.

Regarding NAT, I misspoke, I meant redirect. I read somewhere that traffic needed to be redirected when jails were used. I did not mean that I need NAT.
My idea is to have MySQL in one jail, Nginx in one jail, and the www directory with the server applications in another jail, and finally the data directories yet in another jail. I would like to have backups in a NAS.
Is this too ambitious a project?
 
OP
gutiersa

gutiersa

Member

Reaction score: 6
Messages: 61

This really, really doesn't look right to me. Did you mean em0?
No, I renamed my NIC in rc.conf to e0
Do you need this? Are you running spamd(8)?

No, I am not running spamd, but should I? I need to make my server very safe. I have nothing but time now...


You should also allow "unreach" for path MTU discovery:

I prefer the drop block policy. It's somewhat less nice to legit users, but wastes would-be attackers' time.

This makes no sense. You only have one interface. How are you ever going to get traffic not from your only interface? Also, you don't need NAT. Your router is already doing this for you.

Add keep state here and your server will be allowed to initiate connections.


This does nothing. You set skip on lo.

Duplicate ICMP rule

Duplicate allow services rules

Duplicate block rules.

Duplicate pass outbound rules.

I want to echo what others have suggested: You're trying to do too much at once. Start with the simplest pf(4) ruleset that can possibly work, and start adding things to it one at a time.

Start with this:
Code:
ext_if="em0"
services="{ 22 }"
set skip on lo
set block-policy drop
scrub in
block in
pass out keep state
pass in quick inet proto icmp all icmp-type { echoreq, unreach }
pass in on $ext_if proto tcp from any port $services keep state
Verify that you can still ssh(1) to your server. Add "443" to services. Verify that you can reach your server using a browser and a "https://" URL.

Edit: Simplest rule set had a bug, heh.
Very well, message received
thank you all
I will keep it simple
You can tell the doctor has a lot of anxiety! Just don't tell anybody.
 

Jose

Well-Known Member

Reaction score: 145
Messages: 291

No, I am not running spamd, but should I? I need to make my server very safe. I have nothing but time now...
Are you running a Mail Transfer Agent (MTA; examples: postfix, sendmail)? If not, then no, you shouldn't.
this is what gets printed to the screen:
May 6 14:51:46 server webmin[#####]: Non-existent login as webmin from 212.166.56.110
this repeats 4 times, then
May 6 14:51:53 server webmin[#####]: Security alert: Host 212.166.54.110 blocked after 5 failed logins for user webmin

So, I will not work on my server from outside my home anymore, and I just closed the ports at the router. I do keep 443 open because we must provide a patient portal. That needs to be accessible to patients.
I don't use webmin, but I'm guessing it's accessible via port 443 as well?
Regarding NAT, I misspoke, I meant redirect. I read somewhere that traffic needed to be redirected when jails were used. I did not mean that I need NAT.
My idea is to have MySQL in one jail, Nginx in one jail, and the www directory with the server applications in another jail, and finally the data directories yet in another jail. I would like to have backups in a NAS.
Is this too ambitious a project?
I've only ever used inherit in jails. I believe the scenario you present would work fine with inherit because all the services use different ports.

No, this is not too ambitious, but you should start small. Get one thing at a time working on the same server. Then get one jail working. Then get one service working in one jail, and so on. It sounds laborious, and it is, but you'll gain confidence, knowledge, and speed with every small step.
 
OP
gutiersa

gutiersa

Member

Reaction score: 6
Messages: 61

Code:
ext_if="em0"
services="{ 22 }"
set skip on lo
set block-policy drop
scrub in
block in
pass out keep state
pass in quick inet proto icmp all icmp-type { echoreq, unreach }
pass in on $ext_if proto tcp from any port $services keep state
syntax error line 10 why?
 
OP
gutiersa

gutiersa

Member

Reaction score: 6
Messages: 61

Are you running a Mail Transfer Agent (MTA. Examples: postfix, sendmail)? If not, then no, you shouldn't.

I don't use webmin, but I'm guessing it's accessible via port 443 as well?

I've only ever used inherit in jails. I believe the scenario you present would work fine with inherit because all the services use different ports.

No, this is not too ambitious, but you should start small. Get one thing at a time working on the same server. Then get one jail working. Then get one service working in one jail, and so on. It sounds laborious, and it is, but you'll gain confidence, knowledge, and speed with every small step.
Yes I am using postfix
Webmin uses port 10000
I have all the services working, and the jails. I just can't do firewall and networking.
And I am currently unemployed, otherwise I could pay for the final setup.
 

pyret

Active Member

Reaction score: 94
Messages: 192

That is not too ambitious. My setup at home is:
Code:
isp->firewall (FreeBSD IPF)->LAN->TV (Netflix, Hulu)
                      |          |->Windows
                      |->DMZ->mail server (OpenBSD OpenSMTPD on SmartOS kvm)
                         |-> Web server (SmartOS)
                         |-> another machine
                         |-> another machine
I run IPF now. I have a static IP from my ISP; the LAN is on 192.168.1.0/24 and the DMZ is on 192.168.2.0/24. The LAN can reach the DMZ but the DMZ cannot reach the LAN. I've set up jails on FreeBSD and have tried them, but my real-world experience with virtualization comes from Solaris. But what you want is certainly doable.

At one time I used OpenBSD/pf for the firewall and this was my pf.conf
Code:
# Macros
ext_if="axe0"
prv_if="axe1"
dmz_if="axe2"
# prv_hosts -- the list of addresses of hosts on the screened LAN
prv_hosts = "{192.168.1.10, 192.168.1.15, 192.168.1.20 192.168.1.21 192.168.1.22}"
# dmz_hosts -- the list of addresses of hosts in the DMZ
dmz_hosts = "{192.168.2.21/32, 192.168.2.22/32, 192.168.2.23/32, 192.168.2.26/32, 192.168.2.27/32, 192.168.2.28/32}"
# dmz_www -- the address of the WWW server in the DMZ
dmz_www = "192.168.2.21/32"
# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = "192.168.2.22/32"
# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = "192.168.2.23/32"
# Tables
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
table <bruteforce> persist
# all IP addresses assigned to the firewall
table <firewall> const { self }
# Options
set require-order yes
set block-policy drop
set optimization aggressive
set loginterface $ext_if
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set state-policy if-bound
set timeout { frag 30, tcp.established 120 }
set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
################ Queueing ##################################
altq on $ext_if bandwidth 984Kb hfsc queue { q_pri, q_def, q_mus, q_tor }
queue q_pri bandwidth 49% priority 7 hfsc
queue q_def bandwidth 49% priority 5 hfsc (linkshare 49%) {q_smtp,q_http,ssh_login,q_def1}
queue ssh_login bandwidth 96% priority 5 hfsc
queue q_http bandwidth 1% priority 4 hfsc
queue q_smtp bandwidth 1% priority 4 hfsc
queue q_def1 bandwidth 1% priority 3 hfsc (default)
queue q_mus bandwidth 1% qlimit 200 priority 4 hfsc
queue q_tor bandwidth  1% qlimit 25   priority 3 hfsc (upperlimit 272Kb)
################ Translation (NAT)  ##################################
# Translation rules are first match
# NAT internal hosts
nat on $ext_if inet from ! $ext_if to any -> $ext_if
# redirect connections to port 80 (HTTP) to DMZ
rdr on $prv_if inet proto tcp from $prv_hosts to $ext_if port {www, https} -> $dmz_www port 80
rdr on $ext_if inet proto tcp from any to $ext_if port {www, https} -> $dmz_www port 80
# redirect connections to port 25 (SMTP) to DMZ
#rdr on $prv_if inet proto tcp from $prv_hosts to $ext_if port smtp -> $dmz_smtp port smtp
rdr on $ext_if inet proto tcp from any to $ext_if port smtp -> $dmz_smtp port smtp
#rdr pass on $ext_if proto tcp from any to $ext_if port 25 -> $dmz_smtp port 25
# redirect connections to port 53 (DNS) to DMZ
rdr on $ext_if inet proto {tcp, udp} from any to $ext_if port 53 -> $dmz_dns
# DENY rogue redirections
no rdr
################ Traffic Normalization ##################################
# Set ttl to 254 to limit possible mapping of hosts behind firewall.
# Also set random-id to help with the same.
match in all scrub (no-df random-id min-ttl 254 max-mss 1440 reassemble tcp)
match out all scrub (no-df random-id)
################ Filtering ##################################
# don't filter on the loopback interface
set skip on lo0
# Block spoofed packets: enable "set state-policy if-bound" above
antispoof log quick for { lo0 $dmz_if $prv_if $ext_if }
block log all
pass quick on lo0 all
block drop in quick on $ext_if from <bruteforce>
block in quick on $ext_if from <rfc1918> to any
block out quick on $ext_if from any to <rfc1918>
block in quick on $ext_if inet from any to 255.255.255.255
block in log quick on $ext_if inet from urpf-failed to any
block in log quick on $ext_if inet from no-route to any
# Block anything coming from source we have no back routes for
block in log quick from no-route to any
# Anti-fake return scans
block return-rst out on $ext_if proto tcp all
block return-rst in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp  in on $ext_if proto udp all
# Block and log outgoing packets that don't have our address as source,
# they are either spoofed or something is misconfigured. NAT disabled,
# (for instance), we want to be nice and don't send out garbage.
block out log quick on $ext_if from ! $ext_if to any
# Block nmap os detection scans
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF
# only allow ssh connections from the local network if it's from the
# trusted computer, 192.168.1.10. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $prv_if proto tcp from ! 192.168.1.10 \
to $prv_if port ssh
# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect. use the tcp syn proxy to proxy the connection.
# the default flags "S/SA" will automatically be applied to the rule by
# PF.
#pass in log on $ext_if proto tcp to ! <firewall> \
port ssh synproxy state
#pass in on $ext_if proto tcp from any to $ext_if port ssh flags S/SA keep state (max-src-conn 1, max-src-conn-rate 3/5, overload <bruteforce> flush global)
# pass all connections originating from the firewall
pass out quick on $ext_if inet from $ext_if to any flags S/SA modulate state
# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA
# pass all connections originating from the DMZ
pass in quick on $dmz_if from $dmz_hosts to any flags S/SA
pass out quick on $dmz_if from $prv_hosts to any flags S/SA
# pass all connections to the WWW host in the DMZ
pass in quick on $ext_if inet proto tcp from any to $dmz_www port {www, https} flags S/SA synproxy state
pass in quick on $ext_if inet proto tcp from any to $ext_if port {www, https} flags S/SA keep state
pass out quick on $dmz_if inet proto tcp from any to $ext_if port {www, https} flags S/SA keep state
pass out quick on $dmz_if inet proto tcp from any to any port {www, https} flags S/SA keep state
#pass all connections to the SMTP host in the DMZ
pass in log on $ext_if proto tcp from any to $dmz_smtp port smtp flags S/SA synproxy state
pass in log on $prv_if proto tcp from $prv_hosts to $dmz_smtp port smtp flags S/SA synproxy state
pass out log on $dmz_if proto tcp from any to $dmz_smtp port smtp
pass in on $dmz_if proto tcp from $dmz_smtp to any port smtp
pass out log on $ext_if proto tcp from $dmz_if to any port smtp
# pass all connections to the DNS host in the DMZ
pass in on $ext_if inet proto {tcp, udp} from any to $dmz_dns port 53 flags S/SA keep state
This worked for me for years until I switched. I don't recall the exact version of OpenBSD but it was before they changed the syntax, and I believe the conf above matches FreeBSD's version of pf. I'm not a firewall expert, so someone might be able to provide you with better rules.
 

Jose

Well-Known Member

Reaction score: 145
Messages: 291

Code:
ext_if="em0"
Should this be e0? Out of curiosity, why did you rename your interface?
syntax error line 10 why?
Beats me. That ruleset is only 9 lines long, haha. Edit: Try pfctl -gnf /path/to/ruleset.

Yes I am using postfix
For incoming or outgoing email?

Webmin uses port 10000
That's very handy. We'll only allow access from your internal network once we get things going.
I have all the services working, and the jails. I just can't do firewall and networking.
And I am currently unemployed, otherwise I could pay for the final setup.
How is networking configured in your existing jails?
 

PMc

Aspiring Daemon

Reaction score: 348
Messages: 833

this is what gets printed to the screen:
May 6 14:51:46 server webmin[#####]: Non-existent login as webmin from 212.166.56.110
this repeats 4 times, then
May 6 14:51:53 server webmin[#####]: Security alert: Host 212.166.54.110 blocked after 5 failed logins for user webmin

So, I will not work on my server from outside my home anymore, and I just closed the ports at the router.
That is better. At least for that webmin; I doubt it has had all that much security assessment. Those things don't belong on the internet; they should be run through a VPN.
You can leave ssh open if that is strictly key-based. Checking: what I have uncommented in /etc/ssh/sshd_config is this:

Code:
$ grep -v ^# sshd_config | grep -v '^$'
Port XXX
Port 22
AuthorizedKeysFile      .ssh/authorized_keys
ChallengeResponseAuthentication no
MaxStartups 3
Subsystem       sftp    /usr/libexec/sftp-server
You can remove "Port 22" and use an arbitrary, otherwise unused port. That obfuscates things a little bit, but you have to enter it wherever you connect from.
Sadly I can't help with pf, I am an ipfw user.
 
OP
gutiersa

gutiersa

Member

Reaction score: 6
Messages: 61

This setup to include TV and home electronics would be like a dream come true for me. Makes my heart skip a beat!
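For the throttling rule that is commented out in the ruleset above, here is an added example (not part of the ruleset posted in this thread) of the pieces it needs before it can take effect in FreeBSD pf: the table the rule overloads into, a block rule that consults that table, and the pass rule itself. The interface macro is the ruleset's own; the connection limits are assumed values to tune for the host.

```pf
# Added example, not from the ruleset above. Sources that hammer ssh are
# collected in a table and dropped on every interface from then on.
table <bruteforce> persist

# Anything already identified as a brute-forcer is dropped before the
# pass rules are consulted.
block in quick from <bruteforce>

# ssh to the firewall itself from outside, with state-based limits:
# more than 5 simultaneous connections, or more than 3 new connections
# in 30 seconds, from one source puts that source into <bruteforce>;
# "flush global" also tears down the states it already holds.
# (Limits are assumptions; the original rule used 1 and 3/5.)
pass in on $ext_if proto tcp from any to $ext_if port ssh flags S/SA \
    keep state (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, list the current offenders with `pfctl -t bruteforce -T show`, and age entries out from cron with `pfctl -t bruteforce -T expire 86400` so a mistyped password from a legitimate host is not a permanent ban. Note the limit counts TCP connections, so it catches ssh hammering but not repeated attempts at a web login form sent over one kept-alive session; that case needs the log-watching approach discussed further down the thread.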
 
OP
gutiersa

Member

Reaction score: 6
Messages: 61

Should this be e0? Out of curiosity, why did you rename your interface?

Beats me. That ruleset is only 9 lines long, haha. Edit: Try pfctl -gnf /path/to/ruleset.


For incoming or outgoing email?


That's very handy. We'll only allow access from your internal network once we get things going.

How is networking configured in your existing jails?
Because I couldn't set it up with the jails I am currently doing everything out of the main host.
Well postfix would be for both. That is something else that I am only now setting up.
 
OP
gutiersa

Member

Reaction score: 6
Messages: 61

Better is that. At least for that webmin; I doubt if that has all too much security assessment. Those things don't belong on the internet, they should be run thru a VPN.
You can leave ssh open if that is strictly key-based. Checking: what I have uncommented in the /etc/ssh/sshd_config is this:

Code:
$ grep -v ^# sshd_config | grep -v '^$'
Port XXX
Port 22
AuthorizedKeysFile      .ssh/authorized_keys
ChallengeResponseAuthentication no
MaxStartups 3
Subsystem       sftp    /usr/libexec/sftp-server
You can remove "port 22" and use an arbitrary, otherwise unused port - that obfuscates things a little bit, but you have to enter it wherever you connect from.
Sadly I can't help with pf, I am an ipfw user.
Yes, I use ipfw too.
this is mine:

Code:
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Subsystem       sftp    /usr/libexec/sftp-server
IgnoreRhosts yes
IgnoreUserKnownHosts no
PrintMotd yes
StrictModes yes
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
sandra@server:/etc/ssh %
 
OP
gutiersa

Member

Reaction score: 6
Messages: 61

Should this be e0? Out of curiosity, why did you rename your interface?

Beats me. That ruleset is only 9 lines long, haha. Edit: Try pfctl -gnf /path/to/ruleset.


For incoming or outgoing email?


That's very handy. We'll only allow access from your internal network once we get things going.

How is networking configured in your existing jails?
I changed the name in case it breaks. That way once I replace it, I only need to change the name in one place, rc.conf. I mean technically, if it ever broke, I could have just renamed it then, but I didn't think of it. I thought of it just now. I had a network card break on me once. So it does happen.
 
OP
gutiersa

Member

Reaction score: 6
Messages: 61

Same thing, error in line 10.
 

Jose

Well-Known Member

Reaction score: 145
Messages: 291

Yes, I use ipfw too.
Hahaha! Why have I been trying to help you with pf(4) rules? You can use either ipfw(8) or pf, but not both. If you're trying to choose, I recommend you go with ipfw. I get the feeling it's more widely adopted among the users of this forum.
 
OP
gutiersa

Member

Reaction score: 6
Messages: 61

Well, I am already using ipfw but the webmin attack is still happening.
I think pf is a good firewall to use.
I do need to comply with HIPAA regulation and my idea was to start a business supporting other physicians in this area, because it is very expensive in this neck of the woods.
I am reading this:
 

pyret

Active Member

Reaction score: 94
Messages: 192

I have used OS/2 Weasel for a mail server (for a week), Plan 9 upas for mail (for a week), Sendmail (egad!) and OpenSMTPD. I would recommend OpenSMTPD. Everyone has their own opinion of what is best and what they prefer, but the syntax for OpenSMTPD is easy to read. And you don't need a 1400 page "Bat book" for it (reference to the O'Reilly Sendmail book).

This is my current smtpd.conf for OpenSMTPD on OpenBSD. I think there is still a FreeBSD port.
Code:
queue compression
queue encryption key 44d1ee9dd2f0a54e4a6c21bd24b2c2d1
# pki setup
pki mail.myname.email certificate "/etc/ssl/mail.myname.email.crt"
pki mail.myname.email key "/etc/ssl/private/mail.myname.email.key"
pki mail.business.com certificate "/etc/ssl/mail.business.com.crt"
pki mail.business.com key "/etc/ssl/private/mail.business.com.key"
# tables setup
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table users file:/etc/mail/users
table secrets file:/etc/mail/secrets
table blacklist-recipients file:/etc/mail/blacklist-recipients
# listen ports setup
listen on lo0
#listen on egress port 25
#listen on egress port 587 tls-require pki mail.myname.email auth <secrets>
listen on egress port 25 tls auth-optional <secrets> hostname mail.myname.email
listen on egress port 587 tls-require auth <secrets> hostname mail.myname.email
# allow local messages
#accept from local for local alias <aliases> deliver to maildir "/var/mail/%{user.username}/Inbox"
accept recipient ! <blacklist-recipients> from local for local alias <aliases> deliver to mbox
# allow virtual domains
accept from any recipient ! <blacklist-recipients> for domain <domains> \
    virtual <users> deliver to maildir "/var/mail/%{user.username}/Inbox"
# allow outgoing mails
accept from local for any relay
 
OP
gutiersa

Member

Reaction score: 6
Messages: 61

Sounds good to me, thanks
 

Jose

Well-Known Member

Reaction score: 145
Messages: 291

Well, I am already using ipfw but the webmin attack is still happening.
You're going to have to use fail2ban, like VladiBG suggested.
I think pf is a good firewall to use.
On OpenBSD, sure. I think the FreeBSD world is moving away from it. It certainly has the feeling of being a backwater nowadays. I stick with it because it's what I learned, but if I was starting fresh on FreeBSD I'd use ipfw.
Great resource. I use his traplists. He's very pf/Openbsd focused, though.
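The fail2ban approach Jose recommends works on the log rather than on connection counts: a web login form like webmin's can be retried inside one TCP session, so the pf state limits seen earlier in the thread never see those attempts. What follows is an added example, not from the thread and not fail2ban's own code, of the core of that loop as a POSIX shell function: it counts failed sshd and webmin logins per source address over constructed sample log lines (the sshd format is OpenSSH's; the webmin "Invalid login as ... from ..." format is an assumption), skips the management host, and prints the pfctl commands that would add offenders to a <bruteforce> table (the table name taken from the commented-out overload rule in Jose's ruleset). It prints the commands instead of running them, so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the thread or from fail2ban): a minimal log-driven
# blocker in dry-run form. It reads auth log lines on stdin, counts failed
# sshd and webmin logins per source address, skips a whitelist, and prints
# the pfctl commands that would put offenders into a <bruteforce> table.

# Constructed sample log lines. The sshd lines use OpenSSH's format; the
# webmin "Invalid login as ... from ..." format is assumed.
SAMPLE_LOG='Mar  3 10:01:02 server sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 server sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 server sshd[1236]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar  3 10:02:00 server sshd[1240]: Accepted publickey for sandra from 192.168.1.10 port 40000 ssh2
Mar  3 10:03:11 server webmin[2001]: Invalid login as root from 198.51.100.22
Mar  3 10:03:12 server webmin[2001]: Invalid login as admin from 198.51.100.22
Mar  3 10:04:00 server sshd[1250]: Failed password for sandra from 192.168.1.10 port 40010 ssh2'

# failed_login_ips THRESHOLD [WHITELIST]
# Reads log lines on stdin and prints "address count", one per line, for
# every source with at least THRESHOLD failed logins. WHITELIST is a
# space-separated list of addresses that are never reported (the
# management host, for instance).
failed_login_ips() {
    awk -v threshold="$1" -v whitelist="${2:-}" '
        BEGIN {
            n = split(whitelist, w, " ")
            for (i = 1; i <= n; i++) skip[w[i]] = 1
        }
        /sshd\[[0-9]+\]: Failed password for/ || /webmin\[[0-9]+\]: Invalid login as/ {
            # Both formats put the source address right after the word "from".
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) count[ip]++
        }
        END {
            for (ip in count) if (count[ip] >= threshold) print ip, count[ip]
        }
    ' | sort
}

# block_commands THRESHOLD [WHITELIST]
# Same input; prints the pfctl invocation for each offender instead of
# running it, so the output can be reviewed before this is wired to a
# real log and a real table.
block_commands() {
    failed_login_ips "$@" | while read -r ip count; do
        printf 'pfctl -t bruteforce -T add %s  # %s failed logins\n' "$ip" "$count"
    done
}

# Stand-alone run over the constructed sample: two or more failures gets a
# source listed, except for the management host 192.168.1.10.
printf '%s\n' "$SAMPLE_LOG" | block_commands 2 192.168.1.10
```

In use, the stdin would be `tail -F /var/log/auth.log` or a cron run over the last few minutes of the log, the printed commands would be executed instead of echoed, and the table would need the `table <bruteforce> persist` declaration plus a `block in quick from <bruteforce>` rule in pf.conf. Keeping the management address on the whitelist is what stops a fat-fingered password from the LAN box locking you out of your own server, which is the failure the thread opened with.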
 
OP
gutiersa

Member

Reaction score: 6
Messages: 61

Yes, I already installed fail2ban.
 