Set PF to only block SSH and Ping

[adripillo]

Hello, any idea of how can set PF to only block incoming SSH and Pings? ?. Thanks.

 

[wblock@]

See http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html#pftut-icmp. Blocking pings is questionable, they are not terrifying as some people believe.

For SSH and other TCP protocols that might be allowed if they originate inside the LAN, use a

pass out on $ext_if proto tcp

rule. Then later in the rules,

pass in on $ext_if inet proto tcp from any to $ext_if port $tcpservers

will allow just the protocols listed in tcpservers in.

 

[adripillo]

I was following the handbook and I get this:

# service pf start
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:40: macro 'icmp_types' not defined
/etc/pf.conf:40: syntax error
/etc/pf.conf:41: macro 'icmp_types' not defined
pfctl: Syntax error in config file: pf rules not loaded
No ALTQ support in kernel
ALTQ related functions disabled

 

[wblock@]

The icmp_types macro is defined in the next two sections, but I wonder if the intent in the first example was to leave it out entirely:

pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state

 

[wblock@]

Mr. Hansteen confirms, so document updated:
http://svnweb.freebsd.org/doc/head/...r1=42084&r2=42083&pathrev=42084&diff_format=h

 

[kpa]

Why would you block only SSH and ICMP? Are you sure no other ports have services listening on them?

 

[adripillo]

Why would you block only SSH and ICMP? Are you sure no other ports have services listening on them?

I do not want incoming SSH and ICMP.

 

[throAU]

Standard response:

Maintaining a firewall that is open by default is a bad idea. Block everything, allow only what you want, from where you want explicitly. If you set things to allow by default, there's nothing to stop an exploited program opening a high port and enabling a non-root remote shell that can then be used for a local exploit. If everything is closed by default, even if a non-root compromise can open a port for the attacker to connect to in an attempt to perform a local root exploit, the port is blocked by the firewall.

Obviously it's not a 100% failsafe defence, but the harder you can make it for the bad guys the better.

2c.

 

[adripillo]

Finally found a nice guide about IPFW, so I could configure it very easy. Now I just need to deny ICMP there but I will open another thread to not make a confusion here. Thanks all for the replies.

 

[wblock@]

The PF configuration was done. Why go back to ipfw(8)?

 

[adripillo]

The PF configuration was done. Why go back to ipfw(8)?

It was giving me some problems with the kernel. Based on what I read I needed to add ALTQ to the kernel and found some guide about it but it was kind of complicated. So I investigated more and found that IPFW comes with FreeBSD and the guide I found for IPFW was more simple so that's for I decided to go for IPFW.

 

[DutchDaemon]

The ALTQ remark on screen when running e.g. a pfctl command is just a remark. ALTQ does not have to be in the kernel, unless you want to use traffic shaping. It is not an error, nor a requirement. It is just a (rather annoying) informative remark.

 

[adripillo]

The ALTQ remark on screen when running e.g. a pfctl command is just a remark. ALTQ does not have to be in the kernel, unless you want to use traffic shaping. It is not an error, nor a requirement. It is just a (rather annoying) informative remark.

Oh ok, thanks a lot for the info.