Solved state-mismatch issue?

I've been running the PF firewall for 10 days now, and noticed a fair amount of state-mismatches.

Is this normal? This server runs my website and postfix/dovecot.

Code:
Status: Enabled for 9 days 23:14:44           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                     31977957140      14402015528
  Bytes Out                   102840028384       8534599695
  Packets In
    Passed                        85540987          7032814
    Blocked                        2283643            61200
  Packets Out
    Passed                       117563529          9873904
    Blocked                          12292                2

State Table                          Total             Rate
  current entries                      359
  searches                       222366118          258.2/s
  inserts                          7720388            9.0/s
  removals                         7720030            9.0/s
Counters
  match                           10067718           11.7/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  short                                 23            0.0/s
  normalize                           2231            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                     21080            0.0/s
  state-insert                           1            0.0/s
  state-limit                            0            0.0/s
  src-limit                              2            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s


Here is my config :

Am I making any mistakes and/or do you have any optimization tips?

Code:
EXT_IF="em0"

set loginterface $EXT_IF
set ruleset-optimization none
set block-policy drop
set state-policy if-bounde
set fingerprints "/dev/null"
set skip on lo0
set optimization aggressive
set timeout { tcp.established 600 }
set limit frags 10000


# ipv4 = echoreq, echorep, unreach, timex, paramprob
# ipv6 = echoreq, echorep, unreach, toobig, timex, paramprob, neighbrsol, neighbradv
ipv4_icmp_types = "{ 8, 0, 3, 11, 12 }"
ipv6_icmp_types = "{ 128, 129, 1, 2, 3, 4, 135, 136 }"

tcp_state = "flags S/SA keep state"
udp_state = "keep state"

table <blacklist> persist
table <fail2ban> persist
table <postfix> persist

table <googleips> persist file "/home/me/pf-mail-whitelist.txt"


# Allow all outgoing traffic
pass out quick all $tcp_state


# allow our IP address + proxy IP access to the server
# this needs to be here, as the antispoof blocks our proxy IP address
pass in quick on $EXT_IF inet proto tcp from $SSH_WHITELIST to $SERVER port $SSH $tcp_state


antispoof quick for $EXT_IF
block in quick on $EXT_IF from no-route to any
block in quick on $EXT_IF from urpf-failed to any
block in quick on $EXT_IF from any to 255.255.255.255
block in quick on $EXT_IF from <blacklist> to any
block in quick on $EXT_IF from <postfix> to any
block in quick on $EXT_IF proto { tcp, udp } from <fail2ban> to any port 25



# deny all incoming traffic
block in all



# allow select ICMP for IPv4 and IPv6
pass in quick on $EXT_IF inet proto icmp icmp-type $ipv4_icmp_types
pass in quick on $EXT_IF inet6 proto ipv6-icmp icmp6-type $ipv6_icmp_types


### WEBSERVER RULES ###

pass in quick on $EXT_IF proto tcp from any to any port { 80, 443 } $tcp_state
pass in quick on $EXT_IF proto udp from any to any port 443 $udp_state


### MAIL RULES ###

# allow my ip address and Google to send mail
pass in quick on $EXT_IF inet proto tcp from { $WHITELIST, <googleips> } to $SERVER port 587 $tcp_state

# allow my ip address to access pop3 (dovecot)
pass in quick on $EXT_IF inet proto tcp from $WHITELIST to $SERVER port 995 $tcp_state

# allow my ip to connect to port 25 (testing purposes) + don't rate limit google ips
pass in quick on $EXT_IF inet proto tcp from { $WHITELIST, <googleips> } to $SERVER port 25 $tcp_state


### RATE LIMIT RULES ###

# allow access to Postfix, but rate limit abusers (excluding us)
pass in quick on $EXT_IF inet proto tcp from !$WHITELIST to $SERVER port 25 \
        $tcp_state \
        (max-src-conn-rate 4/12, overload <postfix> flush global)
 
Nothing to worry about. It's normal when some web site clients try to send data (late data) after the connection is closed or the state has timed out.
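To put a number like 21080 in context, here is an added example (not posted in the thread) that parses the State Table and Counters sections of `pfctl -si`, expresses state-mismatch as a share of state inserts, and flags the counters that point at resource pressure rather than late packets; the 1% threshold is an assumption chosen for illustration.

```python
import re

# Constructed sample: the `pfctl -si` State Table and Counters rows from the
# thread, with most zero-valued rows left out.
SAMPLE_PFCTL_SI = """\
State Table                          Total             Rate
  searches                       222366118          258.2/s
  inserts                          7720388            9.0/s
  removals                         7720030            9.0/s
Counters
  match                           10067718           11.7/s
  normalize                           2231            0.0/s
  memory                                 0            0.0/s
  state-mismatch                     21080            0.0/s
  state-limit                            0            0.0/s
"""

# Counters that signal resource pressure rather than late packets;
# any non-zero value here deserves a look.
HARD_COUNTERS = ("memory", "state-limit", "congestion")
# Assumed threshold: state-mismatch above this share of state inserts
# is no longer explained by clients sending data after state expiry.
MISMATCH_WARN_RATIO = 0.01

def parse_pfctl_si(text):
    # Collect integer totals into {'state': {...}, 'counters': {...}}.
    out = {"state": {}, "counters": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("State Table"):
            section = "state"
        elif line.startswith("Counters"):
            section = "counters"
        elif section:
            m = re.match(r"\s+([a-z-]+)\s+(\d+)", line)
            if m:
                out[section][m.group(1)] = int(m.group(2))
    return out

def assess(stats):
    inserts = stats["state"].get("inserts", 0)
    mismatch = stats["counters"].get("state-mismatch", 0)
    ratio = mismatch / inserts if inserts else 0.0
    findings = []
    if ratio > MISMATCH_WARN_RATIO:
        findings.append(f"state-mismatch is {ratio:.2%} of inserts")
    for name in HARD_COUNTERS:
        if stats["counters"].get(name, 0):
            findings.append(f"{name} counter is non-zero")
    return ratio, findings
```

For the thread's figures `assess(parse_pfctl_si(SAMPLE_PFCTL_SI))` yields a ratio of about 0.27% and no findings, which agrees with the reply above.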
 
set state-policy if-bounde
I'm surprised you're not getting a syntax error when you load the ruleset. There's a typo (spurious trailing "e"). Should be:

set state-policy if-bound

Yeah, I just created a test case, and sure enough, the parser-validator in pfctl detects it as a syntax error…


% pfctl -vnf /etc/pf.local/com.example.test-set-option-misspelling
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

/etc/pf.local/com.example.test-set-option-misspelling:5: syntax error


Here's the test conf file…

Code:
#
# test a misspelled set option to see if a syntax error is generated when rule set is loaded
#
#set state-policy if-bound
set state-policy if-bounde

pass in all
 