The following script protects a colocated FreeBSD / OpenBSD / NetBSD server running the PF firewall. My box has two interfaces: one for the VPN and one public interface. I only run http, dns and ssh on the public interface. Read the pf, rc.conf and pf.conf man pages for details. Tested on FreeBSD and OpenBSD.
Sample /etc/pf.conf
```
#### First declare a couple of variables ####
### Outgoing tcp / udp ports ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data }"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
#### define tables. add all subnets and ips to block to the table file
table <blockedip> persist file "/etc/pf.block.ip.conf"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
### admin server ranges ###
adminrange = "112.220.11.0/23"
# connected to internet
ext_if = "em1"
# connected to vpn / lan
int_if = "em0"
##### ftp proxy
#proxy="127.0.0.1"
#proxyport="8021"

#### Options ####
# pf requires options before normalization and filter rules
# (older pf rejects the ruleset with "Rules must be in order" otherwise)
# unlimited traffic for loopback and lan / vpn
set skip on { lo0, $int_if }

#### Normalization ####
# scrub provides a measure of protection against certain kinds of attacks
# based on incorrect handling of packet fragments
scrub in all

#### NAT and RDR start ####
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
# redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

#### Filter rules ####
# Drop incoming everything
block in all
block return
# keep state of outgoing connections
pass out keep state
# We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
# activate spoofing protection for all interfaces
block in quick from urpf-failed
# antispoof is a common special case of filtering and blocking.
# This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
# Block RFC 1918 and other martian addresses
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians
# Block all ips listed in the table
# pfctl -t blockedip -T show
block drop in log (all) quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>
# allow outgoing
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
# Allow traceroute
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# Allow admin to get into box
pass in on $int_if from $adminrange to any
# Allow incoming ssh, http, bind traffic
# pass in on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
# synproxy state already includes modulate state and keep state,
# so "synproxy modulate state" is a syntax error
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
```
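The ruleset above loads the <blockedip> table from /etc/pf.block.ip.conf and leaves it to you to maintain that file and reload pf. The following script is an added example, not code from the original post: it validates an address or CIDR entry before appending it to the file, pushes it into the live table when pfctl is available, and syntax-checks pf.conf with pfctl -nf before loading it, so a typo never leaves the box with no ruleset. The function names, the BLOCKFILE override, and the sample addresses (the 203.0.113.0/24 documentation range) are assumptions; pfctl's -t/-T, -n and -f options are the real ones.

```shell
#!/bin/sh
# Added example: manage the <blockedip> table file used by the pf.conf above
# and verify the ruleset before loading it. Not part of the original post.

# Path of the table file referenced by "table <blockedip> persist file ...";
# override with BLOCKFILE=... for testing (assumed name).
BLOCKFILE="${BLOCKFILE:-/etc/pf.block.ip.conf}"

# is_cidr: return 0 if $1 is a dotted-quad IPv4 address, optionally with a
# /0-32 prefix length, otherwise return 1. Uses awk only, so it runs anywhere.
is_cidr() {
    echo "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# add_block: append $1 to the table file if it validates and is not already
# listed, then add it to the running table when pfctl exists (no full reload).
add_block() {
    addr="$1"
    is_cidr "$addr" || { echo "refusing bad entry: $addr" >&2; return 1; }
    touch "$BLOCKFILE"
    if grep -qx "$addr" "$BLOCKFILE"; then
        return 0    # already listed, nothing to do
    fi
    echo "$addr" >> "$BLOCKFILE"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t blockedip -T add "$addr"
    fi
    return 0
}

# blocked_count: number of entries currently in the table file.
blocked_count() {
    [ -f "$BLOCKFILE" ] || { echo 0; return; }
    wc -l < "$BLOCKFILE" | tr -d ' '
}

# check_and_load: parse the ruleset with -n first; only load it on success.
check_and_load() {
    conf="${1:-/etc/pf.conf}"
    pfctl -nf "$conf" || { echo "ruleset has errors; not loaded" >&2; return 1; }
    pfctl -f "$conf"
}

# Usage (constructed sample, 203.0.113.0/24 is a documentation range):
#   add_block 203.0.113.5
#   add_block 203.0.113.0/24
#   check_and_load /etc/pf.conf
```

Run it as root on the firewall; on a workstation without pfctl the validation and file handling still work, which is what makes the checks testable offline.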
- Last Updated: 05/10/09
Comments:
This was very helpful :) Thank You ;-)
Regards
http://hekko.eu
Good work vivec. great help when pf.conf is lacking comments. ;)
FreeBSD 7.2-RELEASE – I believe it ships with pf @ OpenBSD 4.1
notes:
1) “$ext_if proto tcp from any to any port http flags S/SA synproxy modulate state”
throws me a syntax error, I understand that using synproxy and modulate is redundant, ie synproxy includes modulate and keep.
2) using synproxy with ssh ain’t happening for me, not yet sure – researching.
3) in pf @ OpenBSD 4.1, default TCP flags are S/SA keep state
thanks, keep up the great work.
# synproxy state – proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state.
oops, i think the problem might be
pass in on $ext_if proto tcp from ant to any port ssh flags S/SA synproxy state
“ant” should be “any” ?
Yes, it was a typo. Thanks for the heads-up!