OpenBSD PF Firewall Script – /etc/pf.conf File

by on August 13, 2008 · 13 comments

The following script protects a colocated FreeBSD / OpenBSD / NetBSD server running the PF firewall. My box has two interfaces, one for the VPN and one public. I only run http, dns and ssh on the public interface. Read the pf, rc.conf and pf.conf man pages for details. Tested on FreeBSD and OpenBSD.

Sample /etc/pf.conf

    #### First declare a couple of variables ####
    ### Outgoing tcp / udp ports ####
    ### 43 - whois, 22 - ssh ###
    tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data }"
    udp_services = "{ domain, ntp }"
    ### allow ping / pong ####
    icmp_types = "{ echoreq, unreach }"

    #### define tables. add all subnets and ips to block
    table <blockedip> persist file "/etc/pf.block.ip.conf"

    martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

    ### admin server ranges ###
    adminrange = "112.220.11.0/23"

    # connected to internet
    ext_if = "em1"
    # connected to vpn / lan
    int_if = "em0"

    ##### ftp proxy
    #proxy="127.0.0.1"
    #proxyport="8021"

    #### Options
    # options must come before normalization and filter rules, otherwise older
    # pfctl rejects the file with "Rules must be in order"
    # unlimited traffic for loopback and lan / vpn
    set skip on { lo0, $int_if }

    #### Normalization
    # scrub provides a measure of protection against certain kinds of attacks
    # based on incorrect handling of packet fragments
    scrub in all

    #### NAT and RDR start
    #nat-anchor "ftp-proxy/*"
    #rdr-anchor "ftp-proxy/*"

    # redirect ftp traffic
    #rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

    # Drop incoming everything
    block in all
    block return

    # keep state for outgoing connections
    pass out keep state

    # We need to have an anchor for ftp-proxy
    #anchor "ftp-proxy/*"

    # activate spoofing protection for all interfaces
    block in quick from urpf-failed

    # antispoof is a common special case of filtering and blocking. This
    # mechanism protects against activity from spoofed or forged IP addresses
    antispoof log for $ext_if

    # Block RFC 1918 and other unroutable (martian) addresses
    block drop in log (all) quick on $ext_if from $martians to any
    block drop out log (all) quick on $ext_if from any to $martians

    # Block all ips listed in the table
    # (view the table with: pfctl -t blockedip -T show)
    block drop in log (all) quick on $ext_if from <blockedip> to any
    block drop out log (all) quick on $ext_if from any to <blockedip>

    # allow outgoing
    pass out on $ext_if proto tcp to any port $tcp_services
    pass out on $ext_if proto udp to any port $udp_services

    # Allow trace route
    pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

    # Allow admin to get into box
    pass in on $int_if from $adminrange to any

    # Allow incoming ssh, http, bind traffic
    # pass in on $ext_if proto tcp from any to any port 25
    pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
    pass in on $ext_if proto udp from any to any port domain
    pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
    # synproxy state already includes modulate state; writing both is a syntax error
    pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
    pass inet proto icmp all icmp-type $icmp_types keep state
    ## add your rule below ##


  • Hekko

    This was very helpful :) Thank You ;-)

    Regards
    http://hekko.eu

  • Dirk Gently

    Good work vivec. great help when pf.conf is lacking comments. ;)

  • Waitman Gobble

    freebsd 7.2-RELEASE – I believe it ships with pf @ OpenBSD 4.1

    notes:

    1) “$ext_if proto tcp from any to any port http flags S/SA synproxy modulate state”
    throws me a syntax error, I understand that using synproxy and modulate is redundant, ie synproxy includes modulate and keep.

    2) using synproxy with ssh ain’t happening for me, not yet sure – researching.

    3) in pf @ OpenBSD 4.1, default TCP flags are S/SA keep state

    thanks, keep up the great work.

  • Waitman Gobble

    oops, i think the problem might be
    pass in on $ext_if proto tcp from ant to any port ssh flags S/SA synproxy state

    “ant” should be “any” ?

  • Vivek Gite

    Yes, it was a typo. Thanks for the heads-up!

  • Andrei

    # synproxy state – proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state.

  • Amza Marian

    It is ok. Simple and great.

    Normally, a client connects to the server and we handshake with them, then proceed to exchange data. By telling pf to proxy the handshake between the client and server, TCP SYN flood attacks from DDoS become ineffective because a spoofed client cannot complete a handshake.

    As Dirk Gently says: More comments are welcome.

  • bastian

    How can I block port 22 to the public and give permission to a specific IP address?

  • phaleon

    here is what I have done
        ## ips ok for ssh
        ## (the table name was lost from this comment; <sshok> is a placeholder)
        table <sshok> { 1.2.3.4, 5.6.7.8, 9.10.11.12 }

        # and then
        pass in on $ext_iface proto tcp from <sshok> to any port 22 flags S/SA synproxy state

  • circus

    Hi, CMIIW but this rule:

        pass out keep state
    

    just makes this rules:

        pass out on $ext_if proto tcp to any port $tcp_services
        pass out on $ext_if proto udp to any port $udp_services
    

    a bit pointless? I’m still able to connect to any ports.

  • circus

    And I think we should use

    block all
    
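The point raised in the two comments above is how PF evaluates rules: the last matching rule wins unless a rule carries `quick`, so a blanket `pass out keep state` placed before the per-port `pass out` rules already matches every outbound packet and the port lists add nothing. The following is an added example, not code from the post or its author, showing the default-deny layout that makes the port lists effective. It reuses the post's `ext_if`, `tcp_services` and `udp_services` macro names; the interface name and port lists are assumptions for illustration.

```pf
# Added example: default deny in both directions, then explicit passes.
# Macro values assumed for illustration.
ext_if = "em1"
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43, ftp, ftp-data }"
udp_services = "{ domain, ntp }"

# Options first (older pfctl enforces this ordering).
set skip on lo0

# Default deny for every interface and direction; later rules override.
block log all

# Outbound: only the listed services. "quick" stops evaluation at the
# first match, and keep state lets the replies back in.
pass out quick on $ext_if inet proto tcp to any port $tcp_services \
    flags S/SA keep state
pass out quick on $ext_if inet proto udp to any port $udp_services \
    keep state

# Inbound: only the services this host publishes. ($ext_if) expands to
# the interface's current address, so a DHCP/VPN address change needs no edit.
pass in on $ext_if inet proto tcp to ($ext_if) port { ssh, domain, www } \
    flags S/SA synproxy state
pass in on $ext_if inet proto udp to ($ext_if) port domain keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the loaded order with `pfctl -sr`. With this layout an outbound connection to a port that is not in `tcp_services` falls through to `block log all` and shows up in `pflog0`, which is the behaviour the comment expected from the original script.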
  • Rani

    ## (the table names were lost from this comment; <sshok> and <bruteforce> are placeholders)
    pass quick proto tcp from <sshok> to $ext_if port 22 flags S/SA keep state

    and if you want ssh brute force options;

    table <bruteforce> persist file "/etc/bruteforce.conf"
    pass quick proto tcp from <sshok> to $ext_if port 22 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
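bastian's question, phaleon's table and Rani's overload rule above all describe the same pattern: restrict SSH to a table of admin addresses and let PF add sources that open connections too fast to a second table that is blocked outright. The block below is an added example written for this page, not code from the post or any commenter; the table names `sshadmins` and `bruteforce`, the file path and the rate limits are assumptions chosen for illustration.

```pf
# Added example: SSH limited to an admin table plus automatic brute-force
# blocking. Table names, file path and limits are placeholders.
ext_if = "em1"

# Hosts allowed to reach sshd from the Internet. "persist" keeps the table
# across ruleset reloads; the file holds one address or CIDR block per line.
table <sshadmins> persist file "/etc/pf.ssh.admins.conf"

# Filled automatically by the overload option below; no file needed.
table <bruteforce> persist

# Default deny inbound on the public interface.
block in log on $ext_if

# Sources already flagged are dropped before any pass rule can match.
block in quick on $ext_if from <bruteforce>

# SSH only from the admin table. max-src-conn caps concurrent connections
# per source; max-src-conn-rate 5/30 trips when a source opens more than
# five new connections in 30 seconds. overload then adds the source to
# <bruteforce>, and "flush global" kills all of that source's states.
pass in on $ext_if inet proto tcp from <sshadmins> to ($ext_if) port ssh \
    flags S/SA synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
```

The tables are managed at runtime without a reload: `pfctl -t sshadmins -T add 203.0.113.5` (a constructed documentation address) grants a new admin host, `pfctl -t bruteforce -T show` lists flagged sources, and `pfctl -t bruteforce -T expire 86400` removes entries older than a day so a legitimate admin who tripped the limit is not locked out forever. Because the pass rule only matches `<sshadmins>`, the overload mainly protects against a compromised or misbehaving admin host; everything else is already denied by the default block.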

  • Bruce

    You probably don’t want to block all the other icmp types like fragmentation-needed – it breaks things in a subtle but annoying way!
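On the point about fragmentation-needed: in pf.conf that message is ICMP type 3 (`unreach`) with code 4 (`needfrag`), so the post's `icmp_types = "{ echoreq, unreach }"` already passes it along with every other destination-unreachable code. The block below is an added example, not code from the post, showing how to pass only the ICMP messages a public server needs for path MTU discovery and traceroute replies; the interface name is an assumption.

```pf
# Added example: narrow ICMP policy for a public server. ext_if assumed.
ext_if = "em1"

# echoreq: ping requests.
# timex: time-exceeded, which the host must be able to send for incoming
#        traceroutes to show it, and receive for its own outgoing traceroute.
icmp_types = "{ echoreq, timex }"

# Destination unreachable, code "fragmentation needed" (type 3, code 4).
# Dropping this silently breaks path MTU discovery: large TCP segments
# vanish while small ones work, the "subtle but annoying" failure above.
pass in on $ext_if inet proto icmp all icmp-type unreach code needfrag keep state

# The remaining types from the macro, stateful so replies are matched.
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Let the host originate any ICMP it needs (ping, traceroute, its own errors).
pass out on $ext_if inet proto icmp all keep state
```

PF also matches ICMP error messages against the state they refer to, so a needfrag message about one of the server's own stateful TCP connections is passed by that connection's state even without the explicit rule; the explicit rule is what keeps PMTU discovery working for traffic whose state lives elsewhere. Compare the two policies with `pfctl -nvf` before switching, and watch `tcpdump -n -e -ttt -i pflog0` for blocked ICMP while testing.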
