FreeBSD - pf

Sicherheitshalber

Falls man keinen Zugriff auf die Konsole hat, während des Testens lieber alle 15min pf beenden. Den Cron-Eintrag nach dem Testen wieder entfernen, sonst wird pf dauerhaft alle 15 Minuten abgeschaltet.

/etc/crontab

# Lock-out safety net while testing the ruleset: disable pf every 15 minutes.
# Remove this entry once the rules are verified, otherwise the firewall stays
# down for up to 15 minutes after every start.
*/15  *  *  *  *  root  /sbin/pfctl -d 2>/dev/null 

Neuladen der crontab

# killall -HUP cron

/etc/rc.conf

# Start pf at boot (handled by /etc/rc.d/pf) and load the ruleset from pf_rules.
pf_enable="YES"
pf_rules="/etc/pf.conf"
# extra flags for pfctl at startup; none needed
pf_flags=""
# Start pflogd at boot so rules marked "log" are written to pflog_logfile.
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
# extra flags for pflogd; none needed
pflog_flags=""

/etc/pf.conf

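#
# /etc/pf.conf
#
# after editing pf.conf, reload the firewall with:
#
#      pfctl -f /etc/pf.conf
#
#      or
#
#      /etc/rc.d/pf reload
#
# pf evaluates filter rules top to bottom and the LAST matching rule wins,
# except that a rule marked "quick" ends evaluation as soon as it matches.
# pf.conf(5) also fixes the line order: macros, tables, options,
# normalization (scrub), queueing, translation, filtering.
#
### macro name for external interface.
ext_if = "vtnet0"

### external addresses (currently unused, kept commented out)
#ext_v4=".."
#ext_v6="::"

### icmp types passed by the "allow ping" rule further down
icmp_types = "{ echoreq, unreach }"

### table of addresses banned by fail2ban. "persist" keeps the table in the
### kernel across rule reloads; no addresses are listed here, so reloading
### pf.conf does not touch what fail2ban has added.
### (if fail2ban is switched to an anchor-based action, enable the anchor.)
table <fail2ban> persist
#anchor fail2ban

### options -- these must precede scrub and every filter rule.
set block-policy return
set loginterface $ext_if

### do not filter the loopback interface at all, so services using the local
### loop are never blocked accidentally.
set skip on lo0

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble
#scrub in all

### set a default deny everything policy. "block all" already covers both
### directions, so separate "block in all" / "block out all" rules are not
### needed. every pass rule further down is an exception to this.
block all

### drop everything from addresses on fail2ban's ban list before any pass
### rule can match them. placed first and marked quick so that no later rule
### (including the quick pass for icmpv6 below) lets a banned host through.
block drop log quick from <fail2ban> to any

### exercise antispoofing on the external interface. "quick" matters here:
### antispoof expands to plain block rules, and without quick a later pass
### rule for an open port would win over them (last match wins).
antispoof quick for $ext_if inet
antispoof quick for $ext_if inet6

### block anything coming from sources that we have no back routes for.
### quick for the same reason as above.
block in quick from no-route to any

### block packets that fail a reverse path check. we look up the routing
### table, check to make sure that the outbound is the same as the source
### it came in on. if not, it is probably source address spoofed.
block in quick from urpf-failed to any

### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN  - Finish; end of session
### * S : SYN  - Synchronize; indicates request to start session
### * R : RST  - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK  - Acknowledgement
### * U : URG  - Urgent
### * E : ECE  - Explicit Congestion Notification Echo
### * W : CWR  - Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

### keep state on any outbound tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### normally, a client connects to the server and we handshake with them, then
### proceed to exchange data. by telling pf to handshake proxy between the client
### and our server, tcp syn flood attacks from ddos become ineffective because
### a spoofed client cannot complete a handshake.
###
### the pass rules below carry no address family, so each one applies to both
### ipv4 and ipv6 -- separate inet6 copies of the same rule are not needed.

### allow inbound ssh with synproxy handshaking. sshd is configured to listen
### on 9922 instead of the default 22.
#pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port 9922 flags S/SA synproxy state

### allow inbound smtp with synproxy handshaking. the other mail ports stay
### closed until those services are actually needed.
pass in on $ext_if proto tcp from any to any port 25 flags S/SA synproxy state
# pass in on $ext_if proto tcp from any to any port 465 flags S/SA synproxy state
# pass in on $ext_if proto tcp from any to any port 587 flags S/SA synproxy state
# pass in on $ext_if proto tcp from any to any port 993 flags S/SA synproxy state
# pass in on $ext_if proto tcp from any to any port 143 flags S/SA synproxy state
# pass in on $ext_if proto tcp from any to any port 995 flags S/SA synproxy state
# pass in on $ext_if proto tcp from any to any port 110 flags S/SA synproxy state

# Apache: http and https, ipv4 and ipv6
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port 443 flags S/SA synproxy state

# pure-ftp (control port plus passive data range; currently disabled)
# pass in on $ext_if proto tcp to port 9921
# pass in on $ext_if proto tcp to port 30000 >< 50000

# NTP: only needed if this host serves time to other machines. outbound
# client queries and their replies are already covered by the stateful
# "pass out" rule above, so drop this rule if the host is a client only.
pass in on $ext_if proto udp from any to any port 123

# mysql (currently disabled; keep closed unless remote clients are required)
#pass in on $ext_if proto tcp from any to any port 3306 flags S/SA synproxy state

### allow ping: echo request and unreachable, both directions, ipv4
pass inet proto icmp all icmp-type $icmp_types keep state

### icmpv6 is required for neighbour discovery and path mtu discovery; all
### types are passed here. this could be narrowed with icmp6-type if desired.
pass in log quick on $ext_if inet6 proto { ipv6-icmp } from any to any keep state
pass out log quick on $ext_if inet6 proto { tcp udp ipv6-icmp} keep state

# Allow trace route (udp probes; "><" excludes both end ports of the range)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $ext_if inet6 proto udp from any to any port 33433 >< 33626 keep state
#pass out on $ext_if inet6 proto udp from any to any port 33434 >< 34500

# Allow SNMP from cacti-server (currently disabled; fill in the server address)
# pass in quick inet proto udp from xxx.xxx.xxx.xxx to $ext_if port 161 keep state queue snmp

# Allow incoming named udp / tcp 53. an authoritative server needs this from
# anywhere; a recursive resolver should not be reachable from "any", as open
# resolvers are abused for amplification -- restrict the source if named recurses.
pass in on $ext_if proto udp from any to any port 53
# All tcp service protected using synproxy
pass in on $ext_if proto tcp from any to any port 53 flags S/SA synproxy state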

pf starten

zunächst das pf-Kernelmodul laden

# kldload pf

danach pf starten

# pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled

oder

# /etc/rc.d/pf start

pf.conf neu einlesen

# /etc/rc.d/pf reload

pf stoppen

# /etc/rc.d/pf stop