Need someone to review my pf.conf

Niklaas Baudet von Gersdorff stdin at niklaas.eu
Wed Jun 8 06:07:59 UTC 2016


Goran Tepšić [2016-06-07 22:42 +0200] :

> 1. Do you think it works better than limiting malicious ssh attempts via
> PF? This way, everyone who does 5 bad logins during 60sec gets added to the
> table and blocked for 24hrs. How does sshguard work?

Well, actually your rules don't really check whether a connection was
followed by a successful login or not. The rule simply limits connection
*attempts*.

Sshguard only bans those attempts *that failed* and it does so very
cleverly. Have a look at http://www.sshguard.net/ to see what sshguard can
and cannot do:

    * it supports log message authentication
    * it features touchiness and automatic blacklisting
    * it supports IPv6 addressing natively
    * it supports slick multiple-source monitoring
    * it supports sophisticated whitelisting
    * it recognizes many logging formats transparently
    * it handles host names or addresses in log files natively
    * it supports per-service and per-address blocking actions

> 2. Will look into anchors but I'm not sure how this helps exactly. Care to
> elaborate please?

The way you do it now your ports will remain open, independently of
whether your jails are running or not. With anchors you can add the
required rules when a jail starts, and remove them when a jail stops.

In my /etc/pf.conf I have:

--------------------8<--------------------

table <ns>         persist

[...]

rdr-anchor "jails/*" on $ext_if to $ext_if

[...]

pass in             proto { udp tcp } to <ns>           port domain

-------------------->8--------------------

In my /etc/jail.conf I have e.g.,

--------------------8<--------------------

[...]

exec.prestart  = "pfctl -t $class -T add    $private_ip4 $private_ip6";
exec.prestop   = "pfctl -t $class -T delete $private_ip4 $private_ip6";

[...]


ns1 {
    $network        = 1;
    $id             = 1;
    $class          = "ns";
    exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain ->   $private_ip6' | pfctl -a 'jails/$name-ipv6' -f -";
    exec.poststart += "echo 'rdr pass on vtnet0 inet  proto { udp tcp } to vtnet0 port domain ->   $private_ip4' | pfctl -a 'jails/$name-ipv4' -f -";
    exec.poststop  += "pfctl -a jails/$name-ipv6 -F all";
    exec.poststop  += "pfctl -a jails/$name-ipv4 -F all";
}

-------------------->8--------------------

So, each time jail ns1 starts its IP addresses are added to the
relevant table and the required rdr rules are added to an anchor. If
I stop it the firewall closes every connection that relates to that
jail.

Maybe this is a bit paranoid. But this way I can simply transfer jails
between different hosts and the rules I need are added automagically.

> 3. Currently postfix only does outgoing mail relaying to google, I think
> I'll remove 25 port from rules.

If you only have outgoing connections (and since you have a `pass out
all` rule) you can remove `pass in ... port 25`, yes.

> 4. I can't block 80 and 443 as it would break apps server hosts. These ports
> are likely to be used in that botnet scenario but I just can't block these.
> Any suggestion on this?

Remember that it's only about outgoing connections that are
*established* by your app servers. Where do they need to establish
connections to?

For regular www servers that I had in use, they only needed to connect
to pkg.freebsd.org for upgrading. So, what you can do is write a sh
script that `drill`s pkg.freebsd.org occasionally and adds the addresses
to e.g., `<allowed>`. In your pf.conf you can add something like

pass out on $jail_if proto tcp to <allowed> port 80

to limit connectivity of your jails.

To further improve and get around them connecting to pkg.freebsd.org you
can run your own poudriere instance on the host, mount_nullfs the
package repository to another jail "pkg" and only allow your "www" jails
to connect to "pkg".

This highly depends on your setup and what your app servers are doing.
Just to give you some idea of what worked for me.

> 5. Yes, IPv6 is disabled. Should I remove those IPv6 block rules from
> config?

Depends on whether you need it or not. :-) I have

--------------------8<--------------------

pass on $ext_if inet6 proto ipv6-icmp all icmp6-type { 1 2 3 4 128 129 131 133 134 135 136 137 143 }

-------------------->8--------------------

which is necessary for IPv6 to work correctly. (Maybe one can limit the
rule even more but I haven't investigated this further yet.)

    Niklaas
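As an added illustration of the `drill` script Niklaas sketches for point 4 (this is example code written for this page, not something from the mail or from the FreeBSD project): a small sh script that resolves a host, extracts its A/AAAA records from drill's answer section and replaces the contents of a pf table with them. The table name `allowed`, the host `pkg.freebsd.org`, and the sample drill output with RFC 5737/3849 documentation addresses are assumptions made here. Without `APPLY=1` it only prints the `pfctl` command it would run; `pfctl -t <table> -T replace` swaps the whole table in one step, so addresses a mirror no longer uses do not linger in `<allowed>`, and an empty lookup leaves the table untouched instead of emptying it.

```shell
#!/bin/sh
# Added example, not part of the original mail: keep a pf table (<allowed> in
# the mail) in sync with the addresses a host currently resolves to, using
# drill(1) as the mail suggests. Run from cron; APPLY=1 really calls pfctl,
# otherwise the script only prints the command it would run.
# Assumed names: table "allowed" and host pkg.freebsd.org (both overridable).

set -eu

TABLE="${TABLE:-allowed}"
HOST="${HOST:-pkg.freebsd.org}"

# Constructed drill-style output, used when drill(1) is not installed so the
# example can be exercised off a FreeBSD box. The addresses are documentation
# ranges (RFC 5737 / RFC 3849), not real pkg mirrors.
SAMPLE_DRILL_OUTPUT=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4711
;; QUESTION SECTION:
;; pkg.freebsd.org.	IN	A
;; ANSWER SECTION:
pkg.freebsd.org.	300	IN	CNAME	pkgmir.geo.freebsd.org.
pkgmir.geo.freebsd.org.	10	IN	A	192.0.2.11
pkgmir.geo.freebsd.org.	10	IN	A	192.0.2.10
pkgmir.geo.freebsd.org.	10	IN	AAAA	2001:db8::53
;; AUTHORITY SECTION:
;; Query time: 12 msec'

# Keep only A and AAAA records from the answer section: drop ";;" comment
# lines, CNAMEs and anything else, then de-duplicate. One address per line.
extract_addresses() {
    printf '%s\n' "$1" \
        | awk '$1 !~ /^;/ && $3 == "IN" && ($4 == "A" || $4 == "AAAA") { print $5 }' \
        | LC_ALL=C sort -u
}

# Build the pfctl command that atomically replaces the table contents.
# "-T replace" adds new addresses and removes stale ones in a single step.
pfctl_replace_cmd() {
    table="$1"
    addrs="$2"
    # Fold the newline-separated list onto one line and trim the trailing blank.
    list="$(printf '%s\n' "$addrs" | tr '\n' ' ' | sed 's/ *$//')"
    printf 'pfctl -t %s -T replace %s\n' "$table" "$list"
}

# Resolve the host with drill if available, else fall back to the sample.
fetch_drill_output() {
    if command -v drill >/dev/null 2>&1; then
        drill "$1" A
        drill "$1" AAAA
    else
        echo "drill(1) not found, using constructed sample output" >&2
        printf '%s\n' "$SAMPLE_DRILL_OUTPUT"
    fi
}

main() {
    addrs="$(extract_addresses "$(fetch_drill_output "$HOST")")"
    if [ -z "$addrs" ]; then
        # A failed lookup must not empty the table and cut the jails off.
        echo "no addresses resolved for $HOST, leaving <$TABLE> unchanged" >&2
        return 1
    fi
    cmd="$(pfctl_replace_cmd "$TABLE" "$addrs")"
    if [ "${APPLY:-0}" = 1 ]; then
        $cmd
    else
        echo "would run: $cmd"
    fi
}

main
```

The matching pf.conf side is the one from the mail: `table <allowed> persist` plus `pass out on $jail_if proto tcp to <allowed> port 80`; `persist` keeps the table alive while it is empty between runs.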