FreeBSD bridging security router
Trond Endrestøl
trond.endrestol at ximalas.info
Sun Mar 29 19:30:53 UTC 2020
On Sun, 29 Mar 2020 12:34-0600, The Doctor via freebsd-questions wrote:
> Question is that I have the following set up
>
> 1) /etc/rc.conf
>
> hostname="border.nk.ca"
> ifconfig_bce0="inet 192.168.81.14 netmask 255.255.255.0 promisc "
> ifconfig_bce1="up media 100baseTX mediaopt full-duplex promisc "
> ifconfig_bce2="up promisc"
> ifconfig_bce3="up promisc"
> defaultrouter="192.168.81.2"
> hald_enable="YES"
> named_enable="YES"
> sshd_enable="YES"
> sshguard_enable="YES"
> moused_enable="YES"
> ntpdate_enable="YES"
> ntpd_enable="YES"
> gateway_enable="YES"
> ipv6_gateway_enable="YES"
Do you need IPv6? I don't see any IPv6 related config elsewhere.
> pf_enable="YES"
> clamav_clamd_enable="YES"
> clamd_enable="YES"
> squid_enable="YES"
> tcsd_enable="YES"
> tcsd_mode="emulator"
> tpmd_enable="YES"
> dbus_enable="YES"
> apache24_enable="yes"
> postgresql_enable="YES"
> firebird_enable="YES"
> firebird_mode="superserver"
> suricata_enable="YES"
> suricata_divertport="8000"
> cloned_interfaces="bridge0 tap0 tap1 tap2 tap3"
> ifconfig_bridge0="addm bce2 addm tap0 addm tap1 addm tap2 addm tap3 up"
> cloned_interfaces="bce0 bce1"
Are the two cloned_interfaces lines intentional? The second one
overrides the first one.
> ifconfig_bridge1="addm bce0 addm bce1 up"
> #firewall_enable="YES"
> #firewall_type="simple"
> #firewall_quiet="YES"
> #firewall_logging="YES"
> vm_enable="YES"
> vm_dir="/usr/vm/"
> vboxdrv_load="YES"
> xrdp_enable="YES"
> xrdp_sesman_enable="YES"
> saslauthd_enable="YES"
> openvassd_enable="YES"
> openvasmd_enable="YES"
> gsad_enable="YES"
> pflog_logfile="/var/log/pflog"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> redis_enable="YES"
> cbsd_workdir="/usr/vm"
> cbsdrsyncd_enable="YES"
> cbsdrsyncd_flags="--config=/usr/vm/etc/rsyncd.conf"
> cbsdd_enable="YES"
> rcshutdown_timeout="900"
>
> and
>
> 2) /etc/pf.conf
>
> ## Set your public interface ##
> ext_if="bce1"
> ##Internal bridge for virtually hosted machines
> int_if="bce0"
> bridge0="bridge0"
> ## Set your server public IP address ##
> int_if_ip="192.168.81.14"
> bridge0_ip="192.168.81.13"
> intnet = $int_if:network
> #Proxy for FTP
> proxy="127.0.0.1"
> proxyport="8021"
> #All virtal machines go here!
> win2019="192.168.81.18"
> kali="192.168.81.15"
> seconion="192.168.81.16"
> parrot="192.168.81.17"
> #In case you need a whole group
> vhosts =" { 192.168.81.16, 192.168.81.15,
> 192.168.81.17,192.168.81.18 }"
> ## Set and drop these IP ranges on public interface and any other troublemakers
> ##
>
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8, 240.0.0.0/4 }"
> ## Set http(80)/https (443) port here and other ports that need accessing ##
> webports = "{http, https,8443,119,561,110,143,993,995,20,21,23,25,464,465,587,53
> ,513,783,88,135,137,138,139,445,69,10000,20000,43,636,1024:5000,8000:8100,5900:5
> 999,49150:61000}"
> # Radius
> radiusports = "{1645,1646,1812,1813 }"
>
> ## enable these services ##
> int_tcp_services = "{domain, ntp, smtp,nntp, smtps,submission, www, https,20,88,
> ftp, ssh,110,139,137,138,135,143,636,993,995,443,445,464,561,636,783,389,7500,84
> 43,10000,20000,43,63,1024:5000,8000:8100,5900:5999,23,49150:61000}"
> int_udp_services = "{domain, ntp,69,88,137,138,139,445,464}"
> int_radius_services = "{1645,1646,1812,1813 }"
>
>
> ## Skip loop back interface - Skip all PF processing on interface bridge and vir
> tual hosts ##
> set skip on lo
> set skip on bridge0
> set skip on tap0
> set skip on tap1
> set skip on tap2
> set skip on tap3
>
>
> ## Sets the interface for which PF should gather statistics such as bytes in/out
> and packets passed/blocked ##
> set loginterface $ext_if
> set fingerprints "/etc/pf.os"
>
> # Deal with attacks based on incorrect handling of packet fragments
> scrub in all
>
> ################### TRANSLATION #############
>
> #### NAT and RDR start
> nat on $ext_if from $intnet to any -> ($ext_if)
> nat on $intnet from $bridge0 to any -> ($intnet)
> nat on $bridge0 from $kali to any -> ($bridge0)
> nat on $bridge0 from $win2019 to any -> ($bridge0)
> nat on $bridge0 from $kali to any -> ($bridge0)
>
> --se note for virtual machines you are passing the packects via the
This doesn't look like a proper comment.
> ## Virtual switch so treat as michine (tap) into switch (Bridge) into
> ## your macine acting as the host (exit)
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> # Redirect ftp traffic to proxy
> rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
>
>
> ## Set default policy ##
> block return in log all
> block out all
>
> # We need to have an anchor for ftp-proxy
> anchor "ftp-proxy/*"
> pass out proto tcp from $proxy to any port 20
> pass out proto tcp from $proxy to any port 21
> pass out on $int_if inet proto {tcp, udp} from $int_if to any port ftp:ftp-proxy
> pass in on egress proto tcp to port 21
> pass in on egress proto tcp to port 20
> pass in on egress proto tcp to port > 49151
> pass out quick on egress inet proto tcp from any to 192.168.81.1 flags S/SA
> pass out quick on egress inet proto tcp from any to 192.168.81.3 flags S/SA
>
> #set up virtual switch
>
> pass in quick on bridge0 all
> pass quick on tap0 all
> pass quick on tap1 all
> pass quick on tap2 all
> pass quick on tap3 all
>
> # Drop all Non-Routable Addresses
> block drop in quick on $int_if from $martians to any
> block drop out quick on $int_if from any to $martians
> block drop in quick on $vhosts from $martians to any
> block drop out quick on $vhosts from any to $martians
>
> ## Blocking spoofed packets
> antispoof quick for $int_if
> antispoof quick for $vhosts
>
> # Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
> # I do not allow or accept ssh traffic from ALL for security reasons
> #pass in quick on $ext_if inet proto tcp from 192.168.81.0/24 to $ext_if_ip port
> = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
> ## Use the following rule to enable ssh for ALL users from any IP address #
> ## pass in inet proto tcp to $ext_if port ssh
> ### [ OR ] ###
> pass in inet proto tcp to $int_if port 22
> pass in inet proto tcp to $vhosts port 22
>
>
> pass in inet proto tcp to $int_if port 36941
> pass in inet proto tcp to $vhosts port 36941
>
>
> # Allow Ping-Pong stuff. Be a good sysadmin
> icmp_types = "{ echoreq, unreach }"
> pass inet proto icmp all icmp-type $icmp_types keep state
> # allow out the default range for traceroute(8):
> pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep stat
> e
> pass out on $int_if inet proto udp from any to any port 33433 >< 33626 keep stat
> e
> pass out on $vhosts inet proto udp from any to any port 33433 >< 33626 keep stat
> e
>
> # All access to our Nginx/Apache/Lighttpd Webserver and other ports
> pass proto tcp from any to $int_if port $webports
> pass proto udp from any to $int_if port $webports
> pass proto udp from any to $int_if port $radiusports
> pass proto tcp from any to $vhosts port $webports
> pass proto udp from any to $vhosts port $webports
>
> pass in on $int_if proto tcp from any to any port = 36941 keep state
> pass in on $vhosts proto tcp from any to any port = 36941 keep state
> pass in on $kali proto tcp from any to any port = 36941 keep state
>
> # Allow essential outgoing traffic
> pass out quick on $int_if proto tcp to any port $int_tcp_services
> pass out quick on $int_if proto udp to any port $int_udp_services
> pass out quick on $int_if proto udp to any port $int_radius_services
> pass out quick on $vhosts proto tcp to any port $int_tcp_services
> pass out quick on $vhosts proto udp to any port $int_udp_services
>
> #For radius make certain for older syatems port 1645 and current 1812
> pass in log quick on $int_if proto tcp from any to any port = 1645 flags S/SA ke
> ep state
> pass in log quick on $int_if proto udp from any to any port = 1645 keep state
> pass in log quick on $int_if proto tcp from any to any port = 1812 flags S/SA ke
> ep state
> pass in log quick on $int_if proto udp from any to any port = 1812 keep state
>
> pass in log quick on $int_if proto tcp from any to any port = 36941 flags S/SA k
> eep state
> pass in log quick on $int_if proto udp from any to any port = 36941 keep state
>
> pass in log quick on $vhosts proto tcp from any to any port = 36941 flags S/SA k
> eep state
>
> pass in log quick on $vhosts proto udp from any to any port = 36941 keep state
> pass out quick all flags S/SA keep state
>
> # Add custom rules below
> block quick from <bruteforce>
> pass quick proto { tcp, udp } from any to any port ssh \
> flags S/SA keep state \
> (max-src-conn 15, max-src-conn-rate 5/3, \
> overload <bruteforce> flush global)
> ## I wonder if sshguard works with pf.
>
> Well this is suppose to act as a server / firewall /router.
>
> The primary DNS does ping the outside world once bce1 is up
> but not resolve domain names.
>
> Anything in the configuration I forget?
What's the contents of /etc/resolv.conf?
--
Trond.
More information about the freebsd-questions
mailing list