FreeBSD bridging security router

Trond Endrestøl trond.endrestol at ximalas.info
Sun Mar 29 19:30:53 UTC 2020 

On Sun, 29 Mar 2020 12:34-0600, The Doctor via freebsd-questions wrote:

> Question is that I have the following set up
> 
> 1) /etc/rc.conf
> 
> hostname="border.nk.ca"
> ifconfig_bce0="inet 192.168.81.14 netmask 255.255.255.0 promisc "
> ifconfig_bce1="up  media 100baseTX mediaopt full-duplex promisc "
> ifconfig_bce2="up promisc"
> ifconfig_bce3="up promisc"
> defaultrouter="192.168.81.2"
> hald_enable="YES"
> named_enable="YES"
> sshd_enable="YES"
> sshguard_enable="YES"
> moused_enable="YES"
> ntpdate_enable="YES"
> ntpd_enable="YES"
> gateway_enable="YES"

> ipv6_gateway_enable="YES"

Do you need IPv6? I don't see any IPv6 related config elsewhere.

> pf_enable="YES"
> clamav_clamd_enable="YES"
> clamd_enable="YES"
> squid_enable="YES"
> tcsd_enable="YES"
> tcsd_mode="emulator"
> tpmd_enable="YES"
> dbus_enable="YES"
> apache24_enable="yes"
> postgresql_enable="YES"
> firebird_enable="YES"
> firebird_mode="superserver"
> suricata_enable="YES"
> suricata_divertport="8000"

> cloned_interfaces="bridge0 tap0 tap1 tap2 tap3"
> ifconfig_bridge0="addm bce2 addm tap0 addm tap1 addm tap2 addm tap3 up"
> cloned_interfaces="bce0 bce1"

Are the two cloned_interfaces lines intentional? The second one 
overrides the first one.

> ifconfig_bridge1="addm bce0 addm bce1 up"
> #firewall_enable="YES"
> #firewall_type="simple"
> #firewall_quiet="YES"
> #firewall_logging="YES"
> vm_enable="YES"
> vm_dir="/usr/vm/"
> vboxdrv_load="YES"
> xrdp_enable="YES"
> xrdp_sesman_enable="YES"
> saslauthd_enable="YES"
> openvassd_enable="YES"
> openvasmd_enable="YES"
> gsad_enable="YES"
> pflog_logfile="/var/log/pflog"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> redis_enable="YES"
> cbsd_workdir="/usr/vm"
> cbsdrsyncd_enable="YES"
> cbsdrsyncd_flags="--config=/usr/vm/etc/rsyncd.conf"
> cbsdd_enable="YES"
> rcshutdown_timeout="900"
> 
> and
> 
> 2) /etc/pf.conf
> 
> ## Set your public interface ##
> ext_if="bce1"
> ##Internal bridge for virtually hosted machines
> int_if="bce0"
> bridge0="bridge0"
> ## Set your server public IP address ##
> int_if_ip="192.168.81.14"
> bridge0_ip="192.168.81.13"
> intnet = $int_if:network
> #Proxy for FTP
> proxy="127.0.0.1"
> proxyport="8021"
> #All virtal machines go here!
> win2019="192.168.81.18"
> kali="192.168.81.15"
> seconion="192.168.81.16"
> parrot="192.168.81.17"
> #In case you need a whole group
> vhosts =" { 192.168.81.16, 192.168.81.15,
>            192.168.81.17,192.168.81.18 }"
> ## Set and drop these IP ranges on public interface and any other troublemakers
> ##
> 
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>        10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
> 	      0.0.0.0/8, 240.0.0.0/4 }"
> 	      ## Set http(80)/https (443) port here and other ports that need accessing ##
> 	      webports = "{http, https,8443,119,561,110,143,993,995,20,21,23,25,464,465,587,53
> 	      ,513,783,88,135,137,138,139,445,69,10000,20000,43,636,1024:5000,8000:8100,5900:5
> 	      999,49150:61000}"
> 	      # Radius
> 	      radiusports = "{1645,1646,1812,1813 }"
> 
> 	      ## enable these services ##
> 	      int_tcp_services = "{domain, ntp, smtp,nntp, smtps,submission, www, https,20,88,
> 	      ftp, ssh,110,139,137,138,135,143,636,993,995,443,445,464,561,636,783,389,7500,84
> 	      43,10000,20000,43,63,1024:5000,8000:8100,5900:5999,23,49150:61000}"
> 	      int_udp_services = "{domain, ntp,69,88,137,138,139,445,464}"
> 	      int_radius_services = "{1645,1646,1812,1813 }"
> 
> 
> 	      ## Skip loop back interface - Skip all PF processing on interface bridge and vir
> 	      tual hosts  ##
> 	      set skip on lo
> 	      set skip on bridge0
> set skip on tap0
> set skip on tap1
> set skip on tap2
> set skip on tap3
> 
> 
> ## Sets the interface for which PF should gather statistics such as bytes in/out
>  and packets passed/blocked ##
>  set loginterface $ext_if
>  set fingerprints "/etc/pf.os"
> 
>  # Deal with attacks based on incorrect handling of packet fragments
>  scrub in all
> 
>  ###################  TRANSLATION #############
> 
>  #### NAT and RDR start
>  nat on $ext_if from $intnet to any -> ($ext_if)
>  nat on $intnet from $bridge0 to any -> ($intnet)
>  nat on $bridge0 from $kali to any -> ($bridge0)
>  nat on $bridge0 from $win2019 to any -> ($bridge0)
>  nat on $bridge0 from $kali to any -> ($bridge0)
> 

> --se note for virtual machines you are passing the packects via the

This doesn't look like a proper comment.

> ## Virtual switch so treat as michine (tap) into switch (Bridge) into
> ## your macine acting as the host (exit)
> 
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> 
> # Redirect ftp traffic to proxy
> rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
> 
> 
> ## Set default policy ##
> block return in log all
> block out all
> 
> # We need to have an anchor for ftp-proxy
> anchor "ftp-proxy/*"
> pass out proto tcp from $proxy to any port 20
> pass out proto tcp from $proxy to any port 21
> pass out on $int_if inet proto {tcp, udp} from $int_if to any port ftp:ftp-proxy
> pass in on egress proto tcp to port 21
> pass in on egress proto tcp to port 20
> pass in on egress proto tcp to port > 49151
> pass out quick on egress inet proto tcp from any to 192.168.81.1 flags S/SA
> pass out quick on egress inet proto tcp from any to 192.168.81.3 flags S/SA
> 
> #set up virtual switch
> 
> pass in quick on bridge0 all
> pass quick on tap0 all
> pass quick on tap1 all
> pass quick on tap2 all
> pass quick on tap3 all
> 
> # Drop all Non-Routable Addresses
> block drop in quick on $int_if from $martians to any
> block drop out quick on $int_if from any to $martians
> block drop in quick on $vhosts from $martians to any
> block drop out quick on $vhosts from any to $martians
> 
> ## Blocking spoofed packets
> antispoof quick for $int_if
> antispoof quick for $vhosts
> 
> # Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
> # I do not allow or accept ssh traffic from ALL for security reasons
> #pass in quick on $ext_if inet proto tcp from 192.168.81.0/24 to $ext_if_ip port
>  = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
>  ## Use the following rule to enable ssh for ALL users from any IP address #
>  ## pass in inet proto tcp to $ext_if port ssh
>  ### [ OR ] ###
>  pass in inet proto tcp to $int_if port 22
>  pass in inet proto tcp to $vhosts port 22
> 
> 
>  pass in inet proto tcp to $int_if port 36941
>  pass in inet proto tcp to $vhosts port 36941
> 
> 
>  # Allow Ping-Pong stuff. Be a good sysadmin
>  icmp_types = "{ echoreq, unreach }"
>  pass inet proto icmp all icmp-type $icmp_types keep state
>  # allow out the default range for traceroute(8):
> pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep stat
> e
> pass out on $int_if inet proto udp from any to any port 33433 >< 33626 keep stat
> e
> pass out on $vhosts inet proto udp from any to any port 33433 >< 33626 keep stat
> e
> 
> # All access to our Nginx/Apache/Lighttpd Webserver and other ports
> pass proto tcp from any to $int_if port $webports
> pass proto udp from any to $int_if port $webports
> pass proto udp from any to $int_if port $radiusports
> pass proto tcp from any to $vhosts port $webports
> pass proto udp from any to $vhosts port $webports
> 
> pass in on $int_if proto tcp from any to any port = 36941 keep state
> pass in on $vhosts proto tcp from any to any port = 36941 keep state
> pass in on $kali proto tcp from any to any port = 36941 keep state
> 
> # Allow essential outgoing traffic
> pass out quick on $int_if proto tcp to any port $int_tcp_services
> pass out quick on $int_if proto udp to any port $int_udp_services
> pass out quick on $int_if proto udp to any port $int_radius_services
> pass out quick on $vhosts proto tcp to any port $int_tcp_services
> pass out quick on $vhosts proto udp to any port $int_udp_services
> 
> #For radius make certain for older syatems port 1645 and current 1812
> pass in log quick on $int_if proto tcp from any to any port = 1645 flags S/SA ke
> ep state
> pass in log quick on $int_if proto udp from any to any port = 1645 keep state
> pass in log quick on $int_if proto tcp from any to any port = 1812 flags S/SA ke
> ep state
> pass in log quick on $int_if proto udp from any to any port = 1812 keep state
> 
> pass in log quick on $int_if proto tcp from any to any port = 36941 flags S/SA k
> eep state
> pass in log quick on $int_if proto udp from any to any port = 36941 keep state
> 
> pass in log quick on $vhosts proto tcp from any to any port = 36941 flags S/SA k
> eep state
> 
> pass in log quick on $vhosts proto udp from any to any port = 36941 keep state
> pass out quick all flags S/SA keep state
> 
> # Add custom rules below
> block quick from <bruteforce>
> pass quick proto { tcp, udp } from any to any port ssh \
>     flags S/SA keep state \
> 	(max-src-conn 15, max-src-conn-rate 5/3, \
> 	    overload <bruteforce> flush global)
> 	    ## I wonder if sshguard works with pf.
> 
> Well this is suppose to act as a server / firewall /router.
> 
> The primary DNS does ping the outside world once bce1 is up
> but not resolve domain names.
> 
> Anything in the configuration I forget?

What's the contents of /etc/resolv.conf?

-- 
Trond.

More information about the freebsd-questions mailing list