
Re: Pf rules for Review



Hi Charles and list,

My only real issue with your ruleset is that it is quite hard to read as I
feel there are too many comments and separator lines. (It's difficult to
determine how secure the rules are if your intended security policy is
unclear.) You could probably chop dozens of lines from your pf.conf file by
judicious use of macros and grouping rules more efficiently, not to mention
tidying up your comment style. Other than that, it looks as if you know
what you're doing.

Here's what I use for my home LAN. The order of rules is driven by goals
of clarity and simplicity; efficiency was the least important consideration
for me. I hope you'd agree that this ruleset is easy on the eye and
therefore easy to understand and debug. (I offer no guarantees for its
security benefits though :)

[I too would appreciate feedback on the style and functionality of this
ruleset. For example, is using "quick" extensively considered bad style?
(I thought it would be slightly more efficient). Should I be using flags
like S/SA with my "keep states" for tcp? Are the fingerprinting scan rules
up to the job?]

Thanks.
--
stephen

# $OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
#
# See pf.conf(5) for syntax and examples
#
# Interfaces
ext      = "ne3"
int      = "ep0"
loop     = "lo0"
# Addresses
mynet    = "x.x.x.96/29"
naiad    = "10.0.0.2"
nereid   = "10.0.0.3"
despina  = "10.0.0.4"
mailhost = "10.0.0.2"
dnshost  = "10.0.0.2"
sechost  = "10.0.0.2"
p2phost  = "10.0.0.4"
servers  = "{10.0.0.2, 10.0.0.3}"
spoofed  = "{224.0.0.0/4, 0.0.0.0/8, 172.16.0.0/12, 240.0.0.0/4,   \
             10.0.0.0/8, 169.254.0.0/16, 248.0.0.0/5, 127.0.0.0/8, \
             192.168.0.0/16, 192.0.2.0/24, 255.255.255.255/32}"
# Protocol groups
allproto = "{icmp, tcp, udp, ipv6, gre, esp}"
# Port groups
mail     = "{smtp, imaps}"
gen      = "{ssh, ftp, http, https, >= 49152}"
p2p      = "{6257, 6346, 6699}"
nbt      = "{epmap, netbios-ns, netbios-dgm, netbios-ssn}"
# Abbreviations (to stop linewrap in this mail)
ks       = "keep state"
# Options
set loginterface $ext
# Normalization rules
scrub in  all no-df
scrub out all no-df
# NAT Rules
binat on $ext from $despina to any -> x.x.x.97
binat on $ext from $naiad   to any -> x.x.x.98
binat on $ext from $nereid  to any -> x.x.x.99
nat   on $ext from $int/16  to any -> $ext
# Filter Rules
#==========================================================================
# Default deny policy
#==========================================================================
# block and log everything on all interfaces
block out log all
block in  log all
# return RST and ICMP errors for blocked tcp and udp connections
block return-rst  in log proto tcp all
block return-icmp in log proto udp all
#==========================================================================
# Internal policy
#==========================================================================
# quickly pass everything on internal interfaces
pass in  quick on !$ext all
pass out quick on !$ext all
# anti spoofing for all interfaces
antispoof log quick for {$ext, $int, $loop}
#==========================================================================
# External policy
#==========================================================================
#--------------------------------------------------------------------------
# DENY OUT silently with immediate block - log for now
#--------------------------------------------------------------------------
# destination spoofed packets and broadcasts
block out log quick on $ext from any to $spoofed
# traffic that doesn't have my address as source
block out log quick on $ext from !$mynet to any
# netbios noise
block return-rst  out log quick on $ext proto tcp from any to any port $nbt
block return-icmp out log quick on $ext proto udp from any to any port $nbt
#--------------------------------------------------------------------------
# DENY IN with immediate block and log
#--------------------------------------------------------------------------
# source spoofed packets
block in log quick on $ext from $spoofed to any
# fingerprinting scans
block in log quick on $ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext inet proto tcp from any to any flags FS/FSRA
#--------------------------------------------------------------------------
# ALLOW OUT everything and keep state where possible
#--------------------------------------------------------------------------
pass out quick on $ext proto $allproto all keep state
#--------------------------------------------------------------------------
# ALLOW IN specific traffic to classes of services, log and keep state
#--------------------------------------------------------------------------
# ICMP ping requests from anywhere
pass in log quick on $ext inet proto icmp all icmp-type echoreq keep state
# TCP from anywhere to specific ports and hosts
pass in log quick on $ext proto tcp from any to any       port auth   $ks
pass in log quick on $ext proto tcp from any to $dnshost  port domain $ks
pass in log quick on $ext proto tcp from any to $mailhost port $mail  $ks
pass in log quick on $ext proto tcp from any to $p2phost  port $p2p   $ks
pass in log quick on $ext proto tcp from any to $servers  port $gen   $ks
# UDP from anywhere to specific ports and hosts
pass in log quick on $ext proto udp from any to $dnshost port domain  $ks
pass in log quick on $ext proto udp from any to $sechost port isakmp  $ks
pass in log quick on $ext proto udp from any to $p2phost port $p2p    $ks
# [All other incoming traffic must already have state to pass]
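As an added example (not part of stephen's post, nor of the OpenBSD sample pf.conf it is based on), here are the keep-state TCP rules rewritten with the "flags S/SA" modifier the post asks about. With "keep state" alone, pf of this era creates a state entry for any packet that matches the rule, a stray ACK or a mid-stream segment included; with "flags S/SA" only a packet that has SYN set and ACK clear, i.e. the first packet of a handshake, can create state, so the inbound pass rules admit only properly opened connections and everything else falls through to the default block. Interface and host values below are placeholders, not the poster's real network.

```pf
# Added example: TCP pass rules that create state only on the handshake SYN.
# Interface, host and port values are placeholders for illustration.
ext      = "ne3"
mailhost = "10.0.0.2"
dnshost  = "10.0.0.2"
mail     = "{smtp, imaps}"
# "flags S/SA": of the SYN and ACK bits, only SYN may be set, so a lone ACK
# or a SYN+ACK never matches this rule and never creates state.
ks       = "flags S/SA keep state"

# Default deny, logged, so anything not explicitly passed below is dropped.
block in  log all
block out log all

# Before (as in the post): any matching TCP packet creates state.
# pass in log quick on $ext proto tcp from any to $mailhost port $mail keep state

# After: only a fresh SYN creates state; replies and later segments of the
# connection are matched by the state entry, not by these rules.
pass in  log quick on $ext proto tcp from any to $mailhost port $mail   $ks
pass in  log quick on $ext proto tcp from any to $dnshost  port domain $ks

# Outbound connections from the LAN: same idea, state is created by our SYN.
pass out     quick on $ext proto tcp from any to any $ks

# "flags" is only valid on tcp rules; udp and icmp rules keep plain "keep state".
pass in  log quick on $ext proto udp from any to $dnshost port domain keep state
```

Check the syntax without loading it with "pfctl -nf /etc/pf.conf" before replacing a live ruleset. Using "quick" throughout is not bad style in itself: it simply makes the first matching rule final instead of pf's default last-match evaluation, which is why the default-deny rules at the top of the post's ruleset can be written without "quick" and the more specific rules below them with it.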