
Re: Firewall rules for a stand-alone machine



On Jan 15, 2005, at 9:29 AM, [email protected] wrote:

Dear all,

I'm new to PF and I would have liked to have the opinion of more
experienced users of PF about my firewall rules. It's a box with one interface,
where only SSH is allowed from outside. After reading the PF documentation
and a few other resources, I came up with the rules below.
Thank you in advance for all comments!
Cheers,
Xavier


# Set macros
ext_if                = "rl0"
tcp_flags             = "S/SA"
tcp_services_in_proxy = "{ 22 }"
tcp_services_out      = "{ 22, 80, 443 }"
udp_services_out      = "{ 53, 123 }"
icmp_types            = "echoreq"

# Set options
set block-policy drop
set state-policy if-bound
set loginterface $ext_if

# Scrub all incoming packets
scrub in all

# Default policy (block all traffic on all interfaces in either direction)
block in log-all all
block out log all


# Pass traffic on the loopback interface in either direction
pass quick on lo0 all

# Activate anti-spoofing protections
antispoof quick for $ext_if

# Allowed traffic from outside
pass in log quick on $ext_if inet proto tcp from any to $ext_if port $tcp_services_in_proxy flags $tcp_flags synproxy state

# Allowed traffic from inside
pass out log quick on $ext_if inet proto tcp from $ext_if to any port $tcp_services_out flags $tcp_flags modulate state
pass out log quick on $ext_if inet proto udp from $ext_if to any port $udp_services_out modulate state
pass out log quick on $ext_if inet proto icmp from $ext_if to any icmp-type $icmp_types keep state

- Use macros efficiently. Creating macros just to be creating them is wasting space and can actually make it harder to read your ruleset. You wasted 25 characters with your $tcp_flags macro, and actually provided less clarity than you would have by just using S/SA in each rule. Why create this unreadable $tcp_services_in_proxy when you can just say "port ssh"? The idea with macros is to make it EASIER to read your ruleset, not harder. :)


- Why bother setting state-policy when you've only got one interface anyways? Floating works fine.

- In your rules, surround your interface with parentheses. This allows for the automatic updating of rules if your IP address changes.

- Stop overusing the quick option. You've only got 8 rules, there's no need. Besides, what would the last 4 possibly take preference over? Oh, right, only the two block rules. :-P

- Why log passed outbound traffic? For that matter, why log passed traffic at all? If you're paranoid, I would instead focus your energies on breaking down your block rules by protocol so that it's easier to diagnose logging output based on the rule number. (block in log-all proto tcp all, block in log proto udp all, block in log proto icmp all, block in log all).

- Your OpenBSD box is not a router and already generates quality ISNs. There is no need for modulate state, keep state will suffice. If, however, you're concerned about ISNs generated by the other endpoint, then go ahead and use it.

- Also, the use of synproxy state is unnecessary since you're not passing packets anywhere. No need to proxy the handshake since you're the endpoint.

- You cannot use modulate state on UDP; it's only for TCP connections.

Other than the last item, the rest of the complaints are primarily nitpicking. Your ruleset should work fine (not tested), but it's a good idea to maintain a readable ruleset to ease ongoing maintenance. Here is how I might have put your ruleset together:

# Set macros
ext_if           = "rl0"
tcp_services_out = "{ 22, 80, 443 }"
udp_services_out = "{ 53, 123 }"

# Set options
set block-policy drop
set loginterface $ext_if

# Scrub all incoming packets
scrub in all

# Default policy (block all traffic on all interfaces in either direction)
block in log-all all
block out log all


# Pass traffic on the loopback interface in either direction
pass quick on lo0 all

# Activate anti-spoofing protections
antispoof quick for $ext_if

# Allowed traffic from outside
pass in log on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state


# Allowed traffic from inside
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_services_out flags S/SA keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_services_out keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state



Hope this helps.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
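As an added example that is not part of the thread: a small Python checker that flags the pitfalls Jason lists (modulate state on a non-TCP rule, synproxy state on traffic to the host itself, an interface macro used as an address without parentheses, logging of passed outbound traffic, and an if-bound state policy on a single-interface host). The checker, its function names and severities are mine, not anything from PF or the posters; the sample input is the original poster's ruleset copied from the thread, with the mail-wrapped rules joined by a trailing backslash as pfctl requires, plus a trimmed copy of Jason's corrected rules for comparison. It is a text-level lint, not a replacement for `pfctl -nf`.

```python
# Added example (not from the thread): a pf.conf checker for the pitfalls
# discussed above. Function names, severities and messages are my own.
import re

# Input copied from the original poster's ruleset in the thread; the rules
# that mail wrapping split are joined with "\" the way pfctl expects.
SAMPLE_PF_CONF = r"""
ext_if = "rl0"
tcp_flags = "S/SA"
tcp_services_in_proxy = "{ 22 }"
tcp_services_out = "{ 22, 80, 443 }"
udp_services_out = "{ 53, 123 }"
icmp_types = "echoreq"
set block-policy drop
set state-policy if-bound
set loginterface $ext_if
scrub in all
block in log-all all
block out log all
pass quick on lo0 all
antispoof quick for $ext_if
pass in log quick on $ext_if inet proto tcp from any to $ext_if port \
    $tcp_services_in_proxy flags $tcp_flags synproxy state
pass out log quick on $ext_if inet proto tcp from $ext_if to any port \
    $tcp_services_out flags $tcp_flags modulate state
pass out log quick on $ext_if inet proto udp from $ext_if to any port \
    $udp_services_out modulate state
pass out log quick on $ext_if inet proto icmp from $ext_if to any icmp-type \
    $icmp_types keep state
"""

# Trimmed copy of the corrected ruleset from the reply, for comparison.
FIXED_PF_CONF = r"""
ext_if = "rl0"
set block-policy drop
block in log-all all
block out log all
pass quick on lo0 all
antispoof quick for $ext_if
pass in log on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port { 53, 123 } keep state
"""

RULE_RE = re.compile(r"^(pass|block|antispoof|match)\b")


def logical_lines(text):
    """Return (first_lineno, rule) pairs with comments stripped and
    backslash continuations joined, which is how pfctl reads the file."""
    out, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        out.append((start, " ".join(buf)))
        buf, start = [], None
    return out


def lint(text):
    """Return (lineno, severity, message) findings for the thread's pitfalls."""
    rules = logical_lines(text)
    # Interfaces the ruleset filters on ("on <if>"); loopback does not count.
    ifaces = {m.group(1) for _, r in rules
              for m in [re.search(r"\bon\s+(\$?\w+)", r)]
              if m and m.group(1) != "lo0"}
    findings = []
    for n, r in rules:
        if r.startswith("set state-policy if-bound") and len(ifaces) <= 1:
            findings.append((n, "note", "if-bound state policy on a single-interface host; floating works fine"))
        if not RULE_RE.match(r):
            continue
        proto = re.search(r"\bproto\s+(\w+)", r)
        proto = proto.group(1) if proto else "any"
        if "modulate state" in r and proto != "tcp":
            findings.append((n, "error", f"modulate state is only valid for TCP, not proto {proto}"))
        for iface in ifaces:
            # Bare $ext_if as an address is resolved once at load time;
            # ($ext_if) makes pf follow address changes.
            if re.search(r"\b(from|to)\s+%s\b" % re.escape(iface), r):
                findings.append((n, "warn", f"{iface} used as an address without parentheses; write ({iface})"))
            if "synproxy state" in r and r.startswith("pass in") and \
                    re.search(r"\bto\s+\(?%s\)?" % re.escape(iface), r):
                findings.append((n, "warn", "synproxy state on traffic to the host itself; keep state suffices"))
        if r.startswith("pass out") and re.search(r"\blog\b", r):
            findings.append((n, "note", "logging passed outbound traffic; normally only blocks are worth logging"))
    return findings


if __name__ == "__main__":
    for n, sev, msg in lint(SAMPLE_PF_CONF):
        print(f"line {n}: {sev}: {msg}")
```

Run as a script it prints one line per finding against the poster's ruleset (the UDP `modulate state` rule is the only error; the rest are the stylistic points from the reply), and nothing for the corrected version. The interface set is derived from `on <if>` clauses, so the parentheses check only fires for macros the ruleset actually filters on, not for arbitrary address macros.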