Goran Tepšić [2016-06-06 22:18 +0200] :
> Hi, I would like someone more skilled than me to glance over my pf.conf I
> compiled and possibly let me know if it can be secured/tightened further.
> Here's the conf: http://sprunge.us/fCLH

I'm not a professional, so take the following comments with a grain of salt. Maybe they spur further discussions that will be helpful.

1. You can think about using security/sshguard-pf for further protection.

2. You can think about using anchors for rules related to your jails. This way you can add/remove rules when jails start/stop. See http://www.openbsd.org/faq/pf/anchors.html, especially "Manipulating Anchors".

3. It seems you have a mail server running. Take a look at mail/spamd. I had issues using the greylisting feature for senders that use multiple SMTP servers (Google, Amazon, etc.), so I decided to use spamd for blocking only. Although there is some documentation in the FreeBSD handbook, you should read the man pages because the former doc seems old.

4. In general, it's not a good idea to pass out everything. Restrict it to what you really need. In case one of your jails gets hijacked, it will be more difficult to use it for, e.g., a botnet.

5. You disable IPv6, right?

6. It seems you rdr additional ports for SSH to your jails. I'm not sure whether that is really necessary (depends on you). You can simply administer the jails from your jail host with jexec(8).

Niklaas
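
A sketch of the per-jail anchor approach from point 2, added here as an example and not part of the original message or of anyone's actual pf.conf. It assumes the main ruleset contains `anchor "jails/*"`; the anchor path `jails/<name>`, the interface `em0`, the addresses and the helper function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes pf.conf has:  anchor "jails/*"
# Hook the load/flush functions into jail start/stop, e.g. via jail.conf
# exec.prestart / exec.poststop.
EXT_IF="${EXT_IF:-em0}"   # assumed external interface

# Accept only plain jail names so nothing odd ends up in the anchor path.
valid_name() {
    case "$1" in ""|*[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# Accept only IPv4 dotted-quad characters (pfctl does the real parsing).
valid_ip() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    return 0
}

valid_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the filter rules for one jail: one pass-in rule per TCP service port.
# Usage: jail_anchor_rules <name> <jail-ip> <port>...
jail_anchor_rules() {
    name="$1"; ip="$2"
    valid_name "$name" && valid_ip "$ip" || return 1
    shift 2
    [ "$#" -gt 0 ] || return 1
    for port in "$@"; do
        valid_port "$port" || return 1
    done
    for port in "$@"; do
        echo "pass in on $EXT_IF inet proto tcp from any to $ip port $port"
    done
}

# Jail start: replace the rules in this jail's anchor with the generated set.
jail_anchor_load() {
    rules=$(jail_anchor_rules "$@") || return 1
    printf '%s\n' "$rules" | pfctl -a "jails/$1" -f -
}

# Jail stop: flush the jail's rules; the main ruleset is left untouched.
jail_anchor_flush() {
    valid_name "$1" || return 1
    pfctl -a "jails/$1" -F rules
}
```

Because each jail's rules live only in its own anchor, a stopped jail leaves no stale pass rules behind in the main ruleset.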
