On Mon, Nov 14, 2005 at 06:27:35PM -0700, Joe Barnett wrote:
> The machine is running 3.8 from the CDs, GENERIC kernel, etc.
> pf.conf follows (any critique of the rules is welcome...):
> 
> #########################################################################
> # pf.conf -- Pf ruleset
> #########################################################################
> # set up some variables
> #
> nic="rl0"
> spoofed="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
> local="192.168.0.0/16"
> #########################################################################
> # Scrub all packets by default
> scrub in all
> #########################################################################
> # Block all in by default, pass out all by default
> #
> block in all
> pass out all
> #########################################################################
> # Block spoofers (this might be redundant...)
> #
> block in quick on $nic from $spoofed
> #########################################################################
> # open http/s
> pass in quick proto tcp from $local to $nic port = 80
> pass in quick proto tcp from any to $nic port = 443
> #########################################################################
> # And SSH only, no ftp or telnet
> #
> pass in quick proto tcp from any to $nic port = 22
> #########################################################################
> # MySQL
> pass in quick proto tcp from $local to $nic port = 3306
> #########################################################################
> # SMB shares
> pass in quick proto tcp from $local to $nic port = 139
> pass in quick proto tcp from $local to $nic port = 445
> #########################################################################
> # Allow loopback traffic
> #
> pass in quick on lo0 all
> #########################################################################
> # Allow local machines to ping
> #
> pass in quick proto icmp from $local to $nic
> #########################################################################
> # Allow out all TCP, UDP, and ICMP traffic & keep state on it
> # so that it's allowed back in.
> #
> # tcp
> pass out quick proto tcp from $nic to any keep state
> # udp
> pass out quick proto udp from $nic to any keep state
> # icmp
> pass out quick inet proto icmp from $nic to any keep state
> #########################################################################
> # Block office generated SMB broadcast traffic without logging (very
> # noisy) (this might also be redundant...)
> #
> block in quick proto udp from any to $nic port = 137
> block in quick proto udp from any to $nic port = 138
> #########################################################################
> # just to be safe, end by blocking anything that is left
> #
> block in all

I can't recall a time on this or the pf@benzedrine.cx list where running
with the "pass quick first, then block all at the end" mindset was
worthwhile.  If you've got a real good reason to be doing it, fine.
Otherwise, I suggest avoiding it.  You are doing a little of both --
You've got a default drop policy inbound yet a default allow outbound,
and you tacked on an extra default block in at the end for good measure.
I'm not sure what your intention was.

My suggestions:

1) Turn on logging so you can see what (if anything) is going wrong
2) For TCP connections, only allow in packets that are part of a valid
   connection.  That is, use "flags S/SA" to match the initial syn and
   follow #3 to match the rest.
3) Use the various state options (keep, synproxy, modulate) everywhere
   unless you've got a good reason not to.  Especially for those
   incoming 80/443 connections.
4) Using "$nic" will only work when you are referring to an interface.
   That means rules like "pass out quick inet proto icmp from $nic blah
   blah" won't work.  They'll actually try to lookup "rl0" which you
   definitely don't want.  Use the proper address or address block
   there.
5) Consider "set skip on lo0".  You've got a rule that allows traffic in
   on lo0, but never out.
6) See #1


> I have another pf.conf I use for testing, which allows all packets
> in and out, only scrubbing them, and performance is significantly
> better with this:

When you say "significantly", do you mean you are back to acceptable
speeds?

-jon
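As an added example (not Joe's file, and not code Jon posted), here is the quoted ruleset reworked along the lines of the six suggestions above: default deny with logging, no "quick then block all again", flags S/SA plus state on every TCP rule, interface addresses written as ($nic) instead of a bare interface name, and set skip on lo0. The interface name and address ranges are assumptions copied from the quoted pf.conf.

```pf
# Added example: Joe's ruleset rewritten along Jon's suggestions.
# Interface name and address ranges are assumed from the quoted file.
nic="rl0"
spoofed="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
local="192.168.0.0/16"

# 5) Don't filter loopback at all, rather than passing only one direction.
set skip on lo0

scrub in all

# 1) Log what the default policy drops.  No "quick" on these, so later
# pass rules win (last match) and no second "block in all" is needed.
block in log all
pass out all

# Spoofed sources are dropped before anything else can pass them.
block in quick on $nic from $spoofed

# NetBIOS broadcasts go to the broadcast address, not the interface
# address, so match "to any"; no "log" keyword keeps them out of pflog.
block in quick on $nic proto udp from any to any port { 137, 138 }

# 2) and 3) Only the initial SYN may match a rule; every later packet of
# the connection is matched by the state entry.  synproxy finishes the
# handshake on pf's side before the web server sees the connection.
pass in on $nic proto tcp from $local to ($nic) port 80 \
    flags S/SA synproxy state
pass in on $nic proto tcp from any to ($nic) port 443 \
    flags S/SA synproxy state
pass in on $nic proto tcp from any to ($nic) port 22 \
    flags S/SA keep state
pass in on $nic proto tcp from $local to ($nic) port { 3306, 139, 445 } \
    flags S/SA keep state

# 4) "($nic)" expands to the address currently on rl0, so the rule keeps
# working if the address changes; a bare "$nic" here is not an address.
pass in on $nic inet proto icmp from $local to ($nic) keep state

# Outbound: state is created on the way out, so replies come back in
# without any matching "pass in" rule.
pass out on $nic proto tcp from ($nic) to any flags S/SA modulate state
pass out on $nic proto udp from ($nic) to any keep state
pass out on $nic inet proto icmp from ($nic) to any keep state
```

Check it with pfctl -nf /etc/pf.conf before loading, and watch pflog0 (tcpdump -n -e -ttt -i pflog0) to see what the logged default block is actually dropping.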
