On Fri, Mar 30, 2007 at 11:51:43AM +0200, Anze Povsic wrote:
> Hello!
>
> First of all I would like to say many, many thanks to the obsd community,
> especially to the obsd developers, for a really great product.
> I really appreciate your work; this is the second time I pre-order the
> CD set just to support the project.
> But the reason I wrote this message is that I would like to hear what you
> people think about the pf.conf I include in the mail.
> Those rules are on the gateway to protect machines on the LAN.
> Thanks for any comments, and sorry for my English.
Okay, you asked for it... quite a bit of commentary, and my take on your
ruleset, below.

> # $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="tun0"

tun0? Are you sure?

> int_if="fxp0"
>
> NoRoute="{0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23,
> 224.0.0.0/3, 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
> 255.255.255.255/32 }"

/32 is not required. I don't think blocking unroutable nets is terribly
useful.

> OutTCP="{1494, 5999, http, https, smtp, pop3, whois, domain, ssh, ftp,
> ftp-data, auth, ntp, nntp}"
> OutUDP="{1604, ntp, domain}"
> Bad_ports="5,69,135,137,138,139,445,524,548,666,1080,1433,1434,2283,2535,3127,3128,3410,8866,9898,4899,6129,12345,6667,33270,60001,54321,65289,2407,1711,31337,10000,65506,2745"

Enumerating bad ports isn't going to help you... see below.

> set loginterface $ext_if

That is not usually required, but otherwise okay.

> set optimization aggressive

If you don't know that you need this, don't use it. Dropping idle sessions
is not a good thing.

> set block-policy drop
> set state-policy if-bound

if-bound should not be used unless necessary. It makes things less standard
and more complex.

> scrub in on { lo $ext_if, $int_if } all fragment reassemble random-id
> scrub out on { lo $ext_if, $int_if } all fragment reassemble random-id

You might want to use

  scrub on { $ext_if $int_if } fragment reassemble random-id \
      reassemble-tcp
  set skip on lo0

instead; it's less verbose, adds TCP normalization (which should work
perfectly in 99.9% of all cases), and bypasses pf for traffic on the
loopback interface.

> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port

Do you need the static-port?
You might want to experiment with using it only for whatever truly needs it -
I don't know what pf does when it handles multiple NAT'ed connections from
the same source port in this case. You should probably find out.

> rdr on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port spamd

This will redirect *all* incoming traffic to spamd; effectively, your host is
a tarpit for mail servers. Is that the intention? If not, read spamd(8).

> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128

Make sure whatever HTTP proxy you use is properly secured.

> block in on $ext_if all
> block out on $ext_if all

More concisely, 'block on $ext_if'. Note that you allow *all* traffic out!
It's usually best to start with 'block all'.

> anchor "ftp-proxy/*"
>
> block return-rst out log on $ext_if proto tcp all
> block return-rst in log on $ext_if proto tcp all
> block return-icmp out log on $ext_if proto udp all
> block return-icmp in log on $ext_if proto udp all

Huh? That's more properly spelled 'block return log on $ext_if', which also
handles non-tcp, non-udp traffic. Again, just block everything.

> antispoof for { lo, $ext_if, $int_if } inet

That doesn't make sense; you want quick, at least, and there's no reason to
limit this to inet.

> block in inet6 all
> block out inet6 all
>
> pass in on lo all
> pass out on lo all

This is best replaced by 'set skip on lo0'.
> block in log on $ext_if inet proto tcp from any to any flags /WEUAPRS
> block in log on $ext_if inet proto tcp from any to any flags FUP/FUP
> block in log on $ext_if inet proto tcp from any to any flags SR/SR
> block in log on $ext_if inet proto tcp from any to any flags SF/SFRA
> block in log on $ext_if inet proto tcp from any to any flags UAPRSF/UAPRSF
> block in log on $ext_if inet proto tcp from any to any flags WEUAPRS/WEUAPRS
> block in log on $ext_if inet proto tcp from any to any flags F/SFRA
> block in log on $ext_if inet proto tcp from any to any flags U/SFRAU
> block in log on $ext_if inet proto tcp from any to any flags FPU/SFRAUP

Huh? pf knows how to normalize traffic; that's what scrub is for.

All in all, I'd recommend replacing everything up to now with:

  ext_if="tun0"
  int_if="fxp0"

  OutTCP="{1494, 5999, http, https, smtp, pop3, whois, domain, ssh, ftp,
      ftp-data, auth, ntp, nntp}"
  OutUDP="{1604, ntp, domain}"

  set loginterface $ext_if
  set skip on lo0
  scrub in on $ext_if fragment reassemble random-id reassemble-tcp
  scrub out on $ext_if from !$ext_if fragment reassemble \
      random-id reassemble-tcp
  set block-policy return

  nat-anchor "ftp-proxy/*"
  rdr-anchor "ftp-proxy/*"
  nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port
  # This, or what you really want to do
  rdr on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port spamd
  rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
  rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128

  block quick inet6
  antispoof quick for { lo0 $ext_if $int_if }
  block all

> block in log on $ext_if from $NoRoute to any
> block out log on $ext_if from any to $NoRoute
> block in log proto { udp, tcp } from any to any port { = $Bad_ports }

You don't want to do that - 'bad' ports may be chosen dynamically, so this
will cause inexplicable random failures.

> block in on $ext_if from any to 255.255.255.255

None of the above rules are necessary.
> pass out on $ext_if inet proto tcp from any to any port www keep state
> pass out on $ext_if inet proto tcp from any to any port > 1023 flags S/SA
> modulate state

Huh? Why do you use modulate state on one rule but not on another, and allow
access to all ports > 1023? This makes $OutTCP, which was a good idea, pretty
pointless. Drop those rules.

> pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

You can use symbolic names ('echoreq') to improve readability. 'inet' is
unnecessary; the 'block quick inet6' rule I proposed above already handles
inet6.

> pass out on $ext_if inet proto udp from any to any port $OutUDP keep state
> pass out on $ext_if inet proto tcp from any to any port $OutTCP flags S/SA
> modulate state

Those are sensible.

> pass in log on $ext_if inet proto tcp from any to lo0 port spamd synproxy
> state flags S/SA

Why? Why log connections to spamd, which already does logging? Why inet? Why
synproxy for connections to not only an OpenBSD machine, which doesn't need
it, but localhost? Just use

  pass in on $ext_if to lo0 port spamd

and reserve synproxy for the case where you rdr connections from outside to
a host on the LAN which does not have a particularly robust TCP
implementation.

> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass in on $int_if from any to any
> pass out on $int_if from any to any

More concisely,

  pass in on $int_if proto tcp to 127.0.0.1 port 3128 keep state
  pass on $int_if

which should make it clear that the first rule is unnecessary. Restricting
$int_if further might be a good idea, too.

> #pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

You will want to enable this, I think. Just make sure you use public keys,
or strong passwords.

> #pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state

This doesn't do anything until you remove the rdr to spamd.
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state

You might want to rate-limit this; I always rate-limit outgoing SMTP
connections, to make sure a compromised host has limited value as a spamming
bot.

I'd replace the latter part by

  pass out on $ext_if proto udp to port $OutUDP keep state
  pass out on $ext_if proto tcp to port $OutTCP flags S/SA modulate state
  pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA keep state
  pass in on $ext_if proto tcp to lo0 port spamd flags S/SA keep state
  pass on $int_if

where the last rule should be tightened in the future.

Joachim
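The review above objects to a handful of recurring patterns in the quoted ruleset: an unneeded /32, aggressive timeouts, if-bound state, TCP-flag block rules next to scrub, a pass to every port above 1023, synproxy for a listener on the firewall itself, and symmetric in/out pairs that collapse to one rule. The script below is an added example, not code from this mail or from OpenBSD; it is a heuristic lint over a constructed copy of the quoted rules, not a pf.conf(5) parser, and the finding names are its own. It folds backslash continuations the way pfctl does, then flags the patterns mechanically, which is a useful pre-check before `pfctl -nf` on a ruleset.

```python
import re

# Constructed sample: the rules quoted in the mail above that the checks
# below care about. Not a complete or loadable ruleset.
SAMPLE_RULES = """\
ext_if="tun0"
int_if="fxp0"
NoRoute="{0.0.0.0/8, 169.254.0.0/16, 255.255.255.255/32 }"
set optimization aggressive
set state-policy if-bound
scrub in on { lo $ext_if, $int_if } all fragment reassemble random-id
scrub out on { lo $ext_if, $int_if } all fragment reassemble random-id
block in on $ext_if all
block out on $ext_if all
block in log on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log on $ext_if inet proto tcp from any to any flags SR/SR
pass in on lo all
pass out on lo all
pass out on $ext_if inet proto tcp from any to any port > 1023 flags S/SA \\
    modulate state
pass in log on $ext_if inet proto tcp from any to lo0 port spamd synproxy \\
    state flags S/SA
"""


def logical_lines(text):
    """Fold backslash-newline continuations, drop comments and blank lines,
    and return one whitespace-normalised rule per entry."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            rules.append(" ".join(stripped.split()))
    return rules


# Destinations that are the firewall itself (hypothetical list for this lint):
# synproxy buys nothing there, as the review says.
SELF_TARGET = re.compile(r"\bto (lo0|127\.0\.0\.1|\(\$ext_if\)|\$ext_if)(?=\s|$)")


def lint(text):
    """Return (finding, rule) pairs for the patterns criticised in the review."""
    rules = logical_lines(text)
    have_scrub = any(r.startswith("scrub") for r in rules)
    seen = set(rules)
    findings = []
    for r in rules:
        verb = r.split()[0]
        if re.search(r"/32\b", r):
            findings.append(("redundant-/32", r))
        if r.startswith("set optimization aggressive"):
            findings.append(("aggressive-timeouts", r))
        if r.startswith("set state-policy if-bound"):
            findings.append(("if-bound", r))
        # Hand-written flag matching is what scrub's normalisation replaces.
        if have_scrub and verb == "block" and " flags " in r:
            findings.append(("flags-rule-with-scrub", r))
        # A pass to every high port defeats an explicit port list like $OutTCP.
        if verb == "pass" and re.search(r"\bport > 1023\b", r):
            findings.append(("broad-high-ports", r))
        if verb == "pass" and " synproxy" in r and SELF_TARGET.search(r):
            findings.append(("synproxy-to-self", r))
        # 'X in ...' plus an identical 'X out ...' is just 'X ...'.
        m = re.match(r"^(block|pass) in (.*)$", r)
        if m and f"{m.group(1)} out {m.group(2)}" in seen:
            findings.append(("in/out-pair", r))
    return findings


if __name__ == "__main__":
    for code, rule in lint(SAMPLE_RULES):
        print(f"{code:24s} {rule}")
```

On the sample it reports nine findings, two each for the flag rules and the in/out pairs; on a ruleset written the way the review suggests (set skip on lo0, block all, explicit port lists) it reports nothing.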