On Fri, Mar 30, 2007 at 11:51:43AM +0200, Anze Povsic wrote:
> Hello!
> 
> First of all I would like to say many many thanks to the obsd community, especially 
> to the obsd developers for a really great product.
> I really appreciate your work; this is now the second time I pre-order the cd-set just to 
> support the project.
> But the reason I wrote this message is that I would like to hear what you people 
> think about the pf.conf I include in the mail.
> Those rules are on the gateway to protect machines on the LAN.
> Thanks for any comments and sorry for my English.

Okay, you asked for it... quite a bit of commentary, and my take on your
ruleset, below.

> #     $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
> 
> ext_if="tun0"

tun0? Are you sure?

> int_if="fxp0"
> 
> NoRoute="{0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 
> 224.0.0.0/3, 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 
> 255.255.255.255/32 }"

/32 is not required. I don't think blocking unroutable nets is terribly
useful.

> OutTCP="{1494, 5999, http, https, smtp, pop3, whois, domain, ssh, ftp, ftp-data, auth, ntp, nntp}"
> OutUDP="{1604, ntp, domain}"
> Bad_ports="5,69,135,137,138,139,445,524,548,666,1080,1433,1434,2283,2535,3127,3128,3410,8866,9898,4899,6129,12345,6667,33270,60001,54321,65289,2407,1711,31337,10000,65506,2745"

Enumerating bad ports isn't going to help you... see below.

> set loginterface $ext_if

That is not usually required, but otherwise okay.

> set optimization aggressive

If you don't know that you need this, don't use it. Dropping idle
sessions is not a good thing.

> set block-policy drop
> set state-policy if-bound

if-bound should not be used unless necessary. It makes things less
standard and more complex.

> scrub in on { lo $ext_if, $int_if } all fragment reassemble random-id  
> scrub out on { lo $ext_if, $int_if } all fragment reassemble random-id  

You might want to use

scrub on { $ext_if $int_if } fragment reassemble random-id \
        reassemble tcp
set skip on lo0

instead; it's less verbose, adds TCP normalization (which should work
perfectly in 99.9% of all cases), and bypasses pf for traffic on the
loopback interface.

> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port

Do you need the static-port? You might want to experiment with using it
only for whatever truly needs it - I don't know what pf does when it
handles multiple NAT'ed connections from the same source port in this
case. You should probably find out.

> rdr on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port spamd

This will redirect *all* incoming traffic to spamd; effectively, your
host is a tarpit for mail servers. Is that the intention? If not, read
spamd(8).

> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128 

Make sure whatever HTTP proxy you use is properly secured.

> block in on $ext_if all
> block out on $ext_if all

More concisely, 'block on $ext_if'. Note that you allow *all* traffic
out! It's usually best to start with 'block all'.

> anchor "ftp-proxy/*"
> 
> block return-rst out log on $ext_if proto tcp all
> block return-rst in log on $ext_if proto tcp all
> block return-icmp out log on $ext_if proto udp all
> block return-icmp in log on $ext_if proto udp all

Huh? That's more properly spelled

'block return log on $ext_if'

which also handles non-tcp, non-udp traffic. Again, just block
everything.

> antispoof for { lo, $ext_if, $int_if } inet

That doesn't make sense; you want quick, at least, and there's no reason
to limit this to inet.

> block in inet6 all
> block out inet6 all
> 
> pass in on lo all
> pass out on lo all

This is best replaced by 'set skip on lo0'.

> block in log on $ext_if inet proto tcp from any to any flags /WEUAPRS
> block in log on $ext_if inet proto tcp from any to any flags FUP/FUP
> block in log on $ext_if inet proto tcp from any to any flags SR/SR
> block in log on $ext_if inet proto tcp from any to any flags SF/SFRA
> block in log on $ext_if inet proto tcp from any to any flags UAPRSF/UAPRSF
> block in log on $ext_if inet proto tcp from any to any flags WEUAPRS/WEUAPRS
> block in log on $ext_if inet proto tcp from any to any flags F/SFRA
> block in log on $ext_if inet proto tcp from any to any flags U/SFRAU
> block in log on $ext_if inet proto tcp from any to any flags FPU/SFRAUP

Huh? pf knows how to normalize traffic, that's what scrub is for.

All in all, I'd recommend replacing everything up to now with:

ext_if="tun0"
int_if="fxp0"
OutTCP="{1494, 5999, http, https, smtp, pop3, whois, domain, ssh, ftp, ftp-data, auth, ntp, nntp}"
OutUDP="{1604, ntp, domain}"

set loginterface $ext_if
set skip on lo0
set block-policy return
scrub in on $ext_if fragment reassemble random-id reassemble tcp
scrub out on $ext_if from !$ext_if fragment reassemble \
        random-id reassemble tcp

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port
# This, or what you really want to do
rdr on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port spamd
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128 

block quick inet6
antispoof quick for { lo0 $ext_if $int_if }
block all

> block in log on $ext_if from $NoRoute to any
> block out log on $ext_if from any to $NoRoute
> block in log proto { udp, tcp } from any to any port { = $Bad_ports } 

You don't want to do that - 'bad' ports may be chosen dynamically, so
this will cause inexplicable random failures.

> block in on $ext_if from any to 255.255.255.255

None of the above rules are necessary.

> pass out on $ext_if inet proto tcp from any to any port www keep state
> pass out on $ext_if inet proto tcp from any to any port > 1023 flags S/SA modulate state

Huh? Why do you use modulate state on one rule but not on another, and
allow access to all ports > 1023? This makes $OutTCP, which was a good
idea, pretty pointless. Drop those rules.

> pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

You can use symbolic names ('echoreq') to improve readability. 'inet' is
unnecessary, the 'block quick inet6' rule I proposed above already
handled inet6.

> pass out on $ext_if inet proto udp from any to any port $OutUDP keep state
> pass out on $ext_if inet proto tcp from any to any port $OutTCP flags S/SA modulate state

Those are sensible.

> pass in log on $ext_if inet proto tcp from any to lo0 port spamd synproxy state flags S/SA

Why? Why log connections to spamd, which already does logging? Why inet?
Why synproxy for connections to not only an OpenBSD machine, which
doesn't need it, but localhost? Just use

pass in on $ext_if proto tcp to lo0 port spamd

and reserve synproxy for the case where you rdr connections from outside
to a host on the LAN which does not have a particularly robust TCP
implementation.

> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass in on $int_if from any to any
> pass out on $int_if from any to any

More concisely,

pass in on $int_if proto tcp to 127.0.0.1 port 3128 keep state
pass on $int_if

Which should make it clear that the first rule is unnecessary.
Restricting $int_if further might be a good idea, too.

> #pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

You will want to enable this, I think. Just make sure you use public
keys, or strong passwords.

> #pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state

This doesn't do anything until you remove the rdr to spamd.

> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state

You might want to rate-limit this; I always rate-limit outgoing SMTP
connections, to make sure a compromised host has limited value as a
spamming bot.

I'd replace the latter part by

pass out on $ext_if proto udp to port $OutUDP keep state
pass out on $ext_if proto tcp to port $OutTCP flags S/SA modulate state
pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA keep state
pass in on $ext_if proto tcp to lo0 port spamd flags S/SA keep state
pass on $int_if

where the last rule should be tightened in the future.

                Joachim

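The consolidated ruleset from the reply above, written out as one file, with the outgoing-SMTP rate limit Joachim mentions added for the LAN side and a parse-only check (pfctl -nf) before anything is loaded. This is an added example, not code from the original mail or from OpenBSD; the interface names, the proxy ports, the <spammers> table and the 10-connections-per-minute limit are assumptions carried over from the thread and should be adjusted to the box in question.

```shell
#!/bin/sh
# Added example: write the consolidated ruleset to a file and syntax-check it
# with pfctl -nf before it is loaded.  tun0/fxp0, the proxy ports 8021/3128,
# the <spammers> table and the 10/60 limit are assumptions from the thread.

# write_ruleset FILE: write the ruleset (2007-era OpenBSD pf.conf syntax).
write_ruleset() {
    cat > "$1" <<'EOF'
# Macros and tables
ext_if="tun0"
int_if="fxp0"
OutTCP="{ 1494, 5999, http, https, smtp, pop3, whois, domain, ssh, ftp, ftp-data, auth, ntp, nntp }"
OutUDP="{ 1604, ntp, domain }"
table <spammers> persist

# Options must precede normalization: pfctl rejects a 'set' placed after a 'scrub'
set loginterface $ext_if
set skip on lo0
set block-policy return

# Normalization (fragment and TCP reassembly on the outside interface only)
scrub in on $ext_if fragment reassemble random-id reassemble tcp
scrub out on $ext_if from !$ext_if fragment reassemble random-id reassemble tcp

# Translation
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port
rdr on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port spamd
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128

# Filtering: default deny, then explicit passes (last matching rule wins)
block quick inet6
antispoof quick for { lo0 $ext_if $int_if }
block all
anchor "ftp-proxy/*"

pass out on $ext_if proto udp to port $OutUDP keep state
pass out on $ext_if proto tcp to port $OutTCP flags S/SA modulate state
pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA keep state
pass in on $ext_if proto tcp to lo0 port spamd flags S/SA keep state

# LAN: a host opening more than 10 SMTP connections per minute is added to
# <spammers>, its states are flushed and further SMTP from it is refused.
# 'quick' on both rules keeps the catch-all 'pass on $int_if' below from
# overriding them.
block in quick on $int_if proto tcp from <spammers> to any port smtp
pass in quick on $int_if proto tcp from $int_if:network to any port smtp \
    flags S/SA keep state (max-src-conn-rate 10/60, overload <spammers> flush global)
pass on $int_if
EOF
}

# check_ruleset FILE: parse-only load.  Returns 0 if pfctl accepts the file,
# non-zero on a syntax error, and 2 if pfctl is not installed on this host.
check_ruleset() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; cannot syntax-check $1" >&2
        return 2
    fi
    pfctl -nf "$1"
}

# Usage: sh pf-rules.sh /tmp/pf.conf.new
# Only after the check passes, load it for real with: pfctl -f /tmp/pf.conf.new
if [ "$#" -eq 1 ]; then
    write_ruleset "$1"
    check_ruleset "$1" && echo "$1 parses; load it with: pfctl -f $1"
fi
```

Running the script with a file name writes the ruleset and parses it; nothing is loaded until you run pfctl -f yourself, so a typo cannot leave the gateway with an empty or half-loaded ruleset. The SMTP rules sit on $int_if rather than $ext_if because after NAT every LAN host shares the external address, and max-src-conn-rate tracks the pre-translation source, so the limit lands on the individual LAN host that is misbehaving.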