pf.conf settings
I want to use pf as firewall for my laptop. It is connected wired and wireless, depending on the situation, but also to my own router/modem. I have enabled pf and made a pf.conf which is looking like this:

#
# $OpenBSD: PF firewall rules $
#

# scrub
scrub in all

# setup a default deny policy
block in all
block out all

antispoof for { bce0, wpi0 } inet

pass out on { bce0, wpi0 } proto tcp from any to any
pass out on { bce0, wpi0 } proto udp from any to any
pass out on { bce0, wpi0 } proto icmp from any to any

#

I was wondering if there are defaults which are better than these. For example the pass out lines with from any to any, could they be tightened more? I have tried some settings but till now I did not manage to get it working with other settings than these. Any help to make my pf settings more secure would be appreciated.

To be sure; I am running pf on my laptop, and there is no other computer connected to my laptop.

Jan
Re: pf.conf settings
Okay, found some stuff on the internet; this is it at the moment:

# $OpenBSD: PF firewall rules $

# ports: see /etc/services
# 21 = ftp
# 22 = ssh
# 25 = smtp
# 53 = domain
# 80 = www
# 110 = pop3
# 123 = ntp
# 631 = ipp (CUPS)
# 6667 = irc

tcp_pass = "{ 21 22 25 53 80 110 123 6667}"
udp_pass = "{ 53 110 }"

# scrub
scrub in all

# setup a default deny policy
block in all
block out all

antispoof for { bce0, wpi0 } inet

pass out on { bce0, wpi0 } proto tcp to any port $tcp_pass
pass out on { bce0, wpi0 } proto udp to any port $udp_pass

> > Any help to make my pf settings more secure would be appreciated.
> >
> > To be sure; I am running pf on my laptop, and there is no other computer
> > connected to my laptop.
> >
> > Jan
Re: pf.conf settings
Okay, this should be it, any comments are appreciated. The >1023 is used for ftp;

###
# $OpenBSD: PF firewall rules $

tcp_pass = "{ 21 22 25 53 80 110 123 >1023}"
udp_pass = "{ 53 110 }"

# scrub
scrub in all

# setup a default deny policy
block in all
block out all

antispoof for { bce0, wpi0 } inet

pass out on { bce0, wpi0 } proto tcp to any port $tcp_pass
pass out on { bce0, wpi0 } proto udp to any port $udp_pass
###

On Mon, 28 May 2007 22:01:53 +0200 Lontronics Mailinglist account <[EMAIL PROTECTED]> wrote:

> Okay, found some stuff on the internet; this is it at the moment:
>
> > Any help to make my pf settings more secure would be appreciated.
> >
> > To be sure; I am running pf on my laptop, and there is no other computer
> > connected to my laptop.
> >
> > Jan
Re: pf.conf settings
On Mon, 28 May 2007, Lontronics Mailinglist account wrote:

> Okay, found some stuff on the internet; this is it at the moment:
>
> # $OpenBSD: PF firewall rules $
>
> # ports: see /etc/services
> # 21 = ftp
> # 22 = ssh
> # 25 = smtp
> # 53 = domain
> # 80 = www
> # 110 = pop3
> # 123 = ntp
> # 631 = ipp (CUPS)
> # 6667 = irc
>
> tcp_pass = "{ 21 22 25 53 80 110 123 6667}"
> udp_pass = "{ 53 110 }"
>
> # scrub
> scrub in all
>
> # setup a default deny policy
> block in all
> block out all
>
> antispoof for { bce0, wpi0 } inet
>
> pass out on { bce0, wpi0 } proto tcp to any port $tcp_pass
> pass out on { bce0, wpi0 } proto udp to any port $udp_pass

You may wish to add pass in and out rules for icmp, to be RFC compliant.

If you are passing to 80 outbound, you may want to also pass 443 (SSL, https).

You may wish to add "log" options to the block statements, particularly the "out" -- if you are trying to pass packets that you have forbidden, you probably want to know that, either to allow those packets, or to wonder where they are coming from, going to, and why.

If you are going to be using pop and irc, you may wish to evaluate allowing inbound tcp on 113, the identd/auth service. (Also enabling it in /etc/inetd.conf). Or not.

I wonder if this setup will allow you to do dhcp. Probably during boot, (before it takes effect, when the rules in /etc/rc are active), but afterwards, not. This might be an issue. I dunno how dhcp communicates, don't use it myself.

But do try logging, maybe all packets at first, to familiarize yourself with your normal network traffic. A tcpdump process in a little xterm can be fascinating and make debugging a more complicated pf setup easy or possible. I use

# /usr/sbin/tcpdump -n -e -ttt -i pflog0

to watch in realtime.

Dave
Re: pf.conf settings
On Mon, May 28, 2007 at 11:27:46PM +0200, Lontronics Mailinglist account wrote:
> Okay, this should be it, any comments are appreciated.
> The >1023 is used for ftp;

That is not the proper solution; use ftp-proxy, as documented in the FAQ.

> ###
>
> # $OpenBSD: PF firewall rules $
>
> tcp_pass = "{ 21 22 25 53 80 110 123 >1023}"
> udp_pass = "{ 53 110 }"

I'd recommend symbolic names for legibility:

tcp_pass = { ftp ssh smtp domain http pop3 }
udp_pass = { domain ntp }

I'm pretty certain you mean the above, by the way; NTP over TCP is about as useful as POP3 over UDP...

> # scrub
> scrub in all

'scrub' is useful when using an OpenBSD machine as a firewall, as it makes it far harder for attackers to get weird packets to machines with badly-written TCP/IP stacks. However, the OpenBSD network stuff is usually very good, and enabling scrub enables an attacker to attack far more code (notably, the PF code as well). Plus it consumes some cycles. Just skip it.

> # setup a default deny policy
> block in all
> block out all

'block all'

> antispoof for { bce0, wpi0 } inet
>
> pass out on { bce0, wpi0 } proto tcp to any port $tcp_pass
> pass out on { bce0, wpi0 } proto udp to any port $udp_pass

As noted, you should add icmp. Also, if you are sure that you will never use IPv6, 'block inet6'.

You didn't post it, but you will want to add 'set skip lo0' at least. Strange things happen when pf blocks everything on the loopback interface...

Joachim

--
TFMotD: fingerd (8) - remote user information server
Re: pf.conf settings
Thanks Joachim and Woodchuck for your replies.

To be RFC compliant I will add icmp. I will also add logging to check the output, which can indeed be very helpful. I am not using ssh and dhcp, so I have blocked those ports.

About 'block inet6'; I thought that 'block all' did that job?

I will also add 'set skip lo0'; good point!

Scrub is removed now because of the notes from Joachim. I will add the ftp proxy too.

Thanks again, will post the result later for a last check.
Re: pf.conf settings
On 5/28/07, Woodchuck <[EMAIL PROTECTED]> wrote:

> I wonder if this setup will allow you to do dhcp. Probably during boot,
> (before it takes effect, when the rules in /etc/rc are active), but
> afterwards, not.

Typically, dhclient(8) uses the bpf(4) devices and is not troubled by PF's ruleset. If I'm not mistaken, this behaviour is hinted at in the man page.

> This might be an issue. I dunno how dhcp communicates, don't use it myself.

If you're interested, you may want to see RFC 2131 and RFC 2132. In short: DHCP uses UDP datagrams to/from ports 67 and 68. Typically, conversations start with a discovery (broadcast by the client). An active DHCP server may then provide a lease offer. Normally, the client requests the address listed in the offer. If all goes well, the server acknowledges the request.

Cheers,
Rogier

--
If you don't know where you're going, any road will get you there.
Re: pf.conf settings
Sorry to bother again. Still no luck with pf in combination with ftp-proxy. A connection is made, but then it is blocked (getting no route to host):

Here is the output of gftp:

Looking up ftp.lontronics.nl
Trying ftp.lontronics.nl:21
Connected to ftp.lontronics.nl:21
220 Gene6 FTP Server v3.9.0 (Build 2) ready...
USER lontronics
331 Password required for lontronics.
PASS
230 User lontronics logged in.
SYST
215 UNIX Type: L8
TYPE I
200 Type set to I.
CWD /lontronics
550 CWD failed. "/lontronics" : no such file or directory.
PWD
257 "/" is current directory.
Loading directory listing / from server (LC_TIME=C)
PASV
227 Entering Passive Mode (195,8,208,48,81,216)
Cannot create a data connection: No route to host
Disconnecting from site ftp.lontronics.nl

I am running pf as firewall now with the following settings:

pf.conf:

# $OpenBSD: PF firewall rules $

# macros
# 6667 is used for irc
int_if = "{ bce0, wpi0 }"
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, ftp, sftp, pop3s, imap, imaps, https, 6667 }"
udp_services = "{ domain, ntp }"

# options
set block-policy drop
set skip on lo0

# Translation
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

antispoof for $int_if inet

# block all ipv6 and setup a default deny policy for ipv4
block inet6 all
block all

anchor "ftp-proxy/*"

pass out on $int_if proto tcp to any port $tcp_services
pass out on $int_if proto udp to any port $udp_services
pass out on $int_if inet proto icmp all icmp-type echoreq

inetd.conf:

ftp stream tcp  nowait root /usr/libexec/ftpd ftpd -US
ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -US

rc.conf.local:

pf=YES                  # enable pf firewall
pf_rules=/etc/pf.conf   # use /etc/pf.conf for pf settings
pflogd_flags=NO         # disable logging on pf firewall
ftpproxy_flags=""       # enable the internal ftp proxy

Any suggestions of what settings are wrong? Any help would really be appreciated, because I did not find the info on the internet, news groups and forums.

Jan
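An added example, not code from the thread, assuming the standard /etc/services numbers for the service names in the posted tcp_services macro: a small Python check that walks the gftp transcript above, decodes the PASV reply into the data-connection endpoint and evaluates each outbound TCP connection against the posted ruleset ('block all' plus 'pass out ... port $tcp_services'). pf reports a blocked, locally originated outbound connection to the application as "No route to host", which is exactly the symptom in the transcript, and the passive data port falls outside the listed services.

```python
import re

# Assumed numeric values for the service names in the posted tcp_services
# macro (standard /etc/services entries); "6667" is already numeric.
TCP_SERVICES = {
    "ssh": 22, "smtp": 25, "domain": 53, "www": 80, "pop3": 110, "auth": 113,
    "ftp": 21, "sftp": 115, "pop3s": 995, "imap": 143, "imaps": 993,
    "https": 443, "6667": 6667,
}
ALLOWED_TCP_PORTS = frozenset(TCP_SERVICES.values())

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
TRYING_RE = re.compile(r"Trying (\S+):(\d+)")

def parse_pasv(line):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' to (host, port)."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def outbound_tcp_allowed(dst_port):
    # Posted ruleset for a locally generated SYN: 'block all' is the default
    # and only 'pass out ... port $tcp_services' overrides it. The ftp-proxy
    # anchor adds nothing: 'rdr on $int_if' only matches packets arriving on
    # that interface, never the laptop's own outgoing control connection.
    return dst_port in ALLOWED_TCP_PORTS

def audit_transcript(text):
    """(host, port, passed) for each TCP connection the FTP client opens."""
    connections = []
    for line in text.splitlines():
        m = TRYING_RE.search(line)
        if m:  # control connection
            port = int(m.group(2))
            connections.append((m.group(1), port, outbound_tcp_allowed(port)))
        pasv = parse_pasv(line)
        if pasv:  # passive-mode data connection
            connections.append((pasv[0], pasv[1], outbound_tcp_allowed(pasv[1])))
    return connections

# Constructed excerpt of the gftp transcript posted in the thread.
SAMPLE = """Trying ftp.lontronics.nl:21
227 Entering Passive Mode (195,8,208,48,81,216)
Cannot create a data connection: No route to host"""

if __name__ == "__main__":
    for host, port, ok in audit_transcript(SAMPLE):
        print(f"{host}:{port} -> {'pass' if ok else 'blocked'}")
```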