Re: Configuring PF
On Sun, 20 Feb 2005 11:42:41 -0700, Pat Maddox <[EMAIL PROTECTED]> wrote:
> I'd still like to find a good example config file that works well for
> a web server.

I posted an easy to adapt config file 3 days ago, haven't you seen it?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Configuring PF
On Sun, 20 Feb 2005 06:23:39 -0800, Loren M. Lang <[EMAIL PROTECTED]> wrote:
> On Mon, Feb 14, 2005 at 09:32:25PM -0700, Pat Maddox wrote:
> > I want to install a firewall on my system. First of all, is PF the
> > one I should be using? It seems to get the most recommendations.
> >
> > I don't actually seem to have any problems configuring it - I just
> > have some problems testing the configuration. I can ssh to the box,
> > and I can access port 80...but I'd like to be able to just scan it to
> > quickly see what's up. When PF is disabled, I can nmap it in about 9
> > seconds. When I turn it on, it takes over 3 minutes to do. These
> > machines are on the same network, so the connection is obviously fast.
>
> This is a good thing, IMHO. Think about all those script kiddies
> sitting out there looking for a nice, juicy server to compromise. If it
> takes them 3 minutes to port scan your machine, they'll probably cancel
> it before it's finished and move on.

That makes sense to me. I'd still like to be able to scan it the first
time around to make sure everything's working, then I can just set it to
drop packets, so it takes longer.

I'd still like to find a good example config file that works well for
a web server.

> I believe what's happening is that all ports that aren't open are
> configured to drop packets instead of reject them like is default.
> Reject means send back an error message saying port is closed where
> dropping just ignores it. The port scanner sends out a request and
> waits for a response, either "Hello," or "Sorry, I'm closed." It will
> wait quite a while before it decides that nothing's there.
>
> > Are there any good, pretty simple guides on setting up PF? I'm having
> > a tough time understanding what the rulesets all mean.
Re: Configuring PF
On Mon, Feb 14, 2005 at 09:32:25PM -0700, Pat Maddox wrote:
> I want to install a firewall on my system. First of all, is PF the
> one I should be using? It seems to get the most recommendations.
>
> I don't actually seem to have any problems configuring it - I just
> have some problems testing the configuration. I can ssh to the box,
> and I can access port 80...but I'd like to be able to just scan it to
> quickly see what's up. When PF is disabled, I can nmap it in about 9
> seconds. When I turn it on, it takes over 3 minutes to do. These
> machines are on the same network, so the connection is obviously fast.

This is a good thing, IMHO. Think about all those script kiddies
sitting out there looking for a nice, juicy server to compromise. If it
takes them 3 minutes to port scan your machine, they'll probably cancel
it before it's finished and move on.

I believe what's happening is that all ports that aren't open are
configured to drop packets instead of reject them like is default.
Reject means send back an error message saying port is closed where
dropping just ignores it. The port scanner sends out a request and
waits for a response, either "Hello," or "Sorry, I'm closed." It will
wait quite a while before it decides that nothing's there.

> Are there any good, pretty simple guides on setting up PF? I'm having
> a tough time understanding what the rulesets all mean.

--
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
Re: Configuring PF
On Fri, 18 Feb 2005 00:28:30 -0700, Pat Maddox <[EMAIL PROTECTED]> wrote:
> Can you guys let me know if this looks like a good conf file? I've
> got web, mail, ftp, ssh, and DNS that I need to have open.
>
> # Macros
> ext_if="fxp0"
> SYN_ONLY="S/FSRA"
> tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
> icmp_types = "echoreq"
>
> # Default deny
> block all
>
> ## Filtering rules
>
> # Default TCP policy
> block return-rst in log on $ext_if proto TCP all

This block rule is not needed, you already have a "default deny policy".

> pass in log quick on $ext_if proto TCP from any to $ext_if port
> $tcp_services flags $SYN_ONLY keep state
>
> # Default UDP policy
> block in log on $ext_if proto udp all

This block rule is not needed, you already have a "default deny policy".

> pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state
>
> # Default ICMP policy
> block in log on $ext_if proto icmp all

This block rule is not needed, you already have a "default deny policy".

> pass in inet proto icmp all icmp-type echoreq keep state
>
> block out log on $ext_if all

This block rule is not needed, you already have a "default deny policy".

> pass out log quick on $ext_if from $ext_if to any keep state
>
> # Allow the local interface to talk unrestricted
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <[EMAIL PROTECTED]> wrote:
> > On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <[EMAIL PROTECTED]> wrote:
> > > I've managed to come up with something that works so far. I am having
> > > two problems though.
> > >
> > > The first is that I can't authenticate for IMAP anymore. No clue why,
> > > it just keeps rejecting my password. maillog shows imapd: LOGIN
> > > FAILED, that's it.
> > >
> > > Also, after enabling pf, all my UDP ports show as open. I've got a
> > > ruleset of
> > > block in log on $ext_if proto udp all
> > >
> > > So all UDP ports should be shown as closed. Doesn't really make any
> > > sense to me. Anyone care to help?
> > >
> > > Thanks for the help so far.
> > >
> > > Pat
> >
> > Start with a default policy to block and log all traffic
> >
> > # --- default policy
> > block log from any to any
> >
> > Now you only have to open ports to let traffic in. If you don't know
> > which port to open for a certain protocol, you can run "tcpdump -eni
> > pflog0". tcpdump will show which rule blocked, and on which port
> > address combination.

How about this?

# --- pf.conf skeleton for server
# j65nko freebsdforums.org
#
# --- MACRO Section -
EXT_IF="fxp0"
PING = "echoreq"

# --- allowed incoming services initiated by clients
TCP_IN = "{ ssh, smtp, pop3, imap, http, https }"
#UDP_IN = "{ domain }"

# --- allowed services initiated by server
TCP_OUT = "{ smtp }"
UDP_OUT = "{ domain }"

# -- TABLE Section --

# -- OPTIONS Section
set loginterface $EXT_IF

# - TRAFFIC NORMALIZATION
scrub in all

# -- TRANSLATION Section (NAT/RDR)

# -- FILTER section

# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# === INCOMING
# --- EXTERNAL INTERFACE

# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

# --- ICMP
#pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

# === OUTGOING
# --- EXTERNAL INTERFACE

# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

# - end of pf.conf

=Adriaan=
Re: Configuring PF
Can you guys let me know if this looks like a good conf file? I've
got web, mail, ftp, ssh, and DNS that I need to have open.

# Macros
ext_if="fxp0"
SYN_ONLY="S/FSRA"
tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
icmp_types = "echoreq"

# Default deny
block all

## Filtering rules

# Default TCP policy
block return-rst in log on $ext_if proto TCP all
pass in log quick on $ext_if proto TCP from any to $ext_if port $tcp_services flags $SYN_ONLY keep state

# Default UDP policy
block in log on $ext_if proto udp all
pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state

# Default ICMP policy
block in log on $ext_if proto icmp all
pass in inet proto icmp all icmp-type echoreq keep state

block out log on $ext_if all
pass out log quick on $ext_if from $ext_if to any keep state

# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all

On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <[EMAIL PROTECTED]> wrote:
> On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <[EMAIL PROTECTED]> wrote:
> > I've managed to come up with something that works so far. I am having
> > two problems though.
> >
> > The first is that I can't authenticate for IMAP anymore. No clue why,
> > it just keeps rejecting my password. maillog shows imapd: LOGIN
> > FAILED, that's it.
> >
> > Also, after enabling pf, all my UDP ports show as open. I've got a ruleset
> > of
> > block in log on $ext_if proto udp all
> >
> > So all UDP ports should be shown as closed. Doesn't really make any
> > sense to me. Anyone care to help?
> >
> > Thanks for the help so far.
> >
> > Pat
>
> Start with a default policy to block and log all traffic
>
> # --- default policy
> block log from any to any
>
> Now you only have to open ports to let traffic in. If you don't know
> which port to open for a certain protocol, you can run "tcpdump -eni
> pflog0". tcpdump will show which rule blocked, and on which port
> address combination.
>
> =Adriaan=
Re: Configuring PF
On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <[EMAIL PROTECTED]> wrote:
> I've managed to come up with something that works so far. I am having
> two problems though.
>
> The first is that I can't authenticate for IMAP anymore. No clue why,
> it just keeps rejecting my password. maillog shows imapd: LOGIN
> FAILED, that's it.
>
> Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
> block in log on $ext_if proto udp all
>
> So all UDP ports should be shown as closed. Doesn't really make any
> sense to me. Anyone care to help?
>
> Thanks for the help so far.
>
> Pat

Start with a default policy to block and log all traffic

# --- default policy
block log from any to any

Now you only have to open ports to let traffic in. If you don't know
which port to open for a certain protocol, you can run "tcpdump -eni
pflog0". tcpdump will show which rule blocked, and on which port
address combination.

=Adriaan=
Re: Configuring PF
I've managed to come up with something that works so far. I am having
two problems though.

The first is that I can't authenticate for IMAP anymore. No clue why,
it just keeps rejecting my password. maillog shows imapd: LOGIN
FAILED, that's it.

Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
block in log on $ext_if proto udp all

So all UDP ports should be shown as closed. Doesn't really make any
sense to me. Anyone care to help?

Thanks for the help so far.

Pat

On Wed, 16 Feb 2005 13:26:37 +0100, Volker Kindermann <[EMAIL PROTECTED]> wrote:
> Hi Pat,
>
> > Is there any place I can find a good default ruleset for a server, and
> > just change what ports I want open?
>
> pf originates at openbsd. There you'll find lots of documentation, the
> pf-faq, and the (as always in the BSD world) excellent manpages.
>
> In addition there's the pf-repository at: https://solarflux.org/pf/
>
> And there are some books which include examples.
>
> > Also, I've noticed that some rulesets will have different flags and
> > keep state on for certain TCP ports, but not others. For example, at
> > https://www.section6.net/help/pf.php I found:
> > #WebServer, HTTPS, 8000
> > pass in on $extif proto tcp from any to any port 80 flags S/SA
> > pass in on $extif proto tcp from any to any port $tcp_services flags
> > S/SA synproxy state
> >
> > tcp_services is {22, 443}
> >
> > I don't understand why they use synproxy state for 22 and 443, but not 80
>
> Because synproxy as a security feature has a drawback: speed. Do you
> understand what synproxy does? It completes the three-way-handshake at
> the firewall first and only if this succeeds it forwards the connection
> to the (web)server. This takes some small amount of time.
>
> Acceptable with protocols like ssh and https but mostly unacceptable
> with http.
>
> -volker
Re: Configuring PF
Hi Pat,

> Is there any place I can find a good default ruleset for a server, and
> just change what ports I want open?

pf originates at openbsd. There you'll find lots of documentation, the
pf-faq, and the (as always in the BSD world) excellent manpages.

In addition there's the pf-repository at: https://solarflux.org/pf/

And there are some books which include examples.

> Also, I've noticed that some rulesets will have different flags and
> keep state on for certain TCP ports, but not others. For example, at
> https://www.section6.net/help/pf.php I found:
> #WebServer, HTTPS, 8000
> pass in on $extif proto tcp from any to any port 80 flags S/SA
> pass in on $extif proto tcp from any to any port $tcp_services flags
> S/SA synproxy state
>
> tcp_services is {22, 443}
>
> I don't understand why they use synproxy state for 22 and 443, but not 80

Because synproxy as a security feature has a drawback: speed. Do you
understand what synproxy does? It completes the three-way-handshake at
the firewall first and only if this succeeds it forwards the connection
to the (web)server. This takes some small amount of time.

Acceptable with protocols like ssh and https but mostly unacceptable
with http.

-volker
Re: Configuring PF
Is there any place I can find a good default ruleset for a server, and
just change what ports I want open?

Also, I've noticed that some rulesets will have different flags and
keep state on for certain TCP ports, but not others. For example, at
https://www.section6.net/help/pf.php I found:
#WebServer, HTTPS, 8000
pass in on $extif proto tcp from any to any port 80 flags S/SA
pass in on $extif proto tcp from any to any port $tcp_services flags
S/SA synproxy state

tcp_services is {22, 443}

I don't understand why they use synproxy state for 22 and 443, but not 80

On Mon, 14 Feb 2005 23:44:32 -0500, chip <[EMAIL PROTECTED]> wrote:
> > quickly see what's up. When PF is disabled, I can nmap it in about 9
> > seconds. When I turn it on, it takes over 3 minutes to do. These
> > machines are on the same network, so the connection is obviously fast.
>
> I believe this is because nmap is having to wait on the connections to
> time out. If you tell PF to 'reject' instead of 'drop' it may go a
> bit faster.
Re: Configuring PF
> quickly see what's up. When PF is disabled, I can nmap it in about 9
> seconds. When I turn it on, it takes over 3 minutes to do. These
> machines are on the same network, so the connection is obviously fast.

I believe this is because nmap is having to wait on the connections to
time out. If you tell PF to 'reject' instead of 'drop' it may go a
bit faster.

--
Just my $.02, your mileage may vary, batteries not included, etc
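As an added example that is not from any poster in this thread, the following pf.conf brings together Adriaan's single-default-deny skeleton, Volker's note on where synproxy is worth its handshake latency, and Loren's and chip's point about drop versus reject; it assumes fxp0 as the external interface and Pat's list of services, and the macro names are my own.

```pf
# --- Macros (fxp0 and the service list come from the thread; macro names are mine)
ext_if = "fxp0"
# ssh and https get synproxy; the extra handshake latency is acceptable there
synproxy_in = "{ ssh, https }"
# plain state tracking for the rest; http stays out of synproxy for speed
tcp_in = "{ ftp, smtp, domain, http, imap }"
udp_in = "{ domain }"

# --- Options
set loginterface $ext_if
# "return" answers blocked TCP with a RST and blocked UDP with an ICMP
# unreachable, so a verification scan from your own network finishes quickly
# and UDP ports show as closed instead of open|filtered. Once the ruleset is
# verified, switch to "drop" so unsolicited probes have to wait for timeouts.
set block-policy return
#set block-policy drop

# --- Traffic normalization
scrub in all

# --- Filter: one default deny is enough; per-protocol block rules are redundant.
# Packets blocked by a "log" rule go to pflog0; watch them with: tcpdump -eni pflog0
block log all

# --- Loopback
pass quick on lo0 all

# --- Incoming on the external interface (the first matching quick rule wins)
pass in quick on $ext_if inet proto tcp from any to $ext_if port $synproxy_in flags S/SA synproxy state
pass in quick on $ext_if inet proto tcp from any to $ext_if port $tcp_in flags S/SA keep state
# port 21 only covers the FTP control channel; data connections need
# ftp-proxy(8) or an explicit passive port range opened on the server.
pass in quick on $ext_if inet proto udp from any to $ext_if port $udp_in keep state
pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type echoreq keep state

# --- Outgoing: the server itself may initiate anything; replies ride on state
pass out quick on $ext_if from $ext_if to any keep state
```

Load it with pfctl -f and check the counters on the default deny with pfctl -vsr while you scan from a second host; once the intended ports are the only ones answering, flip block-policy to drop.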
Configuring PF
I want to install a firewall on my system. First of all, is PF the
one I should be using? It seems to get the most recommendations.

I don't actually seem to have any problems configuring it - I just
have some problems testing the configuration. I can ssh to the box,
and I can access port 80...but I'd like to be able to just scan it to
quickly see what's up. When PF is disabled, I can nmap it in about 9
seconds. When I turn it on, it takes over 3 minutes to do. These
machines are on the same network, so the connection is obviously fast.

Are there any good, pretty simple guides on setting up PF? I'm having
a tough time understanding what the rulesets all mean.