Revision as of 12:24, 15 June 2018
OpenBSD PF Firewall Script – /etc/pf.conf File
Category: Firewall. Last updated May 10, 2009.
The following script protects a colocated FreeBSD / OpenBSD / NetBSD server running the PF firewall. My box has 2 interfaces, one for VPN and the other for the public interface. I only run http, dns and ssh on the public port. Read the pf, rc.conf and pf.conf man pages for details. Tested on FreeBSD and OpenBSD. Sample /etc/pf.conf:
```
#### First declare a couple of variables ####
#### Outgoing tcp / udp ports ####
#### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data }"
udp_services = "{ domain, ntp }"
#### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
# define tables. add all subnets and ips to block
# (the file is read when the ruleset is loaded; "persist" keeps the table even when no rule references it)
table <blockedip> persist file "/etc/pf.block.ip.conf"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
## admin server ranges ###
adminrange = "112.220.11.0/23"
## connected to internet
ext_if = "em1"
## connected to vpn / lan
int_if = "em0"
## ftp proxy (disabled; uncomment together with the ftp-proxy anchors below)
#proxy = "127.0.0.1"
#proxyport = "8021"

## Options. "set skip" is a global option and is placed here, before any filter
## rule, so the file also parses on pfctl versions that enforce section order
## (options, normalization, queueing, translation, filtering).
## unlimited traffic for loopback and lan / vpn
set skip on { lo0, $int_if }

## Normalization
## scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all

## NAT and RDR start
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
## redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

## Drop incoming everything (default deny; pf is last-match, so the explicit
## "pass" rules further down are what open the few services we need)
block in all
block return
## keep state for outgoing connections
pass out keep state
## We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
## activate spoofing protection for all interfaces (reverse-path check)
block in quick from urpf-failed
## antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
## Block RFC 1918 and other unroutable (martian) addresses on the public interface, in both directions
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians
## Block all ips listed in the <blockedip> table
## inspect the live table with: pfctl -t blockedip -T show
block drop in log (all) quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>
## allow outgoing
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
## Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
## Allow admin to get into box
pass in on $int_if from $adminrange to any
## Allow incoming ssh, http, bind traffic
## (synproxy makes pf complete the TCP handshake itself before the connection reaches the daemon)
#pass in on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy modulate state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
```
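Added example, not part of the original post: a small POSIX sh helper for the `<blockedip>` table that the ruleset above persists from /etc/pf.block.ip.conf. It validates an address or CIDR before writing it (one malformed line in that file makes the next `pfctl -f` load fail), appends it once, pushes it into the live table with `pfctl -T add`, and reloads the ruleset only after a parse check. The function names and the BLOCKFILE override are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the original post): helpers for the <blockedip>
# table that the pf.conf above persists from /etc/pf.block.ip.conf.
# Function names and the BLOCKFILE override are assumptions made here.

BLOCKFILE="${BLOCKFILE:-/etc/pf.block.ip.conf}"

# is_cidr4 ADDR: succeed only for a dotted-quad IPv4 address with an optional
# /0-32 prefix; hostnames, shell metacharacters and bad octets are rejected so
# a stray entry cannot make the next "pfctl -f" load fail.
is_cidr4() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac
    case "$1" in
        */*) ip=${1%/*}; pfx=${1#*/} ;;
        *)   ip=$1;      pfx=32 ;;
    esac
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] 2>/dev/null || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# block_add ADDR: append ADDR to the persist file (once) and, when pfctl is
# present, add it to the live table so it takes effect without a reload.
block_add() {
    is_cidr4 "$1" || { echo "block_add: refusing invalid address '$1'" >&2; return 1; }
    touch "$BLOCKFILE"
    grep -qxF "$1" "$BLOCKFILE" && return 0
    printf '%s\n' "$1" >> "$BLOCKFILE"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t blockedip -T add "$1"   # same table name as in pf.conf
    fi
}

# block_count: number of entries in the persist file.
block_count() {
    [ -f "$BLOCKFILE" ] || { echo 0; return; }
    wc -l < "$BLOCKFILE" | tr -d ' '
}

# pf_reload [CONF]: parse-check first so a typo never leaves the box unfiltered.
pf_reload() {
    conf=${1:-/etc/pf.conf}
    pfctl -nf "$conf" && pfctl -f "$conf"
}
```

Run `block_add 203.0.113.7` as root on the firewall; the entry lands in the file and in the live table, and `pfctl -t blockedip -T show` confirms it.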