Date:      Tue, 7 Jun 2016 22:42:32 +0200
From:      Goran Tepšić <purpleritza@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: Need someone to review my pf.conf
Message-ID:  <CADLW%2Bu1mSZ1w2=_mBJ2gBgVmhLAutjKg-62ZEqAnDt5o0aTarA@mail.gmail.com>
In-Reply-To: <CADLW%2Bu0AXZKV7deuCBfNgPaHb4Xk9Xk8t9F49-zhafjOzzCRGg@mail.gmail.com>
References:  <CADLW%2Bu3uT%2B6ciTQmffq9D0A_07JPgvK5hCaVcHtS=Ngt2-bu3Q@mail.gmail.com> <20160607062857.GD37483@box-hlm-03.niklaas.eu> <CADLW%2Bu36fM5Hz-QGKiOP8_ccNf_S54LF0rfa3BSD9cYMs5Ze%2Bw@mail.gmail.com> <CADLW%2Bu0AXZKV7deuCBfNgPaHb4Xk9Xk8t9F49-zhafjOzzCRGg@mail.gmail.com>

Hey Niklaas, thanks for the suggestions!

1. Do you think it works better than limiting malicious ssh attempts via
PF? This way, everyone who does 5 bad logins during 60 sec gets added to the
table and blocked for 24 hrs. How does sshguard work?

2. Will look into anchors, but I'm not sure how this helps exactly. Care to
elaborate please?

3. Currently postfix only does outgoing mail relaying to google, I think
I'll remove port 25 from the rules.

4. I can't block 80 and 443 as it would break the app server hosts. These ports
are likely to be used in that botnet scenario, but I just can't block these.
Any suggestion on this?

5. Yes, IPv6 is disabled. Should I remove those IPv6 block rules from the
config?

6. ssh in jails is necessary for app developers to be able to manage apps
occasionally.

Thanks for suggestions once again!
On Jun 7, 2016 8:29 AM, "Niklaas Baudet von Gersdorff" <stdin@niklaas.eu>
wrote:

Goran Tepšić [2016-06-06 22:18 +0200] :

> Hi, I would like someone more skilled than me to glance over my pf.conf I
> compiled and possibly let me know if it can be secured/tightened further.
> Here's the conf: http://sprunge.us/fCLH

I'm not a professional, so take the following comments with a grain of
salt. Maybe they spur further discussions that will be helpful.

1. You can think about using security/sshguard-pf for further
   protection.

2. You can think about using anchors for rules related to your jails.
   This way you can add/remove rules when jails start/stop. See
   http://www.openbsd.org/faq/pf/anchors.html, especially "Manipulating
   Anchors".

3. It seems you have a mail server running. Take a look at mail/spamd.
   I had issues using the greylisting feature for senders that use
   multiple SMTP servers (Google, Amazon, etc.); so I decided to use
   spamd for blocking only. Although there is some documentation in
   the FreeBSD handbook, you should read the man pages because the
   former doc seems old.

4. In general, it's not a good idea to pass out everything. Restrict it
   to what you really need. In case one of your jails gets hijacked it
   will be more difficult to use it for, e.g., a botnet.

5. You disable IPv6, right?

6. It seems you rdr additional ports for SSH to your jails. I'm not sure
   whether that is really necessary (depends on you). You can simply
   administer the jails from your jail host with jexec(8).

    Niklaas
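The two mechanisms discussed in this thread (the 5-logins-in-60-seconds overload table, and anchors for per-jail rules) put together in one pf.conf fragment. This is an added example, not the pf.conf that was posted at the sprunge link; the interface name `em0`, the jail network `10.0.0.0/24`, the table name `bruteforce` and the anchor name `jails/*` are assumptions.

```pf
# Added example, not the poster's config. Interface and jail network are assumed.
ext_if   = "em0"
jail_net = "10.0.0.0/24"

# Offenders land here. 'persist' keeps the table across ruleset reloads even when empty.
table <bruteforce> persist

set skip on lo0
block in log on $ext_if

# Anything already in the table is dropped before any pass rule is evaluated.
block in quick on $ext_if from <bruteforce>

# More than 5 new SSH connections per 60 s from one source adds that source to
# <bruteforce> and tears down all of its existing states ('flush global').
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <bruteforce> flush global)

# Outbound: only what the host and jails need, instead of 'pass out all'.
# A hijacked jail then cannot reach arbitrary ports.
pass out on $ext_if proto udp to port 53
pass out on $ext_if proto tcp to port { 53 80 443 }
# Outbound mail relay only; the relay port (25 or 587) depends on the postfix setup.
pass out on $ext_if proto tcp from $jail_net to port { 25 587 }

# Per-jail rules live in sub-anchors, so one jail's rules can be loaded or
# flushed when that jail starts or stops, without reloading the whole ruleset.
anchor "jails/*"

# pf never ages table entries on its own. The 24 h ban comes from a cron job:
#   pfctl -t bruteforce -T expire 86400
# Loading / flushing one jail's anchor (run from the jail host):
#   pfctl -a jails/www -f /etc/pf.jails/www.conf
#   pfctl -a jails/www -F all
```

Entries can also be removed by hand with `pfctl -t bruteforce -T delete <address>`, and `pfctl -t bruteforce -T show` lists who is currently blocked.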
