From: Goran Tepšić
To: freebsd-pf@freebsd.org
Date: Tue, 7 Jun 2016 22:42:32 +0200
Subject: Re: Need someone to review my pf.conf
References: <20160607062857.GD37483@box-hlm-03.niklaas.eu>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hey Niklaas, thanks for the suggestions!

1. Do you think it works better than limiting malicious ssh attempts via PF? This way, everyone who does 5 bad logins during 60 sec gets added to the table and blocked for 24 hrs. How does sshguard work?

2. Will look into anchors but I'm not sure how this helps exactly. Care to elaborate please?

3. Currently postfix only does outgoing mail relaying to Google; I think I'll remove port 25 from the rules.

4. I can't block 80 and 443 as it would break the app server hosts. These ports are likely to be used in that botnet scenario but I just can't block these. Any suggestion on this?

5. Yes, IPv6 is disabled. Should I remove those IPv6 block rules from the config?

6. ssh in jails is necessary for app developers to be able to manage apps occasionally.

Thanks for the suggestions once again!
On Jun 7, 2016 8:29 AM, "Niklaas Baudet von Gersdorff" wrote:
> Goran Tepšić [2016-06-06 22:18 +0200] :
> > Hi, I would like someone more skilled than me to glance over my pf.conf I
> > compiled and possibly let me know if it can be secured/tightened further.
> > Here's the conf: http://sprunge.us/fCLH
>
> I'm not a professional, so take the following comments with a grain of salt. Maybe they spur further discussions that will be helpful.
>
> 1. You can think about using security/sshguard-pf for further protection.
>
> 2. You can think about using anchors for rules related to your jails. This way you can add/remove rules when jails start/stop. See http://www.openbsd.org/faq/pf/anchors.html, especially "Manipulating Anchors".
>
> 3. It seems you have a mail server running. Take a look at mail/spamd. I had issues using the greylisting feature for senders that use multiple SMTP servers (Google, Amazon, etc.), so I decided to use spamd for blocking only. Although there is some documentation in the FreeBSD handbook, you should read the man pages because the former doc seems old.
>
> 4. In general, it's not a good idea to pass out everything. Restrict it to what you really need. In case one of your jails gets hijacked it will be more difficult to use it for, e.g., a botnet.
>
> 5. You disable IPv6, right?
>
> 6. It seems you rdr additional ports for SSH to your jails. I'm not sure whether that is really necessary (depends on you). You can simply administer the jails from your jail host with jexec(8).
>
> Niklaas
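The pf.conf under review is not on the page, so the fragment below is an added example (not Goran's configuration and not anything Niklaas posted) that puts the three mechanisms discussed in the thread side by side: the SSH overload table from point 1, the jails anchor from point 2, and a restricted `pass out` instead of "pass out everything" from point 4. The interface name, jail network, table and anchor names are assumptions; note that pf's overload table counts connection attempts per source, not failed logins, which is what a log-watching tool such as sshguard-pf adds on top.

```pf
# Added example: interface, jail network, table and anchor names are assumed.
ext_if   = "em0"
jail_net = "10.0.0.0/24"

# Sources that open more than 5 SSH connections in 60 s land in <bruteforce>
# and have their existing states flushed. This counts connections, not bad
# logins; sshguard-pf can feed the same table from the auth log.
table <bruteforce> persist

set skip on lo0
scrub in all

# Per-jail NAT/rdr/filter rules live in sub-anchors that jail start/stop
# hooks load and flush with: pfctl -a jails/<name> -f <file>  /  -F rules
nat-anchor "jails/*"
rdr-anchor "jails/*"
anchor "jails/*"

block all
block in quick on $ext_if from <bruteforce>

pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <bruteforce> flush global)

# Web front ends that must stay reachable (points 4 of both mails).
pass in on $ext_if proto tcp to ($ext_if) port { http, https } keep state

# Instead of "pass out all": only what the host and jails actually need,
# so a hijacked jail cannot talk to arbitrary ports.
pass out on $ext_if proto { tcp, udp } to any port domain keep state
pass out on $ext_if proto udp to any port ntp keep state
pass out on $ext_if proto tcp to any port { http, https } keep state
# Outbound relay from the postfix jail to Google only (port assumed).
pass out on $ext_if proto tcp from $jail_net to any \
    port { smtp, submission } keep state
```

The table does not age entries by itself; the 24-hour block in point 1 comes from running `pfctl -t bruteforce -T expire 86400` periodically (for example from cron).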