Date: Wed, 8 Jun 2016 07:57:49 +0200
From: Niklaas Baudet von Gersdorff <stdin@niklaas.eu>
To: freebsd-pf@freebsd.org
Subject: Re: Need someone to review my pf.conf
Message-ID: <20160608055749.GA2050@box-hlm-03.niklaas.eu>
In-Reply-To: <CADLW%2Bu1mSZ1w2=_mBJ2gBgVmhLAutjKg-62ZEqAnDt5o0aTarA@mail.gmail.com>
References: <CADLW%2Bu3uT%2B6ciTQmffq9D0A_07JPgvK5hCaVcHtS=Ngt2-bu3Q@mail.gmail.com> <20160607062857.GD37483@box-hlm-03.niklaas.eu> <CADLW%2Bu36fM5Hz-QGKiOP8_ccNf_S54LF0rfa3BSD9cYMs5Ze%2Bw@mail.gmail.com> <CADLW%2Bu0AXZKV7deuCBfNgPaHb4Xk9Xk8t9F49-zhafjOzzCRGg@mail.gmail.com> <CADLW%2Bu1mSZ1w2=_mBJ2gBgVmhLAutjKg-62ZEqAnDt5o0aTarA@mail.gmail.com>
Goran Tepšić [2016-06-07 22:42 +0200] :

> 1. Do you think it works better than limiting malicious ssh attempts via
> PF? This way, everyone who does 5 bad logins during 60sec gets added to the
> table and blocked for 24hrs. How does sshguard work?

Well, actually your rules don't really check whether a connection was
followed by a successful login or not. The rule simply limits connection
*attempts*. Sshguard only bans those attempts *that failed* and it does so
very cleverly. Have a look here http://www.sshguard.net/ what sshguard can
and cannot do:

* it supports log message authentication
* it features touchiness and automatic blacklisting
* it supports IPv6 addressing natively
* it supports slick multiple-source monitoring
* it supports sophisticated whitelisting
* it recognizes many logging formats transparently
* it handles host names or addresses in log files natively
* it supports per-service and per-address blocking actions

> 2. Will look into anchors but I'm not sure how this helps exactly. Care to
> elaborate please?

The way you do it now your ports will remain open, independently from
whether your jails are running or not. With anchors you can add the
required rules when a jail starts, and remove them when a jail stops.

In my /etc/pf.conf I have:

--------------------8<--------------------
table <ns> persist
[...]
rdr-anchor "jails/*" on $ext_if to $ext_if
[...]
pass in proto { udp tcp } to <ns> port domain
-------------------->8--------------------

In my /etc/jail.conf I have e.g.,

--------------------8<--------------------
[...]
exec.prestart = "pfctl -t $class -T add $private_ip4 $private_ip6";
exec.prestop = "pfctl -t $class -T delete $private_ip4 $private_ip6";
[...]

ns1 {
    $network = 1;
    $id = 1;
    $class = "ns";
    exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $private_ip6' | pfctl -a 'jails/$name-ipv6' -f -";
    exec.poststart += "echo 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $private_ip4' | pfctl -a 'jails/$name-ipv4' -f -";
    exec.poststop += "pfctl -a jails/$name-ipv6 -F all";
    exec.poststop += "pfctl -a jails/$name-ipv4 -F all";
}
-------------------->8--------------------

So, each time jail ns1 starts its IP addresses are added to the relevant
table and the required rdr rules are added to an anchor. If I stop it the
firewall closes every connection that relates to that jail. Maybe this is a
bit paranoid. But this way I can simply transfer jails between different
hosts and the rules I need are added automagically.

> 3. Currently postfix only does outgoing mail relaying to google, I think
> I'll remove 25 port from rules.

If you only have outgoing connections (and since you have a `pass out all`
rule) you can remove `pass in ... port 25`, yes.

> 4. I can't block 80 and 443 as it would break apps server hosts. These ports
> are likely to be used in that botnet scenario but I just can't block these.
> Any suggestion on this?

Remember that it's only about outgoing connections that are *established*
by your app servers. Where do they need to establish connections to? For
regular www servers that I had in use, they only needed to connect to
pkg.freebsd.org for upgrading. So, what you can do is write a sh script that
`drill`s pkg.freebsd.org occasionally and adds the addresses to e.g.,
`<allowed>`. In your pf.conf you can add something like

    pass out on $jail_if proto tcp to <allowed> port 80

to limit connectivity of your jails.
To further improve and get around them connecting to pkg.freebsd.org you can
run your own poudriere instance on the host, mount_nullfs the package
repository to another jail "pkg" and only allow your "www" jails to connect
to "pkg". This highly depends on your setup and what your app servers are
doing. Just to give you some idea of what worked for me.

> 5. Yes, IPv6 is disabled. Should I remove those IPv6 block rules from
> config?

Depends on whether you need it or not. :-) I have

--------------------8<--------------------
pass on $ext_if inet6 proto ipv6-icmp all icmp6-type { 1 2 3 4 128 129 131 133 134 135 136 137 143 }
-------------------->8--------------------

which is necessary for IPv6 to work correctly. (Maybe one can limit the
rule even more but I haven't investigated this further yet.)

    Niklaas
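As an added example that is not part of the original mail: one way to write the `drill`-and-table script suggested for point 4, so that `pass out on $jail_if proto tcp to <allowed> port 80` only permits the jails to reach the current package mirror addresses. The script name, the `<allowed>` table name and the default host are assumptions, and the embedded drill output (with 192.0.2.x addresses) is constructed so the parsing can be exercised on a host without drill or pf.

```shell
#!/bin/sh
# Added example (not from the original mail): resolve pkg.freebsd.org with
# drill(1) and load its A records into the pf table <allowed>, replacing the
# previous contents so stale mirror addresses do not accumulate.

HOST="${1:-pkg.freebsd.org}"   # host to resolve (assumed default)
TABLE="${2:-allowed}"          # pf table to maintain (assumed name)

# Keep only A records from drill's ANSWER SECTION ("name TTL IN A addr"
# lines); CNAME/AAAA records and the following ";;" sections are skipped.
extract_a_records() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/                 { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == "A" { print $5 }
    '
}

# Constructed sample of drill output (documentation-range addresses) so the
# parsing can be tested where drill and pf are unavailable.
sample_drill_output() {
    printf '%s\n' \
        ';; QUESTION SECTION:' \
        ';; pkg.freebsd.org. IN A' \
        ';; ANSWER SECTION:' \
        'pkg.freebsd.org. 300 IN CNAME pkgmir.geo.freebsd.org.' \
        'pkgmir.geo.freebsd.org. 300 IN A 192.0.2.10' \
        'pkgmir.geo.freebsd.org. 300 IN A 192.0.2.11' \
        ';; AUTHORITY SECTION:' \
        'freebsd.org. 3600 IN NS ns1.example.'
}

# Print the resolved addresses, one per line (SAMPLE=1 uses the sample above).
resolve_addrs() {
    if [ "${SAMPLE:-0}" = 1 ]; then sample_drill_output; else drill "$HOST"; fi |
        extract_a_records
}

# Replace the table atomically; an empty answer leaves the table untouched
# rather than cutting the jails off because of a transient DNS failure.
update_table() {
    addrs=$(resolve_addrs)
    if [ -z "$addrs" ]; then
        echo "no A records for $HOST, leaving <$TABLE> unchanged" >&2; return 1
    fi
    pfctl -t "$TABLE" -T replace $addrs   # word splitting on newlines intended
}

# With a host argument the script updates the table; sourced without one,
# it only defines the functions.
if [ $# -gt 0 ]; then update_table; fi
```

Run it from cron on the host and keep `table <allowed> persist` in pf.conf so the table survives a ruleset reload.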