Date:      Sat, 25 Jun 2005 11:45:50 -0500
From:      "Ninneman, TJ" <terry@twopeasinabucket.com>
To:        <freebsd-pf@freebsd.org>
Subject:   Outbound SSH problem
Message-ID:  <200506251645.j5PGjoRb028520@outbound1.mail.tds.net>

I'm having some trouble on both my 5.3 and 5.4 FreeBSD servers running PF.
My ruleset explicitly blocks outbound ssh from my servers to prevent attacks
on other servers in the event that one of my servers is compromised.  The
problem is that I have noticed (after a few days of the server being up) my
daily run output showing both TCP and UDP packets being dropped outbound: 

block drop out quick on em0 proto tcp from any to any port = ssh [
Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]

block drop out quick on em0 proto udp from any to any port = ssh [
Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]

My 5.3 server (the oldest I have at this location) used to show these
blocked packets in the log but now doesn't and my 5.4 machines never have.
I only see them on the daily security run.  

My question is, are my servers compromised or am I misreading the run
output?  I find it hard to believe that they are compromised simply because
on the latest server I set up, every file system is mounted read-only yet I
still have this output.  As you can imagine I'm pretty nervous about this
and any help would be awesome!

Here is my pf.conf on an internal Samba server with external ssh access:

##### Initial Setup #####

#Setup macros
ext_if = "em0"
ext_ip = "xxx.xxx.xxx.xxx"
int_if = "em1"
int_ip = "192.168.0.52"

#Set block policy to drop
set block-policy drop

#Let's first scrub all incoming packets
scrub in on $ext_if
scrub in on $int_if

#Set up a default deny policy for everything
block log all

#Pass traffic on the loopback interface in either direction
pass quick on lo0 all

#Set up tables for non-routable IPs, blacklisted IPs, and whitelisted IPs
table <rfc1918> const {192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}
table <blacklist> persist file "/etc/pf_blacklist"
table <ext_whitelist> persist file "/etc/pf_ext_whitelist"
table <int_whitelist> persist file "/etc/pf_int_whitelist"

##### End Setup #####


##### Inbound - Internal Interface #####

#Allow pings from internal network non-routable IPs
pass in quick on $int_if inet proto icmp all icmp-type echoreq code 0 keep state

#Allow inbound ssh
pass in quick on $int_if proto tcp from <int_whitelist> to $int_ip port 22 flags S/SA synproxy state

#Samba ports
pass in quick on $int_if proto tcp from <int_whitelist> to $int_ip port {139, 445} keep state
pass in quick on $int_if proto udp from <int_whitelist> to $int_ip port {137, 138} keep state


##### Outbound - Internal Interface #####

#Allow out traffic to internal network non-routable IPs
pass out quick on $int_if proto {tcp, udp, icmp} from $int_ip to <int_whitelist> keep state


##### Inbound - External Interface #####

#Block bad IPs
block in quick on $ext_if from <blacklist> to any
block in quick on $ext_if from <rfc1918> to any

#Allow inbound SSH traffic (from approved IPs)
pass in quick on $ext_if proto tcp from <ext_whitelist> to $ext_ip port ssh flags S/SA synproxy state


##### Outbound - External Interface #####

#Let's block port 22 outbound in the event we're compromised
block out quick on $ext_if proto {tcp, udp} to any port 22

#Allow outbound tcp, udp, and icmp traffic
pass out quick on $ext_if proto {tcp, udp, icmp} all flags S/SA synproxy state

The whitelist files contain the approved internal and external IPs.
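A way to read those counters mechanically, as an added example that is not part of the original message: the script parses `pfctl -vsr`-style rule statistics and reports only the block rules whose Packets counter is non-zero, since Evaluations records how often PF considered a rule while walking the ruleset, not how often the rule matched. The sample input is constructed from the two counters quoted above plus an invented blacklist rule with a hit; the line-wrapped form from the daily run mail is handled as well.

```python
import re

# Constructed sample in the shape of `pfctl -vsr` output. The first two rules
# carry the counters quoted in the mail; the third is invented to show a hit.
SAMPLE = """\
block drop out quick on em0 proto tcp from any to any port = ssh
  [ Evaluations: 437       Packets: 0         Bytes: 0           States: 0     ]
block drop out quick on em0 proto udp from any to any port = ssh
  [ Evaluations: 1505      Packets: 0         Bytes: 0           States: 0     ]
block drop in quick on em0 from <blacklist> to any
  [ Evaluations: 1505      Packets: 12        Bytes: 720         States: 0     ]
"""

# The same two rules as they appear line-wrapped in the daily run mail.
WRAPPED = """\
block drop out quick on em0 proto tcp from any to any port = ssh [
Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]

block drop out quick on em0 proto udp from any to any port = ssh [
Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]
"""

STATS_RE = re.compile(
    r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")


def parse_rule_stats(text):
    """Pair each rule with the counter line after it. Evaluations counts how
    often PF considered the rule; Packets counts what it actually matched
    (for a block rule, what it dropped)."""
    rules, rule_text = [], None
    for line in text.splitlines():
        m = STATS_RE.search(line)
        if m and rule_text is not None:
            ev, pk, by, st = (int(g) for g in m.groups())
            rules.append({"rule": rule_text, "evaluations": ev,
                          "packets": pk, "bytes": by, "states": st})
            rule_text = None
        elif line.strip():
            # Drop the trailing "[" left on the rule line by mail wrapping.
            rule_text = line.rstrip().rstrip("[").rstrip()
    return rules


def matched_block_rules(stats):
    """Only block rules with a non-zero Packets counter dropped anything."""
    return [r for r in stats
            if r["rule"].startswith("block") and r["packets"] > 0]
```

Running it against the counters from the mail returns no matched block rules: the outbound ssh rules were evaluated 437 and 1505 times but dropped nothing.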