Date: Sat, 25 Jun 2005 11:45:50 -0500
From: "Ninneman, TJ" <terry@twopeasinabucket.com>
To: <freebsd-pf@freebsd.org>
Subject: Outbound SSH problem
Message-ID: <200506251645.j5PGjoRb028520@outbound1.mail.tds.net>
I'm having some trouble on both my 5.3 and 5.4 FreeBSD servers running PF. My ruleset explicitly blocks outbound ssh from my servers to prevent attacks on other servers in the event that one of my servers is compromised. The problem is that I have noticed (after a few days of the server being up) my daily run output showing both TCP and UDP packets being dropped outbound:

block drop out quick on em0 proto tcp from any to any port = ssh
  [ Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]
block drop out quick on em0 proto udp from any to any port = ssh
  [ Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]

My 5.3 server (the oldest I have at this location) used to show these blocked packets in the log but now doesn't, and my 5.4 machines never have. I only see them on the daily security run. My question is, are my servers compromised or am I misreading the run output? I find it hard to believe that they are compromised, simply because on the latest server I set up every file system is mounted read-only, yet I still have this output. As you can imagine, I'm pretty nervous about this and any help would be awesome!
Here is my pf.conf on an internal Samba server with external ssh access:

##### Initial Setup #####
# Setup Macros
ext_if = "em0"
ext_ip = "xxx.xxx.xxx.xxx"
int_if = "em1"
int_ip = "192.168.0.52"

# Set block policy to drop
set block-policy drop

# Let's first scrub all incoming packets
scrub in on $ext_if
scrub in on $int_if

# Set up a default deny policy for everything
block log all

# Pass traffic on the loopback interface in either direction
pass quick on lo0 all

# Set up tables for non-routable IPs, blacklisted IPs, and whitelisted IPs
table <rfc1918> const {192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}
table <blacklist> persist file "/etc/pf_blacklist"
table <ext_whitelist> persist file "/etc/pf_ext_whitelist"
table <int_whitelist> persist file "/etc/pf_int_whitelist"
##### End Setup #####

##### Inbound - Internal Interface #####
# Allow pings from internal network non-routable IPs
pass in quick on $int_if inet proto icmp all icmp-type echoreq code 0 keep state

# Allow inbound ssh
pass in quick on $int_if proto tcp from <int_whitelist> to $int_ip port 22 flags S/SA synproxy state

# Samba ports
pass in quick on $int_if proto tcp from <int_whitelist> to $int_ip port {139, 445} keep state
pass in quick on $int_if proto udp from <int_whitelist> to $int_ip port {137, 138} keep state

##### Outbound - Internal Interface #####
# Allow out traffic to internal network non-routable IPs
pass out quick on $int_if proto {tcp, udp, icmp} from $int_ip to <int_whitelist> keep state

##### Inbound - External Interface #####
# Block bad IPs
block in quick on $ext_if from <blacklist> to any
block in quick on $ext_if from <rfc1918> to any

# Allow inbound SSH traffic (from approved IPs)
pass in quick on $ext_if proto tcp from <ext_whitelist> to $ext_ip port ssh flags S/SA synproxy state

##### Outbound - External Interface #####
# Let's block port 22 outbound in the event we're compromised
block out quick on $ext_if proto {tcp, udp} to any port 22

# Allow outbound tcp, udp, and icmp traffic
pass out quick on $ext_if proto {tcp, udp, icmp} all flags S/SA synproxy state

The whitelist files contain the approved internal and external IPs.
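An added example, not part of the original post: a small parser for the per-rule counters the daily security run prints (the `[ Evaluations: ... Packets: ... ]` lines), separating rules that pf merely evaluated from rules that actually matched and dropped packets. The sample output below is constructed in that format; the numbers are made up.

```python
import re

# Constructed sample in the format of the daily security run output quoted
# above (pfctl -vsr style); the numbers are made up, not from a real host.
SAMPLE_OUTPUT = """\
block drop log all
  [ Evaluations: 1942      Packets: 12        Bytes: 720         States: 0     ]
block drop out quick on em0 proto tcp from any to any port = ssh
  [ Evaluations: 437       Packets: 0         Bytes: 0           States: 0     ]
block drop out quick on em0 proto udp from any to any port = ssh
  [ Evaluations: 1505      Packets: 0         Bytes: 0           States: 0     ]
pass out quick on em0 proto tcp all flags S/SA synproxy state
  [ Evaluations: 437       Packets: 30211     Bytes: 4019872     States: 3     ]
"""

COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)"
    r"\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)

def parse_rule_counters(text):
    """Return [(rule_text, counters)] from pfctl-style verbose rule output.
    Handles both the two-line layout and counters run onto the rule line.
    Evaluations = times pf considered the rule; Packets/Bytes = actual matches."""
    rules, pending = [], None
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if m is None:
            if line.strip():
                pending = line.strip()
            continue
        rule = line[:m.start()].strip() or pending
        ev, pk, by, st = (int(g) for g in m.groups())
        rules.append((rule, {"evaluations": ev, "packets": pk, "bytes": by, "states": st}))
        pending = None
    return rules

def matched_block_rules(text):
    """Block rules that really dropped traffic (Packets > 0): the ones worth
    investigating. A block rule with many Evaluations but zero Packets was only
    consulted for packets that ultimately matched some other rule."""
    return [r for r, c in parse_rule_counters(text)
            if r.startswith("block") and c["packets"] > 0]

def evaluated_but_unmatched(text):
    """Rules that were evaluated yet never matched a packet, like the outbound
    ssh blocks in the post: no packet to port 22 was ever dropped by them."""
    return [r for r, c in parse_rule_counters(text)
            if c["evaluations"] > 0 and c["packets"] == 0]
```

On a live host the same functions can be fed the output of `pfctl -vsr`; only rules returned by `matched_block_rules` correspond to packets that were actually dropped.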