From owner-freebsd-pf@FreeBSD.ORG Sat Jun 25 16:45:54 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F19516A41C; Sat, 25 Jun 2005 16:45:54 +0000 (GMT) (envelope-from terry@twopeasinabucket.com)
Received: from outbound1.mail.tds.net (outbound1.mail.tds.net [216.170.230.91]) by mx1.FreeBSD.org (Postfix) with ESMTP id 110C343D1F; Sat, 25 Jun 2005 16:45:53 +0000 (GMT) (envelope-from terry@twopeasinabucket.com)
Received: from tj (vrnawibas01-pool4-a241.vrnawi.tds.net [69.128.144.241]) by outbound1.mail.tds.net (8.13.4/8.12.2) with ESMTP id j5PGjoRb028520; Sat, 25 Jun 2005 11:45:50 -0500 (CDT)
Message-Id: <200506251645.j5PGjoRb028520@outbound1.mail.tds.net>
From: "Ninneman, TJ"
Date: Sat, 25 Jun 2005 11:45:50 -0500
Subject: Outbound SSH problem
List-Id: "Technical discussion and general questions about packet filter (pf)"

I'm having some trouble on both my 5.3 and 5.4 FreeBSD servers running PF. My ruleset explicitly blocks outbound ssh from my servers to prevent attacks on other servers in the event that one of my servers is compromised.

The problem is that I have noticed (after a few days of the server being up) my daily run output showing both TCP and UDP packets being dropped outbound:

    block drop out quick on em0 proto tcp from any to any port = ssh
      [ Evaluations: 437       Packets: 0         Bytes: 0           States: 0     ]
    block drop out quick on em0 proto udp from any to any port = ssh
      [ Evaluations: 1505      Packets: 0         Bytes: 0           States: 0     ]

My 5.3 server (the oldest I have at this location) used to show these blocked packets in the log but now doesn't, and my 5.4 machines never have. I only see them on the daily security run.

My question is, are my servers compromised or am I misreading the run output? I find it hard to believe that they are compromised, simply because on the latest server I set up every file system is mounted read-only, yet I still have this output. As you can imagine I'm pretty nervous about this and any help would be awesome!

Here is my pf.conf on an internal Samba server with external ssh access:

    ##### Initial Setup #####

    # Set up macros
    ext_if = "em0"
    ext_ip = "xxx.xxx.xxx.xxx"
    int_if = "em1"
    int_ip = "192.168.0.52"

    # Set block policy to drop
    set block-policy drop

    # Let's first scrub all incoming packets
    scrub in on $ext_if
    scrub in on $int_if

    # Set up a default deny policy for everything
    block log all

    # Pass traffic on the loopback interface in either direction
    pass quick on lo0 all

    # Set up tables for non-routable IPs, blacklisted IPs, and whitelisted IPs
    table const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
    table persist file "/etc/pf_blacklist"
    table persist file "/etc/pf_ext_whitelist"
    table persist file "/etc/pf_int_whitelist"

    ##### End Setup #####

    ##### Inbound - Internal Interface #####

    # Allow pings from internal network non-routable IPs
    pass in quick on $int_if inet proto icmp all icmp-type echoreq code 0 keep state

    # Allow inbound ssh
    pass in quick on $int_if proto tcp from to $int_ip port 22 flags S/SA synproxy state

    # Samba ports
    pass in quick on $int_if proto tcp from to $int_ip port { 139, 445 } keep state
    pass in quick on $int_if proto udp from to $int_ip port { 137, 138 } keep state

    ##### Outbound - Internal Interface #####

    # Allow out traffic to internal network non-routable IPs
    pass out quick on $int_if proto { tcp, udp, icmp } from $int_ip to keep state

    ##### Inbound - External Interface #####

    # Block bad IPs
    block in quick on $ext_if from to any
    block in quick on $ext_if from to any

    # Allow inbound SSH traffic (from approved IPs)
    pass in quick on $ext_if proto tcp from to $ext_ip port ssh flags S/SA synproxy state

    ##### Outbound - External Interface #####

    # Let's block port 22 outbound in the event we're compromised
    block out quick on $ext_if proto { tcp, udp } to any port 22

    # Allow outbound tcp, udp, and icmp traffic
    pass out quick on $ext_if proto { tcp, udp, icmp } all flags S/SA synproxy state

The whitelist files contain the approved internal and external IPs.
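The counters quoted in the post are the per-rule statistics pf prints (the same format as `pfctl -vsr`): Evaluations is how many times a packet was tested against the rule, while Packets and Bytes count only packets the rule actually matched. The following is an added example, not part of the original message: a small parser that pairs each rule with its counter line and separates block rules that matched traffic from rules that were merely evaluated. The sample input is constructed from the two lines in the post plus one made-up pass rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in pfctl -vsr layout. The two ssh block rules and their
# counters are the ones quoted in the post; the pass rule is made up.
SAMPLE_RULES = """\
block drop out quick on em0 proto tcp from any to any port = ssh
  [ Evaluations: 437       Packets: 0         Bytes: 0           States: 0     ]
block drop out quick on em0 proto udp from any to any port = ssh
  [ Evaluations: 1505      Packets: 0         Bytes: 0           States: 0     ]
pass out quick on em0 proto tcp all flags S/SA synproxy state
  [ Evaluations: 1505      Packets: 98211     Bytes: 74120331    States: 12    ]
"""

COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)

@dataclass
class RuleStats:
    rule: str
    evaluations: int
    packets: int
    byte_count: int
    states: int

def parse_rule_stats(text: str) -> List[RuleStats]:
    """Pair each rule with its counters. The counter block may sit on the
    indented line below the rule (pfctl -vsr) or on the rule's own line
    (as it appears when the report is pasted into a mail)."""
    out: List[RuleStats] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNTER_RE.search(line)
        if m is None:
            pending = line                      # a rule line; counters should follow
            continue
        rule = line[: m.start()].strip() or pending
        if rule is None:
            continue                            # counters with no rule: skip
        ev, pk, by, st = (int(x) for x in m.groups())
        out.append(RuleStats(rule, ev, pk, by, st))
        pending = None
    return out

def blocks_that_matched(stats: List[RuleStats]) -> List[RuleStats]:
    """Block rules with Packets > 0, i.e. rules that actually dropped traffic."""
    return [s for s in stats if s.rule.startswith("block") and s.packets > 0]

if __name__ == "__main__":
    for s in parse_rule_stats(SAMPLE_RULES):
        verdict = "MATCHED" if s.packets else "evaluated only"
        print(f"{verdict:>14}  ev={s.evaluations:<6} pk={s.packets:<6} {s.rule}")
```

Run against a real report, a block rule listed under "evaluated only" was consulted for traffic that some other rule ultimately handled; only rules in the MATCHED set dropped anything.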