Date:      Sat, 24 May 2014 00:31:56 -0500
From:      David Noel <david.i.noel@gmail.com>
To:        Lucius Rizzo <Lucius.Rizzo@the.ie>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID:  <CAHAXwYCi%2BqRmCfY1FKCXXvnxDQW-Xn113yv-dLTBaC04Th9r6Q@mail.gmail.com>
In-Reply-To: <CAHAXwYAZzFdqsEjA3xApZXaSZHaJR2R8XHds_aZDBcaRCGxNpQ@mail.gmail.com>
References:  <20140520070926.GA92183@The.ie> <CAHAXwYAZzFdqsEjA3xApZXaSZHaJR2R8XHds_aZDBcaRCGxNpQ@mail.gmail.com>

On 5/23/14, David Noel <david.i.noel@gmail.com> wrote:
> On 5/20/14, Lucius Rizzo <Lucius.Rizzo@the.ie> wrote:
>> If you use any of the firewalls, and have interesting
>> or even optimized rule sets, I would really like to see them :)
>
> I'll post them shortly.
>

Let me know if I missed anything.

###########################
##        Macros         ##
###########################

# external (and only filtered) interface; every "on $ext_if" rule below binds to it
ext_if="em0"
# jail addresses; referenced only by the disabled nat rule in the translation section
#jail_ips="{192.168.1.21,192.168.1.22,192.168.1.23,192.168.1.24}"
# lan_ip / lan_subnet are currently referenced only by commented-out nat rules;
# keep them in sync with the literal 192.168.1.20 addresses used further down
lan_ip="192.168.1.20"
lan_subnet="192.168.1.0/24"

###########################
##        Tables         ##
###########################

# set up abuse detection and prevention
# any host that hammers more than 3 connections in 5 seconds
# gets their packet states killed and address blackholed
# (the table is filled by the "overload <ssh_abuse>" option of the disabled
# pass rule at the end of the ruleset; "persist" keeps the table even while
# no active rule references it, "file" only seeds it at load time -- pf does
# not write overloaded addresses back to the file)
#table <ssh_abuse> persist file "/var/db/pf.blacklist"

###########################
##        Options        ##
###########################

# OS fingerprint database consulted by the os "NMAP" block rule further down
set fingerprints "/etc/pf.os"
# kernel log verbosity for pf itself
set debug urgent
# blocked packets are dropped silently (no TCP RST / ICMP unreachable is sent
# back) unless a rule says "return" explicitly
set block-policy drop

# loopback is exempt from filtering entirely, including the default deny below
set skip on lo0

# memory limits; the author marks these as the built-in defaults.
# "pfctl -si" counters show whether states/fragments are being refused
# because a limit was hit.
set limit frags 	5000 	# default
set limit src-nodes 	5000 	# default
set limit states	10000 	# default
set limit tables	1000 	# default
set limit table-entries	200000 	# default
# collect packet/byte statistics for this interface (reported by pfctl -si)
set loginterface $ext_if
set optimization normal		# default
set ruleset-optimization basic	# default
# states are not bound to the interface they were created on
set state-policy floating	# default
set timeout interval	10	# default
set timeout frag	30	# default
# source-tracking entries are removed as soon as their last state expires
set timeout src.track	0	# default

###########################
## Traffic Normalization ##
###########################

# reassemble fragmented inbound packets before filtering so the rules below
# only ever see whole packets; random-id rewrites the IPv4 identification
# field of packets that are not fragments.
# NOTE(review): random-id is normally applied on outbound scrub to hide the
# local host's predictable IP IDs -- on inbound traffic it only changes what
# this host sees; confirm this is intended (there is no "scrub out" rule).
# scrub in on $ext_if all fragment reassemble
scrub in on $ext_if all random-id fragment reassemble

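###########################
##   Queueing Rules      ##
###########################

# (no queueing rules defined)

###########################
##   Translation Rules   ##
###########################

# nat candidates, all disabled. The first rule had been split across two
# lines with the continuation left uncommented, which pfctl rejects as a
# syntax error; it is rejoined onto one line here.
# "($ext_if:0)" tracks the interface's first address dynamically, while the
# literal 192.168.1.20 variants must be edited whenever the address changes.
#nat on $ext_if inet proto { tcp, udp, icmp } from $jail_ips to $lan_subnet -> $lan_ip
#nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
#nat on $ext_if from !($ext_if) to any -> 192.168.1.20
#nat pass on $ext_if from $lan_subnet to any -> 192.168.1.20
#nat on $ext_if from 192.168.1.21 to any -> 192.168.1.20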

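###########################
##   Packet Filtering    ##
###########################

# default to drop everything, in both directions, and log it.
# pf is last-match: later pass rules override these two; rules marked
# "quick" stop evaluation immediately.
#block in log all
block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

# block ipv6 (disabled; the first rule was missing the "label" keyword).
# NOTE(review): the outbound pass rule further down has no "inet"
# restriction, so IPv6 tcp/udp egress is currently allowed while icmp6 is
# not; either enable these two rules or add "inet" to that pass rule if
# IPv6 is not used on this host.
#block drop in quick inet6 label "default in deny ipv6 rule"
#block drop out quick inet6 label "default out deny ipv6 rule"

# enable antispoofing: drop packets arriving on $ext_if that claim a source
# address belonging to $ext_if's own network (IPv4 only)
antispoof log quick for $ext_if inet label "antispoof rule"

# block all if no back routes
block in log quick from no-route to any label "no-route rule"

# block all if reverse path fails (probably spoofed)
# NOTE(review): urpf-failed is a strict reverse-path check and also drops
# legitimate traffic on hosts with asymmetric routing -- confirm routing is
# symmetric here. (Label rejoined onto one line; a string split across lines
# is a syntax error.)
block in log quick from urpf-failed to any label "reverse lookup failed rule (probably spoofed)"

# drop broadcast requests without responding ("quietly" refers to the
# block-policy; the rule is still logged)
block in log quick on $ext_if from any to 255.255.255.255

# block tcp segments with flag combinations no legitimate stack sends
# (typical of scanner probes). "flags a/b": flags in a must be set, the
# remaining flags listed in b must be clear.
# F=FIN,S=SYN,R=RST,P=PUSH,A=ACK,U=URG,E=ECE,W=CWR
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF	# only FIN,URG,PSH set
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF	# every flag set
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF	# SYN,RST,ACK,FIN,URG set
block in log quick on $ext_if proto tcp flags /WEUAPRSF	# no flags set at all
block in log quick on $ext_if proto tcp flags SR/SR	# SYN and RST together
block in log quick on $ext_if proto tcp flags SF/SF	# SYN and FIN together

block in log quick on $ext_if proto tcp flags FUP/FUP	# FIN,URG,PSH set, others unchecked
# passive os fingerprinting using the database from "set fingerprints" above;
# only TCP SYN packets carry a fingerprint, so this cannot match other probes
block in log quick on $ext_if from any os "NMAP" to any label "NMAP scan block rule"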

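# keep state on any outbound tcp, udp, or icmp traffic
# modulate the isn (initial sequence number) of outgoing packets
# (modulate state only affects tcp; for udp and icmp it behaves like keep state)
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
## how to allow only certain outbound ports? is needed?
## constructed example of a port-restricted replacement for the rule above;
## limiting egress bounds what a compromised jail or service can reach:
## pass out on $ext_if proto tcp from ($ext_if) to any port { 22, 53, 80, 443 } modulate state
## pass out on $ext_if proto udp from ($ext_if) to any port { 53, 123 } keep state

# allow inbound postgresql connections (disabled; 192.168.1.20 is $lan_ip)
#pass in on $ext_if proto {tcp,udp} from 192.168.1.20 to $ext_if port = 5432

# allow inbound ssh traffic with synproxy handshaking
# (pf completes the tcp handshake itself, so spoofed SYNs never reach the
# daemon; synproxy applies to tcp only. Rule rejoined onto one line: the
# "synproxy state" continuation was left uncommented, a syntax error.)
#pass in log on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

# allow inbound www traffic with synproxy handshaking
#pass in log on $ext_if proto tcp from any to any port www flags S/SA synproxy state

# uses table defined above for blacklisting
# max-src-conn 10      : at most 10 simultaneous states per source address
# max-src-conn-rate 3/5: more than 3 new connections in 5 seconds adds the
#                        source to <ssh_abuse>; "flush" kills that source's
#                        states created by this rule ("flush global" would
#                        kill all of its states)
# (rejoined onto one line; the state-options continuation was uncommented)
#block in quick from <ssh_abuse>
#pass in on $ext_if proto tcp to any port {ssh,www} flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)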


