From: Niklaas Baudet von Gersdorff <stdin@niklaas.eu>
To: freebsd-pf@freebsd.org
Subject: Re: Need someone to review my pf.conf
Date: Tue, 7 Jun 2016 08:28:57 +0200
Message-ID: <20160607062857.GD37483@box-hlm-03.niklaas.eu>
User-Agent: Mutt/1.5.24 (2015-08-30)
List-Id: "Technical discussion and general questions about packet filter (pf)"

Goran Tepšić [2016-06-06 22:18 +0200] :
> Hi, I would like someone more skilled than me to glance over my pf.conf I
> compiled and possibly let me know if it can be secured/tightened further.
> Here's the conf: http://sprunge.us/fCLH

I'm not a professional, so take the following comments with a grain of salt.
Maybe they spur further discussions that will be helpful.

1. You can think about using security/sshguard-pf for further protection.

2. You can think about using anchors for rules related to your jails. This
   way you can add/remove rules when jails start/stop. See
   http://www.openbsd.org/faq/pf/anchors.html, especially "Manipulating
   Anchors".

3. It seems you have a mail server running. Take a look at mail/spamd. I had
   issues using the greylisting feature for senders that use multiple SMTP
   servers (Google, Amazon, etc.), so I decided to use spamd for blocking
   only. Although there is some documentation in the FreeBSD handbook, you
   should read the man pages because the former doc seems old.

4. In general, it's not a good idea to pass out everything. Restrict it to
   what you really need. In case one of your jails gets hijacked it will be
   more difficult to use it for, e.g., a botnet.

5. You disable IPv6, right?

6. It seems you rdr additional ports for SSH to your jails. I'm not sure
   whether that is really necessary (depends on you). You can simply
   administer the jails from your jail host with jexec(8).

Niklaas