From owner-freebsd-stable@FreeBSD.ORG  Sat May 24 05:31:58 2014
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 8C21EBB4
 for <freebsd-stable@freebsd.org>; Sat, 24 May 2014 05:31:58 +0000 (UTC)
Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com
 [IPv6:2a00:1450:400c:c00::229])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 281E52B47
 for <freebsd-stable@freebsd.org>; Sat, 24 May 2014 05:31:58 +0000 (UTC)
Received: by mail-wg0-f41.google.com with SMTP id z12so5658480wgg.12
 for <freebsd-stable@freebsd.org>; Fri, 23 May 2014 22:31:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:reply-to:in-reply-to:references:date:message-id
 :subject:from:to:cc:content-type;
 bh=YqGYi3Nhwba6ADrJBLo0GklHU+RPK+ueLDBoO7rtJFM=;
 b=uvizEi39Yd4afZr19jrnC+EVyYhDys/TYcrBLIMoYd0AmI8zeuXaYZAUJfOy4oAB1X
 3pet+O169d9qmCKzV3CdsrtjpcpNoQhf/0LmJW+3GvkUrSXGDw7CQL5X+CdUDxdLtLze
 8bshpzUc+eo+SvSzA8rGLNj0gjnZBiQkVtzvsSfb3rS4r3PYCzbIKIPNclsluvolqQ1Z
 jsm4Ic3N38XGwHtTLV4L63AyPQkXLsboz5+YsxgSu/TL38G+umN8MSv/jSWN+FJ/GWvu
 /vy0CzOUpCEiLyej9G/AdW3PWq4VDpK2wQTostwCNBWiPh6Uef06Q54LhPh+qB6nNSvK
 6qjQ==
MIME-Version: 1.0
X-Received: by 10.180.211.106 with SMTP id nb10mr8199194wic.9.1400909516371;
 Fri, 23 May 2014 22:31:56 -0700 (PDT)
Received: by 10.217.43.194 with HTTP; Fri, 23 May 2014 22:31:56 -0700 (PDT)
Reply-To: David.I.Noel@gmail.com
In-Reply-To: <CAHAXwYAZzFdqsEjA3xApZXaSZHaJR2R8XHds_aZDBcaRCGxNpQ@mail.gmail.com>
References: <20140520070926.GA92183@The.ie>
 <CAHAXwYAZzFdqsEjA3xApZXaSZHaJR2R8XHds_aZDBcaRCGxNpQ@mail.gmail.com>
Date: Sat, 24 May 2014 00:31:56 -0500
Message-ID: <CAHAXwYCi+qRmCfY1FKCXXvnxDQW-Xn113yv-dLTBaC04Th9r6Q@mail.gmail.com>
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
From: David Noel <david.i.noel@gmail.com>
To: Lucius Rizzo <Lucius.Rizzo@the.ie>
Content-Type: text/plain; charset=UTF-8
Cc: freebsd-stable@freebsd.org
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 24 May 2014 05:31:58 -0000

On 5/23/14, David Noel <david.i.noel@gmail.com> wrote:
> On 5/20/14, Lucius Rizzo <Lucius.Rizzo@the.ie> wrote:
>> If you use any of the firewalls, and have interesting
>> or even optimized rule sets, I would really like to see them :)
>
> I'll post them shortly.
>

Let me know if I missed anything.

###########################
##        Macros         ##
###########################

ext_if="em0"
#jail_ips="{192.168.1.21,192.168.1.22,192.168.1.23,192.168.1.24}"
lan_ip="192.168.1.20"
lan_subnet="192.168.1.0/24"

###########################
##        Tables         ##
###########################

# set up abuse detection and prevention
# any host that hammers more than 3 connections in 5 seconds
# gets their packet states killed and address blackholed
#table <ssh_abuse> persist file "/var/db/pf.blacklist"

###########################
##        Options        ##
###########################

set fingerprints "/etc/pf.os"
set debug urgent
set block-policy drop

set skip on lo0

set limit frags 	5000 	# default
set limit src-nodes 	5000 	# default
set limit states	10000 	# default
set limit tables	1000 	# default
set limit table-entries	200000 	# default
set loginterface $ext_if
set optimization normal		# default
set ruleset-optimization basic	# default
set state-policy floating	# default
set timeout interval	10	# default
set timeout frag	30	# default
set timeout src.track	0	# default

###########################
## Traffic Normalization ##
###########################

# normalize and fragment all incoming traffic
# scrub in on $ext_if all fragment reassemble
scrub in on $ext_if all random-id fragment reassemble

###########################
##   Queueing Rules      ##
###########################

###########################
##   Translation Rules   ##
###########################

#nat on $ext_if inet proto { tcp, udp, icmp } from $jail_ips to
$lan_subnet -> $lan_ip
#nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
#nat on $ext_if from !($ext_if) to any -> 192.168.1.20
#nat pass on $ext_if from $lan_subnet to any -> 192.168.1.20
#nat on $ext_if from 192.168.1.21 to any -> 192.168.1.20

###########################
##   Packet Filtering    ##
###########################

# default to drop everything
#block in log all
block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

# block ipv6
#block drop in quick inet6 "default in deny ipv6 rule"
#block drop out quick inet6 label "default out deny ipv6 rule"

# enable antispoofing
antispoof log quick for $ext_if inet label "antispoof rule"

# block all if no back routes
block in log quick from no-route to any label "no-route rule"

# block all if reverse fails (probably spoofed)
block in log quick from urpf-failed to any label "reverse lookup
failed rule (probably spoofed)"

# drop broadcast requests quietly
block in log quick on $ext_if from any to 255.255.255.255

# block os-fingerprinting probes
# F=FIN,S=SYN,R=RST,P=PUSH,A=ACK,U=URG,E=ECE,W=CWR
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF

block in log quick on $ext_if proto tcp flags FUP/FUP
block in log quick on $ext_if from any os "NMAP" to any label "NMAP
scan block rule"

# keep state on any outbound tcp, udp, or icmp traffic
# modulate the isn (initial sequence number) of outgoing packets
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
## how to allow only certain outbound ports? is needed?

# allow inbound postgresql connections
#pass in on $ext_if proto {tcp,udp} from 192.168.1.20 to $ext_if port = 5432

# allow inbound ssh traffic with synproxy handshaking
#pass in log on $ext_if proto tcp from any to any port ssh flags S/SA
synproxy state

# allow inbound www traffic with synproxy handshaking
#pass in log on $ext_if proto tcp from any to any port www flags S/SA
synproxy state

# uses table defined above for blacklisting
#block in quick from <ssh_abuse>
#pass in on $ext_if proto tcp to any port {ssh,www} flags S/SA keep
state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse>
flush)