From owner-freebsd-stable@FreeBSD.ORG Sat May 24 05:31:58 2014
Date: Sat, 24 May 2014 00:31:56 -0500
References: <20140520070926.GA92183@The.ie>
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
From: David Noel
To: Lucius Rizzo
Cc: freebsd-stable@freebsd.org
List-Id: Production branch of FreeBSD source code

On 5/23/14, David Noel wrote:
> On 5/20/14, Lucius Rizzo wrote:
>> If you use any of the firewalls, and have interesting
>> or even optimized rule sets, I would really like to see them :)
>
> I'll post them shortly.

Let me know if I missed anything.

###########################
## Macros ##
###########################
ext_if="em0"
#jail_ips="{192.168.1.21,192.168.1.22,192.168.1.23,192.168.1.24}"
lan_ip="192.168.1.20"
lan_subnet="192.168.1.0/24"

###########################
## Tables ##
###########################
# set up abuse detection and prevention
# any host that hammers more than 3 connections in 5 seconds
# gets their packet states killed and address blackholed
# (the table name inside <...> was stripped by the list archive;
# <blacklist> is assumed here and in the two rules that reference it below)
#table <blacklist> persist file "/var/db/pf.blacklist"

###########################
## Options ##
###########################
set fingerprints "/etc/pf.os"
set debug urgent
set block-policy drop
set skip on lo0
set limit frags 5000             # default
set limit src-nodes 5000         # default
set limit states 10000           # default
set limit tables 1000            # default
set limit table-entries 200000   # default
set loginterface $ext_if
set optimization normal          # default
set ruleset-optimization basic   # default
set state-policy floating        # default
set timeout interval 10          # default
set timeout frag 30              # default
set timeout src.track 0          # default

###########################
## Traffic Normalization ##
###########################
# normalize and reassemble all incoming traffic on the external interface
#scrub in on $ext_if all fragment reassemble
scrub in on $ext_if all random-id fragment reassemble

###########################
## Queueing Rules ##
###########################

###########################
## Translation Rules ##
###########################
#nat on $ext_if inet proto { tcp, udp, icmp } from $jail_ips to $lan_subnet -> $lan_ip
#nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
#nat on $ext_if from !($ext_if) to any -> 192.168.1.20
#nat pass on $ext_if from $lan_subnet to any -> 192.168.1.20
#nat on $ext_if from 192.168.1.21 to any -> 192.168.1.20

###########################
## Packet Filtering ##
###########################
# default to drop everything, in both directions
#block in log all
block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

# block ipv6
#block drop in quick inet6 label "default in deny ipv6 rule"
#block drop out quick inet6 label "default out deny ipv6 rule"

# enable antispoofing
antispoof log quick for $ext_if inet label "antispoof rule"

# block if there is no route back to the source address
block in log quick from no-route to any label "no-route rule"

# block if the reverse-path (uRPF) check fails (probably spoofed)
block in log quick from urpf-failed to any label "reverse lookup failed rule (probably spoofed)"

# drop limited-broadcast requests
block in log quick on $ext_if from any to 255.255.255.255

# block os-fingerprinting probes
# F=FIN,S=SYN,R=RST,P=PUSH,A=ACK,U=URG,E=ECE,W=CWR
# flags <set>/<mask>: every flag in <set> must be on, every flag in <mask>
# but not in <set> must be off, flags outside <mask> are ignored
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF        # FIN+URG+PSH and nothing else (Xmas scan)
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF   # every flag set
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF      # SYN+RST+ACK+FIN+URG and nothing else
block in log quick on $ext_if proto tcp flags /WEUAPRSF           # no flags at all (NULL scan)
block in log quick on $ext_if proto tcp flags SR/SR               # SYN and RST together
block in log quick on $ext_if proto tcp flags SF/SF               # SYN and FIN together
block in log quick on $ext_if proto tcp flags FUP/FUP             # FIN+URG+PSH, whatever else is set
block in log quick on $ext_if from any os "NMAP" to any label "NMAP scan block rule"

# keep state on any outbound tcp, udp, or icmp traffic
# modulate the isn (initial sequence number) of outgoing tcp connections
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
## how to allow only certain outbound ports? is it needed?

# allow inbound postgresql connections
#pass in on $ext_if proto {tcp,udp} from 192.168.1.20 to $ext_if port = 5432

# allow inbound ssh traffic with synproxy handshaking
#pass in log on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

# allow inbound www traffic with synproxy handshaking
#pass in log on $ext_if proto tcp from any to any port www flags S/SA synproxy state

# uses table defined above for blacklisting
#block in quick from <blacklist>
#pass in on $ext_if proto tcp to any port {ssh,www} flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <blacklist> flush)
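Added example, not part of David Noel's message or of pf itself: a small Python simulator of the two per-source limits in the last rule of the ruleset above, max-src-conn 10 and max-src-conn-rate 3/5 with overload <blacklist> flush, replayed over a constructed connection log. It shows which source trips which limit and what ends up in the overload table. Assumptions: the table is called <blacklist> (the name is missing from the archived post), the rate limit is modelled as an exact sliding window (pf uses a moving-average estimate, so the exact packet that trips it can differ), and max-src-conn is counted against states this rule created rather than only fully established handshakes.

```python
"""Simulate pf's per-source state options
   keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <blacklist> flush)
over a constructed stream of connection events (example code, not pf's)."""
from collections import defaultdict, deque


class SourceLimiter:
    """Tracks per-source connection counts roughly the way pf's state options do."""

    def __init__(self, max_src_conn=10, rate_conns=3, rate_secs=5, flush=True):
        self.max_src_conn = max_src_conn   # max-src-conn
        self.rate_conns = rate_conns       # max-src-conn-rate <conns>/<secs>
        self.rate_secs = rate_secs
        self.flush = flush                 # overload <table> flush
        self.blacklist = set()             # stands in for the <blacklist> table
        self.states = defaultdict(set)     # src -> ids of states created by this rule
        self.recent = defaultdict(deque)   # src -> timestamps of recent new connections

    def _overload(self, src):
        """Add src to the overload table; with 'flush', kill its states too."""
        self.blacklist.add(src)
        if self.flush:
            self.states.pop(src, None)
        self.recent.pop(src, None)

    def new_conn(self, t, src, conn_id):
        """A new connection (SYN) from src at time t; returns the verdict."""
        if src in self.blacklist:
            # only effective if a 'block in quick from <blacklist>' rule exists
            return "blocked"
        win = self.recent[src]
        while win and t - win[0] >= self.rate_secs:   # drop timestamps outside the window
            win.popleft()
        win.append(t)
        if len(win) > self.rate_conns:                # more than 3 new conns in 5 s
            self._overload(src)
            return "overload-rate"
        if len(self.states[src]) >= self.max_src_conn:  # 11th concurrent connection
            self._overload(src)
            return "overload-conn"
        self.states[src].add(conn_id)
        return "pass"

    def close_conn(self, src, conn_id):
        """Connection closed (FIN/RST seen): its state goes away."""
        self.states[src].discard(conn_id)


def replay(events, **limits):
    """events: (t, 'syn'|'fin', src, conn_id), in time order.
    Returns ([(t, src, verdict), ...], sorted blacklist)."""
    lim = SourceLimiter(**limits)
    verdicts = []
    for t, kind, src, cid in events:
        if kind == "syn":
            verdicts.append((t, src, lim.new_conn(t, src, cid)))
        else:
            lim.close_conn(src, cid)
    return verdicts, sorted(lim.blacklist)


# Constructed sample log: a normal client, a host hammering 4 SYNs in 1.5 s
# (then trying again), and a host that opens 11 long-lived connections slowly
# enough to stay under the rate limit but not under max-src-conn.
SAMPLE_EVENTS = (
    [(0.0, "syn", "198.51.100.7", "a1"), (1.0, "syn", "198.51.100.7", "a2"),
     (2.0, "fin", "198.51.100.7", "a1")]
    + [(10.0 + 0.5 * i, "syn", "203.0.113.9", f"h{i}") for i in range(4)]
    + [(12.0, "syn", "203.0.113.9", "h9")]
    + [(30.0 + 3 * i, "syn", "192.0.2.33", f"s{i}") for i in range(11)]
    + [(70.0, "syn", "198.51.100.7", "a3")]
)


def verdicts_for(src, events=SAMPLE_EVENTS):
    """Verdicts for one source address, in event order."""
    verdicts, _ = replay(events)
    return [v for _, s, v in verdicts if s == src]


def blacklisted(events=SAMPLE_EVENTS):
    """Contents of the simulated <blacklist> table after the replay."""
    return replay(events)[1]


if __name__ == "__main__":
    for t, src, v in replay(SAMPLE_EVENTS)[0]:
        print(f"{t:6.1f}  {src:14}  {v}")
    print("blacklist:", blacklisted())
```

Two things the simulator makes visible that matter on a real box: an overload table does nothing by itself, so the commented-out "block in quick from <blacklist>" rule has to be active for blacklisted hosts to actually be dropped, and "flush" only kills the states created by that one rule (use "flush global" to kill every state from the offending source). Entries added by overload never expire on their own; inspect and age them with pfctl, e.g. "pfctl -t blacklist -T show" and a periodic "pfctl -t blacklist -T expire 86400", and check any edit to the ruleset with "pfctl -nf /etc/pf.conf" before loading it.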