Date: Sat, 24 May 2014 00:31:56 -0500
From: David Noel <david.i.noel@gmail.com>
To: Lucius Rizzo <Lucius.Rizzo@the.ie>
Cc: freebsd-stable@freebsd.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <CAHAXwYCi+qRmCfY1FKCXXvnxDQW-Xn113yv-dLTBaC04Th9r6Q@mail.gmail.com>
In-Reply-To: <CAHAXwYAZzFdqsEjA3xApZXaSZHaJR2R8XHds_aZDBcaRCGxNpQ@mail.gmail.com>
References: <20140520070926.GA92183@The.ie> <CAHAXwYAZzFdqsEjA3xApZXaSZHaJR2R8XHds_aZDBcaRCGxNpQ@mail.gmail.com>
On 5/23/14, David Noel <david.i.noel@gmail.com> wrote:
> On 5/20/14, Lucius Rizzo <Lucius.Rizzo@the.ie> wrote:
>> If you use any of the firewalls, and have interesting
>> or even optimized rule sets, I would really like to see them :)
>
> I'll post them shortly.

Let me know if I missed anything.

###########################
## Macros                ##
###########################
ext_if="em0"
#jail_ips="{192.168.1.21,192.168.1.22,192.168.1.23,192.168.1.24}"
lan_ip="192.168.1.20"
lan_subnet="192.168.1.0/24"

###########################
## Tables                ##
###########################
# set up abuse detection and prevention
# any host that hammers more than 3 connections in 5 seconds
# gets their packet states killed and address blackholed
#table <ssh_abuse> persist file "/var/db/pf.blacklist"

###########################
## Options               ##
###########################
set fingerprints "/etc/pf.os"
set debug urgent
set block-policy drop
set skip on lo0
set limit frags 5000                # default
set limit src-nodes 5000            # default
set limit states 10000              # default
set limit tables 1000               # default
set limit table-entries 200000      # default
set loginterface $ext_if
set optimization normal             # default
set ruleset-optimization basic      # default
set state-policy floating           # default
set timeout interval 10             # default
set timeout frag 30                 # default
set timeout src.track 0             # default

###########################
## Traffic Normalization ##
###########################
# normalize and fragment all incoming traffic
#scrub in on $ext_if all fragment reassemble
scrub in on $ext_if all random-id fragment reassemble

###########################
## Queueing Rules        ##
###########################

###########################
## Translation Rules     ##
###########################
#nat on $ext_if inet proto { tcp, udp, icmp } from $jail_ips to $lan_subnet -> $lan_ip
#nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
#nat on $ext_if from !($ext_if) to any -> 192.168.1.20
#nat pass on $ext_if from $lan_subnet to any -> 192.168.1.20
#nat on $ext_if from 192.168.1.21 to any -> 192.168.1.20

###########################
## Packet Filtering      ##
###########################
# default to drop everything
#block in log all
block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

# block ipv6
#block drop in quick inet6 label "default in deny ipv6 rule"
#block drop out quick inet6 label "default out deny ipv6 rule"

# enable antispoofing
antispoof log quick for $ext_if inet label "antispoof rule"

# block all if no back routes
block in log quick from no-route to any label "no-route rule"

# block all if reverse fails (probably spoofed)
block in log quick from urpf-failed to any label "reverse lookup failed rule (probably spoofed)"

# drop broadcast requests quietly
block in log quick on $ext_if from any to 255.255.255.255

# block os-fingerprinting probes
# F=FIN,S=SYN,R=RST,P=PUSH,A=ACK,U=URG,E=ECE,W=CWR
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF
block in log quick on $ext_if proto tcp flags FUP/FUP
block in log quick on $ext_if from any os "NMAP" to any label "NMAP scan block rule"

# keep state on any outbound tcp, udp, or icmp traffic
# modulate the isn (initial sequence number) of outgoing packets
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
## how to allow only certain outbound ports? is it needed?

# allow inbound postgresql connections
#pass in on $ext_if proto {tcp,udp} from 192.168.1.20 to $ext_if port = 5432

# allow inbound ssh traffic with synproxy handshaking
#pass in log on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

# allow inbound www traffic with synproxy handshaking
#pass in log on $ext_if proto tcp from any to any port www flags S/SA synproxy state

# uses table defined above for blacklisting
#block in quick from <ssh_abuse>
#pass in on $ext_if proto tcp to any port {ssh,www} flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
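The last (commented-out) pass rule is the "abuse detection" the Tables section refers to: `max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush`. The Python below is an added simulation of that source-tracking logic written for this page, not pf's own code nor anything from the poster's ruleset; the client addresses and timestamps are constructed, and pf's real rate tracking is a moving-average approximation rather than this exact sliding window.

```python
"""Simulation of pf's source tracking: max-src-conn, max-src-conn-rate,
overload <table> and flush. Added illustration, not pf's implementation."""
from collections import defaultdict, deque


class SourceTracker:
    def __init__(self, rate=3, window=5, max_conn=10):
        self.rate, self.window, self.max_conn = rate, window, max_conn
        self.recent = defaultdict(deque)  # src -> timestamps of recent new connections
        self.states = defaultdict(set)    # src -> ids of live states from that source
        self.overload = set()             # stand-in for the <ssh_abuse> table

    def new_connection(self, src, ts, conn_id):
        """Evaluate a new TCP connection; returns 'blocked', 'overload' or 'pass'."""
        if src in self.overload:
            return "blocked"              # "block in quick from <ssh_abuse>" wins
        q = self.recent[src]
        while q and ts - q[0] >= self.window:   # slide the 5-second window
            q.popleft()
        q.append(ts)
        too_fast = len(q) > self.rate             # more than 3 new connections in 5 s
        too_many = len(self.states[src]) >= self.max_conn  # 10 already open
        if too_fast or too_many:
            self.overload.add(src)                # overload <ssh_abuse>
            self.states[src].clear()              # flush: kill this source's states
            return "overload"
        self.states[src].add(conn_id)
        return "pass"

    def close_connection(self, src, conn_id):
        """A finished connection frees one of the source's max-src-conn slots."""
        self.states[src].discard(conn_id)


def demo():
    """Constructed traffic (addresses from RFC 5737): one polite client, one hammering."""
    t = SourceTracker()
    # 203.0.113.5 opens 3 connections in 5 s, then one more at t=6: the t=0 entry
    # has aged out of the window, so the client never exceeds the 3/5 rate.
    polite = [t.new_connection("203.0.113.5", ts, f"p{ts}") for ts in (0, 2, 4, 6)]
    # 198.51.100.9 opens 4 connections within 2 s: the 4th trips the rate limit,
    # lands the address in the table and flushes its 3 live states.
    hammer = [t.new_connection("198.51.100.9", ts, f"h{ts}") for ts in (10, 10, 11, 12)]
    # A later attempt from the hammering host is dropped by the table rule.
    later = t.new_connection("198.51.100.9", 60, "h60")
    return polite, hammer, later, sorted(t.overload), len(t.states["198.51.100.9"])
```

Entries added this way stay in the table until expired (for example by a periodic `pfctl -t ssh_abuse -T expire` job), which is why the posted ruleset backs the table with a persistent file.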