pf.conf settings

Discussion:

pf.conf settings

Lontronics Mailinglist account

2007-05-28 18:34:44 UTC

I want to use pf as firewall for my laptop.
It is connected wired and wireless, depending on the situation, but also to my own router/modem.

I have enabled pf and made a pf.conf which is looking like this:
#############################################
# $OpenBSD: PF firewall rules $

# scrub
scrub in all

# setup a default deny policy
block in all
block out all

antispoof for { bce0, wpi0 } inet

pass out on { bce0, wpi0 } proto tcp from any to any
pass out on { bce0, wpi0 } proto udp from any to any
pass out on { bce0, wpi0 } proto icmp from any to any
#############################################

I was wondering if there are defaults which are better then these.
For example the pass out lines with from any to any, could they be tightened more?
I have tried some settings but till now I did not manage to get it working with other settings then these.

Any help to make my pf settings more secure would be appreciated.

To be sure; I am running pf on my laptop, and there is no other computer connected to my laptop.

Jan

Lontronics Mailinglist account

2007-05-28 20:01:53 UTC

Permalink

Okay, found some stuff on the internet; this is it at the moment:

# $OpenBSD: PF firewall rules $

# ports: see /etc/services
# 21 = ftp
# 22 = ssh
# 25 = smtp
# 53 = domain
# 80 = www
# 110 = pop3
# 123 = ntp
# 631 = ipp (CUPS)
# 6667 = irc

tcp_pass = "{ 21 22 25 53 80 110 123 6667}"
udp_pass = "{ 53 110 }"

# scrub
scrub in all

# setup a default deny policy
block in all
block out all

antispoof for { bce0, wpi0 } inet

pass out on { bce0, wpi0 } proto tcp to any port $tcp_pass
pass out on { bce0, wpi0 } proto udp to any port $udp_pass

Post by Lontronics Mailinglist account
Any help to make my pf settings more secure would be appreciated.
To be sure; I am running pf on my laptop, and there is no other computer connected to my laptop.
Jan

Lontronics Mailinglist account

2007-05-28 21:27:46 UTC

Permalink

Okay, this should be it, any commends are appreciated.
The >1023 is used for ftp;

###########################################################

# $OpenBSD: PF firewall rules $

tcp_pass = "{ 21 22 25 53 80 110 123 >1023}"
udp_pass = "{ 53 110 }"

# scrub
scrub in all

# setup a default deny policy
block in all
block out all

antispoof for { bce0, wpi0 } inet

pass out on { bce0, wpi0 } proto tcp to any port $tcp_pass
pass out on { bce0, wpi0 } proto udp to any port $udp_pass

###########################################################

On Mon, 28 May 2007 22:01:53 +0200

Joachim Schipper

2007-05-29 15:14:09 UTC

Permalink

Post by Lontronics Mailinglist account
Okay, this should be it, any commends are appreciated.
The >1023 is used for ftp;

That is not the proper solution; use ftp-proxy, as documented in the
FAQ.

Post by Lontronics Mailinglist account
###########################################################
# $OpenBSD: PF firewall rules $
tcp_pass = "{ 21 22 25 53 80 110 123 >1023}"
udp_pass = "{ 53 110 }"

I'd recommend symbolic names for legibility:

tcp_pass = { ftp ssh smtp domain http pop3 }
udp_pass = { domain ntp }

I'm pretty certain you mean the above, by the way; NTP over TCP is about
as useful as POP3 over UDP...

Post by Lontronics Mailinglist account
# scrub
scrub in all

'scrub' is useful when using an OpenBSD machine as a firewall, as it
makes it far harder for attackers to get weird packets to machines with
badly-written TCP/IP stacks. However, the OpenBSD network stuff is
usually very good, and enabling scrub enables an attacker to attack far
more code (notably, the PF code as well). Plus it consumes some cycles.
Just skip it.

Post by Lontronics Mailinglist account
# setup a default deny policy
block in all
block out all

'block all'

Post by Lontronics Mailinglist account
antispoof for { bce0, wpi0 } inet
pass out on { bce0, wpi0 } proto tcp to any port $tcp_pass
pass out on { bce0, wpi0 } proto udp to any port $udp_pass

As noted, you should add icmp.

Also, if you are sure that you will never use IPv6, 'block inet6'.

You didn't post it, but you will want to add 'set skip lo0' at least.
Strange things happen when pf blocks everything on the loopback
interface...

Joachim

--
TFMotD: fingerd (8) - remote user information server

Lontronics Mailinglist account

2007-05-29 21:02:14 UTC

Permalink

Thanks Joachim and Woodchuck for your replies.

To be RFC compliant I will add icmp.
I will also add logging to check the output, can indeed be very helpfull.

I am not using ssh and dhcp, so I have blocked those ports

About 'block inet6'; I thought that 'block all' did that job?

I will also add 'set skip lo0'; good point!

Scrub is removed now because of the notes from Joachim.

I will add the ftp proxy too.

Thanks again, will post the result later for a last check.

Lontronics Mailinglist account

2007-05-30 21:59:07 UTC

Permalink

Sorry to bother again.

Still no luck with pf in combination with ftp-proxy.
A connection is made, but then it is blocked (getting no route to host):

Here is the output of gftp:

Looking up ftp.lontronics.nl
Trying ftp.lontronics.nl:21
Connected to ftp.lontronics.nl:21
220 Gene6 FTP Server v3.9.0 (Build 2) ready...
USER lontronics
331 Password required for lontronics.
PASS xxxx
230 User lontronics logged in.
SYST
215 UNIX Type: L8
TYPE I
200 Type set to I.
CWD /lontronics
550 CWD failed. "/lontronics" : no such file or directory.
PWD
257 "/" is current directory.
Loading directory listing / from server (LC_TIME=C)
PASV
227 Entering Passive Mode (195,8,208,48,81,216)
Cannot create a data connection: No route to host
Disconnecting from site ftp.lontronics.nl

I am running pf as firewall now with the following settings:

pf.conf:

# $OpenBSD: PF firewall rules $

# macros
# 6667 is used for irc
int_if = "{ bce0, wpi0 }"
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, ftp, sftp, pop3s, imap, imaps, https, 6667 }"
udp_services = "{ domain, ntp }"

# options
set block-policy drop
set skip on lo0

#Translation
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

antispoof for $int_if inet

# block all ipv6 and setup a default deny policy for ipv4
block inet6 all
block all

anchor "ftp-proxy/*"
pass out on $int_if proto tcp to any port $tcp_services
pass out on $int_if proto udp to any port $udp_services
pass out on $int_if inet proto icmp all icmp-type echoreq

inetd.conf:

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -US
ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -US

rc.conf.local:

pf=YES # enable pf firewall
pf_rules=/etc/pf.conf # use /etc/pf.conf for pf setttings
pflogd_flags=NO # disable logging on pf firewall

ftpproxy_flags="" # enable the internal ftp proxy

Any suggestions of what settings are wrong?

Any help would really be appreciated, because I did not find the info on the internet, news groups and forums

Jan.

Woodchuck

2007-05-28 21:20:28 UTC

Permalink

Post by Lontronics Mailinglist account
# $OpenBSD: PF firewall rules $
# ports: see /etc/services
# 21 = ftp
# 22 = ssh
# 25 = smtp
# 53 = domain
# 80 = www
# 110 = pop3
# 123 = ntp
# 631 = ipp (CUPS)
# 6667 = irc
tcp_pass = "{ 21 22 25 53 80 110 123 6667}"
udp_pass = "{ 53 110 }"
# scrub
scrub in all
# setup a default deny policy
block in all
block out all
antispoof for { bce0, wpi0 } inet
pass out on { bce0, wpi0 } proto tcp to any port $tcp_pass
pass out on { bce0, wpi0 } proto udp to any port $udp_pass

You may wish to add pass in and out rules for icmp, to be RFC compliant.

If you are passing to 80 outbound, you may want to also pass 443
(SSL, https).

You may wish to add "log" options to the block statements, particularly
the "out" -- if you are trying to pass packets that you have forbidden,
you probably want to know that, either to allow those packets, or to
wonder where they are coming from, going to, and why.

If you are going to be using pop and irc, you may wish to evalute
allowing inbound tcp on 113, the identd/auth service. (Also enabling
it in /etc/inetd.conf). Or not.

I wonder if this setup will allow you to do dhcp. Probably during
boot, (before it takes effect, when the rules in /etc/rc are active),
but afterwards, not. This might be an issue. I dunno how dhcp
communicates, don't use it myself.

But do try logging, maybe all packets at first, to familiarize
yourself with your normal network traffic. A tcpdump process
in a little xterm can be fascinating and make debugging a more
complicated pf setup easy or possible. I use

# /usr/sbin/tcpdump -n -e -ttt -i pflog0

to watch in realtime.

Dave

Rogier Krieger

2007-05-30 03:06:37 UTC

Permalink

Post by Woodchuck
I wonder if this setup will allow you to do dhcp. Probably during
boot, (before it takes effect, when the rules in /etc/rc are active),
but afterwards, not.

Typically, dhclient(8) uses the bpf(4) devices and is not troubled by
PF's ruleset. If I'm not mistaken, this behaviour is hinted at in the
man page.

Post by Woodchuck
This might be an issue. I dunno how dhcp communicates, don't use it myself.

If you're interested, you may want to see RFC 2131 and RFC 2132. In
short: DHCP uses UDP datagrams to/from ports 67 and 68.

Typically, conversations start with a discovery (broadcast by the
client). An active DHCP server may then provide a lease offer.
Normally, the client requests the address listed in the offer. If all
goes well, the server acknowledges the request.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.