Topic: FreeBSD and PF

Hello!

A few days ago I decided to write (reorganize) my rules in PF. Since I am more or less new to PF, I would ask you to quickly check whether everything is OK or what is missing, what would be wise to add. (Until now I have been using ipfw.)

### macro name for the external interface
ext_if = "bge0"

### options must come before normalization and filter rules; pfctl rejects
### the whole file with a rule-order error if "set" follows "scrub"
set skip on lo0

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled
scrub in on $ext_if all fragment reassemble

### set a default deny everything policy.
block log all
antispoof for $ext_if inet

### block anything coming from sources that we have no back routes for.
block in from no-route to any

### block packets that fail a reverse path check. we look up the routing
### table, check to make sure that the outbound is the same as the source
### it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any

### drop broadcast requests quietly.
# block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### blacklist of IP addresses; dropped here, before any "pass ... quick"
### rule further down can match them (quick rules are first-match)
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
block drop in log (all) quick on $ext_if from <blockedips> to any

### keep state on any outbound tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### the IPs below are let through the firewall
# pass quick in on $ext_if from XXX.XXX.XXX.XXX to any keep state

### the ports listed below stay open (21,22,25,80,...)
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

The rules more or less work... except that this line does not work OK:

### the ports listed below stay open (21,22,25,80,...)
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

Thank you in advance for your answers.

Re: FreeBSD and PF

What purpose are these rules for? Which FreeBSD version are you using? (Feel free to write in Slovenian... I understand all of it, but it has been a long time since I actively used Slovenian, so I would rather not babble.)


Those who do not understand Unix are condemned to reinvent it, poorly.

Re: FreeBSD and PF

Hello Nightweaver,

I intend to use these rules on my server (http, ftp, mail, dns, ...), and I would run it on version 8.0.

Above all, thank you for making the effort to understand our language. (Although I know who is to blame for you starting to learn/understand it big_smile )

Re: FreeBSD and PF

OK. So, the rules basically work OK. I would reduce it a bit. My rules usually start with:

block in all
block out all

and I go on from there. smile As for these rules, maybe you could explain in a bit more detail what exactly you are aiming to achieve. Some rules you can reduce. For example:

pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

you can prettify into:

protos = "{ tcp udp }"
ports = "{ 22 80 443 }"
pass in quick on $ext_if proto $protos from any to $ext_if port $ports

I like to cram everything I can into macros. :D

There is no need for "flags S/SA keep state" because that is the default state in newer PF versions. For all the options available to you, I suggest you consult: http://www.openbsd.org/faq/pf/index.html

And who is to blame for my knowledge of Slovenian... a girl. wink


Those who do not understand Unix are condemned to reinvent it, poorly.

Re: FreeBSD and PF

Hm... that script of mine still does not obey me hmm

Instead of: pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
I used Nightweaver's lines...:
protos = "{ tcp udp }"
ports = "{ 22 80 443 }"
pass in quick on $ext_if proto $protos from any to $ext_if port $ports

But the port scanners say that all ports are still closed... hmm
It is also interesting... that my PF rules do not start at boot... only manually (pfctl -e...); is it possible that there is some error in the order?

I thought a girl was to blame for learning a new language smile smile smile
Understanding still goes somehow... it is harder to speak in a foreign language... at least for me :$ smile
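An added check, not code from this thread, for the rule-order question raised above: the posted ruleset puts "set skip" (an option) after "scrub" (normalization), and pfctl rejects such a file as a whole, leaving no ruleset loaded. The script classifies each line by its first keyword and reports rules that appear after a later section; the keyword table is a simplification assumed here, not pfctl's grammar, and the sample ruleset is a constructed excerpt.

```python
# pf.conf(5) requires rule sections in this order; macros, tables and comments
# may appear anywhere. pfctl rejects a file that breaks the order and loads
# nothing, one way to end up with no rules at boot.
SECTION_ORDER = ["options", "normalization", "queueing", "translation", "filter"]

# First keyword of a line -> section. Simplified (an assumption of this
# example); pfctl's real grammar is larger.
SECTION_OF = {"set": "options", "scrub": "normalization",
              "altq": "queueing", "queue": "queueing",
              "nat": "translation", "rdr": "translation", "binat": "translation",
              "pass": "filter", "block": "filter", "antispoof": "filter"}

def classify(line):
    """Section of a rule line, or None for blank/comment/macro/table lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return SECTION_OF.get(stripped.split(None, 1)[0])

def check_order(conf):
    """Return (line_no, text, message) for each rule that follows a rule from
    a later section; an empty list means pfctl's order check is satisfied."""
    violations = []
    highest = -1  # rank of the latest section seen so far
    for no, line in enumerate(conf.splitlines(), 1):
        section = classify(line)
        if section is None:
            continue
        rank = SECTION_ORDER.index(section)
        if rank < highest:
            violations.append((no, line.strip(), "%s rule after %s rules"
                               % (section, SECTION_ORDER[highest])))
        else:
            highest = rank
    return violations

# Constructed excerpt with the same ordering as the posted ruleset:
# "scrub" (normalization) comes before "set skip" (options).
POSTED_ORDER = """\
ext_if = "bge0"
scrub in on $ext_if all fragment reassemble
set skip on lo0
block log all
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
"""

if __name__ == "__main__":
    for no, text, msg in check_order(POSTED_ORDER):
        print("line %d: %s: %s" % (no, msg, text))
```

On a real system the authoritative check is `pfctl -nf /etc/pf.conf`, which parses the file without loading it; this script only explains why that check fails.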