Topic: /etc/pf.conf

amaron

/etc/pf.conf
« on: November 16, 2005, 06:24:39 pm »
How did you configure your firewall? I did mine based on the sample given on the site itself, for the gateway on my home network. I'd like to hear what more experienced admins recommend.
XIQUAL UDINBAK

Admin

« Reply #1 on: November 16, 2005, 08:20:59 pm »
Depends on what you need. :) I played around with the recommendation from the site that covers a small network. Actually, I blocked everything and then just made a few rules for access to my machine from the network, since I'm always online and people need to get into my SSH and Apache. :)

If it moves, crypt it. Unless it's static - then you should double-crypt it

Shadow

« Reply #2 on: February 15, 2006, 03:58:59 pm »
Could someone here post a configuration, or their pf config files, for ordinary home use? I use ipfw, but people say pf is better...
Well?
Every man has to find his own destiny.....
Just follow your heart and let it be.....
Soulfly, I Believe

Admin

« Reply #3 on: February 15, 2006, 04:35:11 pm »
Of course, here is the setup from a server I recently put together:

Code:
# Rules for XXXXX
ext_if="rl0"
services="{ 80, 21 }"
friends="{ 87.xxx.xxx.xxx }"

# scrub
scrub in

# filtering rules
# block everything coming in from outside to the server
block in log

# let everything that originates locally go out
pass out keep state
pass quick on lo0 all

# allowed inbound
# ($services are TCP services; the udp half of this rule opens nothing useful)
pass  in  on $ext_if proto { tcp, udp } from any to $ext_if port $services keep state
pass  out on $ext_if proto { tcp, udp } all keep state
pass  in  on $ext_if proto tcp from $friends to $ext_if port 10000 keep state
pass  in  on $ext_if proto { tcp, udp } from any to $ext_if port 53 keep state

# redirection (if it is ever needed)
#rdr pass on $ext_if proto tcp from any  to port 80
#       -> $ext_if port 80

# antispoof
antispoof quick for { lo $ext_if }
pass in on $ext_if proto tcp to ($ext_if) port $services keep state

# unprivileged ports opened by applications started on lo0 that use tcp
# (user proxy: only sockets owned by the proxy user, e.g. ftp-proxy, match)
pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state

My home settings are similar, though I haven't bothered with them too much since SBB blocks us anyway. :)


Zeleni_Obad

« Reply #4 on: March 12, 2006, 06:22:53 pm »
From the very beginning, through the obscure bits, all the way to the haiku, everything in brief:

http://www.bgnett.no/~peter/pf/en/index.html

:)

dragon

« Reply #5 on: May 08, 2006, 11:53:56 am »
You can also test this in this environment...
http://www.fwbuilder.org/archives/cat_man_fwb_pf.html

Zeleni_Obad

« Reply #6 on: September 28, 2006, 03:49:02 pm »
Daniel Hartmeier, the creator of pf, has added to his blog two of what he announced would be three articles that were supposed to appear in print, but, as it turns out, are ending up on the developer's blog :)

Excellent reading!

PF: Firewall Ruleset Optimization
PF: Testing Your Firewall

soxxx

« Reply #7 on: September 28, 2006, 07:59:39 pm »
I see that in the first article he mentions the downsides of stateful filtering (remember the question on IRC when I mentioned the limit of 10,000 entries?).

Very good; if I didn't have some work to do I'd translate this and put it on the Wiki... :(

Looking forward to the third installment... :)
The best way to learn UNIX is to play with it, and the harder you play, the more you learn.
If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD

Zeleni_Obad

« Reply #8 on: September 28, 2006, 08:43:36 pm »
Quote
Originally posted by soxxx
I see that in the first article he mentions the downsides of stateful filtering (remember the question on IRC when I mentioned the limit of 10,000 entries?).

Yup, now it's clearer to me what that was about... Be that as it may, yes, we're awaiting the third part, because the "serial" :) is great, and Hartmeier is not only an excellent hacker :) but, obviously, a good writer too: the article is readable, concise and interesting, and it demystifies things.

I'd hold off on translating, because, judging by how they're picking it apart over on Undeadly, after editing it will end up as part of the PF documentation... It's certainly worth reading right now.

soxxx

« Reply #9 on: September 29, 2006, 01:34:16 am »
Quote
Originally posted by Zeleni_Obad
yes, we're awaiting the third part, because the "serial" :) is great, and Hartmeier is not only an excellent hacker :) but, obviously, a good writer too: the article is readable, concise and interesting, and it demystifies things.

I'd hold off on translating, because, judging by how they're picking it apart over on Undeadly, after editing it will end up as part of the PF documentation... It's certainly worth reading right now.

I also liked the way it was written. That's why I thought it should be put on the Wiki, so that those who are a bit less comfortable with English can read these two articles too. ;)


UPDATE:

The third article has appeared:

Firewall Management

;):)


[Edited 29-9-2006 soxxx]

Oko

« Reply #10 on: May 14, 2009, 02:45:47 am »
I'm just copying my post from the Daemon forum, where I wanted to hear what other users think of the pf.conf written for my laptop. I've added a few quick and drop things in the meantime. I warn you that some block rules are duplicated, but this pf.conf should work for most users who want a somewhat tighter configuration. I warn you right away that things like irc, chat, network printing/scanning, ping, or even installing binary packages won't work. Compiling ports will work.
The rules are very easy to change so that ping, irc and some other services work.
Installing packages is completely non-trivial because it uses the ftp protocol, which uses port 21 to start the communication but then uses random ports for the file transfer. That requires using an ftp proxy, which requires inetd to be running. On my machine it is off by default as a security measure. My recommendation is to use ports to compile packages. For that you don't need ftp.

Code:
#########
## Macros      
#########

ext_if="rl0"
#int_if=" "

# note: "sftp" resolves via /etc/services to 115/tcp (Simple File Transfer),
# not to SSH file transfer, which already rides on the ssh port
tcp_services = "{ ssh, sftp, imap, imaps, smtp, 587, domain, ntp, www, https }"
udp_services = "{ domain, ntp }"


#########
## Tables
#########

#table persist


##########
## Options
##########

set require-order yes
set block-policy return
set optimization normal
set skip on lo
set loginterface $ext_if


########################
## Traffic normalization
########################

scrub in all random-id fragment reassemble
scrub out all random-id fragment reassemble


#######################
## Bandwidth management
#######################


##############
## Translation
##############


##############
## Redirection
##############

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr-anchor "relayd/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#anchor "relayd/*"


#######################################
## Packet filtering
## block and log everything by default
#######################################

block log all


# Make sure all packets are clean and sane
antispoof quick for { lo $ext_if }

# block anything coming from a source we have no route back to
block drop in quick from no-route to any

# block packets whose ingress interface does not match the one
# the route back to their source address
block drop in quick from urpf-failed to any

# block and log outgoing packets whose source is not our address;
# they are either spoofed or something is misconfigured (NAT disabled,
# for instance), we want to be nice and not send out garbage
# block out log quick on $ext_if from ! 157.161.48.183 to any

# silently drop broadcasts (cable modem noise)
block drop in quick on $ext_if from any to 255.255.255.255



# block and log incoming packets from reserved address space and invalid
# addresses,they are either spoofed or misconfigured, we cannot reply to
# them anyway (hence, no return-rst).
block drop in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
                          192.168.0.0/16, 255.255.255.255/32 } to any


####################################################
## Only allow outgoing services which are sensible..
####################################################

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
# pass out on $ext_if inet proto icmp all icmp-type 8 code 0

# UDP
# pass out certain UDP connections and keep state (DNS)
pass out on $ext_if proto udp to any port $udp_services

# TCP
# pass out certain TCP connections and keep state (SSH, SMTP, DNS)
pass out on $ext_if proto tcp to any port $tcp_services

#############################################
## DEBUG:
##  LOG Blocked Packets [uncomment above]:
##     block log all
##  VIEW LOG VIA:
##     tcpdump -n -e -ttt -i pflog0

### Theo's suggestions instead of pfstat
# systat pf 1
# and then use the right and left cursors to see additional
# interesting views
# this is also a good tool
# pfctl -s all


My favourite tool for pf is

Code:
systat pf 1

and then you move left/right with the arrow keys, which I learned personally from Theo.
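As an added example (not from the thread or from any of the posters), here is a small Python parser for what the `tcpdump -n -e -ttt -i pflog0` command above prints, run over a constructed sample in the shape of OpenBSD tcpdump's pflog output. The addresses, rule numbers and timestamps in the sample are made up (documentation ranges, not a real capture). A default `block in log` rule mostly records exactly this kind of probing, so the example also flags sources that hit many distinct ports.

```python
"""Summarise what 'block ... log' rules wrote to pflog, as seen through
'tcpdump -n -e -ttt -i pflog0'. Added example, not from the thread: it parses
constructed sample lines in the shape OpenBSD tcpdump prints for pflog and
flags sources that probed many different ports."""
import re
from collections import Counter, defaultdict

# Constructed sample, not a real capture. Addresses are from the documentation ranges.
SAMPLE = """\
Nov 16 20:21:33.100000 rule 0/(match) block in on rl0: 203.0.113.5.54321 > 198.51.100.10.22: S 100:100(0) win 65535 <mss 1460> (DF)
Nov 16 20:21:33.200000 rule 0/(match) block in on rl0: 203.0.113.5.54322 > 198.51.100.10.23: S 101:101(0) win 65535
Nov 16 20:21:33.300000 rule 0/(match) block in on rl0: 203.0.113.5.54323 > 198.51.100.10.135: S 102:102(0) win 65535
Nov 16 20:21:33.400000 rule 0/(match) block in on rl0: 203.0.113.5.54324 > 198.51.100.10.445: S 103:103(0) win 65535
Nov 16 20:21:33.500000 rule 0/(match) block in on rl0: 203.0.113.5.54325 > 198.51.100.10.3389: S 104:104(0) win 65535
Nov 16 20:21:34.000000 rule 0/(match) block in on rl0: 192.0.2.77.40000 > 198.51.100.10.33434: udp 32
Nov 16 20:21:35.000000 rule 0/(match) block in on rl0: 192.0.2.77 > 198.51.100.10: icmp: echo request
Nov 16 20:21:36.000000 rule 8/(match) pass in on rl0: 192.0.2.9.51000 > 198.51.100.10.80: S 105:105(0) win 65535
this line is not a pflog record and must be skipped
"""

# timestamp, pflog header (rule number, reason, action, direction, interface), then
# IPv4 endpoints with an optional .port suffix (ICMP has none), then the protocol text
LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$")


def parse_line(line):
    """Return one event dict, or None for lines that are not pflog records."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    rest = ev.pop("rest")
    ev["proto"] = "icmp" if rest.startswith("icmp") else "udp" if rest.startswith("udp") else "tcp"
    ev["rule"] = int(ev["rule"])
    for k in ("sport", "dport"):
        ev[k] = int(ev[k]) if ev[k] is not None else None
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def blocked_by_source(events):
    """Count inbound blocked packets per source address."""
    return Counter(ev["src"] for ev in events if ev["action"] == "block" and ev["dir"] == "in")


def scan_candidates(events, min_ports=5):
    """Sources whose blocked inbound packets hit at least min_ports distinct TCP/UDP ports."""
    ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "block" and ev["dir"] == "in" and ev["dport"] is not None:
            ports[ev["src"]].add(ev["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    events = parse_log(SAMPLE)
    print(blocked_by_source(events))
    print(scan_candidates(events))
```

To use it on a live box, pipe `tcpdump -n -e -ttt -i pflog0` (or `tcpdump -n -e -ttt -r /var/log/pflog`) into `parse_log`; the regex only knows IPv4 and the three protocols above, so extend it before trusting it on other traffic.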

Oko

« Reply #11 on: May 14, 2009, 04:54:55 am »
This is the pf.conf I gave SoXXX as a reply on the Daemon forum. Basically, the rules below are a bit simplified. You can use it for a laptop or a workstation attached directly to the Internet.

Code:
ext_if="rl0"

tcp_services = "{ ssh, sftp, imap, imaps, smtp, 587, domain, ntp, www, https }"
udp_services = "{ domain, ntp }"


set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble

# default deny: inbound gets a RST (tcp) or ICMP unreachable (udp) and is logged,
# outbound is dropped silently
block return in log all
block out all

antispoof quick for $ext_if

# outbound only to the listed services; replies come back through state
pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services
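Added example, not code from the thread: a toy model in Python of how pf evaluates the two rulesets posted here (Admin's server rules in Reply #3 and Oko's laptop rules just above). It encodes the rules in the order they were written, applies pf's "last matching rule wins, unless quick" semantics plus a state table, and then answers questions the posts raise in prose: whether port 10000 is reachable from someone other than $friends, why antispoof's quick block beats the later pass rule for a packet claiming our own address, and why irc and ping do not work under Oko's rules. The address of rl0 (198.51.100.10) and the stand-in for the redacted $friends entry (203.0.113.7) are assumptions; antispoof is reduced to its "packets claiming our own source address" part; `user proxy` and `set skip on lo` are not modelled.

```python
"""Toy model of pf rule evaluation, for the rulesets posted in this thread.
pf walks rules top to bottom and the LAST matching rule wins, unless a matching
rule has 'quick', which ends evaluation at once. A passed packet creates state
and later packets of that flow (either direction) skip the rules entirely."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

EXT = "198.51.100.10"   # assumed address of rl0 (documentation range, not in the thread)
FRIEND = "203.0.113.7"  # stand-in for the redacted 87.xxx.xxx.xxx in Admin's $friends

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: str = "any"            # "in", "out" or "any"
    iface: Optional[str] = None       # None = any interface
    proto: Optional[Set[str]] = None  # e.g. {"tcp", "udp"}; None = any
    src: Optional[List] = None        # list of ip_network; None = any
    dst: Optional[List] = None
    dport: Optional[Set[int]] = None  # destination ports; None = any
    quick: bool = False
    log: bool = False

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def nets(*cidrs):
    return [ip_network(c) for c in cidrs]

def _in(addr, networks):
    return networks is None or any(ip_address(addr) in n for n in networks)

def matches(rule, pkt):
    return (rule.direction in ("any", pkt.direction)
            and rule.iface in (None, pkt.iface)
            and (rule.proto is None or pkt.proto in rule.proto)
            and _in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)
            and (rule.dport is None or pkt.dport in rule.dport))

class PF:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # flow keys, stored in both directions

    def filter(self, pkt):
        """Return (verdict, index of the deciding rule or None on a state match, logged)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:
            return "pass", None, False
        verdict, idx, logged = "pass", None, False   # pf default when no rule matches
        for i, r in enumerate(self.rules):
            if matches(r, pkt):
                verdict, idx, logged = r.action, i, r.log
                if r.quick:
                    break
        if verdict == "pass":   # pass rules keep state (the default since OpenBSD 4.1)
            self.states.add(key)
            self.states.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return verdict, idx, logged

ME = nets(EXT + "/32")

def admin_ruleset():
    """Admin's Reply #3 in posted order. antispoof is reduced to its 'block packets
    claiming our own address' expansion; the 'user proxy' rule is not modelled."""
    web = {80, 21}
    return PF([
        Rule("block", "in", log=True),                                  # block in log
        Rule("pass", "out"),                                            # pass out keep state
        Rule("pass", iface="lo0", quick=True),                          # pass quick on lo0 all
        Rule("pass", "in", "rl0", {"tcp", "udp"}, dst=ME, dport=web),
        Rule("pass", "out", "rl0", {"tcp", "udp"}),
        Rule("pass", "in", "rl0", {"tcp"}, nets(FRIEND + "/32"), ME, {10000}),
        Rule("pass", "in", "rl0", {"tcp", "udp"}, dst=ME, dport={53}),
        Rule("block", "in", src=ME, quick=True),                        # antispoof quick
        Rule("pass", "in", "rl0", {"tcp"}, dst=ME, dport=web),
    ])

def oko_ruleset():
    """Oko's Reply #11. Service names resolved as /etc/services does; note that
    'sftp' is 115/tcp there, not SSH file transfer. 'set skip on lo' is not modelled."""
    tcp = {22, 115, 143, 993, 25, 587, 53, 123, 80, 443}
    return PF([
        Rule("block", "in", log=True),                                  # block return in log all
        Rule("block", "out"),                                           # block out all
        Rule("block", "in", src=ME, quick=True),                        # antispoof quick for $ext_if
        Rule("pass", "out", "rl0", {"tcp"}, dport=tcp, quick=True),
        Rule("pass", "out", "rl0", {"udp"}, dport={53, 123}, quick=True),
    ])
```

Try it with, for instance, `admin_ruleset().filter(Packet("in", "rl0", "tcp", EXT, 40000, EXT, 80))`: the packet matches the early `block in log`, then the `pass ... port $services` rule, and would be passed by the last pass rule, but the `antispoof quick` block in between ends evaluation first, so it is dropped without being logged. Under `oko_ruleset()` an outbound tcp connection to port 6667 hits only `block out all`, which is the "irc won't work" from the post. The model is a reading aid for rule order, not a substitute for `pfctl -nf /etc/pf.conf` and `pfctl -s rules` on the real box.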