Setup For Single Box
Between what I've studied on the OpenBSD PF FAQ pages, in Jacek Artymiak's
book, Building Firewalls with OpenBSD and PF, Second Edition (which I highly
recommend), in the pertinent man pages pf(4) and pf.conf(5), and in what I've
found using search engines and reading the OpenBSD mailing lists, I managed
to put together a rudimentary firewall for my OpenBSD box. I wanted to tighten
it down fairly well by default, then selectively choose exactly what I wanted to let
in. I had a fairly rough time of it, searching the internet for an example that
was close to what I needed, probably because I'm not the world's greatest searcher.
There are purists who would say it's not right to put up overly detailed examples,
that folks need to learn on their own, but I found that using some of the examples
I found and watching how they worked actually helped me. That being said, right or
wrong, I'm putting up an example of what I came up with. Here's what the firewall
attempts to accomplish:
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
# Macros
# interface to the outside world
ext_if="fxp0"
# trusted hosts on local area network
trusted = "{LAN Box IP address, LAN Box IP address}"
# just the windoze box on local area network
windoze = "{LAN Box IP address}"
# Tables
table <bruteforce> persist
# Added the following to Tables after running into problems with local
# boxes getting blocked when accessing this box too often, too quickly.
# They were getting caught by the bruteforce protection.
table <friends> persist { LAN Box IP address, LAN Box IP address }
# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none
set skip on lo0
# Normalize packets
scrub in all
scrub out all
# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block in log all
# Block all inbound connections to port 113 (auth)
# Return ICMP destination-unreachable
block return-icmp in quick on $ext_if proto tcp \
from any to $ext_if port auth
# Block brute force attackers
block quick from <bruteforce>
# OS fingerprinting to block external linux zombie boxes
block log quick on $ext_if proto tcp from any os "Linux" to port 22
# Pass out all connections sent from the host
pass out quick on $ext_if inet \
from ($ext_if) to any flags S/SA keep state
# Pass all connections originating from external
# hosts to port 22 (SSH) on this host.
# Waste some time for the Brute Forcers.
# Then trash 'em!
pass inet proto tcp from any to $ext_if port 22 \
flags S/SA keep state \
(max-src-conn 3, max-src-conn-rate 3/30, \
overload <bruteforce> flush global)
# Added the following to work with the friends entry in Tables.
pass inet proto tcp from <friends> to $ext_if port 22 \
flags S/SA keep state
# pass ntpd calls from local area network boxes
pass inet proto udp \
from $trusted to $ext_if port 123 \
keep state
# Pass all from LAN windows box to Samba.
# Ports 137, 138, 139, and 445.
pass inet proto tcp \
from $windoze \
to $ext_if port {137:139,445} \
flags S/SA keep state
# antispoof rule on the external interface
antispoof for $ext_if
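The reason local boxes ended up in <bruteforce> is the pair of limits on the SSH pass rule: max-src-conn-rate 3/30 trips on the fourth new connection from one source inside 30 seconds, even when each earlier session was closed cleanly, and overload ... flush global then puts the source in the table where the quick block rule catches everything after it. The <friends> rule fixes this because pf uses last-match semantics: for a friend both pass rules match, the later one has no overload option, so no source tracking is done. The following is an added example, not part of the page or of pf itself; it is a small Python model of that rule interaction over constructed sample traffic (the addresses, timings and the sliding-window rate count are my assumptions, as real pf computes the rate as a moving average):

```python
"""Toy model of pf's source-tracking overload for the SSH rules above.

Assumptions: a sliding window stands in for pf's moving-average rate
calculation; all addresses and timings below are constructed sample data.
"""
from collections import defaultdict, deque

# Limits copied from the pf.conf rule: max-src-conn 3, max-src-conn-rate 3/30
MAX_SRC_CONN = 3
RATE_CONNS, RATE_SECONDS = 3, 30


class SshGuard:
    """Tracks per-source SSH state the way 'block quick from <bruteforce>',
    the overload pass rule and the <friends> pass rule combine."""

    def __init__(self, friends=()):
        self.friends = set(friends)        # table <friends>
        self.bruteforce = set()            # table <bruteforce>
        self.recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.states = defaultdict(int)     # src -> concurrent open states

    def new_connection(self, ts, src):
        """Verdict for a new SSH connection (SYN) from src at time ts."""
        # 'block quick from <bruteforce>' is evaluated first and is quick.
        if src in self.bruteforce:
            return "block"
        # A friend matches both pass rules; the later one (no overload) wins,
        # so no source tracking is applied to it.
        if src in self.friends:
            self.states[src] += 1
            return "pass"
        window = self.recent[src]
        while window and ts - window[0] >= RATE_SECONDS:
            window.popleft()               # forget SYNs older than the window
        window.append(ts)
        self.states[src] += 1
        if len(window) > RATE_CONNS or self.states[src] > MAX_SRC_CONN:
            # overload <bruteforce> flush global: table the source and kill
            # every state it currently holds.
            self.bruteforce.add(src)
            self.states[src] = 0
            window.clear()
            return "overload"
        return "pass"

    def close_connection(self, src):
        """A finished session releases one concurrent-state slot."""
        if self.states[src] > 0:
            self.states[src] -= 1


def replay(events, friends=()):
    """Feed (ts, src, kind) events in time order; return the verdict for
    each SYN and the final contents of <bruteforce>."""
    guard = SshGuard(friends)
    verdicts = []
    for ts, src, kind in sorted(events):
        if kind == "syn":
            verdicts.append(guard.new_connection(ts, src))
        else:
            guard.close_connection(src)
    return verdicts, sorted(guard.bruteforce)


# Constructed sample: a LAN box runs four quick scp jobs (each session is
# closed before the next starts) while 203.0.113.5 hammers the port.
LAN_BOX, SCANNER = "192.168.1.10", "203.0.113.5"
EVENTS = ([(t, LAN_BOX, "syn") for t in (0, 5, 10, 15)]
          + [(t + 1, LAN_BOX, "fin") for t in (0, 5, 10, 15)]
          + [(t, SCANNER, "syn") for t in (2, 3, 4, 6, 7)])


def without_friends():
    """Ruleset before the <friends> table was added."""
    return replay(EVENTS)


def with_friends():
    """Ruleset with the LAN box listed in <friends>."""
    return replay(EVENTS, friends={LAN_BOX})


if __name__ == "__main__":
    print("no <friends> table:  ", without_friends())
    print("with <friends> table:", with_friends())
```

Without the friends table the LAN box is tabled on its fourth scp of the half-minute, exactly the symptom described in the comments above; with it, only the scanner lands in <bruteforce>. On the real box the same thing can be watched and undone with pfctl: pfctl -t bruteforce -T show lists the trapped sources and pfctl -t bruteforce -T delete ADDRESS releases one, and pfctl -nf /etc/pf.conf syntax-checks the file before loading it.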
Bear in mind that I'm really just getting started with pf. If you see something you think
is wrong, could be improved on, or have a question, email me from the Contact Page or
leave a comment on the Blog Page and I'll get back to you on it, make changes on this
page, or take care of whatever it is. Hope this helps anyone looking to explore security
with pf.
No affiliation between this site and the OpenBSD project exists or is implied.