= pf =
Packet Filter (`pf`) is a very powerful firewall software for BSDs.
`pf` is run as a service, while `pfctl` is the userland interface for controlling it.

== Basic PC Setup ==
For the most basic of use cases, this is perfect.
{{{
block in all
pass out all keep state
}}}
== Basic Server Setup ==
A server needs to be addressable by the external network. In order to minimize repetition, macros should be used to store the TCP and UDP ports that need to be opened.
{{{
tcp_services = "{ 22 53 80 443 }"
udp_services = "{ 53 }"
icmp_types = "echoreq"

# Basic inbound TCP rule
pass in inet proto tcp from any to any port $tcp_services flags S/SA keep state

# Basic inbound UDP rule
pass in inet proto udp from any to any port $udp_services keep state

# Basic ICMP ping rule
pass inet proto icmp all icmp-type $icmp_types keep state

# Basic outbound connections rule
pass out proto tcp all modulate state flags S/SA
pass out proto { udp, icmp } all keep state
}}}
If you have dedicated interfaces for internal and external networks, it becomes much simpler to create rules.
{{{
ext_if="xl0"
int_if="xl1"
localnet=$int_if:network

# hardened firewall
block drop in quick on $ext_if from $localnet to any
block drop out quick on $ext_if from any to $localnet

# hardened ICMP rules
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state
}}}
== Blocking Brute Force Attacks ==
Clients that attempt a high number of connections are often brute force attackers. `pf` can easily add such clients to a blacklisted table.
{{{
localnet = "{ 192.168.100.0/24 }"
tcp_services = "{ 22 }"

table <bruteforce> persist
block quick from <bruteforce>

pass inet proto tcp from any to $localnet port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
}}}
Entries in the `<bruteforce>` table can be cleared once they are older than an expiry time (in seconds) using `pfctl`.
{{{
pfctl -t bruteforce -T expire 86400
}}}
And this, of course, can be automated with a cron job.
== Common Issues ==
=== Cannot ping URLs ===
First, check whether the section below better describes your issue.
If the issue is specific to URLs, then DNS is being blocked. DNS uses port 53 over both TCP and UDP.
=== Cannot ping IP addresses ===
You likely are blocking ICMP protocol connections, chiefly the "echo request" message type.
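To make the two troubleshooting checks above mechanical, here is an added example (not part of this wiki page or of pf itself) that expands the macros of a pf.conf fragment and reports whether the Basic Server ruleset passes DNS on 53/tcp and 53/udp and ICMP echo requests. The sample ruleset is constructed from the server rules above; the checker is a deliberately simplified model that only looks at `pass` rules and ignores `block` rules, direction, `quick` and last-match ordering.

```python
import re

SERVER_CONF = """\
tcp_services = "{ 22 53 80 443 }"
udp_services = "{ 53 }"
icmp_types = "echoreq"
pass in inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass in inet proto udp from any to any port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types keep state
"""  # constructed input: the page's Basic Server macros and inbound rules

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?(.*?)"?$')

def _expand(text, macros):
    # Replace $name with its macro value; unknown macros are left untouched.
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)

def expand_macros(conf):
    """Split a pf.conf fragment into macro definitions and macro-expanded rules."""
    macros, rules = {}, []
    for line in conf.splitlines():
        line = line.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = _expand(m.group(2), macros)
        else:
            rules.append(_expand(line, macros))
    return macros, rules

def _field(rule, keyword):
    """Value(s) after `keyword` in a rule as a set; handles { a, b } lists."""
    m = re.search(r'\b' + keyword + r'\s+(\{[^}]*\}|\S+)', rule)
    return set(m.group(1).strip('{}').replace(',', ' ').split()) if m else set()

def allows(rules, proto, port=None, icmp_type=None):
    """True if some pass rule names proto and, when given, the port / icmp-type.
    Simplified model: block rules, direction, quick and last-match are ignored."""
    return any(rule.startswith('pass') and proto in _field(rule, 'proto')
               and (port is None or str(port) in _field(rule, 'port'))
               and (icmp_type is None or icmp_type in _field(rule, 'icmp-type'))
               for rule in rules)

def diagnose(conf):
    """Check the page's two Common Issues: DNS on 53/tcp+udp and ICMP echoreq."""
    _, rules = expand_macros(conf)
    return {'dns_tcp_53': allows(rules, 'tcp', port=53),
            'dns_udp_53': allows(rules, 'udp', port=53),
            'icmp_echoreq': allows(rules, 'icmp', icmp_type='echoreq')}
```

Running `diagnose(SERVER_CONF)` returns all three checks as True; dropping 53 from `udp_services` flips `dns_udp_53` to False, which is the "cannot ping URLs" symptom described above.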