Differences between revisions 2 and 5 (spanning 3 versions)
Revision 2 as of 2020-01-21 20:27:49
Size: 2539
Comment:
Revision 5 as of 2021-11-18 08:08:12
Size: 2544
Comment:
Deletions are marked with "-", additions with "+".

Line 1 (revision 2) / Line 1 (revision 5):
- = pf =
+ = Pf =

Line 3 / Line 3:
- '''Packet Filter''' ('''pf''') is a very powerful firewall software for BSDs.
+ The '''Berkeley Packet Filter''' ('''pf''') is a powerful firewall software found on BSD distros and coming soon to Linux distros.

Line 5 / Line 5:
- `pf` is run as a service, while `pfctl` is a userland interface.
+ `pf(4)` is run as a service, while `pfctl(8)` is a userland interface.
+
+ <<TableOfContents>>

Line 11 / Line 13:
- == Basic PC Setup ==
+ == Installation ==
+
+ The packet filter is a core component of OpenBSD and FreeBSD, so no installation is required. Bear in mind that FreeBSD's implementation has diverged from the upstream project.
+
+ ----
+
+ == Configuration ==

Line 20 / Line 30:
- ----
+ To check the configuration of `pf(4)`, run...
+
+ {{{
+ pfctl -nf /usr/local/etc/pf.conf
+ }}}

Line 24 / Line 38:
- == Basic Server Setup ==
+ === Basic Server Setup ===

Line 64 / Line 78:
- ----

Line 66 / Line 79:
- == Blocking Brute Force Attacks ==
+ === Blocking Brute Force Attacks ===

Line 67 / Line 81:
- Clients that attempt a high number of connections are often brute force attackers. `pf` can easily add such clients to a blacklisted table.
+ Clients that attempt a high number of connections are often brute force attackers. `pf(4)` can easily add these addresses to a blacklisted table.

Line 85 / Line 96:
- The `<bruteforce>` table can be cleared based on an expiry time (in seconds) using `pfctl`.
+ The `<bruteforce>` table can be cleared based on an expiry time (in seconds) using `pfctl(8)`.

Line 91 / Line 102:
- And this, of course, can be automated with a cronjob.
-
- ----
-
- == Common Issues ==
-
- === Cannot ping URLs ===
-
- First, check if the below section better describes your issue.
-
- If the issue is specific to URLs, then DNS is being blocked. DNS uses port 53 over both TCP and UDP.
-
- === Cannot ping IP addresses ===
-
- You likely are blocking ICMP protocol connections, chiefly the "echo request" message type.
+ This can be automated with a `cron` job.

Pf

The Berkeley Packet Filter (pf) is powerful firewall software found on BSD distros and coming soon to Linux distros.

pf(4) is run as a service, while pfctl(8) is a userland interface.


Installation

The packet filter is a core component of OpenBSD and FreeBSD, so no installation is required. Bear in mind that FreeBSD's implementation has diverged from the upstream project.


Configuration

For the most basic use cases, this two-line ruleset is enough: drop everything inbound, allow everything outbound and keep state so replies to outbound connections get back in.

block in all
pass out all keep state

To syntax-check the configuration of pf(4) without loading it (the -n flag parses only), run:

pfctl -nf /usr/local/etc/pf.conf

Basic Server Setup

A server needs to be reachable from the external network. To avoid repetition, store the TCP and UDP ports that need to be opened in macros and reference them from the rules.

tcp_services = "{ 22 53 80 443 }"
udp_services = "{ 53 }"
icmp_types = "echoreq"

# Basic inbound TCP rule: only initial SYNs (S/SA) to the listed ports create state
pass in inet proto tcp from any to any port $tcp_services flags S/SA keep state

# Basic inbound UDP rule
pass in inet proto udp from any to any port $udp_services keep state

# Basic ICMP ping rule: allow echo requests only
pass inet proto icmp all icmp-type $icmp_types keep state

# Basic outbound connections rule: modulate state randomizes initial sequence numbers
pass out proto tcp all modulate state flags S/SA
pass out proto { udp, icmp } all keep state

If the internal and external networks sit on dedicated interfaces, the rules become much simpler to write, because the interface name identifies which side of the firewall a packet is on.

ext_if="xl0"
int_if="xl1"
localnet=$int_if:network

# hardened firewall (anti-spoofing): internal addresses must never appear on the external interface,
# in either direction; "quick" stops rule evaluation as soon as this matches
block drop in  quick on $ext_if from $localnet to any
block drop out quick on $ext_if from any to $localnet

# hardened ICMP rules
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state
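The macro substitution that the two rulesets above rely on ($tcp_services, $ext_if, $int_if:network) is easy to get wrong, and an undefined macro is one of the errors pfctl -nf reports. The following Python script is an added example, not code from this page or from the pf project: it expands macro references in a small constructed pf.conf fragment (modelled on the rules above, with interface names xl0/xl1 assumed) and reports references to macros that were never defined. It implements only macro expansion, not the pf grammar, so it complements rather than replaces the pfctl -nf check.

```python
import re

# Macro definition line: name = "value" (quotes optional), as in the page's examples
MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"]*)"?\s*$')
# Macro reference: $name (a suffix such as the ":network" in $int_if:network stays after the name)
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')

# Constructed pf.conf fragment modelled on the page's rules; interface names are assumed.
SAMPLE_CONF = """\
ext_if = "xl0"
int_if = "xl1"
localnet = $int_if:network
tcp_services = "{ 22 53 80 443 }"

# anti-spoofing: internal addresses must never arrive on the external interface
block drop in quick on $ext_if from $localnet to any
pass in inet proto tcp from any to any port $tcp_services flags S/SA keep state
"""


def expand_macros(conf):
    """Expand $macro references in a pf.conf fragment.

    Returns (macros, rules, undefined): the macro table, the expanded rule
    lines, and a list of (line_number, name) for references to macros that
    were never defined.
    """
    macros = {}
    rules = []
    undefined = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing whitespace
        if not line.strip():
            continue

        def substitute(match):
            name = match.group(1)
            if name in macros:
                return macros[name]
            undefined.append((lineno, name))
            return match.group(0)  # keep the unresolved reference visible in the output

        definition = MACRO_DEF.match(line)
        if definition:
            name, value = definition.groups()
            # pf.conf lets a macro reference earlier macros, so resolve them at definition time
            macros[name] = MACRO_REF.sub(substitute, value.strip())
        else:
            rules.append(MACRO_REF.sub(substitute, line))
    return macros, rules, undefined


if __name__ == "__main__":
    macros, rules, undefined = expand_macros(SAMPLE_CONF)
    for rule in rules:
        print(rule)
    for lineno, name in undefined:
        print(f"line {lineno}: macro '{name}' not defined")
```

Running the script prints the rules with xl0, xl1:network and the port list substituted; a reference such as $ssh_port that has no definition is reported with its line number instead of silently expanding to nothing.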

Blocking Brute Force Attacks

Clients that open an unusually high number of connections are often brute force attackers. pf(4) can automatically add such source addresses to a table that the ruleset blocks.

localnet = "{ 192.168.100.0/24 }"
tcp_services = "{ 22 }"
# persist keeps the table even when no rule currently references it
table <bruteforce> persist

# anything already in the table is dropped before the pass rule is evaluated
block quick from <bruteforce>

# more than 100 simultaneous states, or more than 15 new connections in 5 seconds,
# from one source adds it to <bruteforce> and flushes all of its existing states
pass inet proto tcp from any to $localnet port $tcp_services \
  flags S/SA keep state \
  (max-src-conn 100, max-src-conn-rate 15/5, \
  overload <bruteforce> flush global)

The <bruteforce> table can be cleared based on an expiry time (in seconds) using pfctl(8).

pfctl -t bruteforce -T expire 86400

This can be automated with a cron job.
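To see what the max-src-conn-rate 15/5 overload rule and the pfctl -T expire 86400 cleanup above actually do to a stream of connections, the following Python script simulates them over constructed sample data. It is an added example, not code from this page or from pf: the connection timestamps and the RFC 5737 documentation addresses are made up, and only the connection-rate trigger is modelled (max-src-conn, which counts simultaneous states, needs connection-close events the sample does not contain).

```python
from collections import defaultdict, deque

# Constructed sample of new inbound TCP connections to port 22 as (seconds, source address).
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_CONNECTIONS = (
    [(0.2 * i, "203.0.113.5") for i in range(20)]        # 20 connections in 4 s: brute force
    + [(3.0 * i, "198.51.100.7") for i in range(10)]     # 10 connections over 27 s: normal
    + [(1.5 * i + 0.1, "192.0.2.9") for i in range(16)]  # 16 connections over 22.5 s: busy but slow
)


def detect_overload(connections, rate=15, seconds=5):
    """Simulate max-src-conn-rate rate/seconds.

    Returns {source: time_flagged} for every source that exceeds `rate` new
    connections inside any window of `seconds`; these are the addresses the
    overload option would add to <bruteforce>. Connections are processed in
    timestamp order, as pf sees them.
    """
    recent = defaultdict(deque)  # source -> timestamps still inside the sliding window
    table = {}                   # simulated <bruteforce> table: source -> time added
    for ts, src in sorted(connections):
        if src in table:
            continue             # already dropped by `block quick from <bruteforce>`
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > seconds:
            window.popleft()     # timestamps that fell out of the window no longer count
        if len(window) > rate:
            table[src] = ts      # overload triggers: add the source to the table
    return table


def expire_table(table, now, max_age=86400):
    """Mirror `pfctl -t bruteforce -T expire 86400`: drop entries older than max_age seconds."""
    return {src: added for src, added in table.items() if now - added < max_age}


if __name__ == "__main__":
    blocked = detect_overload(SAMPLE_CONNECTIONS)
    for src, when in blocked.items():
        print(f"{src} added to <bruteforce> at t={when:.1f}s")
    print("after 25 h:", expire_table(blocked, now=25 * 3600))
```

Only 203.0.113.5 trips the rule, at its 16th connection (t=3.0 s); the slower 192.0.2.9 never has more than four connections inside any 5-second window, which is the distinction the rate limit is meant to draw. Lowering the rate to 3/5 also catches 192.0.2.9, which illustrates why the threshold has to be tuned against legitimate traffic before the cron job is left to expire entries unattended.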


CategoryRicottone

Pf (last edited 2023-04-08 17:07:13 by DominicRicottone)