Differences between revisions 2 and 8 (spanning 6 versions)
Revision 2 as of 2020-01-21 20:27:49
Size: 2539
Editor: DominicRicottone
Comment:
Revision 8 as of 2023-04-08 17:07:13
Size: 2729
Editor: DominicRicottone
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= pf = = Pf =
Line 3: Line 3:
'''Packet Filter''' ('''pf''') is a very powerful firewall software for BSDs. The '''Berkeley Packet Filter''' ('''pf''') is a firewall utility.
Line 5: Line 5:
`pf` is run as a service, while `pfctl` is a userland interface. `pf(4)` is run as a service, while `pfctl(8)` is a userland interface.

<<TableOfContents>>
Line 11: Line 13:
== Basic PC Setup == == Installation ==

All [[BSD]] distributions have `pf(8)` installed.

Note that the [[BSD/FreeBSD|FreeBSD]] implementation has diverged from the upstream project.

----



== Configuration ==
Line 20: Line 32:
---- To check the configuration of `pf(4)`, run...

{{{
pfctl -nf /usr/local/etc/pf.conf
}}}
Line 24: Line 40:
== Basic Server Setup == === Basic Server Setup ===
Line 64: Line 80:
----
Line 66: Line 81:
=== Blocking Brute Force Attacks ===
Line 67: Line 83:

== Blocking Brute Force Attacks ==

Clients that attempt a high number of connections are often brute force attackers. `pf` can easily add such clients to a blacklisted table.		 Clients that attempt a high number of connections are often brute force attackers. `pf(4)` can easily add these addresses to a blacklisted table.
Line 85: Line 98:
The `<bruteforce>` table can be cleared based on an expiry time (in seconds) using `pfctl`. The `<bruteforce>` table can be cleared based on an expiry time (in seconds) using `pfctl(8)`.
Line 91: Line 104:
And this, of course, can be automated with a cronjob. This can be automated with a `cron` job.
Line 97: Line 110:
== Common Issues == == See also ==
Line 99: Line 112:
=== Cannot ping URLs === [[https://man.freebsd.org/cgi/man.cgi?pf(4)|pf(4) (FreeBSD)]]
Line 101: Line 114:
First, check if the below section better describes your issue. [[https://man.freebsd.org/cgi/man.cgi?pf.conf(5)|pf.conf(5) (FreeBSD)]]
Line 103: Line 116:
If the issue is specific to URLs, then DNS is being blocked. DNS uses port 53 over both TCP and UDP. [[https://man.openbsd.org/pf|pf(4) (OpenBSD)]]
Line 105: Line 118:


=== Cannot ping IP addresses ===

You likely are blocking ICMP protocol connections, chiefly the "echo request" message type.		 [[https://man.openbsd.org/pf.conf|pf.conf(5) (OpenBSD)]]

Pf

The Berkeley Packet Filter (pf) is a firewall utility.

pf(4) is run as a service, while pfctl(8) is a userland interface.

Contents

  1. Pf
    1. Installation
    2. Configuration
      1. Basic Server Setup
      2. Blocking Brute Force Attacks
    3. See also

Installation

All BSD distributions have pf(8) installed.

Note that the FreeBSD implementation has diverged from the upstream project.

Configuration

For the most basic of usecases, this is perfect. 

block in all
pass out all keep state

To check the configuration of pf(4), run... 

pfctl -nf /usr/local/etc/pf.conf

Basic Server Setup

A server needs to be addressable by the external network. In order to minimize repetition, macros should be used to store the TCP and UDP ports that need to be opened. 

tcp_services = "{ 22 53 80 443 }"
udp_services = "{ 53 }"
icmp_types = "echoreq"

# Basic inbound TCP rule
pass in inet proto tcp $tcp_services flags S/SA keep state

# Basic inbound UDP rule
pass in inet proto udp $udp_services keep state

# Basic ICMP ping rule
pass inet proto icmp all icmp-type $icmp_types keep state

# Basic outbound connections rule
pass out proto tcp all modulate state flags S/SA
pass out proto { udp, icmp } all keep state

If you have dedicated interfaces for internal and external networks, it becomes much simpler to create rules. 

ext_if="xl0"
int_if="xl1"
localnet=$int_if:network

# hardened firewall
block drop in  quick on $ext_if from $localnet to any
block drop out quick on $ext_if from any to $localnet 

# hardened ICMP rules
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state

Blocking Brute Force Attacks

Clients that attempt a high number of connections are often brute force attackers. pf(4) can easily add these addresses to a blacklisted table. 

localnet = "{ 192.168.100.0/24 }"
tcp_services = "{ 22 }"
table <bruteforce> persist

block quick from <bruteforce>

pass inet proto tcp from any to $localnet port $tcp_services \
  flags S/SA keep state \
  (max-src-conn 100, max-src-conn-rate 15/5, \
  overload <bruteforce> flush global)

The <bruteforce> table can be cleared based on an expiry time (in seconds) using pfctl(8). 

pfctl -t bruteforce -T expire 86400

This can be automated with a cron job.

See also

pf(4) (FreeBSD)

pf.conf(5) (FreeBSD)

pf(4) (OpenBSD)

pf.conf(5) (OpenBSD)

CategoryRicottone

Pf (last edited 2023-04-08 17:07:13 by DominicRicottone)