packetfilterfirewall

External Resources

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

The following script pulls the IP addresses of all the FTP servers referenced in the ports collection so we can create a whitelist for PF. Make sure the script has execute permissions and then run it. It takes a while to finish, but eventually it generates a 'wlist' file, which needs to be put in /usr/local/etc.

#!/bin/sh
# Copyright (c) 2009, Aldis Berjoza <killasmurf86@gmail.com>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
#   notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
#   copyright notice, this list of conditions and the following disclaimer
#   in the documentation and/or other materials provided with the
#   distribution.
# * Neither the name of the  nor the names of its
#   contributors may be used to endorse or promote products derived from
#   this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
# This script will create a 'wlist' file that contains the IP of every
#   ftp server found in the ports collection
# You may use this script to generate an ftp server whitelist for pf
#
# http://killasmurf86.blogspot.com
 
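# Work in a private temporary directory rather than fixed names under /tmp:
# a fixed name there can be pre-created by another local user, and a list
# file that is only appended to carries hosts over from a previous run.
# The trap removes the directory on every exit path.
set -eu
tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/ftp_wlist.XXXXXX") || exit 1
trap 'rm -rf -- "${tmpdir:?}"' EXIT HUP INT TERM

# Dotted-quad pattern.  It is anchored wherever it classifies a line, because
# one non-address line in the table file is enough for pfctl to reject the
# ruleset that loads it.
ipv4_re='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

# 1. Every line mentioning ftp:// in the ports Makefiles and the bsd.*.mk
#    infrastructure files.  "-exec ... {} +" hands the paths to grep as
#    arguments (no word splitting of file names), -h suppresses the file-name
#    prefix grep adds when given several files, and the quoted pattern stops
#    the shell from expanding bsd.*.mk against the current directory.  A
#    batch with no match makes grep (and so find) exit non-zero; that is
#    expected and not an error.
{
  find /usr/ports -name Makefile -exec grep -h -e 'ftp://' -- {} +
  find /usr/ports/Mk -name 'bsd.*.mk' -exec grep -h -e 'ftp://' -- {} +
} > "$tmpdir/ftp_lines" || true

# 2. Reduce the lines to bare host names: drop comments, split into words so
#    that a line listing several mirrors yields all of them rather than only
#    the last URL, then strip the scheme, the path, any user@ prefix and any
#    :port suffix.
sed -e 's/#.*$//' "$tmpdir/ftp_lines" \
  | tr -s '[:blank:]' '\n' \
  | grep -e 'ftp://' \
  | sed -e 's/^.*ftp:\/\///' -e 's/\/.*$//' -e 's/^.*@//' -e 's/:.*$//' \
  | sort -u > "$tmpdir/hosts"

# 3. Literal addresses go straight to the result; only names are looked up,
#    which saves a pointless DNS query per literal.
grep -E -e "^${ipv4_re}\$" "$tmpdir/hosts" > "$tmpdir/ips" || true

# 4. Resolve the names.  Only well-formed host names reach dig: this skips
#    empty lines and make-variable fragments such as "${...}" that the ports
#    tree produces, and keeps a token starting with "-" from being read as a
#    dig option.  dig +short may print CNAME targets before the A records,
#    so only dotted-quad output lines are kept; an unresolvable name
#    contributes nothing.
grep -E -v -e "^${ipv4_re}\$" "$tmpdir/hosts" \
  | while IFS= read -r host; do
      case $host in
        ''|-*|*[!A-Za-z0-9._-]*) continue ;;
      esac
      dig +short "$host" | grep -E -e "^${ipv4_re}\$" || true
    done >> "$tmpdir/ips"

# 5. One address per line, sorted and de-duplicated, written to ./wlist;
#    install it as /usr/local/etc/wlist, the path pf.conf's table reads.
sort -u "$tmpdir/ips" > wlist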
sh/bash: export FTP_PASSIVE_MODE=true
csh: setenv FTP_PASSIVE_MODE true

<box 100% round blue|/etc/pf.conf>

#Interfaces
# $int_if:network is pf's interface modifier: it expands to the subnet
# configured on lo1, i.e. the jail network used by the nat rule below.
ext_if="em0"
int_if = "lo1"
jailnet = $int_if:network

# Names correspond to ports as listed in /etc/services
# Quoting the braces makes each macro expand to a pf list, so $server_out
# becomes { http nicname } wherever it is used.
server_out = "{" http nicname "}"
udp_services = "{" domain ntp "}"
icmp_types = "{" echoreq unreach "}"
web_ports = "{" http https "}"
# NOTE(review): $email is not referenced by any rule below; the smtp rules
# name the port directly.  Either use the macro there or drop it.
email = "{" smtp "}"

#Jails
# Both addresses lie inside 10.0.0.0/8, which $martians also lists.  The
# martian blocks below are bound to $ext_if, so they should not touch
# traffic addressed to the jails on lo1 — confirm on the live box.
NGINX="10.1.1.1"
MAIL="10.1.1.2"

#Tables
# const: the table cannot be changed once loaded.  file: one address or
# network per line, produced by the wlist script above.  A malformed line in
# that file will most likely make pfctl refuse the whole ruleset.
table <ftp_ports_wlist> const file "/usr/local/etc/wlist"
# persist: keep the table allocated even when no rule references it.
# Presumably populated at run time by sshguard — verify its pf backend.
table <sshguard> persist
# Loopback, RFC 1918 private ranges, link-local, TEST-NET-1, the "this"
# network and the reserved class E block.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

#General Options
# NOTE(review): "lo" is an interface group, and on FreeBSD a cloned lo1 is
# normally a member of it, so this skip probably exempts the jail interface
# as well; the antispoof entry for $int_if below would then never see a
# packet.  Confirm with `pfctl -s Interfaces` before relying on it.
set skip on lo
set loginterface $ext_if
set ruleset-optimization basic
set optimization normal
# Blocked packets are answered with a TCP RST / ICMP unreachable instead of
# being silently dropped; the two "block drop" rules below override this.
set block-policy return

#Traffic Normalization
# Reassemble fragments and normalise inbound packets on every interface.
scrub in all

# NAT for all jails to allow internet access
# ($ext_if) in parentheses is re-read at run time, so the rule keeps working
# after the external address changes without reloading the ruleset.
nat on $ext_if from $jailnet to any -> ($ext_if)

# Redirect any packets requesting port 80 or 443 to jailed NGINX webserver
# NOTE(review): "rdr pass" passes the redirected packets without consulting
# the filter rules, so the "pass in ... synproxy state" rules for $NGINX and
# $MAIL further down are most likely never evaluated.  Use plain "rdr" here
# if synproxy is wanted — check the rule counters with `pfctl -vsr`.
rdr pass on $ext_if inet proto tcp to port http -> $NGINX port http
rdr pass on $ext_if inet proto tcp to port https -> $NGINX port https

# Redirect any packets requesting port 25 jailed MAIL server
rdr pass on $ext_if inet proto tcp to port smtp -> $MAIL port smtp

#Anti-Spoofing
# Drops packets whose source belongs to one of these interfaces' networks
# but that arrive on another interface.  For $int_if this only has effect
# if lo1 is not covered by "set skip on lo" above.
antispoof for { $ext_if $int_if }

#Packet Filtering
# Default deny in both directions; everything below is an exception.
# pf evaluates rules last-match-wins unless a rule says "quick", so the
# quick blocks near the end override the earlier passes they also match.
block all
# No direction given, so these apply in and out; "from $ext_if" matches the
# host's own address as source, i.e. connections the host itself opens
# (and, after the nat rule, presumably the jails' connections as well —
# confirm).  pass keeps state by default on this pf generation.
pass inet proto tcp from $ext_if to any port $server_out
# NOTE(review): synproxy protects a listener from SYN floods; on this
# outbound SMTP rule it is most likely inert — confirm, or use keep state.
pass log inet proto tcp from $ext_if to any port smtp synproxy state
# "quick" ends evaluation here, so DNS/NTP to a $martians destination is
# not caught by the "block drop out" rule below.  The macro name says udp,
# but the rule also allows tcp, which DNS legitimately needs.
pass quick inet proto { tcp, udp } from $ext_if to any port $udp_services
# Echo requests and unreachables, in and out, on every interface.
pass log inet proto icmp all icmp-type $icmp_types
# SSH is open to the world; the <sshguard> quick block at the end wins over
# this rule for addresses already in the table.
pass log on $ext_if inet proto tcp from any to $ext_if port ssh synproxy state
# Post-redirect destinations; see the "rdr pass" note above.
pass in on $ext_if proto tcp from any to $NGINX port $web_ports synproxy state
pass in on $ext_if proto tcp from any to $MAIL port smtp synproxy state
# Explicit "drop" overrides block-policy return so spoofed sources get no
# reply.  Being quick, these beat the non-quick pass rules above.
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
# Outbound FTP only to servers in the whitelist: control port plus the
# >1023 range used for passive data connections.  Nothing passes inbound
# ftp-data, so clients must use passive mode (see FTP_PASSIVE_MODE).
pass out log on $ext_if inet proto tcp from $ext_if port >1023 to { <ftp_ports_wlist> } port { ftp, >1023 }
# Literal 22 here versus the "ssh" service name above — same port, but
# the style is inconsistent.
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

</box>
