packetfilterfirewall

Created 2014/10/02 14:19 by admin
**External Resources**

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

  *http://home.nuug.no/~peter/pf/en/
  *http://www.openbsd.org/faq/pf/index.html

The following script pulls the IP addresses of all the FTP servers referenced in the ports collection so that a whitelist table can be built for PF. Make sure the script has execute permissions, then run it. It takes a while to finish, but eventually it generates a 'wlist' file, which must be copied to /usr/local/etc.

<file bash>
#!/bin/sh
# Copyright (c) 2009, Aldis Berjoza <killasmurf86@gmail.com>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
#   notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
#   copyright notice, this list of conditions and the following disclaimer
#   in the documentation and/or other materials provided with the
#   distribution.
# * Neither the name of the  nor the names of its
#   contributors may be used to endorse or promote products derived from
#   this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# This script will create a 'wlist' file that contains the IP of every
#   ftp server found in the ports collection.
# You may use this script to generate an ftp server whitelist for pf.
#
# http://killasmurf86.blogspot.com

# Collect every port Makefile plus the shared bsd.*.mk include files
find /usr/ports -name Makefile > /tmp/.ftp_list_1
find /usr/ports/Mk -name 'bsd.*.mk' >> /tmp/.ftp_list_1

# Pull out every line that references an ftp:// URL
for i in `cat /tmp/.ftp_list_1`; do
    grep -e 'ftp://' $i >> /tmp/.ftp_list_2
done

# Strip comments, keep only the host part of each URL, then de-duplicate
sed 's/#.*$//g' /tmp/.ftp_list_2 | sed 's/^.*ftp:\/\///' | sed 's/\/.*$//' | sort | uniq - /tmp/.ftp_list_3

# Entries that are already literal IPv4 addresses go straight into the list
grep -E -e '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' /tmp/.ftp_list_3 > /tmp/.ftp_list_4

# Resolve the hostnames and keep only the A records dig returns
for i in `cat /tmp/.ftp_list_3`; do
    dig +short "$i" | grep -E -e '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' >> /tmp/.ftp_list_4
done

sort /tmp/.ftp_list_4 | uniq - wlist
rm -f /tmp/.ftp_list_[1234]

exit
</file>
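The parsing stage of the script above is the part that decides which hosts end up in the firewall whitelist, so it is worth having a version that handles the cases the original trips over: a line carrying several URLs (the original keeps only the last), user@ prefixes and :port suffixes left in the host, unexpanded make variables such as ${MASTER_SITE_BACKUP}, and, as a separate point, fixed file names under /tmp written by a script that is normally run as root. The following is an added example, not the page's script and not Aldis Berjoza's code; function names, the PORTS_ROOT/OUT arguments and the constructed Makefile text used to test it are this example's own, and dig(1) and find(1) are assumed to be available as on the page.

```shell
#!/bin/sh
# Added example (not the page's script): a hardened rewrite of the
# whitelist generator. Versus the original it
#   - takes temporary files from mktemp(1) instead of fixed /tmp names
#     (predictable names written by a root-run script are a symlink-race risk),
#   - handles every URL on a line, not only the last one,
#   - strips user@ prefixes and :port suffixes from the host part,
#   - drops unexpanded make variables such as ${MASTER_SITE_BACKUP},
#   - keeps literal IPv4 addresses as-is and sends only hostnames to dig(1).

IPV4_RE='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'

# Read Makefile text on stdin; print one ftp host per line, sorted, unique.
# Comment text after '#' is discarded first, as in the original.
extract_ftp_hosts() {
    sed -e 's/#.*$//' \
        | tr -s '[:space:]' '\n' \
        | grep 'ftp://' \
        | sed -e 's!^.*ftp://!!' \
              -e 's!/.*$!!' \
              -e 's!^[^@]*@!!' \
              -e 's!:[0-9]*$!!' \
        | grep -Fv '$' \
        | LC_ALL=C sort -u
}

# Resolve the hostnames read on stdin; literal addresses pass through.
# dig +short may also print CNAME targets; the address regex filters those
# out exactly as the original loop does.
resolve_hosts() {
    while read -r h; do
        if printf '%s\n' "$h" | grep -Eq "$IPV4_RE"; then
            printf '%s\n' "$h"
        else
            dig +short "$h" | grep -E "$IPV4_RE"
        fi
    done
}

# build_wlist PORTS_ROOT OUT: scan the ports tree and write the whitelist.
build_wlist() {
    ports_root="$1"; out="$2"
    tmp=$(mktemp "${TMPDIR:-/tmp}/wlist.XXXXXX") || return 1
    { find "$ports_root" -name Makefile -exec cat {} + ;
      find "$ports_root/Mk" -name 'bsd.*.mk' -exec cat {} + ; } \
        | extract_ftp_hosts > "$tmp"
    resolve_hosts < "$tmp" | LC_ALL=C sort -u > "$out"
    rm -f "$tmp"
}

# When run directly: build_wlist /usr/ports /usr/local/etc/wlist
if [ $# -eq 2 ]; then
    build_wlist "$1" "$2"
fi
```

Only `extract_ftp_hosts` is exercised offline; `build_wlist` needs a ports tree and a resolver, and its output is the same one-address-per-line file the `table <ftp_ports_wlist> const file` line expects.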

The ruleset below only passes connections that originate from this host toward the whitelisted servers (client port >1023 to server port ftp or >1023), so fetches must use passive-mode FTP. Set this in the environment before building from ports:

<code>
sh/bash: export FTP_PASSIVE_MODE=true
csh: setenv FTP_PASSIVE_MODE true
</code>

<box 100% round blue|/etc/pf.conf>
<code>
#Interfaces
ext_if="em0"
int_if="lo1"
jailnet = $int_if:network

# Names correspond to ports as listed in /etc/services
server_out = "{" http nicname "}"
udp_services = "{" domain ntp "}"
icmp_types = "{" echoreq unreach "}"
web_ports = "{" http https "}"
email = "{" smtp "}"

#Jails
NGINX="10.1.1.1"
MAIL="10.1.1.2"

#Tables
table <ftp_ports_wlist> const file "/usr/local/etc/wlist"
table <sshguard> persist
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

#General Options
set skip on lo
set loginterface $ext_if
set ruleset-optimization basic
set optimization normal
set block-policy return

#Traffic Normalization
scrub in all

# NAT for all jails to allow internet access
nat on $ext_if from $jailnet to any -> ($ext_if)

# Redirect any packets requesting port 80 or 443 to the jailed NGINX webserver
rdr pass on $ext_if inet proto tcp to port http -> $NGINX port http
rdr pass on $ext_if inet proto tcp to port https -> $NGINX port https

# Redirect any packets requesting port 25 to the jailed MAIL server
rdr pass on $ext_if inet proto tcp to port smtp -> $MAIL port smtp

#Anti-Spoofing
antispoof for { $ext_if $int_if }

#Packet Filtering
block all
pass inet proto tcp from $ext_if to any port $server_out
pass log inet proto tcp from $ext_if to any port smtp synproxy state
pass quick inet proto { tcp, udp } from $ext_if to any port $udp_services
pass log inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from any to $ext_if port ssh synproxy state
pass in on $ext_if proto tcp from any to $NGINX port $web_ports synproxy state
pass in on $ext_if proto tcp from any to $MAIL port smtp synproxy state
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
pass out log on $ext_if inet proto tcp from $ext_if port >1023 to { <ftp_ports_wlist> } port { ftp, >1023 }
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
</code>
</box>
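The generated wlist is loaded by the `table <ftp_ports_wlist> const file "/usr/local/etc/wlist"` line above, and a single malformed entry (a hostname dig could not resolve, a stray CNAME target, a cut-off line) makes pfctl reject the whole ruleset, while an address from a private or bogon range would let the outbound FTP rule reach hosts it was never meant to. The check below is an added example, not part of the page or of either script; it validates the file before the ruleset is loaded, using the same ranges as the page's $martians macro. Function names and the constructed sample files in its test are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): sanity-check a pf table file such as
# /usr/local/etc/wlist before "pfctl -f /etc/pf.conf" loads it.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 (already validated) lies in one of the ranges of the page's
# $martians macro: 127/8, 192.168/16, 172.16/12, 10/8, 169.254/16,
# 192.0.2/24, 0/8 and 240/4.
is_martian() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    case "$1.$2.$3" in
        127.*.*|10.*.*|0.*.*|192.168.*|169.254.*|192.0.2) return 0 ;;
    esac
    [ "$1" -ge 240 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    return 1
}

# validate_wlist FILE: report every bad line on stderr; return 1 if any was
# found, else 0. Blank lines and '#' comments are accepted because pfctl
# accepts them in table files.
validate_wlist() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! valid_ipv4 "$line"; then
            printf 'not an IPv4 address: %s\n' "$line" >&2
            bad=1
        elif is_martian "$line"; then
            printf 'private/bogon address in whitelist: %s\n' "$line" >&2
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# When run directly, e.g.:
#   sh validate_wlist.sh /usr/local/etc/wlist && pfctl -nf /etc/pf.conf
if [ $# -eq 1 ]; then
    validate_wlist "$1"
fi
```

Chaining the check with `pfctl -nf` keeps a bad whitelist from ever reaching a live reload: the file is refused first, and the ruleset is then parsed without being loaded.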
  