PF firewall /etc/pf.conf script to protect BSD servers

This tutorial gives a complete, working sample PF firewall /etc/pf.conf script that you can use to protect BSD servers.

You can use this script for dedicated / colo *BSD (FreeBSD/OpenBSD/NetBSD) servers too.

Sample /etc/pf.conf

  #### First declare a couple of variables ####
  ### Outgoing tcp / udp ports ####
  ### 43 - whois, 22 - ssh ###
  tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data }"
  udp_services = "{ domain, ntp }"
  ### allow ping / pong ####
  icmp_types = "{ echoreq, unreach }"
  #### define tables. add all subnets and ips to block, one per line, to the file below
  table <blockedip> persist file "/etc/pf.block.ip.conf"
  ### non-routable (martian) ranges that must never appear on the external interface
  martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
  ### admin server ranges ###
  adminrange = "112.220.11.0/23"
  # connected to internet
  ext_if = "em1"
  # connected to vpn / lan
  int_if = "em0"
  ##### ftp proxy
  #proxy = "127.0.0.1"
  #proxyport = "8021"
  #### Options
  # pfctl enforces the section order: options, normalization, queueing, translation, filtering.
  # "set skip" is an option, so it must come before "scrub" and before the first block/pass rule.
  # unlimited traffic for loopback and lan / vpn
  set skip on { lo0, $int_if }
  #### Normalization
  # scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
  scrub in all
  #### NAT and RDR start
  #nat-anchor "ftp-proxy/*"
  #rdr-anchor "ftp-proxy/*"
  # redirect ftp traffic
  #rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
  #### Filtering
  # Drop incoming everything
  block in all
  block return
  # keep state for outgoing connections
  pass out keep state
  # We need to have an anchor for ftp-proxy
  #anchor "ftp-proxy/*"
  # activate spoofing protection for all interfaces (reverse-path check)
  block in quick from urpf-failed
  # antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
  antispoof log for $ext_if
  # Block RFC 1918 and other martian addresses on the external interface, in both directions
  block drop in log (all) quick on $ext_if from $martians to any
  block drop out log (all) quick on $ext_if from any to $martians
  # Block all ips in the <blockedip> table
  # inspect the loaded table with: pfctl -t blockedip -T show
  block drop in log (all) quick on $ext_if from <blockedip> to any
  block drop out log (all) quick on $ext_if from any to <blockedip>
  # allow outgoing
  pass out on $ext_if proto tcp to any port $tcp_services
  pass out on $ext_if proto udp to any port $udp_services
  # Allow traceroute (UDP probe ports; >< is an exclusive range)
  pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
  # Allow admin to get into box
  pass in on $int_if from $adminrange to any
  # Allow incoming ssh, http, bind traffic
  # pass in on $ext_if proto tcp from any to any port 25
  pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
  pass in on $ext_if proto udp from any to any port domain
  pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
  # "synproxy state" and "modulate state" are mutually exclusive in pf; use synproxy state like the other rules
  pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
  pass inet proto icmp all icmp-type $icmp_types keep state
  ## add your rule below ##
