Configuring
Command to enable the firewall (PF):
# kldload pf
Enable the firewall automatically at boot:
# ee /etc/rc.conf
# Enable PF (load module if required)
pf_enable="YES"
# rules definition file for pf
pf_rules="/etc/pf.conf"
# additional flags for pfctl startup
pf_flags=""
# start pflogd(8)
pflog_enable="YES"
# where pflogd should store the logfile
pflog_logfile="/var/log/pflog"
# additional flags for pflogd startup
pflog_flags=""
Load the PF rules:
# pfctl -f /etc/pf.conf
PF configuration file:
# ee /etc/pf.conf
# $FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="fxp0"   # replace with actual external interface name i.e., dc0
#int_if="fxp1"  # replace with actual internal interface name i.e., dc1
#internal_net="192.168.1.1/8"
external_addr="192.168.1.139"

# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log on $ext_if all
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass out on $ext_if proto tcp all keep state
pass out on $ext_if proto udp all keep state

# HTTP (80) and Plesk over plain HTTP (8880)
pass in on $ext_if proto tcp from any to any port 80 keep state
pass in on $ext_if proto udp from any to any port 80 keep state
pass in on $ext_if proto tcp from any to any port 8880 keep state
pass in on $ext_if proto udp from any to any port 8880 keep state

# pass incoming ports for ftp-proxy
pass in on $ext_if proto tcp from any to any port 20 keep state
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state

# Alternate rule to pass incoming ports for ftp-proxy
# NOTE: Please see pf.conf(5) BUGS section before using user/group rules.
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing

# HTTPS
pass in on $ext_if proto tcp from any to any port 443 keep state

# PLESK
pass in on $ext_if proto tcp from any to any port 8443 keep state

# POPPASSD (Plesk)
pass in on $ext_if proto tcp from 127.0.0.0/8 to any port 106 keep state
pass out on $ext_if proto tcp from 127.0.0.0/8 to any port 106 keep state
pass in on $ext_if proto udp from 127.0.0.0/8 to any port 106 keep state
pass out on $ext_if proto udp from 127.0.0.0/8 to any port 106 keep state

# AUTH (Plesk)
pass in on $ext_if proto tcp from any to any port 113 keep state

# SMTPS (Plesk)
pass in on $ext_if proto tcp from any to any port 465 keep state
pass out on $ext_if proto tcp from any to any port 465 keep state
pass in on $ext_if proto udp from any to any port 465 keep state
pass out on $ext_if proto udp from any to any port 465 keep state

# FTPS (Plesk)
pass in on $ext_if proto tcp from any to any port 990 keep state
pass out on $ext_if proto tcp from any to any port 990 keep state
pass in on $ext_if proto udp from any to any port 990 keep state
pass out on $ext_if proto udp from any to any port 990 keep state

# plesk-license-update
pass out on $ext_if proto tcp from any to any port 5224 keep state
pass out on $ext_if proto udp from any to any port 5224 keep state

# ISP DNS
pass out on $ext_if proto tcp from any to 80.84.224.249 port 53 keep state
pass out on $ext_if proto udp from any to 80.84.224.249 port 53 keep state
pass out on $ext_if proto tcp from any to 80.84.224.26 port 53 keep state
pass out on $ext_if proto udp from any to 80.84.224.26 port 53 keep state
pass out on $ext_if proto tcp from any to 83.96.192.26 port 53 keep state
pass out on $ext_if proto udp from any to 83.96.192.26 port 53 keep state

# SEND & GET EMAIL
pass in on $ext_if proto tcp from any to any port 25 keep state
pass out on $ext_if proto tcp from any to any port 25 keep state
pass in on $ext_if proto tcp from any to any port 110 keep state
pass out on $ext_if proto tcp from any to any port 110 keep state
pass in on $ext_if proto tcp from any to any port 143 keep state
pass out on $ext_if proto tcp from any to any port 143 keep state
pass in on $ext_if proto tcp from any to any port 993 keep state
pass out on $ext_if proto tcp from any to any port 993 keep state
pass in on $ext_if proto tcp from any to any port 995 keep state
pass out on $ext_if proto tcp from any to any port 995 keep state

# PING
pass in on $ext_if proto icmp from any to any keep state
pass out on $ext_if proto icmp from any to any keep state

# TIME
pass out on $ext_if proto tcp from any to any port 37 keep state

# NTP
pass out on $ext_if proto udp from any to any port 123 keep state

# NNTP NEWS (i.e. news groups)
pass in on $ext_if proto tcp from any to any port 119 keep state
pass out on $ext_if proto tcp from any to any port 119 keep state

# WHOIS
pass in on $ext_if proto tcp from any to any port 43 keep state
pass out on $ext_if proto tcp from any to any port 43 keep state

# FDSD (make install & CVSUP)
pass out on $ext_if proto tcp from any to any keep state

# Block all NetBIOS service
# (pf has no "deny" action, and "keep state" is not accepted on block rules)
block in on $ext_if proto tcp from any to any port 137
block in on $ext_if proto tcp from any to any port 138
block in on $ext_if proto tcp from any to any port 139
# port 81 (not NetBIOS) is blocked here as well
block in on $ext_if proto tcp from any to any port 81

# MYSQL
pass in on $ext_if proto tcp from 192.168.1.34 to any port 3306 keep state
pass in on $ext_if proto udp from 192.168.1.34 to any port 3306 keep state

# PostgreSQL
pass in on $ext_if proto tcp from 192.168.1.34 to any port 5432 keep state

# TOMCAT
pass in on $ext_if proto tcp from any to any port 8080 keep state

# Coyote and Warp (Tomcat Java) connectors in Plesk
pass in on $ext_if proto tcp from any to any port 9080 keep state
pass in on $ext_if proto tcp from any to any port 9008 keep state
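A ruleset this long is easy to get wrong in two ways: a rule that pfctl(8) refuses to parse (so nothing loads), and a "pass in ... from any" rule that quietly opens a service to the whole internet. The script below is an added example, not part of the original page or of pf itself: it audits a pf.conf written in the one-rule-per-line style of the /etc/pf.conf above and reloads it without locking you out of your ssh session. The function names (sample_conf, exposed_ports, lint_rules, safe_reload) and the sample rules are this example's own; pfctl -nf (parse only, load nothing) and pfctl -f are the real pfctl options.

```shell
#!/bin/sh
# Added example (not from the page or from pf): audit and safely reload a pf.conf.

# Constructed sample ruleset in the page's style, written to the file given as $1.
sample_conf() {
    cat > "$1" <<'EOF'
ext_if="fxp0"
block in log on $ext_if all
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass in on $ext_if proto tcp from any to any port 80 keep state
pass in on $ext_if proto tcp from 192.168.1.34 to any port 3306 keep state
#pass in on $ext_if proto tcp from any to any port 8080 keep state
deny in on $ext_if proto tcp from any to any port 137 keep state
block in on $ext_if proto tcp from any to any port 139 keep state
pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state
EOF
}

# List "proto port" for every active "pass in" rule whose source is "any":
# these are the services reachable from every address that can reach $ext_if.
exposed_ports() {
    awk '
        /^[[:space:]]*#/ { next }                          # comment line
        $1 == "pass" && $2 == "in" && / from any / {
            proto = "any"; port = "all"
            for (i = 1; i <= NF; i++) {
                if ($i == "proto") proto = $(i + 1)
                if ($i == "port") {                        # "port 80" or "port > 49151"
                    port = ($(i + 1) == ">") ? (">" $(i + 2)) : $(i + 1)
                }
            }
            print proto, port
        }' "$1" | LC_ALL=C sort -u
}

# Report lines pfctl(8) rejects: pf has no "deny" action, and "keep state"
# is only accepted on pass rules.
lint_rules() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "deny" { printf "line %d: \"deny\" is not a pf action, use \"block\"\n", NR }
        $1 == "block" && /keep state/ { printf "line %d: \"keep state\" on a block rule is rejected\n", NR }
    ' "$1"
}

# Parse-check the new ruleset ($1) without loading it, then load it while a
# background timer stands ready to put the known-good file ($2) back after
# $3 seconds (default 90). Kill the printed pid once you have confirmed that
# your ssh session still works; otherwise the old rules return on their own.
safe_reload() {
    new=$1; good=$2; grace=${3:-90}
    pfctl -nf "$new" || return 1
    ( sleep "$grace" && pfctl -f "$good" ) &
    echo "rollback to $good in ${grace}s unless you run: kill $!"
    pfctl -f "$new"
}

# Demo on the constructed sample (safe_reload is not run here: it needs pfctl).
tmp=$(mktemp)
sample_conf "$tmp"
echo "== reachable from any source =="; exposed_ports "$tmp"
echo "== pfctl will reject =="; lint_rules "$tmp"
rm -f "$tmp"
```

On the real system: `exposed_ports /etc/pf.conf` before every reload, and `safe_reload /etc/pf.conf.new /etc/pf.conf 90` where /etc/pf.conf is the last ruleset you know still admits your ssh session.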
Check whether the settings are correct:
# pfctl -s all
The rules:
# pfctl -s rules
Log files:
# tcpdump -n -e -ttt -i pflog0
# tcpdump -netttvvv -i pflog0
Reload the rules:
# pfctl -f /etc/pf.conf
Firewall Port scan
Install:
# cd /usr/ports/security/nmap
# make install
Scan:
# nmap -v -iR 10 -P0 -p 80
nmap TCP connect scanning of localhost and the network 192.168.0.0/24
# nmap -v -sT localhost
# nmap -v -sT 192.168.0.0/24
nmap TCP SYN (half-open) scanning
# nmap -v -sS localhost
# nmap -v -sS 192.168.0.0/24
nmap TCP FIN scanning
# nmap -v -sF localhost
# nmap -v -sF 192.168.0.0/24
nmap TCP Xmas tree scanning
Useful to see whether the firewall protects against this kind of attack:
# nmap -v -sX localhost
# nmap -v -sX 192.168.0.0/24
nmap TCP Null scanning
Useful to see whether the firewall protects against this kind of attack:
# nmap -v -sN localhost
# nmap -v -sN 192.168.0.0/24
nmap TCP Window scanning
# nmap -v -sW localhost
# nmap -v -sW 192.168.0.0/24
nmap TCP RPC scanning
Useful to find RPC services (such as portmap):
# nmap -v -sR localhost
# nmap -v -sR 192.168.0.0/24
nmap UDP scanning
Useful to find open UDP ports:
# nmap -v -sU localhost
# nmap -v -sU 192.168.0.0/24
nmap remote software version scanning
You can also find out which software version is listening on the port:
# nmap -v -sV localhost
# nmap -v -sV 192.168.0.0/24
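The blocking side of these scans shows up in the pflog that the "Log files" section reads with tcpdump: each probe the firewall dropped is one "block in" line. The script below is an added example, not part of the original page, serving both that section and the scans above: it reads pflog output in the format printed by "tcpdump -n -e -ttt -i pflog0", counts blocked packets per source, and flags sources that touched many distinct destination ports, which is what a port scan looks like from the firewall. The sample lines are constructed here (documentation address ranges, the page's own fxp0 and 192.168.1.139) and the function names are this example's own. Because the leading fields differ between tcpdump versions, the parser keys on the "src > dst:" arrow rather than on field positions.

```shell
#!/bin/sh
# Added example (not from the page): summarize what PF blocked, from pflog output.

# Constructed pflog lines: one host probing eight ports, another retrying two.
pflog_sample() {
    cat <<'EOF'
00:00:00.000000 rule 0/0(match): block in on fxp0: 203.0.113.7.51234 > 192.168.1.139.23: S 1:1(0) win 1024
00:00:00.000412 rule 0/0(match): block in on fxp0: 203.0.113.7.51235 > 192.168.1.139.135: S 1:1(0) win 1024
00:00:00.000390 rule 0/0(match): block in on fxp0: 203.0.113.7.51236 > 192.168.1.139.137: S 1:1(0) win 1024
00:00:00.000401 rule 0/0(match): block in on fxp0: 203.0.113.7.51237 > 192.168.1.139.139: S 1:1(0) win 1024
00:00:00.000388 rule 0/0(match): block in on fxp0: 203.0.113.7.51238 > 192.168.1.139.445: S 1:1(0) win 1024
00:00:00.000395 rule 0/0(match): block in on fxp0: 203.0.113.7.51239 > 192.168.1.139.1433: S 1:1(0) win 1024
00:00:00.000402 rule 0/0(match): block in on fxp0: 203.0.113.7.51240 > 192.168.1.139.3389: S 1:1(0) win 1024
00:00:00.000397 rule 0/0(match): block in on fxp0: 203.0.113.7.51241 > 192.168.1.139.5900: S 1:1(0) win 1024
00:00:02.310000 rule 0/0(match): block in on fxp0: 198.51.100.4.40001 > 192.168.1.139.2222: S 7:7(0) win 65535
00:00:05.120000 rule 0/0(match): block in on fxp0: 198.51.100.4.40002 > 192.168.1.139.2222: S 8:8(0) win 65535
00:00:09.880000 rule 0/0(match): block in on fxp0: 198.51.100.4.40003 > 192.168.1.139.5432: S 9:9(0) win 65535
EOF
}

# Print "src dst_port" for every logged block of inbound traffic (stdin).
blocked_pairs() {
    awk '/ block in on / {
        for (i = 2; i < NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
        sub(/\.[0-9]+$/, "", src)      # drop the source port
        sub(/:$/, "", dst)             # drop the trailing colon
        n = split(dst, d, ".")
        print src, d[n]
    }'
}

# Blocked packets per source address, most active first.
blocked_by_source() {
    blocked_pairs | awk '{ c[$1]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# Sources that hit more than $1 distinct destination ports: the signature of
# a port scan such as the nmap runs above, as seen from the blocking side.
scan_suspects() {
    blocked_pairs | awk -v t="$1" '
        !(($1, $2) in seen) { seen[$1, $2] = 1; ports[$1]++ }
        END { for (s in ports) if (ports[s] > t) print s, ports[s] }' | sort
}

# Demo on the constructed sample.
echo "== blocked packets per source =="; pflog_sample | blocked_by_source
echo "== sources hitting more than 4 ports =="; pflog_sample | scan_suspects 4
```

Against the real log, read the file pflogd wrote instead of the sample: `tcpdump -n -e -ttt -r /var/log/pflog | scan_suspects 20`. Running one of the nmap scans above against the host and then checking that the scanning address appears here is the direct test of whether the block rule and pflogd are doing their job.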
Links
- See also: PF (FreeBSD Handbook)
- See also: Plesk ports
- See also: Firewall Port scan