Background:
- rl0 = very external (72.151.228.245)
- xl0 = multihomed
  - 10.4.0.1
  - 10.2.4.1
- 10.2's router has a route so that any packets going to 10.4 go through 10.2.4.1
- This works.
- This is the 10.4 router
- Nothing flows from 10.4 to 10.2
- DNS and another service are on 10.2
$ cat /etc/pf.conf
### macro name for external interface.
ext_if = "rl0"
### and the one for the internal interface
int_if = "xl0"
### We should not get external traffic from ANY of these addresses
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
### tables for hosts that trip the overload rules at the bottom. persist keeps
### a table around even when no rule references it, and file seeds it at load
### time, so both files must exist (empty is fine) or pfctl refuses the ruleset.
### pf never writes overloaded hosts back to the file; dump the table with
### pfctl -t ssh_abuse -T show if the entries are supposed to survive a reboot.
table <ssh_abuse> persist file "/etc/abuse/ssh_abuse"
table <http_abuse> persist file "/etc/abuse/http_abuse"
### options have to come before the scrub and filter rules, or pfctl rejects the
### whole file with "Rules must be in order: options, normalization, queueing,
### translation, filtering". skip the loopback interface entirely so services
### talking over lo0 are never blocked by the rules below.
set skip on lo0
### all incoming traffic on the external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble
### Allow anything from the LAN. pf takes the LAST matching rule unless a rule
### says quick, so quick is what lets these two win over the block all below.
### flags only apply to tcp; udp and icmp go through the second rule as plain
### keep state. synproxy on the trusted side buys nothing, but it is harmless.
pass out quick on $int_if proto { tcp, udp, icmp } from any to any modulate state
pass in quick on $int_if flags S/SA synproxy state
### set a default deny everything policy.
block all
### exercise antispoofing on the external interface (lo0 is already skipped
### above, so services using the local loop are not blocked by accident).
antispoof for $ext_if inet
### block anything coming from sources that we have no back routes for.
block in from no-route to any
### block packets that fail a reverse path check: pf looks up the route back to
### the source address and requires it to leave through the interface the packet
### arrived on, otherwise the source is probably spoofed. this applies on $int_if
### as well: replies from 10.2 arriving on xl0 only pass if this router's route
### to the 10.2 networks points at xl0 and not at the default route out rl0.
block in from urpf-failed to any
### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255
### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from $martians to any
### and never let traffic for those blocks out of the external interface either.
### note that 10.0.0.0/8 is in $martians: any packet for 10.2 that this router
### routes out rl0 instead of xl0 is silently dropped right here, so check the
### routing table for the 10.2 networks if traffic towards 10.2 goes missing.
block out quick on $ext_if from any to $martians
### block flag combinations used by nmap, queso and xprobe2 to fingerprint the
### operating system. a flags spec is set/mask: the packet matches when the
### flags listed in mask are exactly the ones listed in set, so /WEUAPRSF is a
### packet with no flags at all (null scan) and FUP/WEUAPRSF is FIN+URG+PSH
### (xmas scan). with block all as the default and every pass in rule below
### requiring flags S/SA, none of these could create state anyway; they are
### belt and braces.
### * F : FIN - Finish; end of session
### * S : SYN - Synchronize; indicates request to start session
### * R : RST - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK - Acknowledgement
### * U : URG - Urgent
### * E : ECE - Explicit Congestion Notification Echo
### * W : CWR - Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
### keep state on any outbound tcp, udp or icmp traffic. modulate state also
### rewrites the initial sequence number (ISN) of outgoing connections, because
### broken operating systems sometimes don't randomize it, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
### Allow ICMP in (the OS automatically throttles ICMP). this admits every ICMP
### type from outside; add icmp-type echoreq if ping is all that is wanted.
pass in on $ext_if proto icmp to any keep state
### normally, a client connects to the server and we handshake with them, then
### proceed to exchange data. by telling pf to handshake proxy between the client
### and our server, tcp syn flood attacks become ineffective because a spoofed
### client cannot complete a handshake, and no state is created until it does.
### ssh and www are handled by the rate limited rules further down. do not add a
### plain pass rule for them here: without quick, the later keep state rule would
### be the last match and win, and the synproxy rule would never take effect.
### please don't let me break this... D=
pass in on $ext_if proto tcp from any to any port 8022 flags S/SA synproxy state
### Again for finger
pass in on $ext_if proto tcp from any to any port finger flags S/SA synproxy state
### identd
pass in on $ext_if proto tcp from any to any port ident flags S/SA synproxy state
### prevent excessive abuse by hosts that attempt to brute force the ssh daemon
### with repeated requests. any host that opens more than 3 connections in 5
### seconds, or holds more than 5 open at once, has all its states killed (flush
### global kills every state from that source, not only the ssh ones) and is
### dropped into the <ssh_abuse> table, where the quick block rule stops it for
### good. the state options attach to synproxy state just as to keep state.
block in log quick from <ssh_abuse>
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state \
    (max-src-conn 5, max-src-conn-rate 3/5, overload <ssh_abuse> flush global)
### the same for www, but let's be nicer here.
block in log quick from <http_abuse>
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state \
    (max-src-conn 24, max-src-conn-rate 32/5, overload <http_abuse> flush global)
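Two things in the ruleset above are easy to get wrong by reading it top to bottom like a script: pf keeps the last matching rule unless a matching rule is marked quick (which is why a non-quick synproxy pass for ssh followed by a non-quick keep state pass for the same port leaves synproxy dead), and a flags spec is a set/mask pair, not a list. The following is an added example written for this page, not code from the paste or from pf itself: a small Python model of that selection logic, run against a cut-down, in-order copy of the rules above (rl0 and xl0 are the page's $ext_if and $int_if), plus a model of max-src-conn-rate/overload. Assumptions: the overload model is a sliding window, which approximates pf's own counter rather than reproducing its arithmetic, and the connection events at the end are constructed, using TEST-NET addresses.

```python
"""Toy model of pf filter-rule selection and of a max-src-conn-rate window.

pf scans filter rules top to bottom, remembers the LAST rule that matched and
stops early only at a matching rule marked quick.  A 'flags set/mask' spec
matches when (tcp_flags & mask) == set and is only evaluated for TCP.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# pf.conf flag letters mapped to TCP header bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

def flags_match(spec: str, tcp_flags: str) -> bool:
    """pf 'flags set/mask': the bits named in mask must equal the bits in set."""
    bits = lambda letters: sum(FLAG_BITS[c] for c in letters)
    want, mask = spec.split("/")
    return bits(tcp_flags) & bits(mask) == bits(want)

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str = ""          # "in", "out", or "" for either
    iface: str = ""              # interface name, or "" for any
    protos: tuple = ()           # e.g. ("tcp", "udp"); () means any protocol
    dport: Optional[int] = None  # destination port, None for any
    flags: Optional[str] = None  # e.g. "S/SA"; ignored for non-TCP packets
    quick: bool = False
    state: str = ""              # "keep state", "synproxy state", ...
    label: str = ""

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: Optional[int] = None
    tcp_flags: str = ""          # flag letters, "" for a null packet

def rule_matches(r: Rule, p: Packet) -> bool:
    if r.direction and r.direction != p.direction:
        return False
    if r.iface and r.iface != p.iface:
        return False
    if r.protos and p.proto not in r.protos:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.flags is not None and p.proto == "tcp":
        return flags_match(r.flags, p.tcp_flags)
    return True

def winning_rule(rules, p: Packet) -> Optional[Rule]:
    """Last matching rule wins; a matching quick rule ends the scan at once."""
    winner = None
    for r in rules:
        if rule_matches(r, p):
            winner = r
            if r.quick:
                break
    return winner

def overload_table(events, limit: int, seconds: int) -> set:
    """Model of 'max-src-conn-rate limit/seconds, overload <table>': a source
    whose (timestamp, source) events show more than `limit` new connections in
    any `seconds` long window lands in the table.  Sliding-window assumption;
    pf.conf(5) calls pf's own counter a moving-average approximation."""
    recent, table = defaultdict(deque), set()
    for t, src in events:
        window = recent[src]
        window.append(t)
        while t - window[0] >= seconds:
            window.popleft()
        if len(window) > limit:
            table.add(src)
    return table

# In-order, cut-down copy of the filter rules from the config above (rl0 and
# xl0 are its $ext_if and $int_if).  Both a synproxy and an overload pass rule
# for ssh and for www are kept, as in the original paste, to show which wins.
TCP, ALL = ("tcp",), ("tcp", "udp", "icmp")
RULESET = [
    Rule("pass", "out", "xl0", ALL, quick=True, state="modulate state", label="pass out quick on int_if"),
    Rule("pass", "in", "xl0", flags="S/SA", quick=True, state="synproxy state", label="pass in quick on int_if"),
    Rule("block", label="block all"),
    Rule("block", "in", "rl0", TCP, flags="FUP/WEUAPRSF", quick=True, label="block xmas"),
    Rule("block", "in", "rl0", TCP, flags="/WEUAPRSF", quick=True, label="block null"),
    Rule("block", "in", "rl0", TCP, flags="SF/SF", quick=True, label="block SYN+FIN"),
    Rule("pass", "in", "rl0", ("icmp",), state="keep state", label="pass in icmp"),
    Rule("pass", "in", "rl0", TCP, dport=22, flags="S/SA", state="synproxy state", label="ssh synproxy"),
    Rule("pass", "in", "rl0", TCP, dport=80, flags="S/SA", state="synproxy state", label="www synproxy"),
    Rule("pass", "in", "rl0", TCP, dport=22, flags="S/SA", state="keep state (overload <ssh_abuse>)", label="ssh overload"),
    Rule("pass", "in", "rl0", TCP, dport=80, flags="S/SA", state="keep state (overload <http_abuse>)", label="www overload"),
]

def decide(direction, iface, proto, dport=None, tcp_flags=""):
    """(action, label, state) of the rule pf would apply to this packet."""
    r = winning_rule(RULESET, Packet(direction, iface, proto, dport, tcp_flags))
    return (r.action, r.label, r.state)

if __name__ == "__main__":
    print(decide("in", "rl0", "tcp", 22, "S"))   # the keep state rule wins, synproxy is dead
    print(decide("in", "rl0", "tcp", 22, "SF"))  # a quick block beats every later pass
    # constructed events: 198.51.100.7 opens four ssh connections within two seconds
    print(overload_table([(0, "198.51.100.7"), (1, "198.51.100.7"), (1, "198.51.100.7"),
                          (2, "198.51.100.7"), (3, "203.0.113.9"), (9, "203.0.113.9")], 3, 5))
```

Run it and the first line shows the ssh SYN landing on the keep state overload rule rather than the synproxy rule, which is exactly why the corrected config above carries the state options on a single synproxy rule per port. The model deliberately ignores state lookup: in real pf, a packet that matches an existing state never reaches the ruleset, so only the first SYN of a connection is decided this way.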