Background:rl0 = very external (72.151.228.245)xl0 = multihomed10.4.0.11

1. Background:
2. rl0 = very external (72.151.228.245)
3. xl0 = multihomed
4. 10.4.0.1
5. 10.2.4.1
6.  
7. 10.2's router has a route that any packets going to 10.4 go through 10.2.4.1
8. This works.
9.  
10. This is the 10.4 router
11. Nothing flows from 10.4 to 10.2
12.  
13. DNS and another service are on 10.2
14.  
15. $ cat /etc/pf.conf
16. ### macro name for external interface.
17. ext_if = "rl0"
18.  
19. ### and the one for the internal interface
20. int_if = "xl0"
21.  
22. ### We should not get external traffic from ANY of these addresses
23. martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
24. 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
25. 0.0.0.0/8, 240.0.0.0/4 }"
26.  
27. ### all incoming traffic on external interface is normalized and fragmented
28. ### packets are reassembled.
29. scrub in on $ext_if all fragment reassemble
30.  
31. ### Allow anything from the LAN
32. pass out quick on $int_if proto { tcp, udp, icmp } from any to any modulate state
33. pass in quick on $int_if flags S/SA synproxy state
34.  
35. ### set a default deny everything policy.
36. block all
37.  
38. ### exercise antispoofing on the external interface, but add the local
39. ### loopback interface as an exception, to prevent services utilizing the
40. ### local loop from being blocked accidentally.
41. set skip on lo0
42. antispoof for $ext_if inet
43.  
44. ### block anything coming from sources that we have no back routes for.
45. block in from no-route to any
46.  
47. ### block packets that fail a reverse path check. we look up the routing
48. ### table, check to make sure that the outbound is the same as the source
49. ### it came in on. if not, it is probably source address spoofed.
50. block in from urpf-failed to any
51.  
52. ### drop broadcast requests quietly.
53. block in quick on $ext_if from any to 255.255.255.255
54.  
55. ### block packets claiming to come from reserved internal address blocks, as
56. ### they are obviously forged and cannot be contacted from the outside world.
57. block in log quick on $ext_if from $martians to any
58. block out quick on $ext_if from any to $martians
59.  
60. ### block probes that can possibly determine our operating system by disallowing
61. ### certain combinations that are commonly used by nmap, queso and xprobe2, who
62. ### are attempting to fingerprint the server.
63. ### * F : FIN - Finish; end of session
64. ### * S : SYN - Synchronize; indicates request to start session
65. ### * R : RST - Reset; drop a connection
66. ### * P : PUSH - Push; packet is sent immediately
67. ### * A : ACK - Acknowledgement
68. ### * U : URG - Urgent
69. ### * E : ECE - Explicit Congestion Notification Echo
70. ### * W : CWR - Congestion Window Reduced
71. block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
72. block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
73. block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
74. block in quick on $ext_if proto tcp flags /WEUAPRSF
75. block in quick on $ext_if proto tcp flags SR/SR
76. block in quick on $ext_if proto tcp flags SF/SF
77.  
78. ### keep state on any outbound tcp, udp or icmp traffic. modulate the isn of
79. ### outgoing packets. (initial sequence number) broken operating systems
80. ### sometimes don't randomize this number, making it guessable.
81. pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
82.  
83. ### Allow ICMP (the OS automatically throttles ICMP)
84. pass in on $ext_if proto icmp to any keep state
85.  
86. ### normally, a client connects to the server and we handshake with them, then
87. ### proceed to exchange data. by telling pf to handshake proxy between the client
88. ### and our server, tcp syn flood attacts from ddos become uneffective because
89. ### a spoofed client cannot complete a handshake.
90. ### set a rule that allows inbound ssh traffic with synproxy handshaking.
91. pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
92.  
93. ### please don't let me break this... D=
94. pass in on $ext_if proto tcp from any to any port 8022 flags S/SA synproxy state
95.  
96. ### set a rule that allows inbound www traffic with synproxy handshaking.
97. pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state
98.  
99. ### Again for finger
100. pass in on $ext_if proto tcp from any to any port finger flags S/SA synproxy state
101.  
102. ### identd
103. pass in on $ext_if proto tcp from any to any port ident flags S/SA synproxy state
104.  
105. ### setup a table and ruleset that prevents excessive abuse by hosts
106. ### that attempt to brute force the ssh daemon with repeated requests.
107. ### any host that hammers more than 3 connections in 5 seconds gets
108. ### all their packet states killed and dropped into a blackhole table.
109. table <ssh_abuse> persist file "/etc/abuse/ssh_abuse"
110. block in log quick from <ssh_abuse>
111. pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 5, max-src-conn-rate 3/5, overload <ssh_abuse> flush global)
112.  
113. ### setup another table to block excessive http requests, but let's be nicer here.
114. table <http_abuse> persist file "/etc/abuse/http_abuse"
115. block in log quick from <http_abuse>
116. pass in on $ext_if proto tcp to any port www flags S/SA keep state (max-src-conn 24, max-src-conn-rate 32/5, overload <http_abuse> flush global)