PF pf config & log questions

[Mayhem30]

I'm trying to understand how to read the logs properly.

00:00:00.019892 rule 0..16777216/0(match): block in on em0: 180.188.246.156.29044 > 11.22.33.44.23: Flags S, seq 1208588937, win 23644, length 0
00:00:01.172317 rule 0..16777216/0(match): block in on em0: 151.226.32.226.24131 > 11.22.33.44.5900: Flags S, seq 1208588934, win 15147, length 0

For the IP address 11.22.33.44.xx, is xx the port number?

As for the pf.conf file, is it really necessary to restrict outbound traffic? What's wrong / could go wrong with doing something like this?

block in all
pass in on $EXT_IF keep state
block in quick from <fail2ban> to any
pass in on ...

I'm assuming omitting the word quick from the "pass in" rule above, further "pass in" and "block in" rules will be evaluated below?

I have my own dedicated server and I'm trying to keep things a simple as possible in order not to break nginx, apache, postfix, dovecot, etc

 

[SirDice]

For the IP address 11.22.33.44.xx, is xx the port number?

Correct.

As for the pf.conf file, is it really necessary to restrict outbound traffic? What's wrong / could go wrong with doing something like this?

Filtering outgoing traffic is good practice. Suppose your system got hacked, the outgoing rules could prevent your infection spreading to others. Or prevent the malware from contacting its command and control. It's good to always assume the worst possible outcome and build your rules based on that. No guarantees of course, if your attacker manages to gain root access the attacker can disable or modify the firewall. But most infections run on 'regular' user accounts, typically www if it's a web application.

I'm assuming omitting the word quick from the "pass in" rule above, further "pass in" and "block in" rules will be evaluated below?

Yes. The quick keyword causes PF to stop evaluating further rules.

 

[Mayhem30]

Ok, I'll filter outgoing traffic as well then. Is this the proper way to handle the start of the rules?

Block all, then the pass in/out rules (without quick) and finally the real filtering rules below?

block log all

pass in on $EXT_IF keep state
pass out on $EXT_IF keep state

block quick from <fail2ban> to any
....

The examples I've seen on the internet don't include the pass in / pass out rules after the "block all" line - which confuses me.

 

[Mayhem30]

I managed to figure it how to handle the rules.

However, I seem to be having issues with a couple of things.

1) Some -not all- IP addresses are getting blocked when trying to access the web server (and vice versa).
2) Postfix emails immediately go into queue are not delivered while using the new pf rules.

Any ideas?

PF Logs for webserver:

00:00:00.003019 rule 32..16777216/0(match): block in on em0: 46.229.168.70.14320 > xx.xx.xx.xx.80: Flags ...
00:00:01.275409 rule 32..16777216/0(match): block out on em0: xx.xx.xx.xx.80 > 104.138.184.250.5617: Flags ...

Postfix Logs :

Sep 28 22:33:53 localhost postfix/smtpd[39576]: connect from smtp-out-no.example.com[xx.59.134.9]
Sep 28 22:33:55 localhost policyd-spf[39587]: None; identity=helo; client-ip=xx.59.134.9; helo=smtp-out-no.example.com; envelope-from=test@example.com; receiver=ken@mydomain.com
Sep 28 22:33:55 localhost policyd-spf[39587]: Pass; identity=mailfrom; client-ip=xx.59.134.9; helo=smtp-out-no.example.com; envelope-from=test@example.com; receiver=ken@mydomain.com
Sep 28 22:33:55 localhost postfix/smtpd[39576]: 2088845CE27: client=smtp-out-no.example.com[xx.59.134.9]
Sep 28 22:33:55 localhost postfix/cleanup[39588]: 2088845CE27: message-id=<2B4AA6AEE5434870A2CF5E985302EDCC@MCS2>
Sep 28 22:33:55 localhost postfix/qmgr[23622]: 2088845CE27: from=<test@example.com>, size=2620, nrcpt=1 (queue active)

PF Config:

EXT_IF="em0"

MAIL="xx.xx.xx.xx"
WHITELIST="xx.xx.xx.xx"
SSH="xxxx"
ALLOWED_ICMP_TYPES="echoreq"

# set limit { states 20000, frags 20000 }

set optimization aggressive
set block-policy return
set state-policy if-bound
set skip on lo0

table <blacklist> persist
table <fail2ban> persist

# http://openbsd.default.rs/faq/pf/scrub.html
scrub in on $EXT_IF all fragment reassemble

# alternate smtp port - this is needed so I can send mail with <domain>
rdr on $EXT_IF proto tcp from $WHITELIST to $MAIL port 587 -> $MAIL port 25

pass in quick on $EXT_IF proto { tcp, udp } from any to xx.xx.xx.xx port $SSH

# block anything coming from source we have no back routes for
block in log quick on $EXT_IF from no-route to any

# block anyone who is banned - and ignore any further rules below
block quick from <blacklist> to any
block quick from <fail2ban> to any

# block packets claiming to come from reserved internal address blocks, as
# they are obviously forged and cannot be contacted from the outside world.
block in quick on $EXT_IF from 10.0.0.0/8 to any
block in quick on $EXT_IF from 172.16.0.0/12 to any
block in quick on $EXT_IF from 192.168.0.0/16 to any

# Allows inbound www traffic with synproxy handshaking.
pass in quick on $EXT_IF proto tcp from any to any port { 80, 443 } flags S/SA synproxy state
pass out quick on $EXT_IF proto tcp from any to any port { 80, 443 } flags S/SA synproxy state

# Allow mail (postfix, dovecot)
pass in quick on $EXT_IF proto tcp from any to any port { 25, 143, 465, 587, 993, 995 } flags S/SA synproxy state
pass out quick on $EXT_IF proto tcp from any to any port { 25, 143, 465, 587, 993, 995 } flags S/SA synproxy state

# Allow select ICMP types in and PING to leave the server
pass in quick inet proto icmp all icmp-type $ALLOWED_ICMP_TYPES keep state
pass out quick inet proto icmp all keep state

# Traceroute
pass out quick on $EXT_IF inet proto udp from any to any port 33433 >< 33626 keep state

# Allow NTP, DNS
pass out quick on $EXT_IF proto { tcp, udp } to any port { ntp, domain }

# block ssh scanners
pass in log quick on $EXT_IF proto tcp from any to any port $SSH \
        flags S/SA synproxy state \
        (max-src-conn-rate 3/30, overload <blacklist> flush global)

# deny everything not allowed above
block log quick all