PF - Seeking config remarks and advice.

rigoletto@

Hello,

I did an upgrade of my pf.conf and would like it if you could take a look at it and point out weak points, please.

Code:
### Interfaces ###
Ext_If = "em0"
Int_If = "em1"


### Hosts ###
HOST      = "192.168.0.200"
AFP_Jail  = "192.168.0.210"
WEB_Jail  = "192.168.0.254"
DNS1_Jail = "192.168.0.220"
DNS2_Jail = "192.168.0.221"


### Queues, States and Types ###
IcmpType = "echoreq"
SynState = "flags S/SAFR synproxy state"
TcpState = "flags S/SAFR modulate state"


### Stateful Tracking Options (STO) ###
Ssh_STO  = "(max  100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate  100/30, overload <bruteforce> flush global)"
Web_STO  = "(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <blocktemp> flush global)"


### Ports ###
tcp_AFP  = "{ 548 }"
tcp_DNS  = "{ 53 }"
udp_DNS  = "{ 53 }"


### Tables ###
table <fail2ban>   persist
table <bruteforce> persist
table <blocktemp>  counters
table <blockperm>  counters file "/usr/local/etc/blocked"
table <DNS_Host>   { $DNS1_Jail $DNS2_Jail }
table <local>      { 192.168.0.0/24 }


### Misc. Options ###
set skip on lo
set skip on lo1
set debug urgent
set block-policy drop
set loginterface $Ext_If
set state-policy if-bound
set fingerprints "/etc/pf.os"


### Normalization ###
scrub out on $Ext_If all fragment reassemble random-id
scrub in  on $Ext_If all fragment reassemble


### Antispoof ###
antispoof log quick for $Ext_If inet


### Filtering ###

# Block #
block drop log all
block quick from <bruteforce>
block quick from <blocktemp>
block quick from <blockperm>
block quick from <fail2ban>

# Pass OUT #
pass out all

# Pass IN ICMP #
pass inet proto icmp all icmp-type $IcmpType keep state
pass inet proto icmp from <local> to any keep state

# Pass IN TCP #
pass in quick proto tcp from <local> to $HOST      port ssh
pass in quick proto tcp from <local> to $AFP_Jail  port $tcp_AFP
pass in quick proto tcp from <local> to <DNS_Host> port $tcp_DNS

#pass in log on $Ext_If inet proto tcp from !($Ext_If) to $HOST     port ssh   $TcpState $Ssh_STO
pass in log on $Ext_If inet proto tcp from !($Ext_If) to $WEB_Jail port http  $TcpState $Web_STO
pass in log on $Ext_If inet proto tcp from !($Ext_If) to $WEB_Jail port https $TcpState $Web_STO

# Pass IN UDP #
pass in quick proto udp from <local> to <DNS_Host> port $udp_DNS

This new pf.conf was made using a lot of the Calomel example, and there are some things where I do not know exactly what difference they make:

[SOLVED] 1 - What is the difference between using $Ext_If, ($Ext_If), and !($Ext_If)?

[SOLVED] 2 - What do debug urgent and state-policy if-bound exactly do in practice?

3 - What would be good tracking options for a publicly available DNS server?

[SOLVED] 4 - Where can I find the list of default ports PF has pre-configured (i.e. https -> 443)?

Thank you! :)
 
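The Ssh_STO and Web_STO macros above, and the still-open question 3, hinge on what max-src-conn, max-src-conn-rate and overload ... flush global actually do. Below is an added Python model of those two limits, written for this thread and not taken from it or from pf itself; it uses an exact sliding window where pf computes a moving average, and note that pf.conf(5) counts only TCP connections that completed the 3-way handshake towards these limits, so for UDP DNS queries it is max-src-states that bounds a single source, not these two. The addresses and timings are constructed.

```python
from collections import defaultdict, deque

class SourceTracker:
    """Model of one pf rule with 'source-track rule' limits: max-src-conn
    (established TCP connections per source) and max-src-conn-rate
    number/seconds.  pf uses a moving average for the rate; this model uses
    an exact sliding window.  Crossing either limit puts the source into the
    overload table and, like 'flush global', kills every state it holds."""

    def __init__(self, max_src_conn, rate, rate_secs):
        self.max_src_conn, self.rate, self.rate_secs = max_src_conn, rate, rate_secs
        self.open = defaultdict(set)      # src -> ids of established connections
        self.recent = defaultdict(deque)  # src -> connection start times
        self.table = set()                # what 'overload <table>' would hold

    def new_conn(self, t, src, conn_id):
        """Verdict for a new connection at time t: 'pass', 'overload' or 'drop'."""
        if src in self.table:
            return "drop"                 # caught by 'block quick from <table>'
        window = self.recent[src]
        while window and t - window[0] >= self.rate_secs:
            window.popleft()              # forget starts outside the window
        window.append(t)
        self.open[src].add(conn_id)
        if len(self.open[src]) > self.max_src_conn or len(window) > self.rate:
            self.table.add(src)           # overload <table>
            self.open.pop(src, None)      # flush global: drop all its states
            self.recent.pop(src, None)
            return "overload"
        return "pass"

    def close_conn(self, src, conn_id):
        self.open[src].discard(conn_id)

def demo_ssh_sto():
    """Constructed traffic (not real logs) against the thread's Ssh_STO limits."""
    tr = SourceTracker(max_src_conn=10, rate=100, rate_secs=30)
    out = {}
    # 10.0.0.9 holds 11 sessions open at once: the 11th crosses max-src-conn 10
    v = [tr.new_conn(float(i), "10.0.0.9", i) for i in range(11)]
    out["conn_limit"] = (v[9], v[10])                          # ('pass', 'overload')
    out["after_overload"] = tr.new_conn(12.0, "10.0.0.9", 99)  # 'drop'
    # 10.0.0.7 opens and closes 101 short sessions in 20 s: crosses 100/30
    for i in range(101):
        last = tr.new_conn(0.2 * i, "10.0.0.7", i)
        tr.close_conn("10.0.0.7", i)
    out["rate_limit"] = last                                   # 'overload'
    out["normal"] = tr.new_conn(50.0, "10.0.0.5", 1)           # 'pass'
    out["table"] = sorted(tr.table)
    return out
```

Run demo_ssh_sto() to see that the short-session pattern trips the rate limit even though max-src-conn is never reached, which is the case to size for on a busy public service.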
If you use if-bound states you're putting more load on the processing of the ip packets. With that option set the packet filter has to also match the interface of every incoming packet with interface entries in the state table. This is almost always a waste of processing power and doesn't buy you any more security.
 
If you use if-bound states you're putting more load on the processing of the ip packets. With that option set the packet filter has to also match the interface of every incoming packet with interface entries in the state table. This is almost always a waste of processing power and doesn't buy you any more security.

I will remove it then.

Thank you.
 
I contacted Calomel about the differences between:

$Ext_If
this is the IP address of the interface when PF is loaded. If the IP address on the interface is static then using $ExtIf is fine.

($Ext_If)
the parentheses surrounding the interface name are included when the IP address of the external interface is dynamically assigned, like with DHCP. The parentheses ensure that network traffic runs without serious interruptions even if the external IP address changes.

!($Ext_If)
means NOT ($ExtIf). This is helpful when you want to make sure that traffic can originate from anywhere other than the ExtIf, to avoid network loops.
 