PF Tightening PF conf even further for my mail server?

Hello there. I've finished setting up my mail server. Just for the sake of security and connection stability, I tried to implement a PF firewall as well for my services.

Before I proceed and move my mail server into production, could someone please take a quick look at my pf.conf file and give me feedback and suggestions, if any?

Thank you!

Code:
ext_if="vio0"

icmp_types = "{ echoreq, unreach, timex }"
# RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls
icmp6_types = "{ echoreq, unreach, timex, toobig, paramprob, neighbrsol }"

table <whitelist> persist file "/var/pf/whitelist.txt"
table <pfbadhost> persist file "/var/pf/badhost.txt"

set ruleset-optimization basic
set optimization normal
set limit { states 200000, frags 200000, src-nodes 100000, table-entries 350000 }

set reassemble yes

set block-policy drop

set loginterface $ext_if

set skip on lo

match in all scrub (no-df random-id)

antispoof for $ext_if

block drop in log quick on $ext_if from <pfbadhost>

block return in log all

pass quick inet proto icmp icmp-type $icmp_types max-pkt-rate 100/10
pass quick proto ipv6-icmp from any to any max-pkt-rate 100/10

# Whitelist
pass quick from <whitelist> to any flags any keep state

# allow SSH (2222), SMTP, POP3, IMAP and Rspamd stuff
pass in quick on $ext_if proto tcp from any to port { 2222, smtp, submission, smtps, imap, imaps, pop3, pop3s, www, https, 11335 }

# I only want my server and daemons able to resolve domains, hostnames over the Internet and have an up-to-date time.. So do I really need this?
pass out quick on $ext_if proto udp from any to port { ntp, domain }

# outbound traffic
pass out quick on $ext_if proto tcp from any to any
pass out quick on $ext_if proto udp from any to any
 
The last two kind of overrule the pass out rule for NTP and DNS. Also, for DNS you should allow TCP/53 too. But the rule is rather useless if you follow it up with an allow-all.

You could further restrict rules like this:
Code:
pass out quick on $ext_if proto udp from any to port { ntp, domain }
To:
Code:
pass out quick on $ext_if proto udp from ($ext_if) to any port { ntp, domain }

Same with the incoming rules:
Code:
pass in quick on $ext_if proto tcp from any to port { 2222, smtp, submission, smtps, imap, imaps, pop3, pop3s, www, https, 11335 }

To:
Code:
allowed_tcp="{ 2222, smtp, submission, smtps, imap, imaps, pop3, pop3s, www, https, 11335 }"

pass in quick on $ext_if proto tcp from any to ($ext_if) port $allowed_tcp
 
Thanks a lot SirDice, much appreciated!

Decided to remove:

pass out quick on $ext_if proto tcp from any to any
pass out quick on $ext_if proto udp from any to any

and had a warning message from Rspamd:
Code:
#10592(controller) <9i1dgi>; map; http_map_error: error reading https://www.openphish.com/feed.txt(146.185.189.167:443): connection with http server terminated incorrectly: ssl connect error: syscall fail: Broken pipe

Then I had to allow at least ports 80 and 443 towards the outside with:
Code:
pass out quick on $ext_if proto tcp from ($ext_if) to any port { www, https }

I also added TCP port 53 to the "allowed_tcp" list.

So, the final configuration is as follows now. Any further tips & tricks or feedback?

Code:
ext_if="vio0"

# note: this list is only applied by the inbound rule below, so 53 and ssh here open
# inbound TCP/53 and TCP/22; they do not allow outbound DNS over TCP
allowed_tcp="{ 53, 2222, ssh, smtp, submission, smtps, imap, imaps, pop3, pop3s, www, https, 11335 }"
icmp_types = "{ echoreq, unreach, timex }"
# RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls
icmp6_types = "{ echoreq, unreach, timex, toobig, paramprob, neighbrsol }"

table <whitelist> persist file "/var/pf/whitelist.txt"
table <pfbadhost> persist file "/var/pf/badhost.txt"
table <sshguard> persist

set ruleset-optimization basic
set optimization normal
set limit { states 200000, frags 200000, src-nodes 100000, table-entries 350000 }

set reassemble yes

set block-policy drop

set loginterface $ext_if

set skip on lo

match in all scrub (no-df random-id)

antispoof for $ext_if

block in quick proto tcp from <sshguard>
block drop in log quick on $ext_if from <pfbadhost>
# inbound only: there is no "block out", so outbound packets without a matching
# pass out rule leave statelessly and their replies are dropped by this rule
block return in log all

pass quick inet proto icmp icmp-type $icmp_types max-pkt-rate 100/10
# note: $icmp6_types is defined above but not used here, so every ICMPv6 type is passed
pass quick proto ipv6-icmp from any to any max-pkt-rate 100/10

# Whitelist (no direction or interface: matches in and out on every interface)
pass quick from <whitelist> to any flags any keep state

# allow SSH, SMTP, POP3, IMAP etc from allowed_tcp ports list
pass in quick on $ext_if proto tcp from any to ($ext_if) port $allowed_tcp
# outbound DNS over UDP only: with no pass out for TCP/53, truncated or large
# DNS answers cannot be retried over TCP
pass out quick on $ext_if proto udp from ($ext_if) to any port { ntp, domain }

# Rspamd needs this
pass out quick on $ext_if proto tcp from ($ext_if) to any port { www, https }
 
And oh, my latest new rule is (added smtp):
Code:
# SMTP sending and Rspamd needs this
pass out quick on $ext_if proto tcp from ($ext_if) to any port { smtp, www, https }

(had to allow port 25 outgoing, couldn't send e-mails from my mail server otherwise)
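A tightened ruleset that follows the advice in this thread end to end, as an added example; this is the editor's code, not the OP's or SirDice's pf.conf. It keeps the thread's interface, tables, limits and service ports, and changes what the thread left open: a default deny in both directions, outbound TCP/53 for DNS, ICMPv6 restricted to the listed types, the whitelist tied to inbound on the external interface, and inbound TCP/53 and TCP/22 removed from the service list. The <bruteforce> table and its 15-connections-per-30-seconds threshold, the extra ICMPv6 types for neighbour and router discovery, and the note on outbound UDP 11335 for Rspamd's fuzzy check are assumptions not taken from the thread; OpenBSD pf syntax is assumed because vio0 is OpenBSD's virtio interface name.

```pf
# Added example: a tightened pf.conf for the mail server in this thread.
# Editor's example, not the OP's or SirDice's configuration.
# Assumptions not from the thread: OpenBSD pf syntax (vio0 is OpenBSD's
# virtio NIC), the <bruteforce> table and its 15/30s threshold, the extra
# ICMPv6 types for neighbour/router discovery, and that SSH listens on 2222 only.

ext_if = "vio0"

# Inbound services the Internet may reach. TCP/53 and ssh (22) from the
# thread's final list are left out: putting them here opened inbound TCP/53
# and TCP/22, which is not what "allow TCP/53 for DNS" meant (that is outbound).
# 11335 is Rspamd's default fuzzy storage worker port.
in_tcp   = "{ smtp, submission, smtps, imap, imaps, pop3, pop3s, www, https, 11335 }"
ssh_port = "2222"

# Outbound: DNS over UDP and TCP, NTP, HTTP(S) for Rspamd map downloads, SMTP delivery.
# If Rspamd's fuzzy_check is enabled it also needs UDP 11335 out (assumption; not in the thread).
out_udp = "{ domain, ntp }"
out_tcp = "{ domain, smtp, www, https }"

icmp_types = "{ echoreq, unreach, timex }"
# RFC 4890 set from the thread; neighbradv and routeradv added (assumption) so
# unsolicited neighbour/router advertisements are still accepted once ICMPv6
# is no longer passed wholesale
icmp6_types = "{ echoreq, unreach, timex, toobig, paramprob, neighbrsol, neighbradv, routeradv }"

table <whitelist>  persist file "/var/pf/whitelist.txt"
table <pfbadhost>  persist file "/var/pf/badhost.txt"
table <sshguard>   persist
table <bruteforce> persist      # filled by the overload rule on the SSH port

set ruleset-optimization basic
set optimization normal
set limit { states 200000, frags 200000, src-nodes 100000, table-entries 350000 }
set reassemble yes
set block-policy drop
set loginterface $ext_if
set skip on lo

match in all scrub (no-df random-id)
antispoof for $ext_if

# Default deny in both directions. The thread's "block return in log all"
# blocked inbound only, so outbound packets with no "pass out" rule left
# statelessly and their replies died on the inbound block; that is why
# Rspamd broke until explicit "pass out" rules were added.
block log all

# Blocklists first, with quick so nothing below can override them
block drop in log quick on $ext_if from { <pfbadhost>, <bruteforce> }
block in quick on $ext_if proto tcp from <sshguard>

# ICMP: only the listed types, rate limited
pass quick inet  proto icmp      icmp-type  $icmp_types  max-pkt-rate 100/10
pass quick inet6 proto ipv6-icmp icmp6-type $icmp6_types max-pkt-rate 100/10

# Operator whitelist: inbound only, to this host, on the external interface
# (the thread's rule matched both directions on every interface)
pass in quick on $ext_if from <whitelist> to ($ext_if)

# SSH: more than 15 new connections in 30 s from one source puts it in
# <bruteforce> and flushes its existing states
pass in quick on $ext_if proto tcp from any to ($ext_if) port $ssh_port \
    keep state (max-src-conn-rate 15/30, overload <bruteforce> flush global)

# Mail and web services
pass in quick on $ext_if proto tcp from any to ($ext_if) port $in_tcp

# Outbound, sourced from this host's own address only
pass out quick on $ext_if proto udp from ($ext_if) to any port $out_udp
pass out quick on $ext_if proto tcp from ($ext_if) to any port $out_tcp
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -t bruteforce -T show` lists the sources that tripped the SSH limit. Because `block log all` now drops unmatched outbound traffic too, anything on the host that still needs to talk out (a package mirror, a monitoring agent) has to get its own `pass out` rule rather than relying on the old implicit pass.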
 