
(Software) pf BSD

[OpenBSD] pf Firewall

The pf firewall is configured in the file /etc/pf.conf (here for a server with a single interface, ix0):

# Network interface
ext_if="ix0"
# Macros to define the set of TCP and UDP ports to open
# on ext_if (for services set up on this server).
# Add additional ports or ranges separated by commas.
# mosh (http://mosh.mit.edu/) would additionally need UDP 60000-60010, not opened here.
tcp_services = "{22,80,443,53,5901}"
udp_services = "{53}" # DNS only; add OpenVPN or other UDP services here as needed
# If you block all ICMP requests you will break things like path MTU
# discovery. These macros define allowed ICMP types. The additional
# ICMPv6 types are for neighbor discovery (RFC 4861)
icmp_types = "{echoreq, unreach}"
icmp6_types="{echoreq, unreach, 133, 134, 135, 136, 137}"
# Private networks (if we need to block incoming traffic from them)
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }" # VPN addresses are deliberately excluded from this list

# TCP state is only created by an initial SYN (flags S/SA). The outgoing
# TCP rule below additionally uses "modulate state", which re-randomizes
# the initial sequence number for broken operating systems that don't
# randomize it themselves, leaving it guessable.
tcp_state="flags S/SA keep state"
udp_state="keep state"
# Don't send rejections. Just drop.
set block-policy drop
# Exempt the loopback interface to prevent services utilizing the
# local loop from being blocked accidentally.
set skip on lo0
set loginterface $ext_if
# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in all
scrub in on $ext_if all fragment reassemble

### filter rules
block in log all
antispoof for $ext_if inet
antispoof for $ext_if inet6
block in from urpf-failed to any
# drop broadcast requests quietly
block in quick on $ext_if from any to 255.255.255.255

# Rules that work with fail2ban:
table <fail2ban> persist
block quick proto tcp from <fail2ban> to $ext_if port ssh

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet6 proto tcp from any to any port $tcp_services $tcp_state

# allow access to udp_services on external interface
pass in on $ext_if inet proto udp from any to any port $udp_services $udp_state
pass in on $ext_if inet6 proto udp from any to any port $udp_services $udp_state

# allow in FTP control port
#pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state
pass inet6 proto icmp6 all icmp6-type $icmp6_types keep state

# allow tcp and udp traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

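The rule set above opens a handful of services inbound, and the macros make it easy to lose track of exactly which ones. The following script is an added example (not code from the page or from the pf project): it expands the macros and `{...}` lists of a pf.conf text and lists, per address family and protocol, the ports and ICMP types that `pass in` rules admit from the network. The sample pf.conf embedded in it is constructed from the page's own macros and pass rules; `pfctl -nf /etc/pf.conf` remains the authoritative syntax check before a reload.

```python
"""Summarize the inbound exposure declared by a pf.conf rule set.

Added example, not code from the page or from the pf project: it expands pf
macros ($name) and {a, b} lists, then lists what each 'pass in' rule (or a
bare 'pass', which applies to both directions) admits from the network.
"""
import re

# Constructed sample: the macros and pass rules from the page's pf.conf
SAMPLE_PF_CONF = """\
ext_if="ix0"
tcp_services = "{22,80,443,53,5901}"
udp_services = "{53}" # DNS only
icmp_types = "{echoreq, unreach}"
icmp6_types="{echoreq, unreach, 133, 134, 135, 136, 137}"
tcp_state="flags S/SA keep state"
udp_state="keep state"
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet6 proto tcp from any to any port $tcp_services $tcp_state
pass in on $ext_if inet proto udp from any to any port $udp_services $udp_state
pass in on $ext_if inet6 proto udp from any to any port $udp_services $udp_state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass inet6 proto icmp6 all icmp6-type $icmp6_types keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
"""

MACRO_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"')
LIST_OR_WORD = r"(\{[^}]*\}|\S+)"  # a {a, b, c} list or a single token

def strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment, ignoring '#' inside double quotes."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            break
        out.append(ch)
    return "".join(out).strip()

def parse_macros(text: str) -> dict:
    macros = {}
    for raw in text.splitlines():
        m = MACRO_RE.match(strip_comment(raw))
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def expand(line: str, macros: dict) -> str:
    """Replace every $name; an undefined macro is an error, as it is for pfctl."""
    def repl(m):
        if m.group(1) not in macros:
            raise KeyError(f"undefined macro ${m.group(1)}")
        return macros[m.group(1)]
    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", repl, line)

def split_list(value: str) -> list:
    """'{22,80, 443}' or '22' -> ['22', '80', '443']."""
    value = value.strip()
    if value.startswith("{") and value.endswith("}"):
        value = value[1:-1]
    return value.replace(",", " ").split()

def inbound_rules(text: str) -> list:
    macros = parse_macros(text)
    rules = []
    for raw in text.splitlines():
        line = strip_comment(raw)
        words = line.split()
        if not words or words[0] != "pass" or (len(words) > 1 and words[1] == "out"):
            continue
        line = expand(line, macros)
        af = re.search(r"\b(inet6?)\b", line)
        proto = re.search(r"\bproto\s+" + LIST_OR_WORD, line)
        port = re.search(r"\bport\s+" + LIST_OR_WORD, line)
        itype = re.search(r"\bicmp6?-type\s+" + LIST_OR_WORD, line)
        rules.append({
            "af": af.group(1) if af else "any",
            "protos": split_list(proto.group(1)) if proto else ["any"],
            "ports": split_list(port.group(1)) if port else [],
            "icmp_types": split_list(itype.group(1)) if itype else [],
        })
    return rules

def _sort_key(item: str):
    # numeric ports first, in numeric order, then named ports/ICMP types alphabetically
    return (not item.isdigit(), int(item) if item.isdigit() else 0, item)

def exposure(text: str) -> dict:
    """Map (address family, protocol) -> sorted ports or ICMP types admitted inbound."""
    result = {}
    for r in inbound_rules(text):
        for proto in r["protos"]:
            result.setdefault((r["af"], proto), set()).update(r["ports"] or r["icmp_types"])
    return {k: sorted(v, key=_sort_key) for k, v in result.items()}

if __name__ == "__main__":
    for (af, proto), items in sorted(exposure(SAMPLE_PF_CONF).items()):
        print(f"{af:5} {proto:6} {', '.join(items)}")
```

Pointing it at the real file (`exposure(open("/etc/pf.conf").read())`) gives a quick review of what the host exposes; a rule that references an undefined macro raises `KeyError`, the same class of mistake `pfctl -nf` rejects.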

pfstat and pflog are added to it (to log events and draw graphs):

pkg inst pflog pfstat

To start the services automatically, add the following lines to /etc/rc.conf:

pf_enable="YES"                 # enable pf; file sharing (CIFS, NFS, etc.) needs its ports opened in pf.conf
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup
pflogd_enable="YES"
pfsync_enable="YES"
pfstatd_enable="YES"
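The file pflogd writes (/var/log/pflog above) is a pcap capture, read with `tcpdump -n -e -tttt -r /var/log/pflog`. The rc.conf variables shown are FreeBSD's; OpenBSD enables pf and pflogd by default, so only the reading side applies there. The script below is an added example (not code from the page or from the pf project): it parses tcpdump's text output for pflog and summarizes the blocked inbound packets per source and per rule number, and flags sources that probed several destination ports, which is the kind of view that tells a defender whether the `block in log all` rule is catching scans or mis-blocking a legitimate peer. The sample log lines are constructed, in the FreeBSD tcpdump layout with one line in the OpenBSD layout.

```python
"""Summarize blocked traffic from a pflog(4) capture.

Added example, not code from the page or from the pf project. It parses the
text that 'tcpdump -n -e -tttt -r /var/log/pflog' prints for the file pflogd
writes, and reports blocked inbound packets per source and per rule number,
plus the sources that probed several destination ports.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in FreeBSD tcpdump style ('rule N/M(match):'); the sixth
# line uses the OpenBSD form 'rule N/(match)', which the regex also accepts.
SAMPLE_PFLOG = """\
2019-03-31 13:10:01.000001 rule 0/0(match): block in on ix0: 203.0.113.7.51234 > 198.51.100.20.23: Flags [S], seq 1, win 1024, length 0
2019-03-31 13:10:02.000002 rule 0/0(match): block in on ix0: 203.0.113.7.51235 > 198.51.100.20.3389: Flags [S], seq 1, win 1024, length 0
2019-03-31 13:10:03.000003 rule 0/0(match): block in on ix0: 203.0.113.7.51236 > 198.51.100.20.445: Flags [S], seq 1, win 1024, length 0
2019-03-31 13:10:04.000004 rule 0/0(match): block in on ix0: 203.0.113.7.51237 > 198.51.100.20.8080: Flags [S], seq 1, win 1024, length 0
2019-03-31 13:10:05.000005 rule 5/0(match): block in on ix0: 192.168.1.9.40000 > 198.51.100.20.80: Flags [S], seq 7, win 65535, length 0
2019-03-31 13:10:06.000006 rule 0/(match) block in on ix0: 2001:db8::9.55555 > 2001:db8:1::20.22: Flags [S], seq 9, win 65535, length 0
2019-03-31 13:10:07.000007 rule 0/0(match): block in on ix0: 198.51.100.77 > 198.51.100.20: ICMP time exceeded in-transit, length 36
2019-03-31 13:10:08.000008 rule 9/0(match): block out on ix0: 198.51.100.20.5000 > 10.9.9.9.443: Flags [S], seq 3, win 65535, length 0
"""

ADDR = r"(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+)"  # IPv4 dotted quad or IPv6
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\S*?\(match\):?\s+(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"\s+on\s+(?P<ifname>\S+):\s+(?:IP6?\s+)?"
    rf"(?P<src>{ADDR})(?:\.(?P<sport>\d+))?\s+>\s+(?P<dst>{ADDR})(?:\.(?P<dport>\d+))?:\s"
)

def parse_pflog(text: str) -> list:
    """One dict per parsed line; lines tcpdump printed in another layout are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["sport"] = int(e["sport"]) if e["sport"] else None  # ICMP has no ports
        e["dport"] = int(e["dport"]) if e["dport"] else None
        events.append(e)
    return events

def summarize(events: list, scan_threshold: int = 3) -> dict:
    """Counts over blocked inbound packets; 'scanners' hit >= scan_threshold ports."""
    blocked_in = [e for e in events if e["action"] == "block" and e["dir"] == "in"]
    ports_by_source = defaultdict(set)
    for e in blocked_in:
        if e["dport"] is not None:
            ports_by_source[e["src"]].add(e["dport"])
    return {
        "blocked_in": len(blocked_in),
        "per_source": Counter(e["src"] for e in blocked_in),
        "per_rule": Counter(e["rule"] for e in blocked_in),
        "per_dport": Counter(e["dport"] for e in blocked_in if e["dport"] is not None),
        "scanners": sorted(s for s, p in ports_by_source.items() if len(p) >= scan_threshold),
    }

if __name__ == "__main__":
    report = summarize(parse_pflog(SAMPLE_PFLOG))
    print(f"blocked inbound packets: {report['blocked_in']}")
    for src, n in report["per_source"].most_common(5):
        print(f"  {src:20} {n}")
    print("rule hits:", dict(report["per_rule"]))
    print("sources probing several ports:", report["scanners"])
```

The rule numbers in the report are the `@N` indices that `pfctl -vvsr` prints, so a rule that fires unexpectedly often can be traced back to its line in pf.conf; in a live setup the text would come from the tcpdump command above rather than the embedded sample.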

This document was published on 2018-06-28 14:25:35. (Last updated: 2019-03-31 13:12:27.)