On 5/23/14, David Noel <david.i.noel@gmail.com> wrote:
> On 5/20/14, Lucius Rizzo <Lucius.Rizzo@the.ie> wrote:
>> If you use any of the firewalls, and have interesting
>> or even optimized rule sets, I would really like to see them :)
>
> I'll post them shortly.
> Let me know if I missed anything.

###########################
## Macros ##
###########################
ext_if="em0"
#jail_ips="{192.168.1.21,192.168.1.22,192.168.1.23,192.168.1.24}"
lan_ip="192.168.1.20"
lan_subnet="192.168.1.0/24"

###########################
## Tables ##
###########################
# set up abuse detection and prevention
# any host that hammers more than 3 connections in 5 seconds
# gets their packet states killed and address blackholed
#table <ssh_abuse> persist file "/var/db/pf.blacklist"

###########################
## Options ##
###########################
set fingerprints "/etc/pf.os"
set debug urgent
set block-policy drop
set skip on lo0
set limit frags 5000                # default
set limit src-nodes 5000            # default
set limit states 10000              # default
set limit tables 1000               # default
set limit table-entries 200000      # default
set loginterface $ext_if
set optimization normal             # default
set ruleset-optimization basic      # default
set state-policy floating           # default
set timeout interval 10             # default
set timeout frag 30                 # default
set timeout src.track 0             # default

###########################
## Traffic Normalization ##
###########################
# normalize and reassemble fragments on all incoming traffic
# scrub in on $ext_if all fragment reassemble
scrub in on $ext_if all random-id fragment reassemble

###########################
## Queueing Rules ##
###########################

###########################
## Translation Rules ##
###########################
#nat on $ext_if inet proto { tcp, udp, icmp } from $jail_ips to $lan_subnet -> $lan_ip
#nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
#nat on $ext_if from !($ext_if) to any -> 192.168.1.20
#nat pass on $ext_if from $lan_subnet to any -> 192.168.1.20
#nat on $ext_if from 192.168.1.21 to any -> 192.168.1.20

###########################
## Packet Filtering ##
###########################
# default to drop everything
#block in log all
block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

# block ipv6
#block drop in quick inet6 label "default in deny ipv6 rule"
#block drop out quick inet6 label "default out deny ipv6 rule"

# enable antispoofing
antispoof log quick for $ext_if inet label "antispoof rule"

# block all if there is no route back to the source
block in log quick from no-route to any label "no-route rule"

# block all if the reverse path check fails (probably spoofed)
block in log quick from urpf-failed to any label "reverse lookup failed rule (probably spoofed)"

# drop broadcast requests quietly
block in log quick on $ext_if from any to 255.255.255.255

# block os-fingerprinting probes
# F=FIN,S=SYN,R=RST,P=PUSH,A=ACK,U=URG,E=ECE,W=CWR
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF
block in log quick on $ext_if proto tcp flags FUP/FUP
block in log quick on $ext_if from any os "NMAP" to any label "NMAP scan block rule"

# keep state on any outbound tcp, udp, or icmp traffic
# modulate the isn (initial sequence number) of outgoing packets
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
## how to allow only certain outbound ports? is needed?

# allow inbound postgresql connections
#pass in on $ext_if proto {tcp,udp} from 192.168.1.20 to $ext_if port = 5432

# allow inbound ssh traffic with synproxy handshaking
#pass in log on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

# allow inbound www traffic with synproxy handshaking
#pass in log on $ext_if proto tcp from any to any port www flags S/SA synproxy state

# uses table defined above for blacklisting
#block in quick from <ssh_abuse>
#pass in on $ext_if proto tcp to any port {ssh,www} flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
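The "flags set/mask" clauses in the probe-blocking rules above are easy to misread. The following is an added example, not code from the post or from pf itself: a small Python model of how pf evaluates `flags a/b` (of the bits named in b, exactly the bits in a must be set), run in the ruleset's `quick` order against constructed packet flag strings, so you can see which malformed combinations each rule catches and which ordinary packets fall through to later rules.

```python
from typing import FrozenSet, Optional, Tuple

# F=FIN,S=SYN,R=RST,P=PUSH,A=ACK,U=URG,E=ECE,W=CWR (pf's flag letters)
TCP_FLAGS = frozenset("FSRPAUEW")


def parse_flags_clause(clause: str) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Parse 'FUP/WEUAPRSF' into (set_bits, mask_bits).
    An empty left side, as in '/WEUAPRSF', means none of the masked
    bits may be set (the "null" packet)."""
    left, _, right = clause.partition("/")
    want, mask = frozenset(left), frozenset(right)
    if not (want | mask) <= TCP_FLAGS or not want <= mask:
        raise ValueError("bad flags clause: %r" % clause)
    return want, mask


def flags_match(packet_flags: str, clause: str) -> bool:
    """True if a packet carrying packet_flags matches 'flags <clause>':
    pf looks only at the mask bits and requires them to equal the set bits."""
    want, mask = parse_flags_clause(clause)
    return frozenset(packet_flags) & mask == want


# The probe-blocking clauses from the ruleset in the post, in rule order.
PROBE_CLAUSES = [
    "FUP/WEUAPRSF",       # only FIN+URG+PSH set (Xmas-style probe)
    "WEUAPRSF/WEUAPRSF",  # every flag set
    "SRAFU/WEUAPRSF",     # exactly SYN+RST+ACK+FIN+URG
    "/WEUAPRSF",          # no flags at all (null probe)
    "SR/SR",              # SYN and RST together, other bits ignored
    "SF/SF",              # SYN and FIN together, other bits ignored
    "FUP/FUP",            # FIN+URG+PSH together, other bits ignored
]


def first_blocking_clause(packet_flags: str) -> Optional[str]:
    """Mimic 'block ... quick': the first matching rule decides, so this
    returns the clause that would block the packet, or None if none does."""
    for clause in PROBE_CLAUSES:
        if flags_match(packet_flags, clause):
            return clause
    return None


if __name__ == "__main__":
    # Constructed sample packets: a normal SYN, SYN/ACK, data, and probes.
    for flags in ["S", "SA", "PA", "", "FUP", "FUPA", "SF", "SR", "WEUAPRSF"]:
        print("%9s -> %s" % (flags or "(none)", first_blocking_clause(flags)))
```

Note that `SR/SR` and `SF/SF` match regardless of the other bits, while the `/WEUAPRSF` forms require the whole header to look exactly as stated; a plain SYN or SYN/ACK is never caught, so these rules cannot block legitimate handshakes.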