pfctl firewall question on FreeBSD server question

DanLM
I will soon be in the position where I will be the proud lease owner of a server (FreeBSD) that will be used for hosting a number of different accounts (irc, web site, and Internet radio). Please don't bust my chops because I still do irc; I met my current wife-to-be on irc. And she is a teacher of 22 (something like that anyway).
There will be a hardware firewall in front of this server which I have no control over, but it has defenses in place for dealing with DDoS attacks. And they work; I have been leasing shells off this company for 12 years. But, to deal with ssh/ftp brute force attempts, I wish to put in place pfctl rules on the server. I have written pfctl rules, but never for multiple external IPs, of which there will be 7 at start up. So, I need a second set of eyes to look at what I have put together, which, by the way, is based to a certain extent on what I am using on my home BSD machine. They are as follows:
intf_in = "vr0"

# lists in macros must be quoted, otherwise pfctl reports a syntax error
ircd_pass = "{ 6659 7001 }"
ftp_ssh_pass = "{ 21 22 }"
web_pass = "{ 80 8080 }"
ssl_pass = "{ 443 }"

set optimization normal
set block-policy drop
set state-policy if-bound
set loginterface vr0

table <ircdips> { 192.168.1.100, 192.168.1.101, 192.168.1.102 }
table <webips> { 192.168.1.102, 192.168.1.103, 192.168.1.104 }
table <sslips> { 192.168.1.102, 192.168.1.103 }

# block all ip addresses from china. They are the assholes that are
# port scanning me constantly.
#
table <idiotblacklist> persist file "/etc/ib.pf.blacklist"
table <floodtable>
table <LinuxProbe>

#set require-order yes
set fingerprints "/etc/pf.os"

scrub in all
scrub out on $intf_in all random-id
scrub reassemble tcp

antispoof quick for lo0
antispoof quick for $intf_in
block in all

block log quick on $intf_in proto tcp from any os "Linux" to any port ssh

# block public pings
block in quick on $intf_in inet proto icmp all icmp-type 8

# Block ident
block in quick on $intf_in proto tcp from any to any port 113

block in log quick from <idiotblacklist> to any
block in log quick from <floodtable> to any

pass quick from lo0 to any keep state

# ssh/ftp: more than 10 open connections, or more than 5 new ones in 20 s,
# from one source puts that source into <floodtable> and flushes its states
pass in on $intf_in proto tcp to $intf_in port $ftp_ssh_pass flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/20, overload <floodtable> flush)

# inbound: clients connect *to* the addresses in the table, so the table
# belongs after "to", not after "from"
pass in on $intf_in proto tcp to <ircdips> port $ircd_pass
pass out on $intf_in proto tcp from <ircdips> to port $ircd_pass

pass in on $intf_in proto tcp to <webips> port $web_pass
pass out on $intf_in proto tcp from <webips> to port $web_pass


Now, the biggest problem that I have noticed on my home machine is brute force attempts, which the threshold should deal with. I have written some scripts that parse the pf.log and ftp logs for blocks and add to the idiotblocker table, which is a file, which makes the blocks more permanent. This script gets executed every 2 minutes. I will also be looking at the hosts.allow rules for tightening things down there.

I don't expect to make a lot of money off this server (if I break even I'll be lucky), but I'll be damned if I'm going to let some twit brute force his way into that machine if I can help it.

What I want out of those rules are as follows:
1). Segregate the rules by web IPs, ircd IPs, and ssl IPs. These will be the different types of accounts.
2). Only allow the ports required for those types of accounts to be open on the respective IPs.
3). When a block occurs, it is to occur across all IPs. (I'm still questioning this in my mind.)

On my home machine, I have ftp set up for active only. On the business server, I probably should set it up as passive. But I have no idea how to build firewall rules for passive ftp. I could reserve an IP for ftp only, and not allow it on any other IP.

Constructive criticism is greatly appreciated here. And if I did something right, please tell me before I get ticked at myself and delete it for something else.

Dan
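The three wishlist items and the passive FTP question above, worked as one complete pf.conf. This is an added example, not DanLM's ruleset: the interface name, the 192.0.2.x documentation addresses standing in for the seven public IPs, the dedicated FTP and SSH addresses, and the passive data range 50000-50100 are all assumptions and must match the real daemon configuration.

```pf
# Added example, not the poster's ruleset. Assumed: external interface vr0,
# 192.0.2.x (documentation space) for the server's public addresses, and an
# FTP daemon configured to hand out passive data ports 50000-50100.
ext_if = "vr0"

ssh_ports      = "{ 22 }"
ftp_ctl_port   = "21"
ftp_pasv_ports = "50000:50100"   # must equal the daemon's passive range
irc_ports      = "{ 6659 7001 }"
web_ports      = "{ 80 8080 }"
ssl_ports      = "{ 443 }"

# Per-service address tables (wishlist 1). One address may sit in several.
table <ircdips> const { 192.0.2.10, 192.0.2.11, 192.0.2.12 }
table <webips>  const { 192.0.2.12, 192.0.2.13, 192.0.2.14 }
table <sslips>  const { 192.0.2.12, 192.0.2.13 }
table <ftpips>  const { 192.0.2.15 }   # FTP confined to its own address
table <sships>  const { 192.0.2.16 }   # admin access only on this one

# Abuser tables. They match the *source* address, so a host that trips the
# limiter on one IP is dropped on every one of the server's IPs (wishlist 3).
table <floodtable> persist
table <idiotblacklist> persist file "/etc/ib.pf.blacklist"

set block-policy drop
set loginterface $ext_if
set skip on lo0

scrub in all

antispoof quick for $ext_if

# Blocks first, with quick, so no pass rule below can re-admit these sources.
block in log quick on $ext_if from <idiotblacklist>
block in log quick on $ext_if from <floodtable>

# Default deny inbound; the server's own outbound connections are allowed.
block in log on $ext_if
pass out on $ext_if keep state

# Brute-force limiter on SSH and on the FTP control channel: more than 10
# open connections, or more than 5 new ones within 20 s, moves the source
# into <floodtable> and flushes the states it already holds.
pass in on $ext_if proto tcp to <sships> port $ssh_ports flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/20, overload <floodtable> flush)
pass in on $ext_if proto tcp to <ftpips> port $ftp_ctl_port flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/20, overload <floodtable> flush)

# Passive FTP: the client opens a second connection to a port the server
# announced from its passive range, so that range is opened inbound, but
# only on the FTP address.
pass in on $ext_if proto tcp to <ftpips> port $ftp_pasv_ports flags S/SA keep state

# Service ports only on the addresses assigned to that service (wishlist 2).
pass in on $ext_if proto tcp to <ircdips> port $irc_ports flags S/SA keep state
pass in on $ext_if proto tcp to <webips>  port $web_ports flags S/SA keep state
pass in on $ext_if proto tcp to <sslips>  port $ssl_ports flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch who the limiter catches with `pfctl -t floodtable -T show`. Entries added by `overload` stay until removed; `pfctl -t floodtable -T expire 3600` from cron drops entries older than an hour, which is the usual middle ground between a permanent block and none. Note that `max-src-conn-rate` counts TCP connections, not failed logins, so a patient attacker who stays under 5 connections per 20 s is never seen by pf; that is the gap a log-parsing script fills.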
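The log-parsing script mentioned above, as an added example that is not DanLM's script: it counts sshd "Failed password" lines per source address, prints the sources at or over a threshold, and adds them both to the live table and to the persistent file the table is loaded from. The sshd log format and the table/file names are assumptions; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes OpenSSH-style syslog lines
# ("Failed password ... from A.B.C.D port N"); adjust the grep/sed for other
# daemons (the ftp log, for instance). Sample lines below are constructed.
SAMPLE_LOG='Mar  3 04:11:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Mar  3 04:11:05 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Mar  3 04:11:09 host sshd[1234]: Failed password for root from 203.0.113.5 port 4244 ssh2
Mar  3 04:12:30 host sshd[1300]: Failed password for dan from 198.51.100.7 port 5000 ssh2
Mar  3 04:12:41 host sshd[1300]: Accepted password for dan from 198.51.100.7 port 5000 ssh2
Mar  3 04:13:00 host cron[77]: (root) CMD (/usr/local/sbin/blocker.sh)'

# offenders THRESHOLD  (log on stdin)
# Prints one source address per line for every source with at least
# THRESHOLD failed logins. Only lines from sshd are considered, and the
# address is taken from the text between "from" and "port".
offenders() {
    threshold="$1"
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9][0-9.]*\) port .*/\1/p' |
        sort | uniq -c |
        awk -v t="$threshold" '$1 >= t { print $2 }'
}

# block_offenders TABLE FILE THRESHOLD  (log on stdin)
# Appends each new offender to FILE (the persist file pf loads the table
# from) and adds it to the running table, skipping addresses already listed
# so the file does not accumulate duplicates.
block_offenders() {
    table="$1"; file="$2"; threshold="$3"
    offenders "$threshold" | while read -r ip; do
        grep -qxF "$ip" "$file" 2>/dev/null && continue
        echo "$ip" >> "$file"
        pfctl -t "$table" -T add "$ip"
    done
}

# Run "sh blocker.sh demo" to see which sample sources exceed 3 failures.
# In production, cron would run something like:
#   cat /var/log/auth.log | block_offenders idiotblacklist /etc/ib.pf.blacklist 5
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | offenders 3
fi
```

Because the blocked address is matched as a source, a single table entry covers every one of the server's IPs, which is the behaviour wishlist item 3 asks for. The pf log itself is binary; feed it through `tcpdump -n -e -ttt -r /var/log/pflog` before applying a similar grep to it.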