hello
anyone any experience with openbsd and pf?
Thanks
FreeBSD and PF :) nothing too complicated in my setups - what's the issue?
I couldn't get my router to route. I had a subnet with the router, then a second subnet with a gateway to the internet on it.
I was told to add the gateway of the inside subnet to the internet router, and this seemed to work.
My next question would be to find a simple pf ruleset that allows only incoming ssh traffic from certain IP ranges, and obviously all outgoing traffic generated from the internal network can get back in.
Thanks
If I only wanted to allow SSH in from some IPs, something (not actually tested) like this is what I'd do:

Code:
# the Internet facing interface
interface="em0"
# define a table to store bad IP addresses in
table <bruteforce> persist
# define a table with our good IPs in
table <whitelist> { 192.0.2.0/24 } persist
# scrub all incoming packets to clean them up
scrub in all
# block all incoming traffic
block in on $interface
# block any traffic from IPs in the bruteforce table
block quick from <bruteforce>
# allow SSH in only from IP addresses in the whitelist table, limiting the number
# and rate of connections per source to prevent brute forcing; offenders are put
# into the bruteforce table and their existing states are flushed
pass in quick on $interface proto tcp from <whitelist> to $interface port ssh keep state (max-src-conn 10, max-src-conn-rate 2/1, overload <bruteforce> flush global)
# allow all outbound traffic
pass out on $interface proto { tcp, udp } all

Obviously adjusting for interface and the actual whitelisted IP ranges. You could update the whitelist table either using pfctl or you could load it from a file. The PF docs have plenty of examples. I added the brute-forcing here since I find if I leave SSH on the standard ports on my Internet servers all I get is endless bruteforcing attacks, so it's become a standard part of deployments. To clean up the IPs in the bruteforce table I'd put something like this in my system crontab:

Code:
# Cleanup brute force attackers from PF tables, anything older than 24hrs
0 * * * * root pfctl -t bruteforce -T expire 86400 >/dev/null 2>&1

Remember if you're playing with the firewall make sure you have physical access to the server since it's easy enough to lock yourself out and that's just annoying if the machine is on the other side of the country! Be careful!
In general the PF docs are good with plenty of examples, otherwise the No Starch book on PF is a nice book.
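Since the ruleset above depends on pf's "last matching rule wins, unless the rule says quick" evaluation order, here is a small model of that order, written as an added example (not code from the thread or from pf itself), run over the whitelist/bruteforce policy with constructed table contents and sample source addresses:

```python
# Minimal model of pf rule evaluation: the last matching rule decides, unless a
# matching rule is marked quick, in which case evaluation stops there.
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "pass" or "block"
    quick: bool = False
    direction: str = None  # "in", "out" or None (either direction)
    proto: str = None      # "tcp", "udp" or None (any protocol)
    src: str = "any"       # "any" or the name of a table, e.g. "whitelist"
    dport: int = None      # destination port or None (any port)

@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dport: int

def matches(rule, pkt, tables):
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src != "any":
        ip = ipaddress.ip_address(pkt.src)
        return any(ip in ipaddress.ip_network(n) for n in tables[rule.src])
    return True

def evaluate(rules, pkt, tables):
    """Return 'pass' or 'block'; pf's default when nothing matches is pass."""
    decision = "pass"
    for rule in rules:
        if matches(rule, pkt, tables):
            decision = rule.action
            if rule.quick:
                break
    return decision

# Constructed table contents: the whitelist range from the thread plus one offender.
TABLES = {"whitelist": ["192.0.2.0/24"], "bruteforce": ["198.51.100.7"]}

# The thread's policy: block in, drop bruteforcers, SSH only from the whitelist.
RULESET = [
    Rule("block", direction="in"),
    Rule("block", quick=True, src="bruteforce"),
    Rule("pass", quick=True, direction="in", proto="tcp", src="whitelist", dport=22),
    Rule("pass", direction="out", proto="tcp"),
    Rule("pass", direction="out", proto="udp"),
]

def ssh_decision(src, rules=RULESET):
    """Decision for an inbound TCP connection to port 22 from the given source."""
    return evaluate(rules, Packet("in", "tcp", src, 22), TABLES)
```

Swapping the whitelist rule for a `pass quick ... from any to any port ssh` rule, as a rate-limit rule placed ahead of the whitelist would do, makes `evaluate` return "pass" for every source, which is why the two SSH rules are merged into one.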
I am running OpenBSD and PF; can you post the output of "ifconfig" and the version of OpenBSD you are running please?