# Do I need pf in this scenario...



## xy16644 (Jul 4, 2013)

I currently host my own server at home. It sits behind my router (that has a static IP) and I port forward ports 25, 80, 443, 993 and 587 to the server. What I would like to know is, is there any point in having pf run on my server that sits behind the router? Is there any benefit?

Currently I do run pf on my server but it is due for replacement soon and I was wondering if I should configure/set up pf on the new server at all.

Appreciate any thoughts or ideas concerning this or pros and cons. Thanks!


----------



## SirDice (Jul 4, 2013)

It'll be rather pointless. Nobody can access your server unless you forward ports on your router. You are forwarding those because you want to run services. If you had PF running on the server itself you'd need to open the same ports there too.

Enabling PF on the server would protect against attacks coming from the internal network. And it can be used to protect against any unauthorized _outgoing_ connections from the server. But if they got that far it's probably easy to circumvent because there's always some traffic allowed to go outside.


----------



## kpa (Jul 4, 2013)

It depends on what you can do on the router in terms of port forwarding and firewalling. If you feel that the router already gives you enough features there's no point in keeping a firewall on the server itself.


----------



## Dies_Irae (Jul 4, 2013)

xy16644 said:

> It sits behind my router (that has a static IP) and I port forward ports 25, 80, 443, 993 and 587 to the server.



Except for those ports, your server is unreachable from the outside, but if your router is "blindly" forwarding these ports to your server, the services listening on these ports are open to the entire world. You can use pf to create a sort of "blacklist" and further protect your services (again, if not already done by the router).

Similarly, if your router does not provide some kind of DoS protection, pf could be of some help.


----------



## xy16644 (Jul 4, 2013)

Thanks for all the input. The router I have is a Vigor 2820 Series ADSL Router Firewall. I'm not sure how good the built-in firewall is but their website has this to say about it:



> The firewall features measures for protection against attacks including DoS (Denial of Service) attacks, IP-based attacks and access by unauthorised remote systems



So I'm not sure if this is sufficient on its own? Or if I should enable PF on the server too? On my new server port 80 will not be enabled. I'm not concerned at all about attacks coming from the internal network as there are only a couple of devices on it and I control/manage them all.


----------



## Dies_Irae (Jul 4, 2013)

From the point of view of a paranoid (me :e) keeping pf enabled won't do any harm. It has a near-zero "performance impact" and you could keep it running in "allow all" mode. If you find yourself in the need to block/test something, you just have to drop a line in /etc/pf.conf.

The only drawback is that if you have some connection problem, you have to investigate both the router configuration and the rules (if any) in /etc/pf.conf.


----------



## xy16644 (Jul 4, 2013)

It sounds like there's little to no point in me running PF on my server so I think I will run the server (for now) without a firewall unless I find a good enough reason to do so.

Thanks for all the tips/ideas.


----------



## throAU (Jul 5, 2013)

If it's for home, no point. If it is in a business, I'd still consider setting up PF to allow all connections outbound with keep-state, and only allow the ports in that should be open to the outside world. If you're really paranoid, I'd also set up egress filtering (i.e., filter outbound traffic to allow out only what should be making connections).

Security is a matter of what you trust, and how much of it.

_If_ someone was to compromise your router (or one of the hosts behind it via web exploit, etc), you'd never have any idea if everything behind it is totally open.

But in a home use scenario it is probably overkill in terms of level of paranoia, unless you are interested in doing it as a learning exercise.
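As an added example, not code from any of the posts above: a host-based `/etc/pf.conf` for the server described in this thread, putting together the points made by SirDice (the forwarded ports must be opened on the host as well), Dies_Irae (a blocklist table and some protection against connection floods) and throAU (stateful outbound, inbound limited to the published ports, egress filtering). The interface name `em0`, the LAN prefix `192.168.1.0/24`, the blocklist file path, the connection limits and the set of outbound ports are assumptions; port 80 is kept because it is forwarded today and can simply be removed from the list when the new server stops serving it.

```pf
# Added example: host-based pf ruleset for a server behind a port-forwarding
# router. Interface, LAN prefix, file path, limits and outbound ports are
# assumptions, not values from the original posts.
ext_if  = "em0"
lan_net = "192.168.1.0/24"
# Only the services the router actually forwards to this host.
srv_tcp = "{ 25, 80, 443, 587, 993 }"

# Blocklist: anything in this table is dropped before any pass rule.
# Add entries by hand with: pfctl -t badhosts -T add 203.0.113.5
# (203.0.113.0/24 is a documentation range, used here as a placeholder).
table <badhosts> persist file "/etc/pf.badhosts"

set skip on lo0
set block-policy drop

# Default deny in both directions; everything below is an explicit exception.
block all
block in quick from <badhosts>

# Inbound: the forwarded service ports only, with per-source limits so one
# client cannot exhaust the state table. Sources that exceed the rate are
# added to the blocklist and their existing states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port $srv_tcp \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 30/10, overload <badhosts> flush global)

# Outbound (egress filtering): only what the server itself needs to initiate.
pass out on $ext_if proto udp to port 53 keep state                # DNS
pass out on $ext_if proto udp to port 123 keep state               # NTP
pass out on $ext_if proto tcp to port { 25, 80, 443 } \
    flags S/SA keep state                                           # mail relay, pkg, HTTPS
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# Management only from the LAN, never from the outside.
pass in on $ext_if proto tcp from $lan_net to ($ext_if) port 22 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and set `pf_enable="YES"` in `/etc/rc.conf` so it survives a reboot. The inbound rule duplicates the router's forwarding policy, which is exactly SirDice's point; the overload table and the outbound rules are the parts a per-host firewall adds. Keep in mind that the outbound list is what breaks things first when a new service needs to reach out, which is the double-investigation cost Dies_Irae mentions.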


----------



## SirDice (Jul 5, 2013)

throAU said:

> If it is in a business, I'd still consider setting up PF to allow all connections outbound with keep-state, and only allow the ports in that should be open to the outside world. If you're really paranoid, I'd also set up egress filtering (i.e., filter outbound traffic to allow out only what should be making connections).


If it's a business I'd use a separate firewall for this. A local firewall doesn't do much if your attacker was able to gain root. The attacker can just as easily remove or modify the local firewall. Granted, the attacker would need to gain root first. You'd probably have other things to worry about when that happens.


----------



## xy16644 (Jul 5, 2013)

I think I will leave PF off my new server in the beginning. Later on I may enable it to experiment and enhance the security of the server.


----------



## blazingice (Jul 5, 2013)

I had the same scenario. Initially I didn't use any firewall. Depending on your use you might need to use pf, not so much to block traffic but to redirect traffic, especially to jails. I was using net/mediatomb in a jail but no internal device could see the UPnP server. Soon I found out that the best solution was to redirect traffic from host to jail.
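An added example of the redirection blazingice describes, not code from the post: a `pf.conf` that sends connections arriving on the host to a service running inside a jail, plus the NAT the jail needs to reach out. Assumptions: the LAN interface is `em0`, the jail holds `10.0.0.2` on a cloned loopback `lo1` (`cloned_interfaces="lo1"` in `/etc/rc.conf`, the address given to the jail via `ip4.addr`), and the jailed service listens on TCP port 49152. This covers unicast TCP only; multicast discovery such as UPnP's SSDP is not something `rdr` can reroute, so a jailed UPnP server may still need the host's interface address for the discovery part.

```pf
# Added example: redirect a port on the host to a jail on a loopback alias.
# Interface, addresses and port are assumptions, not values from the post.
ext_if    = "em0"
jail_if   = "lo1"
jail_ip   = "10.0.0.2"
jail_port = "49152"

set skip on lo0

# Translation rules must precede filter rules in pf.conf.
# Let the jail reach the LAN/Internet using the host's address.
nat on $ext_if from $jail_ip to any -> ($ext_if)

# Connections from the LAN to the host's port are handed to the jail.
# ($ext_if) tracks the interface address, $ext_if:network its subnet.
rdr on $ext_if proto tcp from $ext_if:network to ($ext_if) port $jail_port \
    -> $jail_ip port $jail_port

# Filtering happens after translation, so the rule must match the
# jail address, not the host address the client connected to.
pass in on $ext_if proto tcp to $jail_ip port $jail_port \
    flags S/SA keep state
pass on $jail_if
pass out on $ext_if keep state
```

After `pfctl -f /etc/pf.conf`, `pfctl -s nat` shows the translation rules and `pfctl -s state` shows the rdr'd connections with both the original and translated addresses, which is the quickest way to confirm the redirect is actually being hit. The jail's address lives on `lo1`, so the host delivers the translated packet locally and no `gateway_enable` or IP forwarding is involved.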


----------



## xy16644 (Jul 6, 2013)

One thing I forgot to mention was my future plans. One day I'd like to replace the router with a custom-built pfSense firewall. This should be WAY better than the DrayTek router/firewall.


----------



## throAU (Jul 9, 2013)

SirDice said:

> If it's a business I'd use a separate firewall for this. A local firewall doesn't do much if your attacker was able to gain root. The attacker can just as easily remove or modify the local firewall. Granted, the attacker would need to gain root first. You'd probably have other things to worry about when that happens.



Definitely use a separate firewall (as well) if budget allows.

But an edge firewall doesn't save you from local machine compromise (or a malicious internal end user) as I described above - if the firewall trusts the inside machine to open an outbound connection, then a local compromise on any of your internal hosts (either via user at console, or while it was on another network if it is a laptop or a number of other scenarios) can potentially open a hole into your network.

Security is a trade-off between convenience and effort expended in mitigating as many holes as you can.

The second you decide "Oh, but my XXX will block that" or "This traffic is from XXX, which is a trusted internal host", you should be considering "What happens if my XXX box is compromised?".

Given the increase in WiFi usage and cellular networks etc. by devices that are normally considered to be safe behind your firewall (typically laptops running Windows no less - that may be used on any number of potentially hostile networks), the days of being able to trust an edge firewall (only) to keep you safe are pretty much over.

YMMV of course and all this depends on your environment, and the trade off you are willing to make with regards to effort vs. paranoia.  But they are certainly factors you should be aware of IMHO, even if it is to decide "OK, I'll bear that in mind, but I don't believe the risk justifies the effort required in my case".

Layering your security also protects you from any potential configuration screw ups.  I.e., if you were to accidentally (for example) open access to a particular protocol on your edge, you've got a second chance to defend against it with the host based firewalls on your internal hosts, and (if doing egress filtering) any outbound filtering rules you may have (e.g., internal virus infected Windows machine wants to send SMTP direct out - egress filtering will prevent this).

It is certainly more work though.


----------

