# Set PF to only block SSH and Ping



## adripillo (Jun 28, 2013)

Hello, any idea of how I can set PF to only block incoming SSH and pings? Thanks.


----------



## wblock@ (Jun 28, 2013)

See http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html#pftut-icmp. Blocking pings is questionable; they are not as terrifying as some people believe.

For SSH and other TCP protocols that might be allowed if they originate inside the LAN, use a

```
pass out on $ext_if proto tcp
```

rule. Then later in the rules,

```
pass in on $ext_if inet proto tcp from any to $ext_if port $tcpservers
```

will allow just the protocols listed in tcpservers in.
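As an added example (not wblock@'s code, not the handbook's, and not part of the original post), here is a complete /etc/pf.conf built around the two rules above. It answers the original question the default-deny way: incoming SSH and ICMP are refused because no `pass in` rule admits them, not because they are singled out. The interface name `em0`, the services in `tcpservers`, and the contents of `icmp_types` are assumptions to adjust for the host; `icmp_types` is defined up front so the "macro 'icmp_types' not defined" error does not occur.

```pf
# Added example, not from the thread: default-deny ruleset for a single host.
# Assumed values: em0 as the interface, http/https as the offered services.
ext_if     = "em0"                   # interface facing the network; adjust
localnet   = $ext_if:network         # the subnet attached to $ext_if
tcpservers = "{ http, https }"       # inbound TCP services; ssh is deliberately absent
icmp_types = "{ echoreq, unreach }"  # ICMP types this host may send (and get replies to)

set skip on lo0                      # never filter loopback
scrub in all                         # normalise fragments and odd flags on the way in

# Default deny: anything not matched by a later pass rule is dropped and logged.
block log all

# Incoming SSH: answer with a TCP reset instead of a silent drop so clients fail fast.
# Last matching rule wins, and nothing below passes port 22 inbound, so this stands.
block return in log on $ext_if inet proto tcp from any to $ext_if port ssh

# Anything this host initiates may leave; pf keeps state, so the replies come back.
pass out on $ext_if proto tcp
pass out on $ext_if proto udp
pass out on $ext_if proto icmp

# Inbound TCP only to the services listed in $tcpservers.
pass in on $ext_if inet proto tcp from any to $ext_if port $tcpservers

# ICMP as the handbook's corrected rule has it: the LAN may ping (and the host may
# send the listed types). There is intentionally no "pass ... proto icmp ... to $ext_if"
# rule, so pings arriving from outside $localnet hit "block log all" above.
# "keep state" is the default on modern pf and is kept here only to match the handbook.
pass inet proto icmp from $localnet to any icmp-type $icmp_types keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (the `-n` flag parses without loading), then `service pf reload` and `pfctl -sr` to confirm the rules that are actually active. The "No ALTQ support in kernel" lines printed on load are informational and do not affect these rules.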


----------



## adripillo (Jun 28, 2013)

I was following the handbook and I get this:


```
# service pf start
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:40: macro 'icmp_types' not defined
/etc/pf.conf:40: syntax error
/etc/pf.conf:41: macro 'icmp_types' not defined
pfctl: Syntax error in config file: pf rules not loaded
No ALTQ support in kernel
ALTQ related functions disabled
```


----------



## wblock@ (Jun 28, 2013)

The icmp_types macro is defined in the next two sections, but I wonder if the intent in the first example was to leave it out entirely:

```
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state
```


----------



## wblock@ (Jun 29, 2013)

Mr. Hansteen confirms, so document updated:
http://svnweb.freebsd.org/doc/head/...r1=42084&r2=42083&pathrev=42084&diff_format=h


----------



## kpa (Jun 29, 2013)

Why would you block only SSH and ICMP? Are you sure no other ports have services listening on them?


----------



## adripillo (Jul 1, 2013)

kpa said:

> Why would you block only SSH and ICMP? Are you sure no other ports have services listening on them?

I do not want _incoming_ SSH and ICMP.


----------



## throAU (Jul 2, 2013)

Standard response:

Maintaining a firewall that is open by default is a bad idea. Block everything, allow only what you want, from where you want explicitly. If you set things to allow by default, there's nothing to stop an exploited program opening a high port and enabling a non-root remote shell that can then be used for a local exploit. If everything is closed by default, even if a non-root compromise can open a port for the attacker to connect to in an attempt to perform a local root exploit, the port is blocked by the firewall.

Obviously it's not a 100% failsafe defence, but the harder you can make it for the bad guys the better.

2c.
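The contrast throAU describes, as an added example that is not part of any post in this thread: ruleset A does what the question literally asked for, ruleset B is the closed-by-default form of the same policy. `em0`, the port list and the port 31337 listener are assumptions used for illustration; only one of the two rulesets belongs in a real pf.conf, they are shown together for comparison.

```pf
# Added example, not from the thread: allow-by-default versus default-deny.
# Assumed: em0 is the interface, http/https are the only wanted inbound services.
ext_if = "em0"

# --- Ruleset A: open by default, only the two unwanted things blocked ---
# pf evaluates every rule and the LAST match wins, so the two block rules
# override "pass all" for exactly SSH and ICMP and nothing else.
# Anything else that starts listening, say a shell bound to TCP 31337 by a
# compromised unprivileged process, is reachable from outside with no change here.
pass all
block in on $ext_if inet proto tcp from any to $ext_if port ssh
block in on $ext_if inet proto icmp

# --- Ruleset B: closed by default, only wanted services opened ---
# The same TCP 31337 listener is unreachable until someone adds a pass rule for it.
# Incoming SSH and ICMP are blocked by omission; no dedicated rule is needed.
# (If both rulesets were loaded from one file, "block all" here would override
# "pass all" above, so the net effect would be ruleset B anyway.)
block all
pass out on $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port { http, https }
```

With ruleset B loaded, `pfctl -sr` lists only the block and the two pass rules, and a listener on an unlisted port shows up in `pfctl -vvsr` (or the pflog interface, if the block rule has `log`) as blocked attempts rather than as an open service.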


----------



## adripillo (Jul 2, 2013)

Finally found a nice guide about IPFW, so I could configure it very easily. Now I just need to deny ICMP there, but I will open another thread so as not to make a confusion here. Thanks all for the replies.


----------



## wblock@ (Jul 2, 2013)

The PF configuration was done. Why go back to ipfw(8)?


----------



## adripillo (Jul 3, 2013)

wblock@ said:

> The PF configuration was done. Why go back to ipfw(8)?

It was giving me some problems with the kernel. Based on what I read I needed to add ALTQ to the kernel, and I found some guide about it, but it was kind of complicated. So I investigated more and found that IPFW comes with FreeBSD, and the guide I found for IPFW was simpler, so that's why I decided to go for IPFW.


----------



## DutchDaemon (Jul 3, 2013)

The ALTQ remark on screen when running e.g. a pfctl command is just a remark. ALTQ does not have to be in the kernel, unless you want to use traffic shaping. It is not an error, nor a requirement. It is just a (rather annoying) informative remark.


----------



## adripillo (Jul 3, 2013)

DutchDaemon said:

> The ALTQ remark on screen when running e.g. a pfctl command is just a remark. ALTQ does not have to be in the kernel, unless you want to use traffic shaping. It is not an error, nor a requirement. It is just a (rather annoying) informative remark.



Oh ok, thanks a lot for the info.


----------

