# I have tried to enhance my FreeBSD desktop's security with some tweaks without knowing what they do... Any other useful tweaks?



## john_rambo (Oct 30, 2021)

I wanted to harden my FreeBSD install, so I searched the web but found nothing useful. The only wiki that I found was this: https://wiki.ghostbsd.org/index.php/Security.

I have added the following lines to */etc/sysctl.conf*.

```
hw.kbd.keymap_restrict_change=4
kern.sugid_coredump=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.drop_redirect=1
net.inet.ip.accept_sourceroute=0
net.inet.ip.check_interface=1
net.inet.ip.forwarding=0
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.tcp.always_keepalive=0
net.inet.tcp.blackhole=2
net.inet.tcp.drop_synfin=1
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.path_mtu_discovery=0
net.inet.udp.blackhole=1
net.inet6.icmp6.rediraccept=0
net.inet6.ip6.forwarding=0
net.inet6.ip6.fw.enable=1
net.inet6.ip6.redirect=0
```

I haven't yet added these fearing breakage


```
# The settings below will change the user experience
security.bsd.hardlink_check_gid=1
security.bsd.hardlink_check_uid=1
security.bsd.see_other_gids=0
security.bsd.see_other_uids=0
security.bsd.stack_guard_page=1
security.bsd.unprivileged_proc_debug=0
security.bsd.unprivileged_read_msgbuf=0
```

I tried to find out what each of these lines actually does by searching for them with multiple search engines, but unfortunately didn't find any useful information. Q1) If anyone can tell me *what the function of these lines is, it will be awesome*. I know there are quite a few of them, so it's going to require some effort and patience. Q2) The lines below the heading *"The settings below will change the user experience"*: what do these lines do & what kind of change in user experience can I expect? *I have only one desktop at home. I don't have a separate test machine where I can experiment.* Q3) *If you know about any other security tweaks that are not mentioned in that wiki, please tell me about them.*

Note: *My primary goal is to enhance network security. Local security is secondary for me.*
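One way to do the per-setting research without a second machine, added here as an example and not part of the original post: the script below reads a candidate file in the same format as the two lists above, asks the running kernel for each MIB's own one-line description (`sysctl -d`) and its current value, and can apply the lines at runtime only, so a reboot undoes anything that turns out to break the desktop. The file name `candidates.conf` is a placeholder; the `sysctl` calls assume a FreeBSD kernel, the parsing works anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): review candidate sysctl lines before
# they are written to /etc/sysctl.conf.  The file format is the one used in
# the lists above; the sysctl -d / -n calls assume a FreeBSD kernel.
# Usage:  sh review-sysctl.sh candidates.conf
#         sh review-sysctl.sh --apply-runtime candidates.conf   (as root)

# Print "key value" pairs from a sysctl.conf-style file, dropping blank
# lines, comments and the leading whitespace seen in the posted lists.
parse_sysctl_conf() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$1" |
        awk -F= 'NF == 2 && $1 != "" { print $1, $2 }'
}

# For each candidate, show the kernel's own description of the MIB and the
# current value next to the proposed one, so each change can be judged on
# what it actually does.  MIBs the kernel does not know (a typo, or a module
# such as ipfw that is not loaded) are flagged instead of silently skipped.
review_sysctls() {
    parse_sysctl_conf "$1" | while read -r key want; do
        if ! have=$(sysctl -n "$key" 2>/dev/null); then
            printf '%-42s UNKNOWN on this kernel\n' "$key"
            continue
        fi
        desc=$(sysctl -d "$key" 2>/dev/null | sed 's/^[^:]*: //')
        if [ "$have" = "$want" ]; then
            printf '%-42s already %s   # %s\n' "$key" "$want" "$desc"
        else
            printf '%-42s %s -> %s   # %s\n' "$key" "$have" "$want" "$desc"
        fi
    done
}

# Apply the candidates to the running kernel only.  Nothing is written to
# /etc/sysctl.conf, so if the desktop misbehaves a reboot restores the
# defaults.  A MIB that refuses the write is either not settable by this
# user or a boot-time tunable that belongs in /boot/loader.conf.
apply_runtime() {
    parse_sysctl_conf "$1" | while read -r key want; do
        sysctl "$key=$want" ||
            printf 'could not set %s (not root, or a loader tunable?)\n' "$key" >&2
    done
}

if [ $# -gt 0 ]; then
    case $1 in
        --apply-runtime) apply_runtime "$2" ;;
        *)               review_sysctls "$1" ;;
    esac
fi
```

Run the review first, keep only the lines whose description you can explain, apply those at runtime, use the machine for a while, and only then copy them into `/etc/sysctl.conf`.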


----------



## Deleted member 30996 (Oct 30, 2021)

john_rambo said:


> I haven't yet added these fearing breakage


You're ahead of the curve, to your credit.

If it's not broke don't fix it.


john_rambo said:


> "The settings below will change the user experience" what do these line do & what kind of change in user experience can I expect ?


A bad one if you change settings without knowing what they do and don't yet know how to fix it if it breaks something.

I have examples of all the Security and System files I edit and a tight pf firewall ruleset I use for general desktop purposes posted in my tutorial.

Beginners Guide - How To Set Up A FreeBSD Desktop From Scratch (forums.freebsd.org): "I'm going to guide you through the process of getting a fully functional FreeBSD 13.0-RELEASE desktop up and running, complete with system files and security settings, step-by-step as if you've never used UNIX or the command line. Now let's get started: Insert your boot media and at the Welcome..."




I have this in /etc/rc.conf:

```
tcp_drop_synfin="YES"
```

This in /boot/loader.conf

```
security.bsd.allow_destructive_dtrace=0
```

/etc/sysctl.conf

```
security.bsd.unprivileged_proc_debug=0
kern.randomid=1
```

That doesn't cover everything in the tutorial, it covers what I don't see in yours. The only thing you have listed I use is the one line in /etc/sysctl.conf.
There are sshd tweaks and such you don't list that I edit as standard practice.


----------



## john_rambo (Oct 30, 2021)

Added the three tweaks that you have mentioned & rebooted. I read your tutorial where you mention how to configure PF. The rules that you suggest are basically the exact same rules that I was using when I was using Linux. It's simply deny all in and allow all out. I am using IPFW & didn't find that particular rule for IPFW. If you read the IPFW wiki page you will find these presets:



> The available types are:
> 
> open: passes all traffic.
> client: protects only this machine.
> ...



I am using the workstation type. This is what the workstation type does:


```
~ [69]> sudo ipfw list
Password:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800 allow udp from any 67 to me 68 in
01900 allow udp from any 67 to 255.255.255.255 68 in
02000 allow udp from fe80::/10 to me 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any icmp6types 3
65000 count ip from any to any
65100 deny { tcp or udp } from any to any 135-139,445 in
65200 deny { tcp or udp } from any to any 1026,1027 in
65300 deny { tcp or udp } from any to any 1433,1434 in
65400 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any 520 in
65500 deny tcp from any 80,443 to any 1024-65535 in
65500 deny ip from any to any
65535 allow ip from any to any
```


----------



## Deleted member 30996 (Oct 30, 2021)

This is what mine does:

```
root@bakemono:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.74 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state

STATES:
all tcp 192.168.1.74:42959 -> 34.214.1.68:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.74:52319 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.74:48612 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.74:30955 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT

INFO:
Status: Enabled for 49 days 03:59:43          Debug: Urgent

State Table                          Total             Rate
  current entries                        4               
  searches                        35744378            8.4/s
  inserts                           136549            0.0/s
  removals                          136545            0.0/s
Counters
  match                             306949            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s

LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000

OS FINGERPRINTS:
762 fingerprints loaded
root@bakemono:/ #
```


----------



## chrbr (Oct 30, 2021)

There is security(7). I just remembered that. There are quite some man pages one would not expect to exist.


----------



## john_rambo (Oct 30, 2021)

Trihexagonal
Okay, I just disabled IPFW and enabled PF. I followed your tutorial. Right now I am using the rules that you mentioned in your tutorial, which are


```
block in all
pass out all keep state
```

What I want to do next is block all outgoing ports by default and allow only specific ports like 80, 443, 53, etc.
Please show me how to do that with any one example, like port 80. By following that I will create rules for the remaining ports like 443, 53 & so on.


----------



## fernandel (Oct 30, 2021)

Look at https://vez.mrsk.me/freebsd-defaults.txt


----------



## hardworkingnewbie (Oct 30, 2021)

Wow quite the opinionated piece of $hit rant behind that link by somebody who confuses FreeBSD with OpenBSD.


----------



## zirias@ (Oct 30, 2021)

Oh, this stuff has been circulating for a long time now. A lot of points are just obsolete (so, there was an issue some time in the past). Some points don't make sense whatsoever. Maybe some valid points could be found there as well, but yeah, who cares, it's not like you can't configure your system the way you want. E.g. none of my installs has sendmail.


----------



## hardworkingnewbie (Oct 30, 2021)

Well, for me it's been more than enough when I read his rant about the broken RNG... which was part of -current only. I mean, that's what -current is for: development and bleeding edge, use at your own risk! Whoever runs -current should expect things to be broken. So ranting for nothing!


----------



## john_rambo (Oct 30, 2021)

There is one point in that link which I found to be true & that's about PF. The PF that is included in FreeBSD is not accepting any rules. What I mean is I just applied the rules mentioned here >> https://imaprettykitty.com/wof/ & did
`sudo pfctl -f /etc/pf.conf` & after that I lost all connectivity. Firefox won't load any pages. So the lesson that I learned is if you want to use PF under FreeBSD you will have to learn how to write rules that are specific to FreeBSD's PF, not OpenBSD's PF. I am back to IPFW.


----------



## zirias@ (Oct 30, 2021)

Yes, -CURRENT is broken "by definition".

There's more nonsense: building ports as root? Only if you choose to do so! The times when that was obligatory are LONG gone. And poudriere nowadays defaults to using `nobody`.

All the stuff about OpenSSH is old as well.

IMHO, there might be a valid point about sendmail, including such a complex thing in base IMHO isn't the best choice. But for quite some time, there's also dma, so users can just opt out of sendmail.

Ah, let's not talk about the rest…


----------



## zirias@ (Oct 30, 2021)

> I have tried to enhance my FreeBSD desktop's security with some tweaks without knowing what they do


In general, I'd say that's a sure way to weaken security.

It's a lot of work, but for every setting you want to change from defaults, do some research to understand what it really does. That's the only possible way for informed decisions…


----------



## john_rambo (Oct 30, 2021)

Zirias said:


> In general, I'd say that's a sure way to weaken security.
> 
> It's a lot of work, but for every setting you want to change from defaults, do some research to understand what it really does. That's the only possible way for informed decisions…


What I did was copy-paste those lines into multiple search engines, but I couldn't find anything useful. So I created this topic here in the hope that someone will explain what each of those lines does.


----------



## mer (Oct 30, 2021)

The "workstation" config for IPFW is very similar, but not identical, to what Trihexagonal has in his pf ruleset.
It is basically "block in all, allow out all" with keep state.
It also explicitly blocks a bunch of the windows and other .

And the point that FreeBSD PF is not OpenBSD PF is true, but a lot of the syntax should work. One could go ask on the FreeBSD PF mailing list "what version of OpenBSD PF is the FreeBSD PF syntax" or something similar. That is the important part for the rules.
Under the hood, there are going to be differences because FreeBSD and OpenBSD are different with regards to SMP, locking in the kernel, probably even down the networking paths.
FreeBSD PF mailing list: freebsd-pf@FreeBSD.org (lists.freebsd.org)




This is the security section in the handbook.  In sec 14.2.7 it has some info about the meaning of some of the sysctl you have set.
Chapter 15. Security (docs.freebsd.org): "Hundreds of standard practices have been authored about how to secure systems and networks, and as a user of FreeBSD, understanding how to protect against attacks and intruders is a must"




This is a link to a hardening script from 2010:  *DO NOT APPLY IT BLINDLY.*  I'm linking it because it seems to be well commented and may help you understand some of the things you're asking about.
FreeBSD System Hardening Script (gist.github.com)


----------



## tux2bsd (Oct 30, 2021)

hardworkingnewbie said:


> fernandel said:
> 
> 
> > Look at https://vez.mrsk.me/freebsd-defaults.txt
> ...


There is no confusion and it is not an opinionated rant, it is a critique by someone with a security focus.  Note: that page is at least 4 years old.


----------



## fernandel (Oct 30, 2021)

tux2bsd said:


> There is no confusion and it is not an opinionated rant, it is a critique by someone with a security focus.  Note: that page is at least 4 years old.


I agree, but some things are still helpful.


----------



## hardworkingnewbie (Oct 30, 2021)

tux2bsd said:


> There is no confusion and it is not an opinionated rant, it is a critique by someone with a security focus.  Note: that page is at least 4 years old.


It is an opinionated rant. Just look, for example, at his complaint about the broken RNG - this happened in FreeBSD-CURRENT. While this is a serious matter, -current comes with a clear warning:

> 24.4.1 Staying Current with FreeBSD
>
> As you read this, keep in mind that FreeBSD-CURRENT is the “bleeding edge” of FreeBSD development. FreeBSD-CURRENT users are expected to have a high degree of technical skill, and should be capable of solving difficult system problems on their own. If you are new to FreeBSD, think twice before installing it.

But that guy doesn't care and treats current like it is stable. So it's not critique, but a rant. He's got some ideal in mind, which is OpenBSD. But he doesn't care that FreeBSD might have other goals, and his text is full of such stuff; when taking a closer look, his complaint more or less poofs away.


----------



## tux2bsd (Oct 30, 2021)

hardworkingnewbie said:


> He's got some ideal on mind, which is OpenBSD.


No, you are choosing to frame it as OpenBSD vs FreeBSD.  His frame was security.  I don't give a shit if he went with CURRENT at the time, you are choosing to use that detail as your pivotal evidence to decry him further.

It was simply a good piece of information that fernandel posted.


----------



## zirias@ (Oct 31, 2021)

No, it's mostly misleading crap, a mixture of completely outdated things, things that never made sense, and maybe very few relevant things, if any.


----------



## astyle (Oct 31, 2021)

Quoting Zirias from another thread on firewalls and security, "Other - Confusing documentation" (forums.freebsd.org):

> decuser I think the expectation to get "recipes" just doesn't apply too well to firewalling. For a real firewall, you WILL write a ruleset, and it will be your own. On my firewall box, supporting several zones (internal clients, internal servers, guests, management and dmz), it currently looks...



OP should really pay attention to a couple of pitfalls mentioned in that post.

And I just don't know how to react to this thread's title... On one hand, shame on OP for not doing his homework before applying the tweaks... That might fly on a personal machine, but not in a work environment. On the other, at least OP fessed up to that. Even leaning that way (in the direction of OP acknowledging his own mess-up), I would strongly encourage OP to read the Handbook to get *started* before looking around on the Internet. On these forums, I would think that most members would be quite willing to coach OP through the process of reading the Handbook, trying out what's there, understanding what's there, and formulating the questions in ways that invite constructive and helpful responses.


----------



## Deleted member 30996 (Oct 31, 2021)

john_rambo said:


> Right now I am using the rules that you mentioned in your tutorial which is
> 
> 
> ```
> ...


That's the basic ruleset and pf will provide Stateful Packet Inspection.



john_rambo said:


> What I want to do next is block all outgoing ports by default and allow only specific ports like 80, 443, 53, etc.


Why? It's already performing SPI.



john_rambo said:


> Please show me how to that with any one example like port 80. By following that I will create rules for the remaining ports like 443, 53 & so on.


I already have my full ruleset posted in my tutorial and show you how to block incoming and outgoing traffic on TCP and UDP port 0. It also shows how to block IPv6.

Please refer to that as I show you how to use macros and tables with the CUPD version I wrote afterward.


----------



## john_rambo (Oct 31, 2021)

Trihexagonal said:


> I already have my full ruleset posted in my tutorial and show you how to block incoming and outgoing traffic on TCP and UDP port 0. It also shows how to block IPv6.
> 
> Please refer to that as I show you how to use macros and tables with the CUPD version I wrote afterward.


I tried searching for the specific post in that thread where you have shown how to block incoming and outgoing traffic on TCP and UDP port 0, but I can't find it. See, the problem is that the PF that FreeBSD has is not accepting rules that are available on the web. For example, I used the rules mentioned on this website & then, when I used the command `pfctl -f /etc/pf.conf`, I lost all connectivity. Firefox refused to load websites.

All I want to know is how to block all outgoing ports & how to add an allow rule for a specific outgoing port.

So from what I have learned so far my configuration should look like this:


```
block out all
block in all
<What should I type here to allow outgoing port 80 ?? >
```

Just show me that one line which is for port 80. I will follow that & just keep adding that same line replacing 80 with 443 & so on.


----------



## tux2bsd (Oct 31, 2021)

How To Configure Packet Filter (PF) on FreeBSD 12.1 | DigitalOcean (www.digitalocean.com): "PF is a renowned firewall application that is maintained upstream by the security-driven OpenBSD project. It is more accurately expressed as a packet filtering…"




That will help you (it will be fine for FreeBSD 13 too)


----------



## john_rambo (Oct 31, 2021)

tux2bsd said:


> How To Configure Packet Filter (PF) on FreeBSD 12.1  | DigitalOcean
> 
> 
> PF is a renowned firewall application that is maintained upstream by the security-driven OpenBSD project. It is more accurately expressed as a packet filtering…
> ...


That's just awesome! Success! Thanks a lot for that.
This is my PF conf.

```
block all
pass out proto { tcp udp } to port { 53 80 443 995 }
pass out inet proto icmp icmp-type { echoreq }
```


----------



## zirias@ (Oct 31, 2021)

Not sure whether pf would already allow enough of it as part of the "connection state" implementation, but you normally want to also allow the ICMP type `unreach`. It's needed for reliable networking, e.g. to signal an unreachable UDP port, or to detect when path MTU is too small…

If you use IPv6, you'd need these additional icmpv6 types to make SLAAC work correctly: `neighbradv, neighbrsol, routeradv, routersol`.


----------



## john_rambo (Oct 31, 2021)

Zirias said:


> Not sure whether pf would already allow enough of it as part of the "connection state" implementation, but you normally want to also allow the ICMP type `unreach`. It's needed for reliable networking, e.g. to signal an unreachable UDP port, or to detect when path MTU is too small…
> 
> If you use IPv6, you'd need these additional icmpv6 types to make SLAAC work correctly: `neighbradv, neighbrsol, routeradv, routersol`.


When you say ICMP type unreach, do you mean allow outgoing ping? If yes, I have added this rule:

```
pass out inet proto icmp icmp-type { echoreq }
```

Honestly, I don't understand about any of the rest of the points you mentioned. I will have to search and learn.


----------



## tux2bsd (Oct 31, 2021)

john_rambo said:


> That's just awesome ! Success ! Thanks a lot for that.
> This is my PF conf.
> 
> ```
> ...



Good to hear.  There's more to learn, when you're ready you can revisit the topic (I'm not a PF expert).


----------



## a6h (Oct 31, 2021)

john_rambo said:


> Honestly, I don't understand about any of the rest of the points you mentioned. I will have to search and learn.



When a packet exceeds the MTU limit, the host sends back an ICMP message:

_Type 3: unreach (Destination unreachable)_
_Code 4: needfrag (Fragmentation needed but DF bit set)._

Hence, the `unreach`:


```
icmp_types = "{ unreach }"
```

In short, don't block ICMPv4, unless you know what you are doing -- some limits are okay.

Some people hate ping and love NAT. They have websites to show you that your network is bad, because it's ping-able.
But ping is good! Hence,


```
icmp_types = "{ echoreq }"
```

Finally, to wrap it up:


```
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp icmp-type $icmp_types
```
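Putting the pieces of this exchange together, as an added example rather than anything posted in the thread or in the tutorials it links: the script below generates a complete FreeBSD pf.conf in the shape of the four-line ruleset earlier in the thread (block everything, pass a list of outgoing ports), adds the ICMP `unreach` type and the ICMPv6 neighbour-discovery types zirias listed as pf macros the way vigole shows, and runs `pfctl -nf` so syntax errors surface before anything is loaded. The interface name `em0`, the port list and the candidate file path are placeholders.

```shell
#!/bin/sh
# Added example (not the thread's or the tutorial's ruleset): emit a pf.conf
# that keeps the "block everything, allow a few outgoing ports" shape but
# also passes the ICMP/ICMPv6 types the replies ask for, then check it with
# pfctl -n before it is loaded.  Interface, ports and paths are placeholders.

gen_pf_conf() {
    ext_if=$1
    ports=$2
    cat <<EOF
# FreeBSD pf ruleset for a single desktop (constructed example)
ext_if = "$ext_if"
out_ports = "{ $ports }"
# unreach is what a router sends back when the path MTU is too small or a
# UDP port is closed; without it such failures only show up as timeouts
icmp_types = "{ echoreq, unreach }"
# neighbour discovery and router advertisements keep SLAAC working on IPv6
icmp6_types = "{ echoreq, unreach, neighbradv, neighbrsol, routeradv, routersol }"

set skip on lo0
block all
pass out on \$ext_if proto { tcp udp } to port \$out_ports keep state
pass out on \$ext_if inet proto icmp icmp-type \$icmp_types keep state
pass on \$ext_if inet6 proto icmp6 icmp6-type \$icmp6_types keep state
EOF
}

# Parse-only check: pfctl -n reads the file and reports syntax errors
# without touching the running ruleset.
check_pf_conf() {
    if ! command -v pfctl >/dev/null 2>&1; then
        printf 'pfctl not found: skipping syntax check (not a FreeBSD host?)\n' >&2
        return 0
    fi
    pfctl -nf "$1"
}

# Load in a way that can be undone: dump the filter rules currently in
# force, load the new file, then print what pf actually installed so it can
# be compared with the file.  Run as root.
load_pf_conf() {
    backup=${TMPDIR:-/tmp}/pf.rules.previous
    pfctl -sr > "$backup" 2>/dev/null || :
    pfctl -f "$1" && pfctl -sr
    printf 'previous filter rules saved in %s; restore with: pfctl -f %s\n' \
        "$backup" "$backup" >&2
}

# Write a candidate file and check it; nothing is loaded here.
conf=${TMPDIR:-/tmp}/pf.conf.candidate
gen_pf_conf "${EXT_IF:-em0}" "${OUT_PORTS:-53 80 443 995}" > "$conf"
check_pf_conf "$conf" && printf 'candidate ruleset written to %s\n' "$conf"
```

`set skip on lo0` keeps loopback traffic out of the filter entirely; a bare `block all` also blocks lo0, which can break local services that talk to 127.0.0.1. Review the candidate, then `load_pf_conf` it; if the desktop loses connectivity, the saved rules go back with the printed `pfctl -f` command.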


----------



## john_rambo (Oct 31, 2021)

vigole said:


> In short, don't block ICMPv4, unless you know what you are doing -- some limits are okay.


I am the only person in my house who uses a computer. I maintain only one desktop. *So the question is since there is only one client behind my 4G router (my desktop running FreeBSD) does it really matter if incoming ping is enabled or not ?*

BTW, when I check my router at grc.com all ports are blocked including ICMP. The website grc.com too thinks that allowing ping is not a good idea. If a user has enabled ping on his perimeter firewall grc.com reports the port scan test as "Failed".


----------



## zirias@ (Oct 31, 2021)

john_rambo said:


> I check my router at grc.com


Unfortunately, you found the site of the greatest buffoon in network security. That's the same guy who recommends cascading two times NAT, cause more NAT, more secure 

Just forget about it. There's no way to hide the presence of a machine on the network, as Gibson claims (btw, BECAUSE of ICMP and routers sending appropriate messages back when a machine _really_ isn't there), so there's also nothing wrong with just _rejecting_ what you don't want (which allows the other peer to fail quickly) instead of _dropping_ it (which kind of breaks IP and requires the peer to wait for timeout).

As for ICMP, ping (`echoreq`) probably isn't very relevant for full functionality of your network. It's just a nice way for quick diagnostics. But `unreach` definitely _is_ important for correct operation.


----------



## john_rambo (Oct 31, 2021)

Zirias said:


> Unfortunately, you found the site of the greatest buffoon in network security. That's the same guy who recommends cascading two times NAT, cause more NAT, more secure
> 
> Just forget about it. There's no way to hide the presence of a machine on the network, as Gibson claims (btw, BECAUSE of ICMP and routers sending appropriate messages back when a machine _really_ isn't there), so there's also nothing wrong with just _rejecting_ what you don't want (which allows the other peer to fail quickly) instead of _dropping_ it (which kind of breaks IP and requires the peer to wait for timeout).
> 
> As for ICMP, ping (`echoreq`) probably isn't very relevant for full functionality of your network. It's just a nice way for quick diagnostics. But `unreach` definitely _is_ important for correct operation.


Okay, I am enabling `unreach` now by adding the rule vigole has mentioned. I am just curious. Despite the fact that unreach is not allowed at the moment, everything is working as usual. What kinds of symptoms may appear later if `unreach` is not enabled?


----------



## zirias@ (Oct 31, 2021)

john_rambo said:


> What kinds of symptoms may appear later if `unreach` is not enabled ?


If pf doesn't allow it anyways because of connection state (might be, I don't know), you're running into timeouts trying to connect to some service that's down – instead of detecting that instantly.

Even worse (but rare), if somewhere on the path to a remote host, MTU is smaller than normal, and your protocol forbids packet fragmentation, those packets will just be lost and you'll never know unless, again, running into timeouts. Normal operation would be that the router that *would* need to fragment informs you about that fact using an icmp unreach packet, so your side can immediately retry sending smaller packets.

*edit:* again, I'm not sure this would be a problem with pf. Maybe pf's connection state would correctly attribute these ICMP packets to your connection and implicitly allow them. Someone on here knows for sure? Anyways, just allowing `unreach` doesn't hurt and makes sure IP works as designed.


----------



## zirias@ (Oct 31, 2021)

vigole said:


> When a packet exceeds the MTU limit, the host sends back an ICMP message:


To be precise, it's most certainly a _router_ sending this back (because the unfragmented packet can't make the next hop for being too large for the link MTU). But apart from that nitpick, thanks for adding details


----------



## mickey (Oct 31, 2021)

Zirias said:


> *edit:* again, I'm not sure this would be a problem with pf. Maybe pf's connection state would correctly attribute these ICMP packets to your connection and implicitly allow them. Someone on here knows for sure? Anyways, just allowing `unreach` doesn't hurt and makes sure IP works as designed.


From pf.conf(5):

```
Furthermore, correct handling of ICMP error messages is critical to many
     protocols, particularly TCP.  pf(4) matches ICMP error messages to the
     correct connection, checks them against connection parameters, and passes
     them if appropriate.  For example if an ICMP source quench message
     referring to a stateful TCP connection arrives, it will be matched to the
     state and get passed.
```
If that doesn't quite answer your question ...
So there should be no need to explicitly allow icmp type unreach messages.


----------



## a6h (Oct 31, 2021)

Zirias said:


> Unfortunately, you found the site of the greatest buffoon in network security. That's the same guy who recommends cascading two times NAT, cause more NAT, more secure


Upvote and DOUBLE_THUMBS_UP!
john_rambo, just undo/un-learn whatever that GRC _buffoon_ has ever said.


----------



## zirias@ (Oct 31, 2021)

mickey said:


> If that doesn't quite answer your question ...
> So there should be no need to explicitly allow icmp type unreach messages.


Unfortunately, it doesn't talk about UDP


----------



## mickey (Oct 31, 2021)

Zirias said:


> Unfortunately, it doesn't talk about UDP


It talks about state matching, which I presume would include UDP, just not _particularly_


----------



## john_rambo (Oct 31, 2021)

vigole said:


> Upvote and DOUBLE_THUMBS_UP!
> john_rambo, just undo/un-learn whatever that GRC _buffoon_ has ever said.


I never visited grc.com to learn anything in particular. Whenever I have installed a new router or changed my ISP, which again made me change my router, I visited grc.com & used grc.com's Shields Up service to make sure all ports are closed. That's it.


----------



## zirias@ (Oct 31, 2021)

john_rambo said:


> I never visited grc.com to learn anything in particular. Whenever I have installed a new router or changed my ISP, which again made me change my router, I visited grc.com & used grc.com's Shields Up service to make sure all ports are closed. That's it.


This service actually works quite fine; it just gives bad advice (all this nonsense about "stealth"). It's ok to verify the ports you want "closed" on your machine are indeed closed… (like, btw, many other online port scanning services)

*Edit:* I just had another look and noticed it completely ignored the fact that my host is "dual-stack" with IPv6. If you use IPv6, you definitely need other tools to verify your firewall rules


----------



## mer (Oct 31, 2021)

As root, `sockstat -l` will give you a list of the "Listening Sockets" on your system. A "-4" will give IPv4, "-6" IPv6. Without either, it gives all, including unix domain sockets.
Example on one of my systems:

```
sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
root     sshd       81036 3  tcp4   *:22                  *:*
root     syslogd    72938 6  udp4   127.0.0.1:514         *:*
```

Shows on this machine I have sshd on port 22 open (yes, on purpose, it's on my internal LAN) and syslogd listening on port 514 BUT only on 127.0.0.1.
The whole LAN is behind a packet filter device that does "default deny in on WAN", so a connection from the outside world should not be able to initiate a conversation with anything behind it or the packet filter itself.

There are also a couple of sysctls that you can set to have the kernel explicitly drop the packet if there is nothing listening on the port (I think the tcp/udp blackhole sysctls).  The normal behavior is to send back an ICMP if there is no listener for a given port.

I have no opinion on grc.com or the folks running and posting there.  One has to be careful with any "tool":  you have to make sure you understand what it's saying.
Example:
I remember a port scanner tool that would treat any ICMP response coming back from a system as an indication the port is open.
Concrete example:
Using my system above, if it tried to connect to a.b.c.d port 837 it would normally get back an ICMP unreachable. The scanner would then say "System at a.b.c.d has port 837 open", which it does not.

That's why I set the sysctls to just drop the inbound packets if there are no listening sockets open.


----------



## john_rambo (Oct 31, 2021)

Zirias said:


> *Edit:* I just had another look and noticed it completely ignored the fact that my host is "dual-stack" with IPv6. If you use IPv6, you definitely need other tools to verify your firewall rules


I just checked my router's admin page. The WAN page lists both an IPV4 & an IPV6 address. So which online site is capable of verifying my router's firewall rules ?


----------



## john_rambo (Oct 31, 2021)

mer 
This is what I see on my system


```
~> sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
root     cupsd      1973  6  tcp4   127.0.0.1:631         *:*
avahi    avahi-daem 1961  14 udp4   *:5353                *:*
avahi    avahi-daem 1961  16 udp4   *:13614               *:*
ntpd     ntpd       1931  21 udp4   *:123                 *:*
ntpd     ntpd       1931  24 udp4   127.0.0.1:123         *:*
ntpd     ntpd       1931  25 udp4   192.168.225.21:123    *:*
root     syslogd    1839  7  udp4   *:514                 *:*
root     wpa_suppli 1381  3  udp4   *:*
```


```
~> sockstat -6l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
root     cupsd      1973  5  tcp6   ::1:631               *:*
avahi    avahi-daem 1961  15 udp6   *:5353                *:*
avahi    avahi-daem 1961  17 udp6   *:13094               *:*
ntpd     ntpd       1931  20 udp6   *:123                 *:*
ntpd     ntpd       1931  22 udp6   ::1:123               *:*
ntpd     ntpd       1931  23 udp6   fe80::1%lo0:123       *:*
root     syslogd    1839  6  udp6   *:514                 *:*
```


----------



## mer (Oct 31, 2021)

That's pretty much "normal".
cupsd is printer support; if you don't need it, disable it.  Otherwise, it's listening on loopback so not really a big deal.
avahi:  "multicast DNS" stuff.  I turn it off, regular DNS works fine for me.
ntpd:  even if you only use it for a client the base ntpd will open a couple of listening sockets.  If you are not going to serve time from this machine, take a look at the openntpd port/package.  Works fine and if in client mode, no listening sockets.  But if your machine has firewall rules that start out with 'default deny' it's ok, because that prevents outside machines from initiating a connection to your ntpd.
syslogd:  that's the default, if you add:
`syslogd_flags=" -b 127.0.0.1"`
to your /etc/rc.conf and service syslogd restart it will listen only on loopback so the local machine can log.
Again, if your firewall rules are default deny, outside machines can't initiate a connection to it.
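As an added example (not mer's code, nor anything from the thread), here is a Python script that reads `sockstat -l` output and sorts each listener the way mer does by hand above: loopback-only, link-local, not yet bound, or reachable from other hosts. The sample input is copied from the sockstat output posted earlier in this thread.

```python
"""Classify the listeners that sockstat(1) reports by who can reach them.

Added example, not from the thread: it parses the text that `sockstat -4l`
and `sockstat -6l` print and sorts each socket into loopback-only,
link-local, unbound, or reachable from other hosts (the distinction mer
draws above between syslogd on 127.0.0.1 and a listener on *:514).
"""
import ipaddress
from typing import NamedTuple

# Constructed sample: lines copied from the sockstat output posted above.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     cupsd      1973  6  tcp4   127.0.0.1:631         *:*
avahi    avahi-daem 1961  14 udp4   *:5353                *:*
ntpd     ntpd       1931  25 udp4   192.168.225.21:123    *:*
root     syslogd    1839  7  udp4   *:514                 *:*
root     wpa_suppli 1381  3  udp4   *:*
root     cupsd      1973  5  tcp6   ::1:631               *:*
ntpd     ntpd       1931  23 udp6   fe80::1%lo0:123       *:*
root     syslogd    1839  6  udp6   *:514                 *:*
"""


class Listener(NamedTuple):
    user: str
    command: str
    proto: str
    address: str  # host part of LOCAL ADDRESS; '*' means any address
    port: str     # port part; '*' means no port bound


def split_local(local: str) -> tuple:
    """Split 'host:port'; the host itself may contain ':' (IPv6)."""
    host, _, port = local.rpartition(":")
    return host, port


def parse_sockstat(text: str) -> list:
    """Turn sockstat -l output (header included) into Listener rows."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        host, port = split_local(fields[5])
        rows.append(Listener(fields[0], fields[1], fields[4], host, port))
    return rows


def exposure(lst: Listener) -> str:
    """Return 'exposed', 'loopback', 'link-local' or 'unbound'."""
    if lst.port == "*":           # socket with no port, e.g. wpa_supplicant's *:*
        return "unbound"
    if lst.address == "*":        # wildcard bind: listens on every interface
        return "exposed"
    ip = ipaddress.ip_address(lst.address.split("%")[0])  # drop a %scope suffix
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    return "exposed"


def exposed_listeners(text: str) -> list:
    """Listeners another host could talk to unless a pf rule blocks them."""
    return [l for l in parse_sockstat(text) if exposure(l) == "exposed"]


def report(text: str) -> None:
    for l in parse_sockstat(text):
        local = l.address + ":" + l.port
        print(f"{l.command:<11} {l.proto:<5} {local:<22} {exposure(l)}")


if __name__ == "__main__":
    # syslogd on *:514 is the case mer fixes with syslogd_flags="-b 127.0.0.1"
    report(SAMPLE)
```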


----------



## zirias@ (Oct 31, 2021)

john_rambo said:


> I just checked my router's admin page. On the WAN page lists both an IPV4 & an IPV6 address. So which online site is capable of verifying my router's firewall rules ?


Google will find many portscanning services for IPv6  

But first verify that your host actually has a public IPv6 address (one without an interface scope at the end like e.g. `%re0`). I assume it doesn't, cause you'd have to configure FreeBSD to accept router advertisements etc. In that case, your host won't be reachable by IPv6 anyways.


----------



## john_rambo (Oct 31, 2021)

Zirias said:


> Google will find many portscanning services for IPv6
> 
> But first verify that your host actually has a public IPv6 address (one without an interface scope at the end like e.g. `%re0`). I assume it doesn't, cause you'd have to configure FreeBSD to accept router advertisements etc. In that case, your host won't be reachable by IPv6 anyways.


I used the ifconfig command but see only an IPV4 address for wlan0. Under Linux I used to get both an IPV4 and an IPV6 local address. So my router has both an IPV4 & IPV6 *public IP* address while FreeBSD has only an IPV4 *local IP* address. Are there any disadvantages of not having an IPV6 *local IP address* that I should be aware of?


----------



## zirias@ (Oct 31, 2021)

john_rambo said:


> Are there any disadvantages ?


You can't reach IPv6-only services. But these are still _very_ rare. The only example I know right now are the official FreeBSD package builders, if you want to browse build logs there  (E.g. this link to a package build for fbsd13/amd64 won't work without IPv6)

So well, maybe you _might_ want to enable IPv6, but then, you should make sure it's properly secured as well!


----------



## john_rambo (Oct 31, 2021)

Zirias said:


> You can't reach IPv6-only services. But these are still _very_ rare. The only example I know right now are the official FreeBSD package builders, if you want to browse build logs there


Okay, then my plan is to continue using FreeBSD with only the IPV4 address. If in future I face any issues like a web page not loading in Firefox due to lack of an IPV6 address, I will attempt to enable IPV6 locally.


----------



## john_rambo (Oct 31, 2021)

Zirias said:


> So well, maybe you _might_ want to enable IPv6, but then, you should make sure it's properly secured as well!


When I look at how the rules of PF are created, they neither mention IPV4 nor IPV6. So doesn't that mean when you are creating a block rule both IPV4 & IPV6 are getting blocked & similarly when there is a pass/allow rule it applies to both IPV4 & IPV6 ?


----------



## zirias@ (Oct 31, 2021)

john_rambo said:


> When I look at how the rules of PF are created, they neither mention IPV4 nor IPV6. So doesn't that mean when you are creating a block rule both IPV4 & IPV6 are getting blocked & similarly when there is a pass/allow rule it applies to both IPV4 & IPV6 ?


If there's nothing specific to either IPv4 or IPv6 (like e.g. a concrete address) in the rule, then yes, the rule applies to both protocols.


----------



## Jose (Oct 31, 2021)

john_rambo said:


> That's just awesome ! Success ! Thanks a lot for that.
> This is my PF conf.
> 
> ```
> ...


Looks like you didn't read far enough. You don't even have `set skip on lo0`. That'll end in tears sooner or later.


----------



## john_rambo (Oct 31, 2021)

Jose said:


> Looks like you didn't read far enough. You don't even have `set skip on lo0`. That'll end in tears sooner or later.


No, I didn't miss that. While I was experimenting I noticed that everything is working without that rule so I thought lets just avoid it. If that can cause any issues in the future I will add it right now & reload PF.


----------



## Jose (Oct 31, 2021)

OK. For anyone else reading this thread, blocking traffic on the loopback interface is a profoundly stupid thing to do. It adds absolutely no security, and is likely to cause problems.


----------



## mer (Oct 31, 2021)

"The Book Of PF" by Peter N.M. Hansteen is like a Michael W Lucas book:  easy to understand, good examples.  Yes a little bit dated by now, but it covers the basics very well and in the past, the rules worked in FreeBSD.


----------



## hardworkingnewbie (Oct 31, 2021)

And Hansteen even clearly mentions the differences in syntax between FreeBSD and OpenBSD, if existant!


----------



## mer (Oct 31, 2021)

hardworkingnewbie said:


> And Hansteen even clearly mentions the differences in syntax between FreeBSD and OpenBSD, if existant!


Yes he does.  I've had a copy for a long time, I think it's one of the best "how to do and understand" books I've seen.


----------



## Deleted member 30996 (Nov 1, 2021)

john_rambo said:


> I tried searching for the specific post in that thread where you have shown how to block incoming and outgoing traffic on TCP and UDP port 0 but I can't find it.


Here is the ruleset on this desktop:

/etc/pf.conf

```
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```

 This is it at work right now:


```
root@obake:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet6 from ::1 to any
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state

INFO:
Status: Enabled for 18 days 22:01:55          Debug: Urgent

State Table                          Total             Rate
  current entries                        0               
  searches                         4469011            2.7/s
  inserts                            42894            0.0/s
  removals                           42894            0.0/s
Counters
  match                              98854            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s

LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000

OS FINGERPRINTS:
762 fingerprints loaded
root@obake:/ #
```


----------



## astyle (Nov 1, 2021)

john_rambo said:


> I tried searching for the specific post in that thread where you have shown how to block incoming and outgoing traffic on TCP and UDP port 0 but I can't find it.


Makes me wonder what in the world is Trihexagonal doing with port 0...   A quick Google search on "tcp port 0" turned up a pretty nice explanation about why port 0 even exists, and why it should not be used in network configs.

Edit: After actually reading the config - his rules are trying to block any connections from port 0, be it outside or inside. The link I provided actually explains that port 0 sometimes works like a wildcard in network scanners.

 Security is a neverending rabbit hole. Yeah, it's important to do some basic lockdown, and not leave yourself exposed. But generally, even "consumer plastic" routers offer some level of protection. Mine has DD-WRT flashed on it. It's a Linux distro, but offers the kind of config flexibility that just doesn't come with the default firmwares of consumer plastic.


----------



## Deleted member 30996 (Nov 1, 2021)

astyle said:


> Makes me wonder what in the world is Trihexagonal doing with port 0...


None are so blind as those who cannot search to see - Yo Momma  

Other - Port 0 (forums.freebsd.org): "Last night I was looking at a security forum and saw someone mention Steve Gibson's Shields Up port scanner site. I know all about Steve Gibson and don't frequent his site, but thought what could it hurt to run an outside scan on the ISP provided cable modem. So I did: GRC Port Authority Report..."


----------



## astyle (Nov 1, 2021)

Trihexagonal said:


> None are so blind as those who cannot search to see - Yo Momma
> 
> 
> 
> ...


Yeah, this would be good for OP to see, too, IMHO. But I wonder - are we dumping too much info on OP?  After all, while UNIX is not a religion, it does have the philosophy of keeping the implementations clean and simple.


----------



## Deleted member 30996 (Nov 1, 2021)

Well I've stuck to one thread and tried to reference what has already been posted. I thought I had my port 0 rule listed in the tutorial but had left that out. For simplicity. So I provided my ruleset.

If john_rambo follows the outline of programs installed, like for updating the CPU firmware, limits himself to editing the Security and System files I have provided examples of and uses my pf ruleset he will be using the same system hardening settings I use on all my laptops.

Except for the browser extensions and everyone has their own preferences in that area.

If that's not good enough for him, it is for me, and how I've been doing it a long time now.
Clean and as simple as possible.


----------



## john_rambo (Nov 1, 2021)

Trihexagonal
I have combined my existing rules with your rules. This is how it looks now


```
### Macro name for external interface
ext_if = "wlan0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"


set skip on lo0
block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 }
pass out inet proto icmp icmp-type { echoreq }
antispoof quick for wlan0
icmp_types = "{ unreach }"

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```

I had to change this to `ext_if = "wlan0"`, otherwise it refuses to work.
You have rules which specifically block IPV6 both in and out. What's the reason ? My rules block all incoming, both IPV4 & IPV6. I guess yours does the same. What's the risk in allowing IPV6 ?


----------



## zirias@ (Nov 1, 2021)

A firewall config _really_ isn't for copy&paste. Now you have three unused (and therefore unnecessary) variables: `netbios_tcp`, `netbios_udp` and `icmp_types`. *edit:* did you update your post? Now I see these netbios ports _are_ used, for rules that are functionally redundant, but add logging for these specific ports. (why?) The `icmp_types` variable is still unused…

Really, you must understand what the rules are doing and you must decide what you actually want…

I only use packet filtering on my actual firewall box, not on the machines "behind" it (again, I think this would only make sense for mobile devices that could be used in untrusted networks as well). I won't show my ruleset: it's useless for anyone else anyways (every network is different), but would unnecessarily expose information about the inner structure of my network.



john_rambo said:


> You have rules which specifically block IPV6 both in and out. What's the reason ? My rules block all incoming, both IPV4 & IPV6. I guess yours does the same. What's the risk in allowing IPV6 ?


I'd have an answer to that. You typically only allow what you want to use. If you're sure you don't want to use IPv6, there's nothing wrong with just blocking it.

Without any IPv4- or IPv6-specific rules, this is kind of redundant as the other rules apply to both protocols. But it might help to avoid errors. If you e.g. add a "block" rule that has an IPv4 address, it will only match for IPv4.


----------



## john_rambo (Nov 1, 2021)

Zirias said:


> A firewall config _really_ isn't for copy&paste. Now you have three unused (and therefore unnecessary) variables: `netbios_tcp`, `netbios_udp` and `icmp_types`.
> 
> Really, you must understand what the rules are doing and you must decide what you actually want…
> 
> I only used packet filtering on my actual firewall box, not on the machines "behind" it (again, I think this would only make sense for mobile devices that could be used in untrusted networks as well). I won't show my ruleset: it's useless for anyone else anyways (every network is different), but would unnecessarily expose information about the inner structure of my network.


I will tell what I understand what my own config is doing


```
set skip on lo0
block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 }
pass out inet proto icmp icmp-type { echoreq }
antispoof quick for wlan0
```
(1) It blocks all incoming traffic.
(2) It blocks all outgoing traffic except for ports 53, 80, 443, 995 & 6697
(3) I have read what antispoof does so no point in discussing it here.

Now what's new to me when I see Trihexagonal's rules are (1) specific rules for blocking traffic to port 0, (2) specifically blocking IPV6 & (3) rules for keeping modulate state of outbound tcp, udp and icmp traffic

I am not sure if I need to add this or since I am using "deny all in & deny out with only specific out ports allowed".


----------



## zirias@ (Nov 1, 2021)

What's also new is a rule about blocking some specific (netbios-related?) ports and _logging_ that. Do you really want to specifically log attempts to connect to these ports? If not, don't just copy this stuff.

About rules for port 0: port 0 is invalid, if machines do something with it when it actually hits the wire, that's broken behavior. I'd recommend a `scrub` rule instead which is documented to check for many invalid things and drop these packets, port 0 should be included.

About IPv6: see above. Redundant, might help to avoid errors once you add rules specific to e.g. some IPv4-address (and might forget the IPv6 equivalent)

No idea about that state stuff, for me, connection state was working just fine so far.

Finally: I'd still suggest to allow ICMP `unreach`, even if PF gets it correct. The manual at least isn't fully specific here. I don't see any reason to block it, what should be the risk (question to everyone)? But that isn't done by just declaring an unused variable `icmp_types`.


----------



## Jose (Nov 1, 2021)

> The modulate state option works just like keep state, except that it only applies to TCP packets. With modulate state, the initial sequence number (ISN) of outgoing connections is randomized. This is useful for protecting connections initiated by certain operating systems that do a poor job of choosing ISNs.

Source: OpenBSD PF: Packet Filtering (www.openbsd.org)

See also: TCP sequence prediction attack - Wikipedia (en.wikipedia.org)

At least some of the "certain operating systems" were old versions of Windows that used an ancient BSD TCP/IP stack. Dunno how applicable it is nowadays. I think ISNs were also used for OS fingerprinting, but I can't find a reference for that now.


----------



## Deleted member 30996 (Nov 1, 2021)

john_rambo said:


> Trihexagonal
> I have combined my existing rules with your rules. This is how it looks now


And you did it wrong.

You have your additions to my ruleset in the wrong place and it is all messed up now.

Remove these lines from where they are in your example:


```
pass out proto { tcp udp } to port { 53 80 443 995 6697 }
pass out inet proto icmp icmp-type { echoreq }
icmp_types = "{ unreach }"
```
wlan0 is your wi-fi internet interface.

The ruleset is fine the way it is.
If you add to it without knowing what you're doing you're going to break things.



> If it's not broke don't fix it.


----------



## john_rambo (Nov 1, 2021)

Trihexagonal 
I want to ask a question. I read many articles about network security. Almost all of them suggest that closing all incoming ports is enough to protect a home network. Blocking outgoing ports doesn't really make any sense in a home environment. If you see my rules, I mean the rules that I had set myself:


```
# sudo cat /etc/pf.conf
set skip on lo0
block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 }
pass out inet proto icmp icmp-type { echoreq }
antispoof quick for wlan0
```

Not only does it block all incoming ports, I have blocked outgoing ports too, leaving the ones which are necessary for daily activities like web browsing, using an email client, IRC chat client, etc.

So my question is can a home desktop be made more secure than this ?


----------



## john_rambo (Nov 1, 2021)

Zirias said:


> I won't show my ruleset: I's useless for anyone else anyways (every network is different), but would unnecessarily expose information about the inner structure of my network.


Doesn't that apply to people who deliberately open incoming port(s) so that they can host some kind of a server? I mean suppose a hacker knows that I am using FreeBSD with PF & all my incoming ports are blocked & he also gets to know exactly which outgoing ports I have allowed. So what can a hacker possibly do ?

Is it possible to hack a FreeBSD box which is using PF with all incoming ports blocked ?


----------



## zirias@ (Nov 1, 2021)

john_rambo said:


> Doesn't that apply to people who deliberately open incoming port(s) so that they can host some kind of a server.


It applies to me, not so much because there _are_ services offered (everyone can scan that from the outside anyways), but because this is a real firewall between multiple network zones, and a published ruleset would reveal their structure, making it easier for an attacker to know what to try next if they somehow managed to get into some machine in the DMZ.


john_rambo said:


> Is it possible to hack a FreeBSD box which is using PF with all incoming ports blocked ?


Wrong question. There's no "absolute" security. Even packet filtering code could have bugs itself. That's why a real firewall box (where this code doesn't run on a machine it should protect) is preferable.


----------



## john_rambo (Nov 1, 2021)

Zirias said:


> Wrong question. There's no "absolute" security. Even packet filtering code could have bugs itself. That's why a real firewall box (where this code doesn't run on a machine it should protect) is preferable.


Can you elaborate a bit ? I mean suppose I assemble a new machine & install pfSense or OPNsense. How are these firewall OSs made ? OPNsense used to use HardenedBSD as their base, which they no longer do (I have no idea why they took this decision), & pfSense uses FreeBSD as their base & uses PF. So my question is how is a pfSense box different than my desktop which is also running FreeBSD and PF ? I mean if my FreeBSD install can have bugs, can't a pfSense or an OPNsense box also have bugs ?


----------



## zirias@ (Nov 1, 2021)

If there's a remote-exploitable bug in packet filtering code, with a dedicated firewall, an attacker would compromise _that_ machine, not the one to protect. Add some extra hardening on that special-purpose machine (e.g. no shell or a very limited one, no runtime rule changes allowed, etc), this gives a much better chance the attack will be unsuccessful in the end.


----------



## john_rambo (Nov 1, 2021)

Zirias said:


> If there's a remote-exploitable bug in packet filtering code, with a dedicated firewall, an attacker would compromise _that_ machine, not the one to protect. Add some extra hardening on that special-purpose machine (e.g. no shell or a very limited one, no runtime rule changes allowed, etc), this gives a much better chance the attack will be unsuccessful in the end.


Got it. I was reading about pfSense Vs OPNsense & one of the points that article mentions, which is one of the reasons why pfSense was forked & OPNsense was created, is this



> Security issues related to the web UI being run as root



This is the article >>> https://teklager.se/en/pfsense-vs-opnsense/

What's your opinion about this if you are a pfSense user or have pfSense in the past ?


----------



## zirias@ (Nov 1, 2021)

Well, I don't use it and I don't have any opinion about it. For a professional installation, you'd typically buy some ready-to-use appliance anyways (and make sure the vendor gives some warranties). For me at home, I just use FreeBSD with PF in a virtual machine, that "owns" the NICs on PCI level (not perfect, but hey, it's a private installation, you don't want to operate more than 1 machine 24/7).

In a nutshell:

There's nothing wrong with packet filtering on your own host, and it makes sense if you also operate it in untrusted networks. It just can't give the same level of defense as a dedicated firewall.
In any case, packet filtering rules MUST be understood and tailored to YOUR needs and (risk) decisions. NO copy&paste.
Never ever think "you can't be hacked". That's always wrong unless you "pull the plug". The goal is to make it as unlikely as possible while keeping functionality you need and with effort in relation to your usecase.


----------



## john_rambo (Nov 1, 2021)

Zirias 
One last thing. Do you know how to run Firefox inside a JAIL ? After I replaced Linux with FreeBSD this is the only thing left for me to do. I was using firejail under Linux to isolate Firefox. It was very easy: you need to install firejail from the repos & run sudo firecfg which adds firejail to all the desktop launchers. I couldn't find anything like that under FreeBSD so I am really desperate to set up Firefox inside a jail. Should I create a new thread & give you the link ?


----------



## zirias@ (Nov 1, 2021)

That's most likely a different topic and I'm not really interested in it – I just assume running a browser in a jail isn't exactly a new idea, so I'd suggest to search the forum first (as well as read the handbook on jails and the manpages) before creating a new thread…


----------



## john_rambo (Nov 1, 2021)

Zirias said:


> That's most likely a different topic and I'm not really interested in it – I just assume running a browser in a jail isn't exactly a new idea, so I'd suggest to search the forum first (as well as read the handbook on jails and the manpages) before creating a new thread…


Is this theory correct that if Firefox is compromised an attacker can gain access to my personal data ? I mean on the one hand I am trying to choose the most restrictive rules for PF & on the other hand my browser if compromised is opening another way for the attacker to get it.


----------



## Deleted member 30996 (Nov 1, 2021)

john_rambo said:


> So my question is can a home desktop be made more secure than this ?


I'm not here for a Q&A session.

I'm here to help you with a tight ruleset.

You are breaking it.

As long as you don't require remote access using one of the ports blocked in my macros it cannot be more secure than it is now, or I would make it so.

Don't you think? I've been using it 16 years.

This is how yours should look using the wlan0 internet interface, copy and paste it in as is, save and exit:


```
### Macro name for external interface
ext_if = "wlan0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```

Anything beyond that you do on your own.

And, yes, that is a Copy&Paste ruleset for the other 5 FreeBSD general purpose desktops I've got going right now.


----------



## zirias@ (Nov 1, 2021)

As I see it, the likeliness of a successful attack is roughly ordered like this:

1. Social engineering, tricking people into doing something stupid
2. Exploiting a weakness in some client software (especially browsers)
3. Exploiting some other remote weakness

Packet filtering will only help with the last one. So yes, "secure browsing" is an issue. Putting the browser in a jail is _one_ possible measure. Keep in mind, it will still have all the data it collects itself. Extensions like "NoScript" are another idea: only trust selected sites to execute their scripts on your machine. Even Adblockers can help. And, of course, just staying away from any "shady" websites can help.


----------



## Deleted member 30996 (Nov 1, 2021)

Zirias said:


> Extensions like "NoScript" are another idea: only trust selected sites to execute their scripts on your machine. Even Adblockers can help. And, of course, just staying away from any "shady" websites can help.


With NoScript, uBlock Origin, my other browser extensions and machines set up like they are there's no website I won't go to.

I had NoScript block an XSS Cross-Site Script attack downloading an .mp3 yesterday and went right on downloading them after that.

Of course I just made that up and would never download pirated .mp3's. I drink chocolate milk. Lots of it.


----------



## hardworkingnewbie (Nov 1, 2021)

john_rambo said:


> Not only it blocks all incoming ports I have blocked outgoing ports too leaving the ones which are necessary for daily activities like web browsing, using an email client, IRC chat client, etc.
> 
> So my question is can a home desktop be made more secure than this ?


Sure - disconnect it from the internet, problem solved! It makes attacking your system much harder, but not impossible.

Security is not a product nor a feature - in reality it is a neverending process. The promise that you've got only to install Norton UltraSuperDuperInternetCleaner HyperSmart or stuff like that, or just some firewall and you're forever safe is a lie.

And most of the time the biggest security problem is between the screen and the chair.

Also the idea when blocking outgoing ports is mostly to mitigate some of the potential damage which might happen once your machine is infested by let's say a trojan. You can block SPAM runs quite surely and other stuff.

What you will be unable to do is to block this machine from communicating with its command instance. Typically this is done either by standard ports like 443, so HTTPS, or 53/UDP - DNS. The art of punching holes into a firewall is also something which is well known since Skype utilized this at large scale for commercial use. So if the purpose of that trojan is to log your keyboard for security PINs, make nice screenshots of you watching porn and similar stuff it will most likely do it.

Such stuff you will only be aware of mostly with deep packet inspection, an IDS in place or other systems. And in general, if your machine is infected, there is, not without reason, the golden rule to completely wipe it and start anew.


----------



## ralphbsz (Nov 1, 2021)

john_rambo said:


> I want to ask a question. I read many articles about network security. Almost all of them suggests that closing all incoming ports is enough to protect a home network. Blocking outgoing ports doesn't really make any sense in a home environment.



That depends.

To think about security, you need to answer a lot of questions. Here are three basic ones: What are you trying to protect: what is the asset you don't want attackers to get access to? Who are your enemies: who are those attackers? Who are your friends: whom can you trust?

If you say that a sensible protection for a home environment is a firewall that doesn't allow any incoming connections, but allows all outgoing connections, that's sort of like giving the following three answers to these questions:

1. What are you trying to protect: All information that is stored or processed inside the home network.
2. Who are your enemies: Everyone who is outside the home network.
3. Who are your friends: You completely trust everything and anything inside the home network.

Is that a sensible security posture? To begin with, not in isolation. Even with these assumptions, common sense says that you should still do things like use passwords (or fingerprint sensors or 2FA tokens) in case someone gets hold of devices that you have trusted. And maybe you should encrypt disks that store data, in case of theft. And probably control access to the home network, for example a WPA password on your WiFi.

The real toothache comes when I look at your complete trust in the security of the internal network. The moment your security perimeter (for example your PF firewall, but also many other places) has been breached, all is lost. Allowing all outgoing connections is one symptom of that trust you place in internal devices. Modern network security thinking often works differently. First, silo information, so not everyone can get at everything. Second, NoTrust: just because a device is on your internal network doesn't mean it has good intentions.


----------



## zirias@ (Nov 1, 2021)

ralphbsz said:


> Allowing all outgoing connections is one symptom of that trust you place in internal devices.


Well, not sure "allow all outgoing" is the main problem here. What I do is place devices like my Chinese vacuum robot in a separate network zone. They can still connect to the internet, but not to anything in any other network zone…


----------



## astyle (Nov 1, 2021)

Zirias said:


> Well, not sure "allow all outgoing" is the main problem here. What I do is place devices like my chinese vacuum robot in a separate network zone. They can still connect to the internet, but not to anything in any other network zone…


While we're at it, you can place your Roomba in a box. Or better yet, don't buy the Roomba in the first place, and use a dumb Hoover to lick the floors clean.  Roombas are dangerous, they can phone back home to China, y'know.


----------



## Deleted member 30996 (Nov 1, 2021)

Here are the Services I have running:

```
jitte@bakemono:/ $ sockstat -l46
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS   
avahi    avahi-daem 96008 14 udp4   *:5353                *:*
avahi    avahi-daem 96008 15 udp6   *:5353                *:*
avahi    avahi-daem 96008 16 udp4   *:26298               *:*
avahi    avahi-daem 96008 17 udp6   *:32433               *:*
root     sendmail   94363 3  tcp4   127.0.0.1:25          *:*
ntpd     ntpd       92089 20 udp6   *:123                 *:*
ntpd     ntpd       92089 21 udp4   *:123                 *:*
ntpd     ntpd       92089 23 udp6   ::1:123               *:*
ntpd     ntpd       92089 24 udp6   fe80::1%lo0:123       *:*
ntpd     ntpd       92089 25 udp4   127.0.0.1:123         *:*
ntpd     ntpd       92089 29 udp4   192.168.1.5:123       *:*
jitte@bakemono:/ $
```

Here are my macros, no IPv6 traffic is allowed in or out by a specific rule:

```
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
```

NTP on port 123 is allowed only when my machine initiates the connection (Stateful Packet Inspection) and I have TCP and UDP blocked as it's possible to use either.

No outside access to port 25 is allowed and I still get my daily Security and System logs.

avahi-daemon is port 5353, listed as mdns in the `pfctl -s all` readout on page 1 and shown as blocked.
avahi-daemon on UDP port 262298 is blocked by the default `block log all` firewall rule.

Stateful Packet Inspection comes in to block the random port that is always used in addition to port 5353.

That's why the 2 line ruleset works:

```
block in all
pass out all keep state
```

It's up to me to make sure nothing wants outside connections that shouldn't have them. Firefox and all that aside, that's considered normal operation for that browser.

I'm talking rootkits and run security/rkhunter as a cron job nightly with security/nmap checking for suspicious open ports when it does so.


As a side note, there are chromecast wi-fi signals in my building I can connect to but have no internet access from them.
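The check behind "it's up to me to make sure nothing wants outside connections that shouldn't have them", written out as an added example (not from this thread or any poster): it reads `sockstat -l46` output, drops loopback-only listeners, and reports every remaining listener whose port is not covered by the `netbios_tcp` / `netbios_udp` macros from the ruleset above. The sockstat sample is constructed, with a hypothetical `cupsd` listener added so the report is non-empty.

```shell
#!/bin/sh
# Added example (not from the thread): audit `sockstat -l46` against the port
# macros from the posted pf.conf. Listeners on a wildcard or LAN address whose
# port is NOT in the blocked macro are printed as "proto port command".
# With only "block in all / pass out all keep state" they are still blocked,
# but this is the list worth reviewing after every package install.

# Ports taken from the thread's netbios_tcp / netbios_udp macros.
BLOCKED_TCP="22 23 25 80 110 111 123 512 513 514 515 6000 6010"
BLOCKED_UDP="123 512 513 514 515 5353 6000 6010"

# Constructed sample in the layout of `sockstat -l46` (cupsd line is made up).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
avahi    avahi-daem 96008 14 udp4   *:5353                *:*
avahi    avahi-daem 96008 16 udp4   *:26298               *:*
root     sendmail   94363 3  tcp4   127.0.0.1:25          *:*
ntpd     ntpd       92089 21 udp4   *:123                 *:*
ntpd     ntpd       92089 24 udp6   fe80::1%lo0:123       *:*
ntpd     ntpd       92089 29 udp4   192.168.1.5:123       *:*
root     cupsd      4242  7  tcp4   *:631                 *:*'

# exposed_listeners: sockstat output on stdin -> "proto port command" lines
# for every non-loopback listener not covered by the macros.
exposed_listeners() {
    awk -v tcp="$BLOCKED_TCP" -v udp="$BLOCKED_UDP" '
    BEGIN {
        n = split(tcp, a, " "); for (i = 1; i <= n; i++) btcp[a[i]] = 1
        n = split(udp, a, " "); for (i = 1; i <= n; i++) budp[a[i]] = 1
    }
    NR == 1 { next }                         # skip the header line
    {
        proto = substr($5, 1, 3)             # tcp4/tcp6/udp4/udp6 -> tcp/udp
        i = match($6, /:[0-9]+$/)            # port is after the last colon
        addr = substr($6, 1, i - 1); port = substr($6, i + 1)
        # loopback binds are unreachable from $ext_if: not exposed
        if (addr == "127.0.0.1" || addr == "::1" || addr ~ /%lo0$/) next
        if (proto == "tcp" && (port in btcp)) next
        if (proto == "udp" && (port in budp)) next
        print proto, port, $2
    }'
}

# Run against the constructed sample; on a live box: sockstat -l46 | exposed_listeners
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners
```

For the sample it reports `udp 26298 avahi-daem` (the random mDNS port the post mentions) and `tcp 631 cupsd`; the sendmail and ntpd loopback binds and the macro-covered ports are silent.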


----------



## ralphbsz (Nov 1, 2021)

Zirias said:


> Well, not sure "allow all outgoing" is the main problem here. What I do is place devices like my chinese vacuum robot in a separate network zone. They can still connect to the internet, but not to anything in any other network zone…


This is a fine idea. I actually do the opposite: I have devices (like laser printers) that need to be available on the internal network, so laptops and the print server can reach them, but there is no need for them to ever talk to the outside world. So I put those into a network zone that is deliberately not allowed outgoing external connections. In theory, Linux devices (in particular Raspberry Pis used as IoT nodes) should be in the same category, since I don't trust Linux all that much ... but that makes it hard to upgrade their OS, so I have reluctantly moved them back to the fully trusted tier. I guess I could adjust my PF configuration so the Linux boxes can only get to Debian upgrade servers and nowhere else, but that's extra work.

This is an example of a generally nasty category of nodes: those that need to be reached from the internal network, but also need some contact with the outside world. It also includes weather stations, sprinkler controllers, remote-controllable thermostats. To make them more secure, I could do fine-grain control of what protocols they can use to what nodes (inside and outside), but that level of detail will make the whole system brittle.

Another nasty category is that I actually have to run servers that are reachable from the outside internet, to allow me to remotely log in, and remotely retrieve data. I handle that by having exactly one machine, just two ports (ssh and https, on obscured ports), and lots of attention to detail, such as authentication.

If there is one thing the OP needs to understand: In security, there is no "one size fits all". One common case (single workstation or laptop, on the unsecured worldwide network, only used by a local user) can be handled by following recipes found on the internet. But that common case should be handled on that one machine itself, and is not where the complexity will be found.

P.S. No, I won't publish my pf configuration here. I don't want attackers to find holes in it.


----------

