# My packet filter configuration



## thegolum35 (May 15, 2011)

Hello,

I'd like you to help me improve my pf configuration. So what do you think about it?


```
int_if = "wlan0"
table <deny-hosts> persist
table <ssh-bruteforce> persist

scrub in all
set skip on lo0

block in log all
pass out quick inet
block in quick on $int_if from {<deny-hosts>, <ssh-bruteforce>}
pass in quick on $int_if from ($int_if:network) to any
pass in quick log on $int_if inet proto tcp from any to ($int_if) port 22 flags S/SA keep state ( max-src-conn-rate 2/10, overload <ssh-bruteforce> flush global)
```

Thanks, Gollum


----------



## SirDice (May 16, 2011)

```
pass in quick on $int_if from ($int_if:network) to any
pass in quick log on $int_if inet proto tcp from any to ($int_if) port 22 flags S/SA keep state ( max-src-conn-rate 2/10, overload <ssh-bruteforce> flush global)
```

The first rule already allows traffic from your internal network to the FreeBSD box. And it has a quick keyword so the ssh rule never gets hit.
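
A small model of pf's evaluation order, run over thegolum35's rules, makes this concrete (added example, not from the thread; the LAN prefix and the box's address are constructed, and interface and protocol matching are left out since only wlan0 and TCP are involved here):

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # stands in for ($int_if:network); constructed
SELF = ip_address("192.168.1.1")    # stands in for ($int_if), the box itself; constructed

def rule(name, action, direction, quick=False, src=None, dst=None, dport=None):
    """One filter rule; interface and protocol are omitted (single wlan0, TCP only)."""
    return dict(name=name, action=action, dir=direction, quick=quick,
                src=src, dst=dst, dport=dport)

def matches(r, pkt, banned):
    """Does rule r match pkt? 'banned' holds the <deny-hosts>/<ssh-bruteforce> entries."""
    src = ip_address(pkt["src"])
    if r["dir"] != pkt["dir"]:
        return False
    if r["src"] == "network" and src not in LAN:
        return False
    if r["src"] == "tables" and pkt["src"] not in banned:
        return False
    if r["dst"] == "self" and ip_address(pkt["dst"]) != SELF:
        return False
    return r["dport"] is None or pkt.get("dport") == r["dport"]

def evaluate(ruleset, pkt, banned=frozenset()):
    """pf semantics: the last matching rule wins, except that a matching 'quick'
    rule ends evaluation at once. Returns (action, name of the deciding rule)."""
    winner = ("pass", "default")  # pf passes when no rule matches
    for r in ruleset:
        if matches(r, pkt, banned):
            winner = (r["action"], r["name"])
            if r["quick"]:
                break
    return winner

def ruleset(lan_quick):
    """thegolum35's filter rules; lan_quick toggles 'quick' on the LAN pass rule."""
    return [
        rule("block in log all", "block", "in"),
        rule("pass out quick inet", "pass", "out", quick=True),
        rule("block in quick from tables", "block", "in", quick=True, src="tables"),
        rule("pass in from network", "pass", "in", quick=lan_quick, src="network"),
        rule("pass in quick to port 22 (overload)", "pass", "in", quick=True,
             dst="self", dport=22),
    ]

LAN_SSH = dict(dir="in", src="192.168.1.50", dst="192.168.1.1", dport=22)  # constructed
WAN_SSH = dict(dir="in", src="203.0.113.7", dst="192.168.1.1", dport=22)   # constructed
```

With `quick` on the LAN rule, a LAN SSH connection is decided by that rule and never reaches the overload tracking; without it, the port 22 rule is the last match and wins.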


----------



## thegolum35 (May 16, 2011)

Do you mean that the ssh rule will never get hit if the connection comes from the local network? How can I solve this issue?


----------



## SirDice (May 17, 2011)

Try not to use the quick keyword unless you have to.


----------



## thegolum35 (May 17, 2011)

```
pass in quick on $int_if from ($int_if:network) to any
pass in quick log on $int_if inet proto tcp from any to ($int_if) port 22 flags S/SA keep state ( max-src-conn-rate 2/10, overload <ssh-bruteforce> flush global)
```

Is that okay?


----------



## ecazamir (May 17, 2011)

It seems that this firewall is protecting a single server. So, I would add another table:

```
table <me> { self }
```
And a few rules referring to `<me>` instead of `any`.
I would change the name 'int_if' to something more explicit, like 'net_if1'; the int_if name suggests a configuration with more than one network interface.
Another useful thing is to allow ICMP echo request packets, at least from a few networks.

```
net_if1 = "wlan0"
icmp_allowed = "echoreq"
table <deny-hosts> persist
table <ssh-bruteforce> persist
table <me> { self }

# 'set' options must come before scrub and filter rules, or pfctl rejects the file.
# What to do on 'block' rules?
set block-policy return
set skip on lo0

scrub in all

block in log all
pass out quick inet
pass in inet proto icmp all icmp-type $icmp_allowed
block in quick on $net_if1 from {<deny-hosts>, <ssh-bruteforce>}
pass in on $net_if1 from ($net_if1:network) to <me> keep state
pass in quick log on $net_if1 inet proto tcp from any to <me> port 22 flags S/SA keep state ( max-src-conn-rate 2/10, overload <ssh-bruteforce> flush global)
```


----------



## thegolum35 (May 17, 2011)

> Another useful thing is to allow ICMP echo request packets, at least from few networks.



What is the purpose of that rule? My PC is NATed behind my box, so only local machines can ping me, and that is already allowed by:

```
pass in on $net_if1 from ($net_if1:network) to <me> keep state
```

Else, thanks for your help.

Gollum


----------



## ecazamir (May 18, 2011)

If your machine is behind a NAT box, then <ssh-bruteforce> and <deny-hosts> are useful only if you want to block some local hosts and/or you use IP forwarding on the NAT box. I see now that the last rule contains 'quick', which is not needed in this context.


----------



## thegolum35 (May 18, 2011)

Yes, that is what I want to do, so the icmp rule is useless? Which rule is the 'quick' that is not needed in?


----------



## gkontos (May 18, 2011)

This should do it without the icmp packets:

```
wlan0 = "wlan0"   # interface macro, referenced below as $wlan0

scrub in on $wlan0 all fragment reassemble

block log all

set skip on lo0
antispoof for $wlan0 inet

pass out log on $wlan0 proto { tcp, udp, icmp } from any to any modulate state

table <ssh_abuse> persist
block in log quick from <ssh_abuse>

pass in on $wlan0 proto tcp to any port ssh flags S/SA keep state (max-src-conn 6, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
```
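
What the `(max-src-conn-rate 3/5, overload <ssh_abuse> flush)` state options in this ruleset, and the `2/10` variant earlier in the thread, actually do, as an added Python model (not from the thread or from pf's source): the per-source counter follows the decaying moving-average approximation pf.conf(5) describes for max-src-conn-rate; addresses and timestamps are constructed, and max-src-conn (a cap on concurrent states per source) is not modeled.

```python
from dataclasses import dataclass, field

MULT = 1000  # pf keeps the counter scaled by 1000 so integer decay stays precise

@dataclass
class Threshold:
    """Per-source tracker for 'max-src-conn-rate limit/seconds'."""
    limit: int
    seconds: int
    count: int = 0
    last: int = 0

    def add(self, now: int) -> bool:
        """Record one new connection at time 'now'; True when the rate is exceeded."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0                                   # window elapsed: reset
        else:
            self.count -= self.count * diff // self.seconds  # linear decay
        self.count += MULT
        self.last = now
        return self.count > self.limit * MULT

@dataclass
class SshRule:
    """The ssh pass rule with its overload table, plus the 'block in quick from <t>' rule above it."""
    limit: int
    seconds: int
    overload: set = field(default_factory=set)
    trackers: dict = field(default_factory=dict)

    def new_connection(self, src: str, now: int) -> str:
        if src in self.overload:
            return "block"          # address is in the table: the block rule matches first
        tr = self.trackers.setdefault(src, Threshold(self.limit, self.seconds))
        if tr.add(now):
            self.overload.add(src)  # overload: source enters the table; 'flush'
            return "overload"       # also kills the states it already holds
        return "pass"

def simulate(limit, seconds, attempts):
    """Verdict for each (source, timestamp) SYN against max-src-conn-rate limit/seconds."""
    rule = SshRule(limit, seconds)
    return [rule.new_connection(src, t) for src, t in attempts]

# Constructed SYNs: 10.0.0.5 hammers at once, 10.0.0.9 spreads attempts, 10.0.0.7 is slow.
ATTEMPTS = [("10.0.0.5", 0), ("10.0.0.5", 0), ("10.0.0.5", 0), ("10.0.0.5", 1),
            ("10.0.0.9", 0), ("10.0.0.9", 5), ("10.0.0.9", 9), ("10.0.0.9", 10),
            ("10.0.0.7", 0), ("10.0.0.7", 20)]
```

Under `2/10` the third immediate SYN from 10.0.0.5 overloads it and the fourth is blocked by the table, while under `3/5` the same host gets one more attempt and the spread-out 10.0.0.9 never trips.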


----------



## bbzz (May 19, 2011)

This is my pf.conf file.

```
ext_if="re0"

scrub in on $ext_if all fragment reassemble

block all

set skip on lo0
antispoof for $ext_if inet

### log nmap queso xprobe fingerprint probes that can possibly determine our operating sys.
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF

pass out on $ext_if proto { tcp, udp, icmp } from any to any flags any modulate state
pass in on tap0

table <ssh_abuse> persist
block in log quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
```

TCP block rules are crude, but they sometimes help with OS scanning. Not all scans can be filtered, such as scanning with TCP options, since pf can't filter these. Still, it gives you the option to log these TCP packets.
Might be useful.


----------

