# Fatman Looking For Advice: Security - PF



## Fatman (Dec 5, 2008)

Ok,

So I've been working with Freebsd now for 2 months. I'm currently running a couple of 7.0 servers including a PF firewall. Everyday I follow the same routine.

RUN CVSUP
Followed by pkgdb -F, portsdb -Uu, portversion -l '<'
I then read both /usr/src/UPDATING and /usr/ports/UPDATING

Once I think everything is fine, I run portupgrade -arR and then portaudit -Fda.

Is this considered a proper approach to keeping the system to date?

I was also looking for some feedback on my PF.conf file. It took me a long time to understand everything but I feel somewhat secure with what I've constructed. Here it is:

ext_if="rl0"
int_if="rl1"
dmz_if="fxp0"

bad_guys="{125.60.241.227, 205.234.225.159}"

internal_nets="192.168.0.0/24"
dmz_nets="172.16.0.0/24"
rdp_server="172.16.0.89"
www_server="172.16.0.80"
www_ssh="172.16.0.80"
trusted_rdp="{}"
trusted_www="{}"

norouteip = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

trusted_nets = "{ 192.168.0.0/24 }"
trusted_hosts = "{192.168.0.69/32}"

client_out="{ftp-data, cvspserver, ftp, ssh, domain, pop3, auth, nntp, http, https, 8080, 8000}"
www = "{80, 443}"
udp_services = "{domain, ntp}"
sshport="22669"
rdp="3389"

# Set Optimizations:  Set some values to better utilize memory.
set block-policy drop
set limit { frags 5000, states 2500, src-nodes 2000 }
set loginterface $ext_if
set optimization aggressive
set timeout { interval 10, frag 30 }

#Normalization: reassemble fragments and resolve or reduce traffic #ambiguities.
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
scrub on $ext_if reassemble tcp

nat on $ext_if from $dmz_nets to any -> ($ext_if)
nat on $ext_if from $internal_nets to any -> ($ext_if)
rdr on $ext_if proto {tcp, udp} from $trusted_rdp to any port $rdp -> $rdp_server
rdr on $ext_if proto tcp from $trusted_rdp to any port $www -> $www_server

block all
#needed this or nmap scans showed ports as filtered
block in quick on rl0 proto {tcp, udp} from any to any flags FUP/FUP
block quick on $ext_if from $bad_guys

pass in inet proto tcp from any to $ext_if port $sshport

pass in inet proto tcp from $trusted_www to $www_server port $www keep state
pass in inet proto {tcp, udp} from $trusted_rdp to $rdp_server port $rdp keep state

pass out quick on $dmz_if proto tcp from $trusted_rdp to $www_server port $www keep state
pass out quick on $dmz_if proto tcp from $trusted_rdp to $rdp_server port $rdp keep state
pass out quick on $dmz_if proto tcp from $trusted_hosts to $www_ssh port 22 keep state

#Let traffic out for the External Interface
pass out quick on $ext_if inet proto tcp from $ext_if to any flags S/SA keep state
pass out quick on $ext_if inet proto udp from $ext_if to any keep state
pass out quick on $ext_if inet proto icmp from $ext_if to any keep state

#Outbound Rules for the Firewall
#Pass ISAKMP out
pass out quick on $ext_if inet proto udp from $ext_if to any port = 500 keep state
pass out quick on $ext_if inet proto udp from $ext_if to any port = 4500 keep state
pass out quick on $ext_if inet proto esp from $ext_if to any keep state

#Allow cvsup to dmz hosts
pass in quick on $dmz_if inet proto tcp from any to any port cvsup keep state
pass out quick on $dmz_if inet proto tcp from any to any port cvsup keep state

#Let Internal Traffic Flow Freely to DMZ
pass in quick on $dmz_if inet proto tcp from $trusted_hosts to $dmz_nets keep state

pass inet proto tcp from $www_ssh to !$internal_nets port $sshport
pass inet proto tcp from 172.16.0.1 to $www_ssh keep state

#Let Internal Traffic Flow out
pass inet proto tcp from $internal_nets to any port $client_out
pass inet proto udp from $internal_nets to any port $udp_services

#Let Trusted Host Anywhere
pass inet proto {tcp, udp, icmp} from $trusted_hosts to any keep state

Thanks for reading and hopefully I'll be able to contribute to this forum as time passes.

Sincerely,

Fatman


----------



## anomie (Dec 5, 2008)

Fatman said:
			
		

> RUN CVSUP
> Followed by pkgdb -F, portsdb -Uu, portversion -l '<'
> I then read both /usr/src/UPDATING and /usr/ports/UPDATING
> 
> ...



Speaking only to this part of your question: in the context of your thread (which had "security" in the title), I would suggest installing portaudit. It will be automatically run daily via periodic, and it will be included in your periodic security output. 

I _only_ update packages when portaudit reports a security issue with them. 

---

As for your base system, I'd recommend subscribing to freebsd-announce. It's a low-volume list that receives notifications when security issues are discovered with the base system (along with a few other announcements).


----------



## Fatman (Dec 6, 2008)

Thanks for the advice. I will definetely subscribe to the mailing list and add it to my routine.


----------



## marius (Dec 6, 2008)

Another option is subscribing to freebsd-security-notifications, and you'll only get the security notifications.

If you're using cvsup you should consider changing to csup, which is now part of the base system in FreeBSD. Csup can use the same config files as cvsup.

Another alternative to csup that works very well together with portupgrade is portsnap, which you can also be found in the base system of FreeBSD.

I do the same thing as anomie. Portaudit runs automaticly every night and I only update the ports reported by this application. To be honest I never read /usr/ports/UPDATING but I sure do read /usr/src/UPDATING when I'm about to update my operating system.

You could also take a look at freebsd-update. That's a nice way of updating the system with binary patches, at least if you're using the GENERIC kernel.


----------



## Fatman (Dec 6, 2008)

thanks, unfortunetly i cannot use freebsd-update since i have a custom kernel. I will definetly start using csup and join to that mailing-list.

Sincerely,

Fatman


----------



## Maurovale (Jan 11, 2009)

Hi for updating your ports sources you can also use :

portmaster and potsnap is as easy as :

portsnap fetch
portsnap update
portmaster -dB port path (portmaster -dB /usr/ports/x11-wm/kde35)

You can also use -a (to check all ports) but I don't recomend updating all ports in one pass 


In pf instead of using the badblocks directly in pf you can load with dinamycally from a file like that :

table <mytable> persist file "/root/file"

Then you can use like that

#allow ssh
pass in quick on {$net_card} proto tcp from <mytable> to {$oip} port 22

The file "/root/file" shoul have an ip per line.

Also I recomend in a Web server using :

Block in all

And then explicity allow everything you want open and nothing more.

MV


----------



## lbl (Jan 13, 2009)

*cron jobs.*

I can recommend using these cron jobs.


```
0       2       *       *       *       root    /usr/sbin/portsnap cron update >> /var/log/portsnap 2>&1 && /usr/local/sbin/portmaster -L | /usr/bin/grep "New version available" && /usr/local/sbin/portmaster -L | /usr/bin/mail -s "Upgradeable ports on [atom0]" lbl@unoc.dk

0       3       *       *       *       root    /usr/local/sbin/portaudit -Fa || /usr/local/sbin/portaudit -a | mail -s "Security vulnerability on [atom0]" lbl@unoc.dk

0       4       *       *       *       root    /usr/sbin/freebsd-update -t lbl@unoc.dk cron
```

On top of that you can use the /etc/periodic.conf (man periodic.conf) for more information.

"portupgrade" is a big horse to navigate, it keeps is own database of installed ports and stuff, i can recommend using "portmaster" instead, its a shellscript so there is no dependencies.

/lbl


----------

