Firewall PF FreeBSD

Example of a simple firewall rule set

The rules used here are part of PF (Packet Filter), applied on a machine running FreeBSD.
The machine is not in a DMZ; it is directly reachable from the WAN and uses a single interface.

/etc/pf.conf
# pf config - K.Andreev 20140604

# This is the external interface. I don't have an internal one. Get the name with ifconfig -a.
ext_if = "igb0"

# Trusted host
trust_man = "X.X.X.X/32"

# This command tells pf to do the logging on the external interface
set loginterface $ext_if

# Bypass any packet filtering on the localhost interface.
# If you skip this line, you won't be able to telnet localhost anyport
# Which means any web application that uses smtp/pop, sql, imap won't work
set skip on lo

# normalize all incoming traffic
scrub in on $ext_if all fragment reassemble

# This is how you create tables. In this case the name of the table is bruteforce.
table <bruteforce> persist

# These are the TCP ports that I will allow to be accessible from inside out and vice versa
# SSH (port 22) listen on port 78922
# Note: 78922 is above 65535, the highest valid port number; substitute the real SSH port.
tcp_pass = "{ 25 80 443 587 993 995 123 78922 465 }"

# These are the UDP ports that I will have to allow (53 for DNS, otherwise name resolution
# won't work, and 123 for NTP)
udp_pass = "{ 123 53 }"
ftp_port_range=" XXXX:YYYY "
ssh_pass = "{ 78922 }"

# pf works from top to bottom. The last matching rule wins.
# Here I will block everything and then poke holes.
block all

# The quick command is an exception. It cancels any other rules for this packet
# and causes an immediate action, regardless of the following rules.
block quick from <bruteforce>

# This line means to block any IP that makes more than 5 connections in 3 seconds
# It also limits the number of connections per IP to 15
# Any IP that violates this will be stored in the <bruteforce> table
pass quick proto { tcp, udp } from any to any port $ssh_pass \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)

# This line means to allow in and out all ports that were listed in the $tcp_pass variable
# The log directive also means to log all the traffic
pass log on $ext_if proto tcp to any port $tcp_pass keep state
pass log on $ext_if proto tcp to any port 32400 keep state

# FTP server
pass log on $ext_if proto tcp to any port ftp keep state
pass inet proto tcp from any to $ext_if port $ftp_port_range \
    flags S/SA keep state

# Allow updates via svn
pass log on $ext_if proto tcp to any port svn keep state

# This line means to pass only the UDP traffic on the $udp_pass ports outside.
# Inside access to these UDP ports is blocked.
pass out on $ext_if proto udp to any port $udp_pass keep state

# This means that we allow our IP to be pinged or tracerouted.
# If you remove this line, everything will work fine, but you can't ping your IP and you can't ping
# anything outside. It's a good way to hide your presence, but most port scans will find you anyway
### pass inet proto icmp from any to any

# Allow ICMP echo request packets for pings coming from
# outside, and echo reply/time exceeded/destination
# unreachable for replies to pings that we initiated
# towards the outside.
pass in inet proto icmp from $trust_man to $ext_if icmp-type \
    { echoreq, echorep, timex, unreach }
pass out on $ext_if inet proto icmp all keep state
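
An added example (not part of the original page and not pf code): a small Python model of how the rule set above is evaluated, showing "last matching rule wins", the effect of `quick`, and how the overload table locks out a source on every port. The sliding-window counter is a simplification of pf's rate tracking, `max-src-conn 15` is not modelled, and the IP addresses are constructed samples.

```python
# Added example: a toy model of pf's rule evaluation, not pf itself.
from collections import defaultdict, deque

TCP_PASS = {25, 80, 443, 587, 993, 995, 123, 78922, 465}  # $tcp_pass, as on the page
SSH_PORT = 78922              # $ssh_pass, as written on the page
RATE_COUNT, RATE_SECS = 5, 3  # max-src-conn-rate 5/3

bruteforce = set()            # models table <bruteforce>
recent = defaultdict(deque)   # per-source times of accepted SSH connections

# (action, quick, match) in the order the rules appear in the page's pf.conf
RULES = [
    ("block", False, lambda src, port: True),               # block all
    ("block", True,  lambda src, port: src in bruteforce),  # block quick from <bruteforce>
    ("pass",  True,  lambda src, port: port == SSH_PORT),   # pass quick ... port $ssh_pass
    ("pass",  False, lambda src, port: port in TCP_PASS),   # pass log ... port $tcp_pass
]

def evaluate(src, port):
    """Last matching rule wins; a matching 'quick' rule ends evaluation at once."""
    verdict = "pass"  # pf passes a packet that matches no rule at all
    for action, quick, match in RULES:
        if match(src, port):
            verdict = action
            if quick:
                break
    return verdict

def connect(src, port, now):
    """Verdict for a new connection at time `now` (seconds), with the overload limit."""
    verdict = evaluate(src, port)
    if verdict == "pass" and port == SSH_PORT:
        window = recent[src]
        window.append(now)
        while now - window[0] >= RATE_SECS:   # forget connections older than 3 s
            window.popleft()
        if len(window) > RATE_COUNT:          # more than 5 connections in 3 seconds
            bruteforce.add(src)               # overload <bruteforce>
            return "block"
    return verdict

if __name__ == "__main__":
    # Constructed sample traffic (documentation address ranges)
    for i in range(6):
        print("203.0.113.7 -> ssh:", connect("203.0.113.7", SSH_PORT, i * 0.1))
    print("203.0.113.7 -> 80:", evaluate("203.0.113.7", 80))
    print("198.51.100.9 -> 8080:", evaluate("198.51.100.9", 8080))
```

Because `block quick from <bruteforce>` precedes every `pass` rule, a source that trips the SSH rate limit is also refused on the web and mail ports.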