Firewall PF FreeBSD

Exemple de règle de parefeu simple

Les règles utilisées font partie de PF (Packet Filter) mais elles sont ici utilisées avec un OS sous FreeBSD *
La machine n'est pas dans une DMZ, elle est directement accéssible sur le WAN et utilise une seule interface.

# pf config - K.Andreev 20140604 # This is the external interface. I don't have an internal one. Get the name with ifconfig -a. ext_if = "igb0" # Personne de confiance trust_man = "X.X.X.X/32" # This command tells pf to do the logging on the external interface set loginterface $ext_if # Bypass any packet filtering on the localhost interface. # If you skip this line, you won't be able to telnet localhost anyport # Which means any web application that uses smtp/pop, sql, imap won't work set skip on lo # normalize all incoming traffic scrub in on $ext_if all fragment reassemble # This is how you create tables. In this case the name of the table is bruteforce. table persist # These are the TCP ports that I will allow to be accessible from inside out and vice versa # SSH (port 22) listen on port 78922 tcp_pass = "{ 25 80 443 587 993 995 123 78922 465 }" # This is the UDP port for DNS that I will have to allow, otherwise name resolution won't work udp_pass = "{ 123 53 }" ftp_port_range=" XXXX:YYYY " ssh_pass = "{ 78922 }" # pf works from top to bottom. The last matching rule wins. # Here I will block everything and then poke holes. block all # The quick command is an exception. It cancels any other rules for this packet # and causes an immediate action, regardless of the following rules. block quick from # This line means to block any IP that makes more than 5 connections in 3 seconds # It also limits the number of connections per IP to 15 # Any IP that violates this will be stored in the table pass quick proto { tcp, udp } from any to any port $ssh_pass \ flags S/SA keep state \ (max-src-conn 15, max-src-conn-rate 5/3, \ overload flush global) # This line means to allow in and out all ports that were listed in the $tcp_pass varaible # The log directive also means to log all the traffic pass log on $ext_if proto tcp to any port $tcp_pass keep state pass log on $ext_if proto tcp to any port 32400 keep state # Serveur FTP pass log on $ext_if proto tcp to any port ftp keep state pass inet proto tcp from any to $ext_if port $ftp_port_range \ flags S/SA keep state # Autoriser les mises a jour via svn pass log on $ext_if proto tcp to any port svn keep state # This line means to pass only the UDP traffic on port 53 outside. Inside access to UDP port 53 is blocked. pass out on $ext_if proto udp to any port $udp_pass keep state # This means that we allow our IP to be pinged or tracerouted. # If you remove this line, everything will work fine, but you can't ping your IP and you can't ping # anything outside. It's a good way to hide your presence, but most port scans will find you anyway ### pass inet proto icmp from any to any # On autorise les paquets icmp de type echo request pour # les pings venant de l'extérieur, et echo reply/time # exceeded/destination unreachable pour les réponses aux # pings que l'on avait initié vers l'extérieur. pass in inet proto icmp from $trust_man to $ext_if icmp-type \ { echoreq, echorep, timex, unreach } pass out on $ext_if inet proto icmp all keep state