wiki:openbsd:pf

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
wiki:openbsd:pf [2023/05/08 08:17] michelwiki:openbsd:pf [2023/05/08 08:39] (current) michel
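--- a/wiki:openbsd:pf
+++ b/wiki:openbsd:pf
@@ -1,3 +1,3 @@
-=====PF=====
+=====PF Openbsd Firewall =====
 <file bash pf.conf>
 ##################################################################################################
@@ -96,10 +96,14 @@
 ##################################################################################################
 include "/etc/pf/icmp.conf"
-include "/etc/pf/ssh.conf"
-include "/etc/pf/relay.conf"
 include "/etc/pf/routing.conf"
+##################################################################################################
+# Redirect
+##################################################################################################
+pass in on ISP inet  proto {tcp} os Openbsd to port {2222} divert-to 127.0.0.1 port 2222 label "Redirect on $if Port:$dstport to HAproxy"
+pass in on ISP inet proto {tcp,udp} to port 53 rdr-to 10.192.20.6       label "Redirect on $if Port:$dstport to nsd-a"
 ##################################################################################################
 # PASS
 ##################################################################################################
+pass proto tcp os Openbsd to <firewall> port ssh keep state (max-src-conn 20, max-src-conn-rate 8/30, overload <attacker>) label "Pass SSH from OPENBSD to $dstport"
 pass from { <NSAS-INT> <ADMIN> } keep state set prio (2, 5)             label "Pass from $srcaddr"
 pass on CORE                                                            label "Pass on $if"
@@ -117,4 +121,6 @@
 </file>
 
+==== Test befor starting rules ==== 
+<code>pfctl -n -f /etc/pf.conf && pfctl -f /etc/pf.conf</code>
 ==== Kill a session ====
 <code>pfctl -k ${IP}</code>
@@ -133,13 +138,50 @@
 =====pfsync=====
 FW-A
-<file /etc/hostname.pfsync0>
+<file bash /etc/hostname.pfsync0>
 up syncdev "HAINTERFACE" syncpeer "IP OF BACKUPFW" defer
 </file>
 
 FW-B
-<file /etc/hostname.pfsync0>
+<file bash /etc/hostname.pfsync0>
 up syncdev "HAINTERFACE" syncpeer "IP OF PRIMARYFW" defer
 </file>
 
-Veryfi that the sync works
+Veryfi that the sync works, the count should be even on both firewalls 
 <code>pfctl -s state | wc -l</code>
+
+===== Hardening =====
+==== Block ransomeware ====
+<file bash block_ransom.sh>
+#/bin/sh
+curl -s https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt >/tmp/ransom
+curl -s https://feodotracker.abuse.ch/downloads/ipblocklist.txt >>/tmp/ransom
+grep -v \# /tmp/ransom | uniq > /etc/pf_tables/pf.ransom
+rm /tmp/ransom
+</file>
+
+<file bash crontab>
+~ * * * * /bin/sh /root/bin/block_ransom.sh ; /sbin/pfctl -t ransom -T replace -f /etc/pf_tables/pf.ransom >/dev/null 2>&1
+</file>
+
+==== Block country ====
+<file bash block_country.sh>
+#!/bin/sh
+for c in cn il ua ru ro hk by vn il mu
+do
+ curl -s http://www.ipdeny.com/ipblocks/data/aggregated/${c}-aggregated.zone
+done | egrep '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' | uniq | sort -n > /etc/pf_tables/pf.country
+</file>
+
+<file bash crontab>
+~ * * * * /bin/sh /root/bin/block_country.sh ; /sbin/pfctl -t country -T replace -f /etc/pf_tables/pf.country >/dev/null 2>&1
+</file>
+
+==== Block TOR ====
+<file bash block_tor.sh>
+#/bin/sh
+curl -s https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst | uniq > /etc/pf_tables/pf.tor
+</file>
+
+<file bash crontab>
+~ * * * * /bin/sh /root/bin/block_tor.sh ; /sbin/pfctl -t tor -T replace -f /etc/pf_tables/pf.tor >/dev/null 2>&1
+</file>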
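Review bot: In block_ransom.sh the curl calls run without `-f`, their exit status is never checked, and the crontab entry chains `pfctl -T replace` with `;` rather than `&&`, so a failed or HTTP-error download leaves an empty or HTML-filled /etc/pf_tables/pf.ransom that is then loaded, silently emptying the ransom table while `>/dev/null 2>&1` hides pfctl's complaint; the block_country.sh and block_tor.sh crontab entries have the same shape. Both block_ransom.sh and block_tor.sh also open with `#/bin/sh`, which is not a shebang (it only works because cron invokes `/bin/sh` explicitly), and block_ransom.sh writes to the fixed path /tmp/ransom where `mktemp` would avoid a pre-planted file at that name. `uniq` without a preceding `sort` removes only adjacent duplicates and `sort -n` does not order dotted quads, so `sort -u` is the simpler dedup in all three scripts (the country loop also lists `il` twice). block_country.sh fetches over plain `http://`, so the list can be altered in transit; presumably the same path is served over https — worth confirming before switching. A rewrite of block_ransom.sh is below, with its crontab entry becoming `~ * * * * /bin/sh /root/bin/block_ransom.sh && /sbin/pfctl -t ransom -T replace -f /etc/pf_tables/pf.ransom` so cron mails any failure instead of discarding it.
```shell
#!/bin/sh
set -eu
tmp=$(mktemp) || exit 1
trap 'rm -f -- "$tmp" "$tmp.new"' EXIT
# -f makes an HTTP error a non-zero exit, which set -e turns into an abort
curl -sSf https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt >"$tmp"
curl -sSf https://feodotracker.abuse.ch/downloads/ipblocklist.txt >>"$tmp"
grep -v '^#' "$tmp" | sort -u >"$tmp.new"
# never publish an empty table; on failure the previous list stays in place
[ -s "$tmp.new" ] || exit 1
mv -- "$tmp.new" /etc/pf_tables/pf.ransom
```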