Blame
Date: Wed Feb 1 05:00:29 2023 UTC
Message: Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Mozilla/5.0 (X11; OpenBSD amd64; rv:82.0) Gecko/20100101 Firefox/82.0
author=jrmu
charset=UTF-8
csum=
ctime=1609294892
host=125.231.20.163
name=Openbsd.PFTesting
rev=6
targets=Openbsd.Netadmin,Ircnow.Stable,Ircnow.Testing,Openbsd.Ilines,Openbsd.Buyvm,Openbsd.Vmmusers,Openbsd.Tcpdump,Openbsd.SYNFlood,Openbsd.Ntpd,Openbsd.Nsd,Openbsd.Sshbackdoor,Openbsd.Iked,Openbsd.Pf,Openbsd.Ddos
text=(:title Sample PF for Testing:)

!! NOT DONE DO NOT USE

'''NOTE''': This guide is '''no''' substitute for reading the [[https://www.openbsd.org/faq/pf|Packet Filter Guide]]. In particular, you must read the Basic Configuration section and the [[openbsd/netadmin|NetAdmin Code]].

Here's a sample /etc/pf.conf for [[ircnow/testing]] servers (do '''NOT''' use this for [[ircnow/stable|stable]], znc-only servers). See the Comments section below for a rule-by-rule explanation:

[@
ExtIf = "vio0"
IP4 = "10.0.0.1"
IntIP4 = "192.168.0.1"
IP6 = "2001:db8::/80"
FlushUDP = "max-pkt-rate 10000/10 keep state (max 1000, source-track rule, max-src-nodes 200, max-src-states 200)"
Flush = "keep state (max 1000, source-track rule, max-src-nodes 200, max-src-conn-rate 500/10 overload <badhosts> flush global)"
FlushStrict = "keep state (max 100, source-track rule, max-src-nodes 20, max-src-conn-rate 50/10 overload <badhosts> flush global)"

set skip on lo0
set loginterface $ExtIf
#set ruleset-optimization profile
set syncookies adaptive (start 25%, end 12%)

table <ilines> persist file "/etc/pf/ilines"
table <badhosts> persist file "/etc/pf/badhosts"

# udp and icmp
block in log quick from <badhosts>
pass in log quick proto udp to {$IP4 $IP6} port domain $FlushUDP
pass in log quick proto udp to {$IntIP4 $IP6} port ntp $FlushUDP
pass in log quick proto udp to {$IP4 $IP6} port {isakmp ipsec-nat-t} $FlushUDP
block in log quick proto udp to {$IP4 $IP6}
block in log quick from urpf-failed
match in log all scrub (no-df random-id max-mss 1440)
pass in log quick on $ExtIf inet proto icmp icmp-type 8 code 0 $FlushUDP # icmp packets
pass in log quick on $ExtIf inet proto icmp icmp-type 3 code 4 $FlushUDP # icmp needfrag (MTU)
pass in log quick on $ExtIf proto ipv6-icmp $FlushUDP
# tcp
pass in log quick proto tcp to {$IP4 $IP6} port domain $Flush
pass in log quick proto tcp to {$IP4 $IP6} port auth $Flush
pass in log quick proto tcp to {$IP4 $IP6} port {smtp submission smtps imap imaps pop3 pop3s} $Flush
pass in log quick proto tcp to {$IP4 $IP6} port {gopher http https} $Flush
pass in log quick proto tcp from <ilines> to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } #irc
pass in log quick proto tcp to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } $Flush #irc
pass in log quick proto tcp to {$IP4 $IP6} port { 1314 13140 1337 31337 } $Flush #bnc
pass in log quick proto tcp to {$IP4 $IP6} port 29173 $Flush #wraith
pass in log quick proto tcp to {$IP4 $IntIP4 $IP6} port ssh $FlushStrict

# road warrior vpn
pass in log inet proto udp to {$IP4 $IP6} port {isakmp, ipsec-nat-t} tag IKED
pass in log inet proto esp to {$IP4 $IP6} tag IKED
pass log on enc0 inet tagged ROADW
match out log on $ExtIf inet tagged ROADW nat-to $IP4
match in log quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53

block in log all
block out log from $IntIP4 # $IntIP4 is an address, so match it with "from", not "on" (which expects an interface)
pass out quick from {$IP4 $IP6} # allow non-spoofed packets
pass out quick proto tcp from $IntIP4 to port ssh
pass out quick proto udp from $IntIP4 to port ntp
pass out quick proto {udp tcp} from $IntIP4 to port {domain}
pass out quick inet proto icmp from $IntIP4 # allow ICMP
@]

You will then need to create a folder:

[@
$ doas mkdir /etc/pf/
@]

Then, add the list of [[openbsd/ilines|ilines]] to /etc/pf/ilines.

[@
198.251.89.130
198.251.83.183
209.141.39.184
209.141.39.228
198.251.84.240
198.251.80.229
198.251.81.119
209.141.39.173
198.251.89.91
198.251.81.44
209.141.38.137
198.251.81.133
2605:6400:0030:f8de::/64
2605:6400:0010:071b::/64
2605:6400:0020:0434::/64
2605:6400:0020:00b4::/64
2605:6400:0010:05bf::/64
2605:6400:0030:fc15::/64
2605:6400:0020:1290::/64
2605:6400:0020:0bb8::/64
2605:6400:0030:faa1::/64
2605:6400:0010:069d::/64
2605:6400:0020:05cc::/64
2605:6400:0010:00fe::/64
@]

Afterwards, any badhosts can be added to /etc/pf/badhosts.

To load the new configuration:

[@
$ doas pfctl -f /etc/pf.conf
@]

!! Troubleshooting

'''WARNING''': When you apply new firewall rules, '''make sure''' to test that all services are working after the rules have been applied. If you do not test, you might break something for users and not notice it for days or weeks!

To test, connect to each and every one of the services you provide, both from your home IP address and from another proxy (VPN, VPS) that you have.

Please also set aside 24-48 hours to monitor any bug reports from users.

!! Comments

[@
ExtIf = "vio0"
IP4 = "10.0.0.1"
IntIP4 = "192.168.0.1"
IP6 = "2001:db8::/80"
@]

ExtIf is the external interface (vio0 for [[openbsd/buyvm|BuyVM]] and [[openbsd/vmmusers|VMM]] users), IP4 is your DDoS-filtered IPv4 address, IntIP4 is your secret unfiltered IPv4 address, and IP6 is your IPv6 subnet range.

[@
FlushUDP = "max-pkt-rate 10000/10 keep state (max 1000, source-track rule, max-src-nodes 200, max-src-states 200)"
Flush = "keep state (max 1000, source-track rule, max-src-nodes 200, max-src-conn-rate 500/10 overload <badhosts> flush global)"
FlushStrict = "keep state (max 100, source-track rule, max-src-nodes 20, max-src-conn-rate 50/10 overload <badhosts> flush global)"
@]

This defines three macros.

For FlushUDP, if the packet rate exceeds 10000 packets per 10 seconds, PF will refuse to process any further packets. It will keep track of state for ICMP and UDP packets; if there are more than 1000 state entries, it will stop accepting new packets. If there are more than 200 unique IPs in the state entry table, or if a single IP has more than 200 entries, it will stop accepting new connections.

For Flush, if there are 1000 state entries, it will stop accepting new connections. If there are more than 200 unique IPs in the state entry table, or if a single IP makes more than 500 connections in 10 seconds, it will disconnect all connections from this user and add them to the table '''badhosts'''.

FlushStrict is the same but more strict. If there are 100 state entries, it will stop accepting new connections. If there are more than 20 unique IPs in the state entry table, or if a single IP makes more than 50 connections in 10 seconds, it will disconnect all connections from this user and add them to the table '''badhosts'''.

[@
set skip on lo0
set loginterface $ExtIf
#set ruleset-optimization profile
set syncookies adaptive (start 25%, end 12%)
@]

We skip filtering on loopback (localhost). We are going to log all packets that pass through the external interface vio0. You can view these using [[openbsd/tcpdump|tcpdump]] in /var/log/pflog*. You can optionally optimize the ruleset based on the profile, but I have not yet tested to see if the optimization is intelligent, so I left it commented out. We will use syncookies to defend against [[openbsd/SYNFlood|synflood]] attacks.

[@
table <ilines> persist file "/etc/pf/ilines"
table <badhosts> persist file "/etc/pf/badhosts"
@]

We load two tables, one with [[openbsd/ilines|ilines]] (with IRCNow-approved IPs), and another with a list of '''badhosts''' (known criminals and enemies).

[@
block in log quick from <badhosts>
pass in log quick proto udp to {$IP4 $IP6} port domain $FlushUDP
pass in log quick proto udp to {$IntIP4 $IP6} port ntp $FlushUDP
pass in log quick proto udp to {$IP4 $IP6} port {isakmp ipsec-nat-t} $FlushUDP
block in log quick proto udp to {$IP4 $IP6}
block in log quick from urpf-failed
match in log all scrub (no-df random-id max-mss 1440)
@]

We immediately block all packets from '''badhosts'''. We pass in all DNS UDP packets on the DDoS-filtered IPv4 address and IPv6 subnet (but not the secret unfiltered IPv4 address). We pass in all NTP UDP packets for the unfiltered IPv4 address and IPv6 subnet, but not for the DDoS-filtered IPv4 address, because NTP packets get mangled by DDoS filtering.

'''WARNING''': Please follow the [[openbsd/ntpd|ntpd guide]] to set it up properly -- if you do not, your system's time will be wrong, causing all sorts of hard-to-troubleshoot problems, such as issues with [[openbsd/nsd|nsd]].

[@
pass in log quick on $ExtIf inet proto icmp icmp-type 8 code 0 $FlushUDP # icmp packets
pass in log quick on $ExtIf inet proto icmp icmp-type 3 code 4 $FlushUDP # icmp needfrag (MTU)
pass in log quick on $ExtIf proto ipv6-icmp $FlushUDP
@]

We allow in ICMP and ICMPv6 packets passing through our external interface. '''NOTE''': Do '''not''' block ICMP packets, or else strange and hard-to-diagnose problems can occur. For example, blocking ICMPv6 packets can interfere with proper IPv6 routing.

[@
pass in log quick proto tcp to {$IP4 $IP6} port domain $Flush
pass in log quick proto tcp to {$IP4 $IP6} port auth $Flush
pass in log quick proto tcp to {$IP4 $IP6} port {smtp submission smtps imap imaps pop3 pop3s} $Flush
pass in log quick proto tcp to {$IP4 $IP6} port {gopher http https} $Flush
pass in log quick proto tcp from <ilines> to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } #irc
pass in log quick proto tcp to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } $Flush #irc
pass in log quick proto tcp to {$IP4 $IP6} port { 1314 13140 1337 31337 } $Flush #bnc
pass in log quick proto tcp to {$IP4 $IP6} port 29173 $Flush #wraith
pass in log quick proto tcp to {$IP4 $IntIP4 $IP6} port ssh $FlushStrict
@]

We immediately pass in all TCP packets for the public IPv4 address and IPv6 subnet if they are for DNS (domain), ident (auth), sending mail (smtp submission smtps), reading mail (imap imaps pop3 pop3s), gopher, or the web (http https).

If the sender is present on our ilines, we pass in all IRC traffic without the normal Flush limits. Otherwise, the normal Flush limits apply.

We immediately pass in all TCP packets for the public IPv4 address and IPv6 subnet if they are headed for the bouncer or wraith.

For ssh, we allow incoming packets to the secret, unfiltered IPv4 address and we apply stricter rules to prevent brute-force attacks. The unfiltered IPv4 address will provide a [[openbsd/sshbackdoor|hidden backdoor]] to access the server in case of a DDoS attack.

[@
# road warrior vpn
pass in log inet proto udp to {$IP4 $IP6} port {isakmp, ipsec-nat-t} tag IKED
pass in log inet proto esp to {$IP4 $IP6} tag IKED
pass log on enc0 inet tagged ROADW
match out log on $ExtIf inet tagged ROADW nat-to $IP4
match in log quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
@]

This section is for IPsec VPNs using [[openbsd/iked|iked]].

[@
block in log all
block out log from $IntIP4 # $IntIP4 is an address, so match it with "from", not "on" (which expects an interface)
pass out quick from {$IP4 $IP6} # allow non-spoofed packets
pass out quick proto tcp from $IntIP4 to port ssh
pass out quick proto udp from $IntIP4 to port ntp
pass out quick proto {udp tcp} from $IntIP4 to port {domain}
pass out quick inet proto icmp from $IntIP4 # allow ICMP
@]

We block all incoming packets, but '''not''' immediately. By default, if the '''quick''' keyword is missing, the last rule that matches applies to a packet. We then block all outgoing packets from the secret, unfiltered IPv4 address except whitelisted traffic for ssh, ntp, dns, and ICMP packets.

!! See Also

|| [[openbsd/pf|PF Guide]] || [[openbsd/ddos|DDoS Filtering Guide]] || [[openbsd/tcpdump|tcpdump]] ||
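The ruleset above loads two table files and blocks <badhosts> before any other rule is consulted, so a typo in /etc/pf/ilines or /etc/pf/badhosts breaks the whole `pfctl -f` load, and an iline address that ends up in <badhosts> loses its IRC access along with everything else. The following pre-flight check is an added example for this page, not IRCNow's own tooling: it validates both files with Python's standard library and cross-checks them. The file contents embedded in it are constructed test data (one bad entry, one duplicate, one badhosts network covering an iline), not the real IRCNow lists; the paths are the ones the ruleset uses.

```python
"""Pre-flight check for the PF table files the sample ruleset loads.

Added example for this page (not IRCNow's own tooling). It validates
/etc/pf/ilines and /etc/pf/badhosts entry by entry, then flags any
badhosts entry that overlaps an iline, because the ruleset's first rule
(block in log quick from <badhosts>) would cut such a host off entirely.
The file contents below are constructed test data, not the real lists.
"""
import ipaddress
from typing import Dict, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data: entry 2 has a typo (an extra digit), entry 4
# repeats entry 1, and the last badhosts entry covers the first iline.
SAMPLE_ILINES = """\
198.251.89.130
198.251.83.1833
2605:6400:0030:f8de::/64
198.251.89.130
"""
SAMPLE_BADHOSTS = """\
203.0.113.7
2001:db8:bad::/48
198.251.89.0/24
"""


def parse_table(text: str) -> Dict[str, list]:
    """Parse one table file; return the networks plus the problems found."""
    nets: List[Net] = []
    invalid: List[str] = []
    duplicates: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # skip comments and blank lines
        if not entry:
            continue
        try:
            # A bare address becomes a /32 or /128; strict=False keeps
            # entries with host bits set instead of rejecting them.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            invalid.append(f"line {lineno}: {entry!r}")
            continue
        if net in seen:
            duplicates.append(entry)
            continue
        seen.add(net)
        nets.append(net)
    return {"nets": nets, "invalid": invalid, "duplicates": duplicates}


def check_tables(ilines_text: str, badhosts_text: str) -> Dict[str, object]:
    """Validate both files and cross-check badhosts against ilines."""
    il = parse_table(ilines_text)
    bh = parse_table(badhosts_text)
    # An iline host that lands in <badhosts>, whether added by hand or by
    # the overload option of a $Flush rule, is dropped by the first rule of
    # the ruleset before the <ilines> IRC rule is ever reached.
    conflicts = [
        f"{b} overlaps iline {i}"
        for b in bh["nets"]
        for i in il["nets"]
        if b.version == i.version and b.overlaps(i)
    ]
    return {
        "ilines_invalid": il["invalid"],
        "ilines_duplicates": il["duplicates"],
        "badhosts_invalid": bh["invalid"],
        "badhosts_duplicates": bh["duplicates"],
        "conflicts": conflicts,
        "ok": not (il["invalid"] or bh["invalid"] or conflicts),
    }


def check_files(ilines_path: str = "/etc/pf/ilines",
                badhosts_path: str = "/etc/pf/badhosts") -> Dict[str, object]:
    """Run the check on the real files. A "persist file" table whose file is
    missing makes pfctl -f fail, so a missing file is reported as an error."""
    texts = {}
    for path in (ilines_path, badhosts_path):
        try:
            with open(path, encoding="ascii") as fh:
                texts[path] = fh.read()
        except FileNotFoundError:
            return {"ok": False, "missing": path}
    return check_tables(texts[ilines_path], texts[badhosts_path])


if __name__ == "__main__":
    for key, value in check_tables(SAMPLE_ILINES, SAMPLE_BADHOSTS).items():
        print(f"{key}: {value}")
```

Run it (or `check_files()` against the live paths) before `doas pfctl -f /etc/pf.conf`. Two points it encodes: pfctl refuses to load a ruleset whose `persist file` table file does not exist, so /etc/pf/badhosts must exist (it may be empty) before the first load; and because the Flush macros add overloaded sources to <badhosts> with `flush global`, the conflict check is worth repeating whenever you review that table, not only when editing the files.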
time=1611588489
title=Sample PF for Testing
author:1611588489=jrmu
diff:1611588489:1609332194:=2,3d1%0a%3c %0a%3c !! NOT DONE DO NOT USE%0a
host:1611588489=125.231.20.163
author:1609332194=jrmu
diff:1609332194:1609295962:=1,6c1,4%0a%3c (:title Sample PF for Testing:)%0a%3c %0a%3c '''NOTE''': This guide is '''no''' substitute for reading the [[https://www.openbsd.org/faq/pf|Packet Filter Guide]]. In particular, you must read the Basic Configuration section and the [[openbsd/netadmin|NetAdmin Code]].%0a%3c %0a%3c Here's a sample /etc/pf.conf for [[ircnow/testing]] servers (do '''NOT''' use this for [[ircnow/stable|stable]], znc-only servers). See the Comments section below for a rule-by-rule explanation:%0a%3c %0a---%0a> (:title Sample PF for Stable:)%0a> %0a> Here's a sample /etc/pf.conf for stable servers (do '''NOT''' use this for shell servers):%0a> %0a12,15c10,16%0a%3c FlushUDP = "max-pkt-rate 10000/10 keep state (max 1000, source-track rule, max-src-nodes 200, max-src-states 200)"%0a%3c Flush = "keep state (max 1000, source-track rule, max-src-nodes 200, max-src-conn-rate 500/10 overload %3cbadhosts> flush global)"%0a%3c FlushStrict = "keep state (max 100, source-track rule, max-src-nodes 20, max-src-conn-rate 50/10 overload %3cbadhosts> flush global)"%0a%3c %0a---%0a> FlushUDP = "max-pkt-rate 10000/10 keep state (max 1000, source-track rule, max-src-nodes%0a> 200, max-src-states 200)"%0a> Flush = "keep state (max 1000, source-track rule, max-src-nodes 200, max-src-conn-rate 5%0a> 00/10 overload %3cbadhosts> flush global)"%0a> FlushStrict = "keep state (max 100, source-track rule, max-src-nodes 20, max-src-conn-ra%0a> te 50/10 overload %3cbadhosts> flush global)"%0a> %0a39c40,41%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port {smtp submission smtps imap imaps pop3 pop3s} $Flush%0a---%0a> pass in log quick proto tcp to {$IP4 $IP6} port {smtp submission smtps imap imaps pop3 p%0a> op3s} $Flush%0a41,43c43,47%0a%3c pass in log quick proto tcp from %3cilines> to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } #irc%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } $Flush #irc%0a%3c pass 
in log quick proto tcp to {$IP4 $IP6} port { 1314 13140 1337 31337 } $Flush #bnc%0a---%0a> pass in log quick proto tcp from %3cilines> to {$IP4 $IP6} port { 6660:6669 6697 6997 7000%0a> 9999 16667 16697 } #irc%0a> pass in log quick proto tcp to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16%0a> 697 } $Flush #irc%0a> pass in log quick proto tcp to {$IP4 $IP6} port { 1314 21314 1337 31337 } $Flush #bnc%0a58d61%0a%3c pass out quick proto udp from $IntIP4 to port ntp%0a106,115c109,112%0a%3c !! Troubleshooting%0a%3c %0a%3c '''WARNING''': When you apply new firewall rules, '''make sure''' to test that all services are working after the rules have been applied. If you do not test, you might break something for users and not notice it for days or weeks!%0a%3c %0a%3c To test, connect to each and every one of the services you provide, both from your home IP address and another proxy (vpn, vps) that you have.%0a%3c %0a%3c Please also set aside 24-48 hours to monitor any bug reports from users.%0a%3c %0a%3c !! Comments%0a%3c %0a---%0a> !! 
Maintenance%0a> %0a> You should check to see who is on the badhosts table:%0a> %0a117,120c114%0a%3c ExtIf = "vio0"%0a%3c IP4 = "10.0.0.1"%0a%3c IntIP4 = "192.168.0.1"%0a%3c IP6 = "2001:db8::/80"%0a---%0a> $ doas pfctl -t badhosts -T show%0a123,124c117,118%0a%3c ExtIf is the external interface (vio0 for [[openbsd/buyvm|BuyVM]] and [[openbsd/vmmusers|VMM]] users), IP4 is your DDoS-filtered IPv4 address, IntIP4 is your secret unfiltered IPv4 address, and IP6 is your IPv6 subnet range.%0a%3c %0a---%0a> Periodically, once a week perhaps, you should flush this table%0a> %0a126,128c120%0a%3c FlushUDP = "max-pkt-rate 10000/10 keep state (max 1000, source-track rule, max-src-nodes 200, max-src-states 200)"%0a%3c Flush = "keep state (max 1000, source-track rule, max-src-nodes 200, max-src-conn-rate 500/10 overload %3cbadhosts> flush global)"%0a%3c FlushStrict = "keep state (max 100, source-track rule, max-src-nodes 20, max-src-conn-rate 50/10 overload %3cbadhosts> flush global)"%0a---%0a> $ doas pfctl -t badhosts -T flush%0a130,219d121%0a%3c %0a%3c This defines 3 macros.%0a%3c %0a%3c For FlushUDP, if the packet rate exceeds 10000 packets per 10 seconds, PF will refuse to process any further packets. It will keep track of state for ICMP and UDP packets; if there are more than 1000 state entries, it will stop accepting new packets. If there are more than 200 unique IPs in the state entry table, or if a single IP has more than 200 entries, it will stop accepting new connections.%0a%3c %0a%3c For Flush, if there are 1000 state entries, it will stop accepting new connections. If there are more than 200 unique IPs in the state entry table, or if a single IP makes more than 500 connections in 10 seconds, it will disconnect all connections from this user and add them to the table '''badhosts'''.%0a%3c %0a%3c FlushStrict is the same but more strict. If there are 100 state entries, it will stop accepting new connections. 
If there are more than 20 unique IPs in the state entry table, or if a single IP makes more than 50 connections in 10 seconds, it will disconnect all connections from this user and add them to the table '''badhosts'''.%0a%3c %0a%3c [@%0a%3c set skip on lo0%0a%3c set loginterface $ExtIf%0a%3c #set ruleset-optimization profile%0a%3c set syncookies adaptive (start 25%25, end 12%25)%0a%3c @]%0a%3c %0a%3c We skip filtering on loopback (localhost). We are going to log all packets that pass through the external interface vio0. You can view these using [[openbsd/tcpdump|tcpdump]] in /var/log/pflog*. You can optionally optimize the ruleset based on the profile, but I have not yet tested to see if the optimization is intelligent, so I left it commented out. We will use syncookies to defend against [[openbsd/SYNFlood|synflood]] attacks.%0a%3c %0a%3c [@%0a%3c table %3cilines> persist file "/etc/pf/ilines"%0a%3c table %3cbadhosts> persist file "/etc/pf/badhosts"%0a%3c @]%0a%3c %0a%3c We load two tables, one with [[openbsd/ilines|ilines]] (with IRCNow-approved IPs), and another with a list of '''badhosts''' (known criminals and enemies).%0a%3c %0a%3c [@%0a%3c block in log quick from %3cbadhosts>%0a%3c pass in log quick proto udp to {$IP4 $IP6} port domain $FlushUDP%0a%3c pass in log quick proto udp to {$IntIP4 $IP6} port ntp $FlushUDP%0a%3c pass in log quick proto udp to {$IP4 $IP6} port {isakmp ipsec-nat-t} $FlushUDP%0a%3c block in log quick proto udp to {$IP4 $IP6}%0a%3c block in log quick from urpf-failed%0a%3c match in log all scrub (no-df random-id max-mss 1440)%0a%3c @]%0a%3c %0a%3c We immediately block all packets from '''badhosts'''. We pass in all DNS UDP packets on the DDoS-filtered IPv4 and IPv6 subnet (but not the secret unfiltered IPv4 address). 
We pass in all NTP UDP packets for the unfiltered IPv4 address and IPv6 subnet, but not the DDoS-filtered IPv4 address because NTP packets get mangled by DDoS-filtering.%0a%3c %0a%3c '''WARNING''': Please follow the [[openbsd/ntpd|ntpd guide]] to set it up properly -- if you do not, your system's time will be wrong, causing all sorts of hard to troubleshoot problems like issues with [[openbsd/nsd|nsd]].%0a%3c %0a%3c [@%0a%3c pass in log quick on $ExtIf inet proto icmp icmp-type 8 code 0 $FlushUDP # icmp packets%0a%3c pass in log quick on $ExtIf inet proto icmp icmp-type 3 code 4 $FlushUDP # icmp needfrag%0a%3c (MTU)%0a%3c pass in log quick on $ExtIf proto ipv6-icmp $FlushUDP%0a%3c @]%0a%3c %0a%3c We allow in ICMP and ICMPv6 packets passing through our external interface. '''NOTE''': Do '''not''' block ICMP packets, or else strange and hard to diagnose problems can occur. For example, blocking ICMPv6 packets can interfere with proper IPv6 routing.%0a%3c %0a%3c [@%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port domain $Flush%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port auth $Flush%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port {smtp submission smtps imap imaps pop3 pop3s} $Flush%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port {gopher http https} $Flush%0a%3c pass in log quick proto tcp from %3cilines> to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } #irc%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } $Flush #irc%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port { 1314 13140 1337 31337 } $Flush #bnc%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port 29173 $Flush #wraith%0a%3c pass in log quick proto tcp to {$IP4 $IntIP4 $IP6} port ssh $FlushStrict%0a%3c @]%0a%3c %0a%3c We immediately pass in all TCP packets for the public IPv4 address and IPv6 subnet if it's for DNS (domain), ident (auth), sending mail (smtp submission smtps), reading mail (imap imaps pop3 pop3s), 
gopher, the web (http https).%0a%3c %0a%3c If the sender is present on our ilines, we pass in all IRC traffic without normal Flush limits. If not, we have normal Flush limits.%0a%3c %0a%3c We immediately pass in all TCP packets for the public IPv4 address and IPv6 subnet if it's headed for the bouncer or wraith.%0a%3c %0a%3c For ssh, we allow incoming packets to the secret, unfiltered IPv4 address and we apply more strict rules to prevent bruteforce attacks. The unfiltered IPv4 address will provide a [[openbsd/sshbackdoor|hidden backdoor]] to access the server in case of a DDoS attack.%0a%3c %0a%3c [@%0a%3c # road warrior vpn%0a%3c pass in log inet proto udp to {$IP4 $IP6} port {isakmp, ipsec-nat-t} tag IKED%0a%3c pass in log inet proto esp to {$IP4 $IP6} tag IKED%0a%3c pass log on enc0 inet tagged ROADW%0a%3c match out log on $ExtIf inet tagged ROADW nat-to $IP4%0a%3c match in log quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53%0a%3c @]%0a%3c %0a%3c This section is for IPSec VPNs using [[openbsd/iked|iked]].%0a%3c %0a%3c [@%0a%3c block in log all%0a%3c block out log on $IntIP4%0a%3c pass out quick from {$IP4 $IP6} # allow non-spoofed packets%0a%3c pass out quick proto tcp from $IntIP4 to port ssh%0a%3c pass out quick proto udp from $IntIP4 to port ntp%0a%3c pass out quick proto {udp tcp} from $IntIP4 to port {domain}%0a%3c pass out quick inet proto icmp from $IntIP4 # allow ICMP%0a%3c @]%0a%3c %0a%3c We block all incoming packets but '''not''' immediately. By default, if the '''quick''' keyword is missing, the last rule that matches applies to a packet. We then block all outgoing packets from the secret, unfiltered IPv4 address except whitelisted traffic for ssh, ntp, dns, and ICMP packets.%0a
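Review bot: the "!! Maintenance" section that this revision drops (the "> $ doas pfctl -t badhosts -T show" and "> $ doas pfctl -t badhosts -T flush" lines in the 106,115c109,112 through 126,128c120 hunks) is replaced by Troubleshooting and Comments text that never says how to inspect or clear the badhosts table; since the Flush and FlushStrict macros add any source that trips max-src-conn-rate to <badhosts> with "flush global", a legitimate user who is overloaded stays blocked until an operator removes the entry, so keep those two commands, for instance under the new Troubleshooting heading. Also, the bnc port list changes from "1314 21314 1337 31337" to "1314 13140 1337 31337" with no mention in the text; confirm that 13140 is the intended port rather than a transposition of 21314.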
host:1609332194=198.251.81.119
author:1609295962=jrmu
diff:1609295962:1609295341:=28c28%0a%3c pass in log quick proto udp to {$IntIP4 $IP6} port ntp $FlushUDP%0a---%0a> pass in log quick proto udp to {$IP4 $IP6} port ntp $FlushUDP%0a
host:1609295962=198.251.81.119
author:1609295341=jrmu
diff:1609295341:1609295194:=107,120d106%0a%3c @]%0a%3c %0a%3c !! Maintenance%0a%3c %0a%3c You should check to see who is on the badhosts table:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -t badhosts -T show%0a%3c @]%0a%3c %0a%3c Periodically, once a week perhaps, you should flush this table%0a%3c %0a%3c [@%0a%3c $ doas pfctl -t badhosts -T flush%0a
host:1609295341=198.251.81.119
author:1609295194=jrmu
diff:1609295194:1609294892:=19c19%0a%3c #set ruleset-optimization profile%0a---%0a> set ruleset-optimization profile%0a
host:1609295194=198.251.81.119
author:1609294892=jrmu
diff:1609294892:1609294892:=1,111d0%0a%3c (:title Sample PF for Stable:)%0a%3c %0a%3c Here's a sample /etc/pf.conf for stable servers (do '''NOT''' use this for shell servers):%0a%3c %0a%3c [@%0a%3c ExtIf = "vio0"%0a%3c IP4 = "10.0.0.1"%0a%3c IntIP4 = "192.168.0.1"%0a%3c IP6 = "2001:db8::/80"%0a%3c FlushUDP = "max-pkt-rate 10000/10 keep state (max 1000, source-track rule, max-src-nodes%0a%3c 200, max-src-states 200)"%0a%3c Flush = "keep state (max 1000, source-track rule, max-src-nodes 200, max-src-conn-rate 5%0a%3c 00/10 overload %3cbadhosts> flush global)"%0a%3c FlushStrict = "keep state (max 100, source-track rule, max-src-nodes 20, max-src-conn-ra%0a%3c te 50/10 overload %3cbadhosts> flush global)"%0a%3c %0a%3c set skip on lo0%0a%3c set loginterface $ExtIf%0a%3c set ruleset-optimization profile%0a%3c set syncookies adaptive (start 25%25, end 12%25)%0a%3c %0a%3c table %3cilines> persist file "/etc/pf/ilines"%0a%3c table %3cbadhosts> persist file "/etc/pf/badhosts"%0a%3c %0a%3c # udp and icmp%0a%3c block in log quick from %3cbadhosts>%0a%3c pass in log quick proto udp to {$IP4 $IP6} port domain $FlushUDP%0a%3c pass in log quick proto udp to {$IP4 $IP6} port ntp $FlushUDP%0a%3c pass in log quick proto udp to {$IP4 $IP6} port {isakmp ipsec-nat-t} $FlushUDP%0a%3c block in log quick proto udp to {$IP4 $IP6}%0a%3c block in log quick from urpf-failed%0a%3c match in log all scrub (no-df random-id max-mss 1440)%0a%3c pass in log quick on $ExtIf inet proto icmp icmp-type 8 code 0 $FlushUDP # icmp packets%0a%3c pass in log quick on $ExtIf inet proto icmp icmp-type 3 code 4 $FlushUDP # icmp needfrag%0a%3c (MTU)%0a%3c pass in log quick on $ExtIf proto ipv6-icmp $FlushUDP%0a%3c # tcp%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port domain $Flush%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port auth $Flush%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port {smtp submission smtps imap imaps pop3 p%0a%3c op3s} $Flush%0a%3c pass in log quick proto tcp to {$IP4 $IP6} 
port {gopher http https} $Flush%0a%3c pass in log quick proto tcp from %3cilines> to {$IP4 $IP6} port { 6660:6669 6697 6997 7000%0a%3c 9999 16667 16697 } #irc%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16%0a%3c 697 } $Flush #irc%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port { 1314 21314 1337 31337 } $Flush #bnc%0a%3c pass in log quick proto tcp to {$IP4 $IP6} port 29173 $Flush #wraith%0a%3c pass in log quick proto tcp to {$IP4 $IntIP4 $IP6} port ssh $FlushStrict%0a%3c %0a%3c # road warrior vpn%0a%3c pass in log inet proto udp to {$IP4 $IP6} port {isakmp, ipsec-nat-t} tag IKED%0a%3c pass in log inet proto esp to {$IP4 $IP6} tag IKED%0a%3c pass log on enc0 inet tagged ROADW%0a%3c match out log on $ExtIf inet tagged ROADW nat-to $IP4%0a%3c match in log quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53%0a%3c %0a%3c block in log all%0a%3c block out log on $IntIP4%0a%3c pass out quick from {$IP4 $IP6} # allow non-spoofed packets%0a%3c pass out quick proto tcp from $IntIP4 to port ssh%0a%3c pass out quick proto {udp tcp} from $IntIP4 to port {domain}%0a%3c pass out quick inet proto icmp from $IntIP4 # allow ICMP%0a%3c @]%0a%3c %0a%3c You will then need to create a folder:%0a%3c %0a%3c [@%0a%3c $ doas mkdir /etc/pf/%0a%3c @]%0a%3c %0a%3c Then, add the list of [[openbsd/ilines|ilines]] to /etc/pf/ilines.%0a%3c %0a%3c [@%0a%3c 198.251.89.130%0a%3c 198.251.83.183%0a%3c 209.141.39.184%0a%3c 209.141.39.228%0a%3c 198.251.84.240%0a%3c 198.251.80.229%0a%3c 198.251.81.119%0a%3c 209.141.39.173%0a%3c 198.251.89.91%0a%3c 198.251.81.44%0a%3c 209.141.38.137%0a%3c 198.251.81.133%0a%3c 2605:6400:0030:f8de::/64%0a%3c 2605:6400:0010:071b::/64%0a%3c 2605:6400:0020:0434::/64%0a%3c 2605:6400:0020:00b4::/64%0a%3c 2605:6400:0010:05bf::/64%0a%3c 2605:6400:0030:fc15::/64%0a%3c 2605:6400:0020:1290::/64%0a%3c 2605:6400:0020:0bb8::/64%0a%3c 2605:6400:0030:faa1::/64%0a%3c 2605:6400:0010:069d::/64%0a%3c 
2605:6400:0020:05cc::/64%0a%3c 2605:6400:0010:00fe::/64%0a%3c @]%0a%3c %0a%3c Afterwards, any badhosts can be added to /etc/pf/badhosts.%0a%3c %0a%3c To load the new configuration:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c !! See Also%0a%3c %0a%3c || [[openbsd/pf|PF Guide]] || [[openbsd/ddos|DDoS Filtering Guide]] || [[openbsd/tcpdump|tcpdump]] ||%0a\ No newline at end of file%0a
host:1609294892=198.251.81.119
IRCNow