tarballed
September 2nd, 2003, 17:25
Hey everyone!

Back in the pf forum again. :)

I was flipping through the PF FAQ today, getting ready to build my rules for my mail gateway on our DMZ. (Not in the DMZ yet, but will be.)

One thing I was curious about, but can't seem to find a straight answer on, is: do I need to set up NAT for this particular setup?

Reason I ask is, for the most part, I'm just going to set up PF to allow port 25 in (obviously), but that is about all I really need to allow in. The server has two interfaces, so I have some ideas on how to set up the server to be more secure...

For instance, I can set up one interface to only accept inbound email and then configure the second interface to only allow SSH connections from our intranet, correct?

Just thinking of ideas for my rules and how I can lock down this box. :)

Any suggestions? I'm reading the FAQ and solarflux's web page as I write this...

Former Member
September 2nd, 2003, 17:50
the last section of the pf guide addresses a scenario for a home/small office network, might be useful :)

For instance, I can setup one interface to only accept inbound email and then configure the second interface to only allow SSH connections from our intranet, correct?
I'm sure you can do this :)

If you have NAT on the machine connecting your DMZ to the network then no. If you have NAT enabled more than once in the network, then it begins to open security holes (I'm pretty sure about this, but only 70%).

I'm not too sure about any other features you could add to lock the box down, but I'd be interested to hear them.

tarballed
September 2nd, 2003, 18:21
As it is now, I've set up two rules with our current firewall:

First is an SMTP proxy rule that will forward any email coming into the firewall to our DMZ mail gateway.

The second rule is a smtp filter rule that will forward all email from our DMZ mail gateway to our internal mail server.

This is the way it has to be done with this particular firewall. I cannot get around it at all...

Tarballed

tarballed
September 2nd, 2003, 19:15
Tentative firewall rules for my Mail gateway...any suggestions?

[code]
# Define useful variables
ExtIF="fxp0" # External Interface
IntIF="fxp1" # Internal Interface (the name must match the $IntIF used below)
Loop="lo0" # loopback rules
table <NoRouteIPs> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
# a list of hosts has to be wrapped in braces so it expands into a valid list
sshHost="{ 192.168.1.90, 192.168.1.11 }"

# Clean up fragmented and abnormal packets
scrub in all

#loopback rules
pass in quick on $Loop


# don't allow anyone to spoof non-routeable addresses
block in log quick on $ExtIF from <NoRouteIPs> to any
block out log quick on $ExtIF from any to <NoRouteIPs>

# block NMAP stuff
block in log quick on $ExtIF inet proto tcp from any to any flags FUP/FUP
block in log quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
block in log quick on $ExtIF inet proto tcp from any to any flags /SFRA
block in log quick on $ExtIF inet proto tcp from any to any flags F/SFRA
block in log quick on $ExtIF inet proto tcp from any to any flags U/SFRAU
block in log quick on $ExtIF inet proto tcp from any to any flags P/P
block in log on $ExtIF all

#allow SSH from intranet
pass in on $IntIF inet proto tcp from $sshHost to any port = 22 keep state

# Allow mail
pass in log quick on $ExtIF proto tcp from any to any port = 25 keep state

# and let out-going traffic out and maintain state on established connections
block out on $ExtIF all
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp all keep state
[/code]

Like I said: Just need to allow port 25 in for mail, everything else is not necessary. I'm thinking of adding more stuff now, but how does this look?

Any tweaks anyone sees that I need?

Tarballed

Not sure I need the NMAP stuff since the firewall should block it at the front.

Tarballed

Former Member
September 2nd, 2003, 19:43
I'm just getting used to this pf syntax so apologies if I'm incorrect. Shouldn't you always block all and only explicitly allow what you wish?

Would be easier to update if you made a macro for tcp ports?

gotta go for a while, I'll have another read in a while :)

tarballed
September 2nd, 2003, 19:47
Updated rules: Still working on them:

[code]
# Define useful variables
ExtIF="fxp0" # External Interface
IntIF="fxp1" # Internal Interface
Loop="lo0" # loopback rules
# host lists need braces, and macro values have to be quoted strings
sshHost = "{ 192.168.1.90, 192.168.1.11 }"
services = "22"

table <NoRouteIPs> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# Clean up fragmented and abnormal packets
scrub in all

#loopback rules
pass in quick on $Loop

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ExtIF from <NoRouteIPs> to any
block out log quick on $ExtIF from any to <NoRouteIPs>

# block NMAP stuff
block in log quick on $ExtIF inet proto tcp from any to any flags FUP/FUP
block in log quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
block in log quick on $ExtIF inet proto tcp from any to any flags /SFRA
block in log quick on $ExtIF inet proto tcp from any to any flags F/SFRA
block in log quick on $ExtIF inet proto tcp from any to any flags U/SFRAU
block in log on $ExtIF all

# only allow our machines to connect via ssh
#pass in on $IntIF inet proto tcp from $sshHost to ($IntIF) port $services flags S/SA keep state

# Allow mail
pass in log quick on $ExtIF proto tcp from any to any port = 25 keep state

# and let out-going traffic out and maintain state on established connections
block out on $ExtIF all
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state
[/code]

What I'm trying to do is specify a rule that will allow me to SSH to the box on the second interface (fxp1)...but since fxp1 is undefined, it will not allow it.

I guess, what you do is specify a specific IP address on that interface correct?

How does the SMTP rule look btw? Look alright?

Tarballed

bsdjunkie
September 2nd, 2003, 19:55
may have messed up, just whipped it up quick...

[code]
ext_if = "fxp0"
int_if = "fxp1"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"

table <noroute> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

#options
set optimization aggressive
set loginterface $ext_if

scrub in all fragment reassemble

#default Deny all
block log all

#allow loopback traffic
pass quick on lo0 all

block in quick on $ext_if from <noroute> to any
block out quick on $ext_if from any to <noroute>

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state
# ssh: the port goes on the destination side (this box), not on the source
pass in on $int_if inet proto tcp from $int_if:network to ($int_if) port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
[/code]

tarballed
September 2nd, 2003, 19:56
I'm having a bugger of a time working with this SSH rule...

First, is this possible:

Server has two interfaces. Don't want SSH connections trying to connect to the external interface, only the internal interface. Basically, only accept connections from my intranet.

I keep getting an error on the syntax...

[code]
pass in on $IntIF inet proto tcp from $sshHost to any port = 22 keep stat
[/code]

That's the rule I'm attempting...not working...

Is this even possible?
Maybe I don't even need it?

Tarballed

bsdjunkie
September 2nd, 2003, 19:59
It should be "keep state", not keep stat. Though I'm not sure if that's just a typo here on the boards.

tarballed
September 2nd, 2003, 19:59
Uh, I don't even think I need an SSH rule if I'm only going to be accessing it from my intranet:

Just fired up my rules:

[code]
scrub in all fragment reassemble
pass in quick on lo0 all
block drop in log quick on fxp0 from <NoRouteIPs> to any
block drop out log quick on fxp0 from any to <NoRouteIPs>
block drop in log quick on fxp0 inet proto tcp all flags FPU/FPU
block drop in log quick on fxp0 inet proto tcp all flags FS/FSRA
block drop in log quick on fxp0 inet proto tcp all flags /FSRA
block drop in log quick on fxp0 inet proto tcp all flags F/FSRA
block drop in log quick on fxp0 inet proto tcp all flags U/FSRAU
block drop in log on fxp0 all
pass in log quick on fxp0 proto tcp from any to any port = smtp keep state
block drop out on fxp0 all
pass out on fxp0 inet proto tcp all flags S/SA keep state
pass out on fxp0 inet proto udp all keep state
pass out on fxp0 inet proto icmp all keep state
[/code]

And I can SSH to the box. :)

Have I missed anything? Been awhile since I've tweaked with PF rules. hehehe

bsdjunkie
September 2nd, 2003, 20:01
you don't have a default drop all, especially incoming.

tarballed
September 2nd, 2003, 20:04
you don't have a default drop all, especially incoming.

that's bad.... I sure missed that one :oops:

Give me a minute..post the new rulez :)

tarballed
September 2nd, 2003, 20:17
Updated:

[code]
scrub in all fragment reassemble
block drop log all
pass in quick on lo0 all
block drop in log quick on fxp0 from <NoRouteIPs> to any
block drop out log quick on fxp0 from any to <NoRouteIPs>
block drop in log on fxp0 all
pass in on fxp0 inet proto tcp from any to (fxp0) port = smtp flags S/FSRA keep state
# ssh: match the destination port on this box, not the client's source port
pass in on fxp1 inet proto tcp from 192.168.1.0/24 to any port = ssh flags S/FSRA keep state
pass in on fxp1 inet from 192.168.1.0/24 to any keep state
pass out on fxp1 inet from any to 192.168.1.0/24 keep state
pass out on fxp0 proto tcp all flags S/FSRA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state
[/code]

Thanks bsdjunkie...will play with these some more. I am going to lock down who can SSH from where on my intranet...

Seems to do the trick!

Tarballed

tarballed
September 9th, 2003, 17:09
Just something I wanted to ask. I was having problems getting email to be relayed when I turned on the PF rules...from looking at the logs as well as running a tcpdump, it appears that my default block rule was the culprit...

Log output:

[code]
Sep 9 13:09:20 blowfish postfix/smtpd[6149]: connect from corpmail.courtesy.com[192.168.1.166]
Sep 9 13:09:34 blowfish postfix/smtpd[6149]: 33957A6856: client=corpmail.courtesy.com[192.168.1.166]
Sep 9 13:09:51 blowfish postfix/cleanup[4156]: 33957A6856: message-id=<20030909200934.33957A6856@blowfish.courtesy.com>
Sep 9 13:09:51 blowfish postfix/qmgr[19289]: 33957A6856: from=<vangogh@san.rr.com>, size=448, nrcpt=1 (queue active)
Sep 9 13:09:51 blowfish postfix/smtp[16095]: connect to 192.168.1.165[192.168.1.165]: No route to host (port 25)
Sep 9 13:09:51 blowfish postfix/smtp[16095]: 33957A6856: to=<jwilliams@courtesy.com>, relay=none, delay=17, status=deferred (connect to 192.168.1.165[192.168.1.165]: No route to host)
Sep 9 13:09:53 blowfish postfix/smtpd[6149]: disconnect from corpmail.courtesy.com[192.168.1.166]
[/code]


After doing some reading around, a suggestion was to put my pass in rule for smtp above my default block rule like so:

[code]
scrub in all fragment reassemble
pass in on fxp0 inet proto tcp from any to (fxp0) port = smtp flags S/FSRA keep state
block drop log all
pass in quick on lo0 all
block drop in log quick on fxp0 from <NoRouteIPs> to any
block drop out log quick on fxp0 from any to <NoRouteIPs>
block drop in log quick on fxp0 inet proto tcp all flags FPU/FPU
block drop in log quick on fxp0 inet proto tcp all flags FS/FSRA
block drop in log quick on fxp0 inet proto tcp all flags /FSRA
block drop in log quick on fxp0 inet proto tcp all flags F/FSRA
block drop in log quick on fxp0 inet proto tcp all flags U/FSRAU
block drop in log on fxp0 all
# ssh: match the destination port on this box, not the client's source port
pass in on fxp1 inet proto tcp from 192.168.1.0/24 to any port = ssh flags S/FSRA keep state
pass in on fxp1 inet from 192.168.1.0/24 to any keep state
pass out on fxp1 inet from any to 192.168.1.0/24 keep state
pass out on fxp0 proto tcp all flags S/FSRA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state
[/code]

My question is, does this pose a security risk?
The problem I think I'm going to run into is the default spoof block is going to interfere with my internal network. I could be wrong, but watching the tcpdump as well as looking at the logs, PF was blocking the relays to my internal mail server...

Anyone have suggestions?

Tarballed
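
To see what the reordering in the post above actually does, here is a small Python model of pf's evaluation order. This is an added teaching example, not code from the thread or from OpenBSD: pf walks the whole rule list and applies the last matching rule, except that a matching `quick` rule ends evaluation immediately, and traffic that no rule matches is passed. The two rule lists are transcribed from the Sep 2 20:17 and Sep 9 rule sets (the NMAP flag rules are left out, since they never match the sample packets); the packet addresses, ports and interface assignments are constructed, and the model also checks the `port = ssh` placement used in bsdjunkie's draft and the later rule sets.

```python
"""Toy model of pf rule evaluation: pf walks the whole list and the LAST matching
rule wins, unless a matching 'quick' rule ends evaluation on the spot.  Added
teaching example, not code from the thread; the rule lists are transcribed from the
Sep 2 20:17 and Sep 9 posts (NMAP flag rules omitted: they never match the samples)
and every packet address is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str  # "in"/"out" relative to the pf host
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _in_nets(addr: str, nets: Optional[Sequence[str]]) -> bool:
    """None means 'any'; otherwise addr must fall inside one of the CIDRs."""
    if nets is None:
        return True
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)

@dataclass(frozen=True)
class Rule:
    text: str                        # the pf.conf line being modelled
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None = matches either direction / any value
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[Sequence[str]] = None
    sport: Optional[int] = None
    dst: Optional[Sequence[str]] = None
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction) and self.iface in (None, p.iface)
                and self.proto in (None, p.proto) and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and _in_nets(p.src, self.src) and _in_nets(p.dst, self.dst))

def evaluate(rules: Sequence[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, rule text) of the rule pf ends up applying."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:  # quick: stop here, later rules are not consulted
                break
    if winner is None:  # pf passes traffic that no rule matches
        return "pass", "(no matching rule: pf default is pass)"
    return winner.action, winner.text

NOROUTE = ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
INT_NET = ("192.168.1.0/24",)
SMTP_IN = Rule("pass in on fxp0 inet proto tcp from any to (fxp0) port = smtp",
               "pass", "in", "fxp0", "tcp", dport=25)
# As posted, 'from 192.168.1.0/24 port = ssh' constrains the SOURCE port ...
SSH_SRCPORT = Rule("pass in on fxp1 inet proto tcp from 192.168.1.0/24 port = ssh to any",
                   "pass", "in", "fxp1", "tcp", src=INT_NET, sport=22)
# ... whereas the intent is the destination port on this box.
SSH_DSTPORT = Rule("pass in on fxp1 inet proto tcp from 192.168.1.0/24 to any port = ssh",
                   "pass", "in", "fxp1", "tcp", src=INT_NET, dport=22)
DEFAULT_BLOCK = Rule("block drop log all", "block")
HEAD = [
    Rule("pass in quick on lo0 all", "pass", "in", "lo0", quick=True),
    Rule("block drop in log quick on fxp0 from <NoRouteIPs> to any", "block", "in", "fxp0", src=NOROUTE, quick=True),
    Rule("block drop out log quick on fxp0 from any to <NoRouteIPs>", "block", "out", "fxp0", dst=NOROUTE, quick=True),
    Rule("block drop in log on fxp0 all", "block", "in", "fxp0"),
]
TAIL = [
    SSH_SRCPORT,
    Rule("pass in on fxp1 inet from 192.168.1.0/24 to any", "pass", "in", "fxp1", src=INT_NET),
    Rule("pass out on fxp1 inet from any to 192.168.1.0/24", "pass", "out", "fxp1", dst=INT_NET),
    Rule("pass out on fxp0 proto tcp all", "pass", "out", "fxp0", "tcp"),
    Rule("pass out on fxp0 proto udp all", "pass", "out", "fxp0", "udp"),
    Rule("pass out on fxp0 proto icmp all", "pass", "out", "fxp0", "icmp"),
]
SEP2 = [DEFAULT_BLOCK] + HEAD + [SMTP_IN] + TAIL  # smtp pass sits after the fxp0 block
SEP9 = [SMTP_IN, DEFAULT_BLOCK] + HEAD + TAIL     # smtp pass moved above the default block

# Constructed packets; the public addresses are from the documentation ranges.
SMTP_FROM_INTERNET = Packet("in", "fxp0", "tcp", "203.0.113.5", 40000, "198.51.100.2", 25)
RELAY_OUT_FXP0 = Packet("out", "fxp0", "tcp", "198.51.100.2", 50000, "192.168.1.165", 25)
RELAY_OUT_FXP1 = Packet("out", "fxp1", "tcp", "192.168.1.200", 50000, "192.168.1.165", 25)
SSH_FROM_LAN = Packet("in", "fxp1", "tcp", "192.168.1.90", 51515, "192.168.1.200", 22)

if __name__ == "__main__":
    for name, pkt in [("smtp in on fxp0", SMTP_FROM_INTERNET), ("relay out fxp0", RELAY_OUT_FXP0),
                      ("relay out fxp1", RELAY_OUT_FXP1), ("ssh in on fxp1", SSH_FROM_LAN)]:
        print(f"{name:16} Sep 2: {evaluate(SEP2, pkt)}\n{'':16} Sep 9: {evaluate(SEP9, pkt)}")
```

Running it shows three things. In the Sep 2 order inbound smtp on fxp0 passes because the pass rule is the last match; in the Sep 9 order the later `block drop in log on fxp0 all` wins and smtp is blocked, so a pass rule moved above a block without `quick` is simply overridden rather than given priority. An outbound connection to 192.168.1.165 that leaves via fxp0 is dropped by the quick spoof rule in either order, which matches postfix reporting "No route to host" (the error pf hands back for a blocked outbound connect); the same connection leaving via fxp1 passes. And SSH from the LAN passes only through the catch-all `pass in on fxp1 inet from 192.168.1.0/24 to any`, because the ssh rule as written matches a client source port of 22, not the destination port.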

tarballed
September 30th, 2003, 19:55
Just thought I'd post my latest rules for pf. I kicked this around for awhile and finally got it to do what I wanted...working great right now.

[code]
# Define useful variables
ext_if="fxp0" # External Interface
int_if="fxp1"
int_net="192.168.1.0/24"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"

#Tables
# our own LAN (int_net) is excepted so the spoof rules don't block relays to the internal mail server
table <NoRouteIPs> { 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, !192.168.1.0/24 }
table <trusted> persist file "/etc/tables/trusted"

# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block in log on $ext_if all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from <trusted> to $int_if port $tcp_int_services keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
[/code]

So far, it's working like a charm. I'm happy. :D

Tarballed