You’ll see many articles discussing the various firewalls for BSD. FreeBSD comes with three, but I’ll lay out what I believe is the best FreeBSD firewall for a web server: pf.
I need a firewall that helps mitigate DDoS attacks, spoofing and fingerprinting, allows ports 80 and 443 as well as SSH, and is simple to test and configure.
PF handles all of that and is built into the FreeBSD kernel, so it’s quick to set up and test.
Run ifconfig to find out what your interface is named:
[bash]
bigkill# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0
        ether 00:2c:c1:f9:5s:d3
        inet 224.210.155.13 netmask 0xfffffff8 broadcast 224.210.155.253
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0
        inet 127.0.0.1 netmask 0xff000000
[/bash]
As you can see, the interface here is named re0. Substitute your own interface name for re0 in the configuration below and save it as /etc/pf.conf.
[bash]
### macro name for the external interface.
ext_if = "re0"

### options come first: pf.conf sections must appear in the order options,
### normalization, queueing, translation, filtering, or pfctl refuses to load
### the file. skip filtering on the loopback interface entirely so services
### talking to themselves over lo0 are never blocked by accident.
set skip on lo0

### all incoming traffic on the external interface is normalized and
### fragmented packets are reassembled.
scrub in on $ext_if all fragment reassemble

### set a default deny-everything policy.
block all

### antispoofing on the external interface (lo0 is already exempted above).
antispoof for $ext_if inet

### block anything coming from sources we have no route back to.
block in from no-route to any

### block packets that fail a reverse path check: look up the routing table
### and make sure the route back to the source leaves via the interface the
### packet came in on. if not, the source address is probably spoofed.
block in from urpf-failed to any

### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be reached from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### block probes that could determine our operating system by disallowing
### flag combinations commonly used by nmap, queso and xprobe2 to fingerprint
### the server. flags are written SET/MASK: of the flags listed in MASK,
### exactly those listed in SET must be on; flags outside MASK are ignored.
### * F : FIN – Finish; end of session
### * S : SYN – Synchronize; indicates request to start session
### * R : RST – Reset; drop a connection
### * P : PUSH – Push; packet is sent immediately
### * A : ACK – Acknowledgement
### * U : URG – Urgent
### * E : ECE – Explicit Congestion Notification Echo
### * W : CWR – Congestion Window Reduced
### FIN+URG+PUSH only ("xmas" probe)
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
### every flag set
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
### SYN+RST+ACK+FIN+URG
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
### no flags at all ("null" probe)
block in quick on $ext_if proto tcp flags /WEUAPRSF
### SYN and RST together
block in quick on $ext_if proto tcp flags SR/SR
### SYN and FIN together
block in quick on $ext_if proto tcp flags SF/SF

### keep state on any outbound tcp, udp or icmp traffic, and modulate the
### initial sequence number (isn) of outgoing packets: broken operating
### systems sometimes don’t randomize it, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### normally a client connects to the server, we handshake with it and then
### exchange data. by telling pf to proxy the handshake between the client
### and our server, tcp syn floods become ineffective, because a spoofed
### client cannot complete the handshake and the server never sees it.
### allow inbound ssh with synproxy handshaking. ssh listens on 1229 on
### this box, not 22.
pass in on $ext_if proto tcp from any to any port 1229 flags S/SA synproxy state
### allow inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port 443 flags S/SA synproxy state
[/bash]
To allow any other port, simply copy the last line and change the port number.
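The anti-fingerprinting rules above use pf’s SET/MASK flag notation, which is easy to misread. The following script is an added example, not part of the original article and not pf code: it re-implements the SET/MASK matching rule in plain sh and runs the six block rules over a handful of constructed flag sets, so you can see which probe shapes each rule catches and that ordinary traffic (a bare SYN, a SYN/ACK, a FIN/ACK) gets past all of them to the pass rules. It does not talk to pf at all.

```shell
#!/bin/sh
# Added illustration of pf's "flags SET/MASK" matching; not pf code and does
# not touch pf. A packet matches SET/MASK when, of the flags named in MASK,
# exactly those named in SET are on; flags outside MASK are ignored.
# Flag letters as in pf.conf(5): F S R P A U E W.

# has_flag FLAGS CHAR: succeed if CHAR occurs in FLAGS
has_flag() {
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# pf_flags_match SET/MASK PKTFLAGS: succeed if the packet's flags match the rule
pf_flags_match() {
  _set=${1%/*}
  _mask=${1#*/}
  _pkt=$2
  while [ -n "$_mask" ]; do
    _f=${_mask%"${_mask#?}"}   # first character of the remaining mask
    _mask=${_mask#?}
    if has_flag "$_set" "$_f"; then
      has_flag "$_pkt" "$_f" || return 1   # required by SET but off
    elif has_flag "$_pkt" "$_f"; then
      return 1                             # in MASK, not in SET, but on
    fi
  done
  return 0
}

# The six "block in quick ... proto tcp flags" rules from the ruleset, in order.
BLOCK_FLAG_RULES="FUP/WEUAPRSF WEUAPRSF/WEUAPRSF SRAFU/WEUAPRSF /WEUAPRSF SR/SR SF/SF"

# first_blocking_rule PKTFLAGS: print the first block rule the packet hits,
# or "none" if it gets past all six (the pass rules then decide its fate).
first_blocking_rule() {
  for _r in $BLOCK_FLAG_RULES; do
    if pf_flags_match "$_r" "$1"; then
      printf '%s\n' "$_r"
      return 0
    fi
  done
  printf 'none\n'
}

# Constructed sample flag sets: a normal SYN, SYN/ACK and FIN/ACK, then the
# probe shapes the rules target (xmas, null, SYN+FIN, SYN+RST, all flags).
for _sample in S SA FA FPU "" SF SR WEUAPRSF; do
  printf '%-9s -> %s\n' "${_sample:-(none)}" "$(first_blocking_rule "$_sample")"
done

# The pass rules use S/SA: only a bare SYN (ACK off) may create state.
pf_flags_match S/SA S  && echo "S  matches S/SA"
pf_flags_match S/SA SA || echo "SA does not match S/SA"
```

Reading the output against the ruleset: a bare SYN and the replies of a normal connection report `none`, while the null probe is caught by `/WEUAPRSF` and the xmas probe by `FUP/WEUAPRSF`, which is the behaviour the comments in the ruleset promise.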
Before starting PF, schedule a reboot for five minutes from now as a safety net: if the new rules lock you out of SSH, the system comes back up without them (PF is not yet enabled in /etc/rc.conf).
[bash]
shutdown -r +5
[/bash]
Now start PF and test it:
[bash]
/etc/rc.d/pf onestart
[/bash]
Now inspect the running configuration to see what you’ve got:
[bash]
pfctl -s all   ### list all the rules in effect along with the current state table and counters
[/bash]
If you’re happy with your PF firewall configuration for FreeBSD 8, make it apply at boot time by adding the following to /etc/rc.conf:
[bash]
pf_enable="YES"
pf_rules="/etc/pf.conf"
[/bash]
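The steps above (find the interface, edit the macro, arm a reboot, start PF, check, then confirm) fit in one script. The following is an added example and not part of the original article; it assumes a FreeBSD box with the ruleset saved as /etc/pf.conf with the `ext_if` macro on its own line, and that it is run as root. Beyond the article’s steps it adds a `pfctl -nf` syntax check before anything goes live, and the confirm step Rob asks for in the comments: a shutdown(8) scheduled for a future time detaches into the background, and FreeBSD cancels it by killing that process.

```shell
#!/bin/sh
# Added example, not from the article: load the ruleset with a timed safety net.
# Assumes FreeBSD, the ruleset saved as /etc/pf.conf (ext_if macro on its own
# line), and root privileges.
set -eu

PF_CONF=/etc/pf.conf
GRACE_MIN=5

# pick_ext_if: read ifconfig(8) output on stdin and print the first interface
# that is not the loopback and carries an IPv4 address.
pick_ext_if() {
  awk '
    /^[a-z]+[0-9]+:/                          { sub(":", "", $1); cur = $1 }
    $1 == "inet" && cur != "" && cur !~ /^lo/ { print cur; exit }
  '
}

# set_ext_if IFACE: rewrite the ext_if macro line of a pf.conf read on stdin.
set_ext_if() {
  sed "s/^ext_if *= *\"[^\"]*\"/ext_if = \"$1\"/"
}

# cancel_reboot: shutdown(8) detaches into the background when given a future
# time; FreeBSD cancels the pending reboot by killing that process.
cancel_reboot() {
  pkill -TERM -x shutdown && echo "pending reboot cancelled" \
    || echo "no pending shutdown found"
}

# apply_with_safety_net: fix up ext_if, syntax-check, arm the timer, load.
apply_with_safety_net() {
  iface=$(ifconfig | pick_ext_if)
  [ -n "$iface" ] || { echo "no external interface found" >&2; return 1; }
  set_ext_if "$iface" < "$PF_CONF" > "$PF_CONF.new"
  mv "$PF_CONF.new" "$PF_CONF"

  # -n parses without loading, so a typo or an out-of-order section fails
  # here instead of after the rules are live.
  pfctl -nf "$PF_CONF"

  # If the rules lock ssh out, the box reboots in GRACE_MIN minutes with pf
  # still disabled at boot (pf_enable is not in rc.conf yet).
  shutdown -r "+$GRACE_MIN" "pf test reboot"

  /etc/rc.d/pf onestart
  pfctl -s rules
  echo "open a second ssh session now; if it works, run: $0 confirm"
}

case "${1:-}" in
  apply)   apply_with_safety_net ;;
  confirm) cancel_reboot ;;
esac
```

Run it as `sh pf-apply.sh apply`, test SSH from a second window, then `sh pf-apply.sh confirm` to cancel the reboot; only after that add the two `pf_enable`/`pf_rules` lines to /etc/rc.conf.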
Rob says
Shouldn’t you add a step to cancel the reboot if the PF config is ok and they haven’t locked themselves out?
kurt says
shutdown -c
that will cancel it