Blame
| da4bd0 | Jason Tubnor | 2025-12-16 10:43:41 | 1 | # Server PF Boilerplate |
| 2 | ||||
| 3 | **Date:** 20251216 |
|||
| 4 | ||||
| 5 | **Scope:** |
|||
| 6 | ||||
| 7 | PF built into OpenBSD and FreeBSD can give protection to services running on a server. To avoid any performance penalties and where filtering is not required for specific services, this should deviate away from block all/allow to block known/restrict. In this configuration, users must be aware of the services they are running because accidentally exposed services will immediately be available on the wire. |
|||
| 8 | ||||
| 9 | **Instructions:** |
|||
| 10 | ||||
| 11 | On FreeBSD, enable pf and pflog (see below). PF on OpenBSD is on by default: |
|||
| 12 | ``` |
|||
| 13 | service pf enable && service pf start |
|||
| 14 | service pflog enable && service pflog start |
|||
| 15 | ``` |
|||
| 16 | Set up tables to include your management addresses. There should be no reason for adhoc connectivity to these hosts for management functions. Use tables instead of macros to reduce the rule set and speed up rule evaluation. While tables do use more memory, this is less of an issue these days, but the performance increase is noticeable on large rule sets: |
|||
| 17 | ``` |
|||
| 18 | table <mgmt_v6> persist { 2001:db8:dead:1::/64 } |
|||
| 19 | table <mgmt_v4> persist { 198.51.100.0/24 } |
|||
| 20 | ``` |
|||
| 21 | Not mandatory, but a lot of mirror maintainers have issues with not only AI bots but China Mobile. They will use mirrors or servers with large data sets outside of their network to shore up bandwidth ratios on their international transit providers. This is completely optional and depends on the audience you are trying to attract with the service: |
|||
| 22 | ``` |
|||
| 23 | table <china_mobile> persist { 111.0.0.0/10, 223.64.0.0/10, 2409:8000::/20 } # Problematic provider that uses your resources for ingress balance |
|||
| 24 | ``` |
|||
| 25 | Restrict IPv6 and IPv4 ICMP types to only what is necessary for the server to connect and provide health status: |
|||
| 26 | ``` |
|||
| 27 | icmp6_types="{ unreach, toobig, timex, paramprob, echoreq, echorep, routeradv, routersol, neighbradv, neighbrsol }" |
|||
| 28 | icmp4_types="{ unreach, timex, paramprob, echoreq }" |
|||
| 29 | ``` |
|||
| 30 | Loopback interfaces typically don't need protection or filtering. Set PF to skip this interface so it doesn't get included by any rule evaluation by accident: |
|||
| 31 | ``` |
|||
| 32 | set skip on lo |
|||
| 33 | ``` |
|||
| 34 | Block all known management services. Typically, set to *drop* for these services so they aren't visible and avoids detection in high-speed network scans. To reduce connection load and terminate connections if they don't match an evaluation rule, change rules from *drop* to *return*: |
|||
| 35 | ``` |
|||
| 36 | block drop in quick from <china_mobile> |
|||
| 37 | block drop in log proto tcp to port ssh |
|||
| 38 | block drop in log proto udp to port snmp |
|||
| 39 | block drop in proto icmp6 |
|||
| 40 | block drop in proto icmp |
|||
| 41 | ``` |
|||
| 42 | For the above management services, create rules for explicit access to these services: |
|||
| 43 | ``` |
|||
| 44 | ## ICMP |
|||
| 45 | pass inet6 proto icmp6 icmp6-type $icmp6_types |
|||
| 46 | pass inet proto icmp all icmp-type $icmp4_types |
|||
| 47 | ||||
| 48 | ## SSH |
|||
| 49 | pass in log inet6 proto tcp from <mgmt_v6> to port ssh |
|||
| 50 | pass in log proto tcp from <mgmt_v4> to port ssh |
|||
| 51 | ||||
| 52 | ## SNMP |
|||
| 53 | pass in log proto udp from <mgmt_v6> to port snmp |
|||
| 54 | ``` |
|||
| 55 | Once rule build is complete, validate the The changes: |
|||
| 56 | ``` |
|||
| 57 | pfctl -nf /etc/pf.conf |
|||
| 58 | ``` |
|||
| 59 | If there are no syntax errors, perform a load of the rules: |
|||
| 60 | ``` |
|||
| 61 | pfctl -f /etc/pf.conf |
|||
| 62 | ``` |
|||
| 63 | Build on the above rule set for service or site-specific requirements. Further details on traffic management can be found in the relevant in the [OpenBSD](https://man.openbsd.org/pf.conf) and [FreeBSD](https://man.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+15.0-RELEASE+and+Ports&arch=default&format=html) pf.conf man pages. |
|||
| 64 | ||||
| 65 | Complete /etc/pf.conf rule set: |
|||
| 66 | ``` |
|||
| 67 | table <mgmt_v6> persist { 2001:db8:dead:1::/64 } |
|||
| 68 | table <mgmt_v4> persist { 198.51.100.0/24 } |
|||
| 69 | table <china_mobile> persist { 111.0.0.0/10, 223.64.0.0/10, 2409:8000::/20 } # Problematic provider that uses your resources for ingress balance |
|||
| 70 | icmp6_types="{ unreach, toobig, timex, paramprob, echoreq, echorep, routeradv, routersol, neighbradv, neighbrsol }" |
|||
| 71 | icmp4_types="{ unreach, timex, paramprob, echoreq }" |
|||
| 72 | ||||
| 73 | set skip on lo |
|||
| 74 | ||||
| 75 | block drop in quick from <china_mobile> |
|||
| 76 | block drop in log proto tcp to port ssh |
|||
| 77 | block drop in log proto udp to port snmp |
|||
| 78 | block drop in proto icmp6 |
|||
| 79 | block drop in proto icmp |
|||
| 80 | ||||
| 81 | ## ICMP |
|||
| 82 | pass inet6 proto icmp6 icmp6-type $icmp6_types |
|||
| 83 | pass inet proto icmp all icmp-type $icmp4_types |
|||
| 84 | ||||
| 85 | ## SSH |
|||
| 86 | pass in log inet6 proto tcp from <mgmt_v6> to port ssh |
|||
| 87 | pass in log proto tcp from <mgmt_v4> to port ssh |
|||
| 88 | ||||
| 89 | ## SNMP |
|||
| 90 | pass in log proto udp from <mgmt_v6> to port snmp |
|||
| 91 | ``` |
|||
| 92 | ||||
| 93 | ==End of Document== |