Dear bugs@openbsd,
I have been exploring OpenBSD as a replacement for some Linux servers
in my current work. So far, the journey has been very instructive and
pleasant for someone especially concerned with security. In the docs
and FAQs it is usually recommended to copy the sample config files at
/etc/examples and, most of the time, the default values are perfect!
I have to strongly disagree, though, with the example file for the
firewall service (/etc/examples/pf.conf). The relevant line is number
20:
pass # establish keep-state
As I experienced on my server, line 20 allows all incoming traffic!
I found this out after setting up a test web server, which I did not
want to be initially public, so I added the following to my
/etc/pf.conf file:
pass in on $ext proto tcp from $home to any port 80
# Where $ext is the public IP, and $home my home IP address.
I then started the web server, tested it from a location other than my
home, and found out it was ALSO accessible!
Anyway, I propose to change the example file to something more secure
by default like:
block return # block stateless traffic
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
# Allow ssh from any
pass in proto tcp from any to any port 22
Thank you for all your work, kind regards,
Pedro Bezunartea López.
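To see why the bare "pass" rule let the web server through, here is a small model of pf's rule evaluation, in which the last matching rule decides and an unmatched packet is passed by default. It is an added illustration, not code from the report or from OpenBSD; the HOME address and the two rulesets are constructed stand-ins for the report's $home and its two pf.conf variants.

```python
"""Toy model of pf's 'last matching rule wins' evaluation.

Constructed example; only the fields needed here are modelled
(action, direction, protocol, source address, destination port).
A rule field of None means 'any'.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out" or None (any)
    proto: Optional[str] = None       # "tcp", "udp" or None (any)
    src: Optional[str] = None         # source address or None (any)
    dport: Optional[int] = None       # destination port or None (any)

    def matches(self, pkt: dict) -> bool:
        return all(want is None or want == got for want, got in (
            (self.direction, pkt["direction"]),
            (self.proto, pkt["proto"]),
            (self.src, pkt["src"]),
            (self.dport, pkt["dport"]),
        ))


def evaluate(rules, pkt: dict) -> str:
    """Action of the last matching rule (no 'quick' modelled).
    If nothing matches, pf's implicit default is to pass."""
    verdict = "pass"
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
    return verdict


HOME = "203.0.113.7"   # constructed stand-in for $home

# Ruleset as in the report: the unqualified 'pass' matches every packet,
# so the more specific rule below it never restricts anything.
REPORTED = [Rule("pass"), Rule("pass", "in", "tcp", HOME, 80)]

# Proposed ruleset: default block, then explicit pass rules.
PROPOSED = [Rule("block"), Rule("pass", "in", "tcp", None, 22),
            Rule("pass", "in", "tcp", HOME, 80)]


def web_from(src: str, rules) -> str:
    """Verdict for an inbound TCP connection to port 80 from src."""
    return evaluate(rules, {"direction": "in", "proto": "tcp",
                            "src": src, "dport": 80})
```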