On Mon, May 04, 2009 at 03:12:20PM -0300, Ricardo Augusto de Souza wrote:
> Thanks.
> I already know that documentation.
> I wish I could find documentation about this on PF:
>
>
> #___________________________________________________________________________
> # KERNEL protection
> #___________________________________________________________________________
> #Enable forwarding in kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward
On OpenBSD:

sysctl -w net.inet.ip.forwarding=1

(or put "net.inet.ip.forwarding=1" in /etc/sysctl.conf and reboot)

> #Disabling IP Spoofing attacks.
> if [ "$IPSEC" = "sim" ]
> then
>     for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>         echo 0 > $f
>     done
> else
>     for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>         echo 2 > $f
>     done
> fi

Equivalent would be a "block drop in quick from urpf-failed" rule in pf.conf.

> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

OpenBSD ignores these by default.

> #Block source routing
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route

This rule claims to block source routing, but it actually enables it. But assuming you actually want to disable source routing, there's nothing to do, because OpenBSD ignores these by default too (as they say, secure by default...)

> #Kill timestamps
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Are you sure you want to do this? You could use a "scrub reassemble tcp" rule in pf.conf, but I've had problems with even that. See the man page for details.

> #Enable SYN Cookies
> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies

That one's commented out for a reason. On the other hand, look up "synproxy" in the pf.conf man page for an OpenBSD alternative that's compatible with TCP window scaling.

> #Kill redirects
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects

Another rule that claims to do one thing in the comment, but actually does exactly the opposite. Assuming you *do* want to block redirects:

sysctl -w net.inet.ip.redirect=0

> #Enable bad error message protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

I don't know what this does.
> #Log martians (packets with impossible addresses)
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

There's no sysctl for this that I'm aware of, but you could add something like the following to your pf.conf (however, the urpf-failed rule should cover this already):

# TABLE SECTION #
table <martians> const { 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
    10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 0.0.0.0/8 }

# FILTER SECTION #
block drop in on $if_wan inet from <martians> to any
block return out on $if_wan inet from any to <martians>

> #Set our local port range
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

See the following sysctls:

net.inet.ip.portfirst
net.inet.ip.portlast
net.inet.ip.porthifirst
net.inet.ip.porthilast

> #Reduce DoS'ing ability by reducing timeouts
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack

See these sysctls:

net.inet.tcp.sack
net.inet.tcp.*

But as I said earlier, I wouldn't focus on precisely duplicating this firewall's logic; it looks problematic. It would be better to just come up with a fresh notion of what you want this firewall to achieve, and with that in mind, start over from scratch in PF.

-- 
Mark Shroyer
http://markshroyer.com/contact/
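The PF pieces the reply mentions (urpf-failed, the martians table, synproxy), pulled together into one pf.conf as an added example; this is not from the message above or from either poster. It assumes the WAN interface is em0 and that the box only needs SSH and HTTP reachable from outside; adjust both to your own setup.

```pf
# /etc/pf.conf -- added example, not from the thread
if_wan = "em0"                       # assumption: your external interface

# Source addresses that must never arrive from the Internet.
# 'const' means the table cannot be changed at runtime with pfctl -t.
table <martians> const { 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
    10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 0.0.0.0/8 }

set skip on lo                       # never filter loopback
set block-policy drop                # blocked packets are silently dropped

# Reverse-path check: PF's counterpart to Linux rp_filter. A packet whose
# source address is not routed back out the interface it came in on is dropped.
block drop in quick on $if_wan from urpf-failed label "urpf"

# Martians: refuse them on the way in and do not leak them on the way out
block drop in quick on $if_wan inet from <martians> to any
block return out quick on $if_wan inet from any to <martians>

# Default deny; 'log' sends a copy to pflog0 so tcpdump -i pflog0 shows drops
block log all

# Outbound traffic from the firewall itself, with state so replies return
pass out quick on $if_wan inet keep state

# SYN cookie replacement: PF completes the TCP handshake itself and only
# hands the connection to the service once the client has proven it is real.
# Unlike tcp_syncookies=1 on older Linux kernels, window scaling still works.
pass in on $if_wan inet proto tcp from any to ($if_wan) port { 22 80 } \
    flags S/SA synproxy state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the forwarding and redirect sysctls from the reply belong in /etc/sysctl.conf, not here.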