Baseline pf.conf
To make PF start during system boot we need to modify /etc/rc.conf and change:
pf=NO   # Packet filter / NAT
to
pf=YES  # Packet filter / NAT
You will want to modify your /etc/pf.conf file. The capabilities of this file are well
beyond the scope of this tutorial. However, there are a lot of online resources, and
a book was recently published titled "The Book of PF" by Peter Hansteen, a great
resource to have on hand. A great introduction to PF can also be found at:
http://www.openbsd.org/faq/pf/
For this setup, here is a snippet of a baseline /etc/pf.conf file. It should help you
understand how we are treating the two bridges (with Snort) and running PF on the
network interface labeled dc1 (your network card's manufacturer may have a
different label for the interface).
Nicholas Pappas
60
© 2021 SANS Institute, Author Retains Full Rights
© SANS Institute 2008, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Network IDS & IPS Deployment Strategies
--start of snip--
#
# Simple pf.conf file
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
## MACROS
# inboard_int: The internal side of the external bridge
# Will be doing most of the filtering on this interface
inboard_int = dc1
# mgt_int: The NIC used for managing.
# Need to restrict as much as possible on this one.
mgt_int = sis0
# Other interfaces:
other_int = "{ dc0, dc2, dc3 }"
# Trusted IP's
trusted = "{ 192.168.1.0/24, 192.168.0.3 }"
notrust = "192.168.0.1/24"
# The internal trusted zone
internal_lan = "192.168.1.0/24"
# Outside the trusted zone && notrust zone
external_wan = "!192.168.0.0/23"
client_out = "{ ftp, ssh, 25, domain, pop3, auth, nntp, http, https, cvspserver, 993, \
               2628, 5999, 8000, 8080 }"
#################################################################
# TABLES
#################################################################
# Table of source addresses that tripped the overload limit in the filter rules.
# (The table name did not survive extraction of this page; <bruteforce> is an assumed name.)
table <bruteforce> persist
#################################################################
# Other
#################################################################
## Only filter on specific interfaces
set skip on $other_int
#################################################################
# FILTER RULES
#################################################################
# Default deny policy
block all
# Drop anything from addresses in the overload table before any pass rule is evaluated.
# (Table name lost in extraction; <bruteforce> is assumed.)
block quick from <bruteforce>
#################################################################
# Rules for the management interface
#################################################################
# Allow management protocols from trusted sources only, with source tracking:
# at most 20 concurrent connections per source and 10 new connections per 5 seconds;
# a source exceeding either limit is added to the table (assumed name <bruteforce>)
# and all of its existing states are flushed.
pass quick on $mgt_int inet proto { tcp, udp } from $trusted to any port \
    { ssh, domain, http, https } keep state (max-src-conn 20, max-src-conn-rate 10/5, \
    overload <bruteforce> flush global)
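The management-interface rule above relies on PF's source tracking, which is easy to misread: `max-src-conn` caps concurrent open states per source address, `max-src-conn-rate 10/5` caps new connections per source per 5-second window, and `overload <table> flush global` both adds the offending address to the table (which the `block quick from` rule then drops) and kills every state that address owns. The following Python model is an added example, not code from the paper or from OpenBSD; it replays a constructed connection timeline through those two limits so you can see which sources end up in the table. It models TCP connections that completed the handshake, since pf.conf(5) applies these options only to those, and the table name `<bruteforce>` is an assumed placeholder.

```python
"""Added example (not from the paper): a model of PF's source-tracking limits.

Models `keep state (max-src-conn 20, max-src-conn-rate 10/5,
overload <bruteforce> flush global)` for completed TCP connections. PF keeps,
per source address, the number of open states and the number of new
connections inside the rate window; exceeding either limit adds the source to
the overload table (assumed name <bruteforce>) and `flush global` removes all
of that source's states. The timeline in run_sample() is constructed.
"""
from collections import defaultdict, deque

MAX_SRC_CONN = 20                 # max-src-conn 20
RATE_LIMIT, RATE_WINDOW = 10, 5   # max-src-conn-rate 10/5: 10 new connections per 5 s


class SourceTracker:
    """Per-source counters as PF keeps them for a rule with source tracking."""

    def __init__(self, max_src_conn=MAX_SRC_CONN, rate=RATE_LIMIT, window=RATE_WINDOW):
        self.max_src_conn = max_src_conn
        self.rate = rate
        self.window = window
        self.active = defaultdict(set)    # src -> ids of open states
        self.recent = defaultdict(deque)  # src -> times of new connections in the window
        self.overload = set()             # addresses currently in the overload table

    def _overload(self, src):
        """Add src to the table and, as `flush global` does, drop all of its states."""
        self.overload.add(src)
        self.active.pop(src, None)
        self.recent.pop(src, None)

    def new_connection(self, t, src, conn_id):
        """Return True if PF would create a state for this connection, else False."""
        if src in self.overload:
            return False  # `block quick from <bruteforce>` matches before the pass rule
        window = self.recent[src]
        while window and t - window[0] >= self.window:
            window.popleft()  # forget connections older than the rate window
        window.append(t)
        self.active[src].add(conn_id)
        if len(window) > self.rate or len(self.active[src]) > self.max_src_conn:
            self._overload(src)
            return False
        return True

    def close_connection(self, src, conn_id):
        """A closed state no longer counts toward max-src-conn."""
        self.active[src].discard(conn_id)


def run_sample():
    """Replay a constructed timeline: one admin, one fast source, one slow connection hog."""
    tracker = SourceTracker()
    events = []
    # Admin host: five SSH sessions, one every 12 s. Never near either limit.
    for i in range(5):
        events.append((i * 12.0, "192.168.1.10", f"admin-{i}"))
    # Fast source: 12 new connections in 3 s. Trips max-src-conn-rate 10/5 on the 11th.
    for i in range(12):
        events.append((100.0 + i * 0.25, "192.168.0.3", f"fast-{i}"))
    # Slow source: one new connection per second, none closed. Stays under the
    # rate limit (5 per 5 s) but trips max-src-conn 20 on the 21st open state.
    for i in range(22):
        events.append((200.0 + i, "192.168.1.20", f"slow-{i}"))
    events.sort()
    counts = {"allowed": 0, "dropped": 0}
    for t, src, cid in events:
        counts["allowed" if tracker.new_connection(t, src, cid) else "dropped"] += 1
    return tracker, counts


if __name__ == "__main__":
    tracker, counts = run_sample()
    print(counts)                    # {'allowed': 35, 'dropped': 4}
    print(sorted(tracker.overload))  # ['192.168.0.3', '192.168.1.20']
```

The slow source is the case worth noticing: it never exceeds the rate limit, yet it still lands in the table because it holds too many open states, which is why both options are set on the rule. On a real system the table contents are what you would inspect after an alert, and an entry stays there until it is removed by hand or by an expiry you schedule, so a `persist` table needs that housekeeping planned.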