FreeBSD PF firewall (Packet Filter)

FreeBSD documentation: https://www.freebsd.org/doc/handbook/firewalls-pf.html

Reference page: https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-pf-on-freebsd-to-protect-a-web-server/

 

To test the firewall, the port settings of pure-ftpd and sshd_config need to be changed.

See the link below for installing pure-ftpd.

[ftp-server] Installing pure-ftpd on FreeBSD

 

Edit /etc/rc.conf

root@bsd11:~ # vi /etc/rc.conf

#PF setting
pf_enable="YES"
pflog_enable="YES"
pf_rules="/etc/pf.conf"
pflog_logfile="/var/log/pflog"


 

Create /etc/pf.conf

root@bsd11:~ # vi /etc/pf.conf
ext_if="em0"

set limit { states 80000, frags 5000 }
set block-policy drop        # blocked packets are dropped silently, no RST/ICMP reply
set skip on vnet1            # jail vnet interface, if present: skipped interfaces are not filtered at all
set skip on lo0              # loopback is never filtered
scrub in all                 # reassemble fragments and normalize incoming packets

antispoof for $ext_if        # drop packets whose source is em0's own network but that arrive on another interface
block in all
# "block out all" also stops connections the host itself opens (DNS, pkg, NTP, active-mode FTP data)
# unless a later "pass out" rule allows them; pf evaluates rules last-match-wins
block out all

table <bruteforce> persist
table <sshbruteforce> persist
table <ftp> persist          # no overload rule fills this table; entries are added by hand (pfctl -t ftp -T add)

# "quick" ends rule evaluation: sources in these tables are dropped before any pass rule is consulted
block in quick log proto tcp from <bruteforce> to port 80
block in quick log proto tcp from <sshbruteforce> to port 2424
block in quick log proto tcp from <ftp> to port 21

# FTP control channel and the passive data range (must match PassivePortRange in pure-ftpd.conf)
pass in log proto tcp from any to port 21 keep state
pass in log proto tcp from any to port 30000:50000 keep state

# SSH on port 2424: a source opening more than 10 new connections in 30 s is added to <sshbruteforce>,
# and "flush global" kills all of that source's existing states as well
pass in log on $ext_if proto tcp from any to $ext_if port 2424 \
        flags S/SA keep state \
        (max-src-conn-rate 10/30, overload <sshbruteforce> flush global)

# HTTP on port 80: synproxy completes the TCP handshake on the server's behalf, and the same rule
# carries the connection limits. Keep this as one rule: a separate "keep state" rule for port 80
# placed after it would be the last match and silently disable the synproxy.
pass in on $ext_if proto tcp from any to $ext_if port 80 \
        flags S/SA synproxy state \
        (max-src-conn 100, max-src-conn-rate 300/10, \
        overload <bruteforce> flush global)

 

Change sshd_config

root@bsd11:~ # vi /etc/ssh/sshd_config
#Port 22
Port 2424


Change pure-ftpd.conf

Uncomment PassivePortRange to enable it and set the port range to use; it must match the 30000:50000 range passed in pf.conf.

root@bsd11:~ # vi /usr/local/etc/pure-ftpd.conf

PassivePortRange             30000 50000

 

Reboot the system so that pf, sshd and pure-ftpd all start with the new settings

root@bsd11:~ # init 6

 

pf commands

pf config check

root@bsd11:~ # service pf check
Checking pf rules.

 

Check pf status

root@bsd11:~ # service pf status
Status: Enabled for 0 days 00:01:01           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                             227            3.7/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                227            3.7/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
root@bsd11:~ #
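The checks above only tell you that the rules parse and that pf is running. Day-to-day operation of this ruleset also means seeing which sources the overload rules have put into the tables, releasing a false positive, ageing out old entries, and reading the pflog. The following helper script is an added example and not from the original page; it assumes FreeBSD with pf and pflog enabled as in the rc.conf above and the table names from the pf.conf (bruteforce, sshbruteforce, ftp). The pflog summarizer works on the text that tcpdump prints from /var/log/pflog, and the sample lines at the bottom are constructed, not a capture from the page's host.

```shell
#!/bin/sh
# Added example (not from the original page): helper functions for operating the
# ruleset above. Assumes FreeBSD with pf and pflog enabled as in rc.conf, and the
# table names used in the page's pf.conf (bruteforce, sshbruteforce, ftp).
# Usage: . ./pfops.sh ; then call the functions as root.

# Parse the ruleset without loading it (what "service pf check" runs underneath).
pf_check() {
    pfctl -nf "${1:-/etc/pf.conf}"
}

# Reload the ruleset only if it parses; existing states survive a reload,
# so no reboot is needed after editing pf.conf.
pf_reload() {
    f="${1:-/etc/pf.conf}"
    pfctl -nf "$f" && pfctl -f "$f"
}

# List the loaded rules with their numbers; "rule N/0" in pflog output refers to these.
pf_rules() {
    pfctl -vvsr
}

# Show the addresses an overload rule has put into a table.
pf_table_show() {
    pfctl -t "$1" -T show
}

# Remove one address from a table (false positive) and kill its states so the
# unblock takes effect immediately rather than when the states time out.
pf_table_release() {
    pfctl -t "$1" -T delete "$2" && pfctl -k "$2"
}

# Age out table entries older than N seconds (default 1 h); run it from cron,
# otherwise a "persist" table keeps blocked sources until the next reboot.
pf_table_expire() {
    pfctl -t "$1" -T expire "${2:-3600}"
}

# Summarize blocked connections from pflog text read on stdin, as
# "<count> <source ip> <destination port>", busiest source first.
# Feed it:  tcpdump -n -e -ttt -r /var/log/pflog | pflog_top_blocked
# or live:  tcpdump -n -e -ttt -i pflog0 | pflog_top_blocked
pflog_top_blocked() {
    awk '
        /\(match\): block in/ {
            line = $0
            # strip everything up to "block in on em0: ", leaving "src.port > dst.port: ..."
            sub(/.*\(match\): block in on [^:]*: /, "", line)
            split(line, f, " ")
            src = f[1]; sub(/\.[0-9]+$/, "", src)        # drop the source port
            dst = f[3]; sub(/:$/, "", dst)
            n = split(dst, d, "."); port = d[n]           # last dotted field is the port
            count[src " " port]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample of "tcpdump -n -e -ttt -r /var/log/pflog" output for the
# summarizer (not a capture from the page's host). Passed packets are logged too
# because the pass rules carry "log", so the summarizer has to filter them out.
SAMPLE_PFLOG='00:00:00.000000 rule 8/0(match): block in on em0: 203.0.113.5.50001 > 192.168.0.40.2424: Flags [S], seq 1, win 65535, length 0
00:00:00.200000 rule 8/0(match): block in on em0: 203.0.113.5.50002 > 192.168.0.40.2424: Flags [S], seq 2, win 65535, length 0
00:00:00.150000 rule 8/0(match): block in on em0: 203.0.113.5.50003 > 192.168.0.40.2424: Flags [S], seq 3, win 65535, length 0
00:00:01.000000 rule 7/0(match): block in on em0: 198.51.100.9.40000 > 192.168.0.40.80: Flags [S], seq 4, win 65535, length 0
00:00:00.010000 rule 10/0(match): pass in on em0: 192.0.2.7.33000 > 192.168.0.40.21: Flags [S], seq 5, win 65535, length 0'

# Report from the sample: the SSH scanner on port 2424 tops the list, the passed FTP login is ignored.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_top_blocked
```

The functions that call pfctl must run as root on the FreeBSD host; only pflog_top_blocked is pure text processing and can be run anywhere on a saved pflog dump. A source that shows up in the summary but not in `pf_table_show sshbruteforce` is being blocked by a rule other than the table rule, which is what the rule number in the pflog line is for.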


Explanation of the pf.conf settings

(to be written later)


FreeBSD: renaming a NIC device

On a FreeBSD guest running under KVM the NIC name is vtnet0.

In a normal environment this is no problem, but when configuring PF and the like it is easy to confuse it with another virtual device. 🙂

Here is a quick way to rename vtnet0 to em0 (the pf.conf above refers to the interface as em0 and relies on this rename).

 

Before the change

root@bsd11:~ # ifconfig
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 52:54:00:c1:cb:84
        hwaddr 52:54:00:c1:cb:84
        inet 192.168.0.40 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
root@bsd11:~ #

 

Edit /etc/rc.conf and reboot the system

root@bsd11:~ # cat /etc/rc.conf
hostname="bsd11"
keymap="us.iso.kbd"
ifconfig_vtnet0_name="em0"
ifconfig_em0="inet 192.168.0.40 netmask 255.255.255.0"
root@bsd11:~ # init 6

ifconfig_vtnet0_name="em0"  // renames the vtnet0 device to em0
ifconfig_em0="inet 192.168.0.40 netmask 255.255.255.0"  // the address formerly configured on vtnet0 is now assigned to em0

 

After the change

root@bsd11:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 52:54:00:c1:cb:84
        hwaddr 52:54:00:c1:cb:84
        inet 192.168.0.40 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
root@bsd11:~ #