So, now we have some basis of a working system.
Time to think about protecting it: while the Internet is the place to be, it is also a rather hostile place, even more so when you sit in the middle of a well-known hosting company's address range.
So we get to play with the FreeBSD firewall: PF, as in Packet Filter.
The first thing is to set up a few rules in /etc/pf.conf:
```
pub="192.0.2.1"        # Host public IPv4 address
pub6="2001:db8:1::1"   # Host public IPv6 address
if="bge0"

# Rules must be in order: options, normalization, queueing, translation, filtering

# 1: options
set block-policy return
set skip on lo
scrub in
table <sshguard> persist

# 2: Normalization
# 3: Queueing
# 4: Translation ?

# 5: Filtering
# default outbound
pass out quick on $if from $pub to any
pass out quick on $if from $pub6 to any
# Filter brute-forcers
block in quick proto tcp from <sshguard>
block in log on $if
# ICMP v4/v6
pass in quick on $if inet proto icmp from any to any
pass in quick on $if inet6 proto ipv6-icmp from any to any
# DHCPv6
pass in quick on $if inet6 proto udp from any to bge0 port 546 keep state
# ssh/mosh on the host machine
pass in quick on $if proto tcp from any to $pub port ssh
pass in quick on $if proto udp from any to $pub port 60000:60100
pass in quick on $if proto tcp from any to $pub6 port ssh
pass in quick on $if proto udp from any to $pub6 port 60000:60100
```
Then a few lines in /etc/rc.conf are needed to activate the firewall automatically at boot:
```
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
```
Then it’s just a matter of starting the service as usual.
Whenever you need to update the pf ruleset, just edit /etc/pf.conf and then test it:
And update it with:
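Since pfctl rejects a ruleset whose sections are out of order, a pre-flight check can catch the most common editing mistakes before the live firewall is touched. The following is an added example, not code from the original post: a small Python linter that enforces the section order noted in the pf.conf comment above and flags macros used before they are defined or tables that are never defined, run against a constructed, trimmed copy of the ruleset.

```python
import re
# Constructed sample ruleset, a trimmed copy of the /etc/pf.conf above.
SAMPLE_RULESET = """
pub="192.0.2.1"   # Host public IPv4 address
if="bge0"
set block-policy return
scrub in
table <sshguard> persist
pass out quick on $if from $pub to any
block in quick proto tcp from <sshguard>
pass in quick on $if proto tcp from any to $pub port ssh
"""
# pfctl's mandatory section order; an earlier-section rule placed after a later one is rejected.
SECTIONS = ["options", "normalization", "queueing", "translation", "filtering"]
SECTION_OF = {"set": "options", "scrub": "normalization", "altq": "queueing",
              "queue": "queueing", "nat": "translation", "rdr": "translation",
              "binat": "translation", "nat-anchor": "translation", "rdr-anchor":
              "translation", "binat-anchor": "translation", "match": "filtering",
              "block": "filtering", "pass": "filtering", "antispoof": "filtering",
              "anchor": "filtering"}
MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"[^"]*"\s*$')
TABLE_DEF = re.compile(r"^table\s+<(\w+)>")

def lint_pf_conf(text):
    """Return problems: order violations, macros used before definition, undefined tables."""
    lines = [raw.split("#", 1)[0].strip() for raw in text.splitlines()]
    tables = {m.group(1) for m in map(TABLE_DEF.match, lines) if m}
    macros, highest, problems = set(), -1, []
    for lineno, line in enumerate(lines, 1):
        if not line or TABLE_DEF.match(line):
            continue  # blank, comment-only, or a table definition
        m = MACRO_DEF.match(line)
        if m:
            macros.add(m.group(1))  # macros must precede their first use
            continue
        section = SECTION_OF.get(line.split()[0])
        if section is None:
            problems.append(f"line {lineno}: unrecognised rule '{line}'")
            continue
        idx = SECTIONS.index(section)
        if idx < highest:
            problems.append(f"line {lineno}: {section} rule after {SECTIONS[highest]} rules (pfctl: 'Rules must be in order')")
        highest = max(highest, idx)
        for name in re.findall(r"\$(\w+)", line):
            if name not in macros:
                problems.append(f"line {lineno}: undefined macro ${name}")
        for name in re.findall(r"<(\w+)>", line):
            if name not in tables:
                problems.append(f"line {lineno}: undefined table <{name}>")
    return problems
```

This is a convenience check only; pfctl's own parse of the file remains the authority.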
Having a general firewall is good, but it could also be useful to do some automated log analysis and defense. For that you can use the same mollyguard tool as on a Linux system, or you can use sshguard, which has a native
The next step is simply activating the service in rc.conf, either by hand or by using
And starting up the service:
You can then look for sshguard messages in /var/log/messages and inspect the deny table using:
NB: whitelisting a few IP addresses in /usr/local/etc/sshguard.whitelist might be a good idea.