Need someone to review my pf.conf
Niklaas Baudet von Gersdorff
stdin at niklaas.eu
Tue Jun 7 06:28:59 UTC 2016
Goran Tepšić [2016-06-06 22:18 +0200] :
> Hi, I would like someone more skilled than me to glance over my pf.conf I
> compiled and possibly let me know if it can be secured/tightened further.
> Here's the conf: http://sprunge.us/fCLH
I'm not a professional, so take the following comments with a grain of
salt. Maybe they spur further discussions that will be helpful.
1. You can think about using security/sshguard-pf for further
protection.
2. You can think about using anchors for rules related to your jails.
This way you can add/remove rules when jails start/stop. See
http://www.openbsd.org/faq/pf/anchors.html, especially "Manipulating
Anchors".
3. It seems you have a mail server running. Take a look at mail/spamd.
I had issues using the greylisting feature for senders that use
multiple SMTP servers (Google, Amazon, etc.), so I decided to use
spamd for blocking only. Although there is some documentation in
the FreeBSD handbook, you should read the man pages because the
former doc seems old.
4. In general, it's not a good idea to pass out everything. Restrict it
to what you really need. In case one of your jails gets hijacked, it
will be more difficult to use it for, e.g., a botnet.
5. You disable IPv6, right?
6. It seems you rdr additional ports for SSH to your jails. I'm not sure
whether that is really necessary (depends on you). You can simply
administer the jails from your jail host with jexec(8).
Niklaas
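Points 2 and 4 above (a jail anchor and a restricted "pass out") put together in one ruleset, as an added illustration rather than the poster's pf.conf (which is only linked, not reproduced here). It assumes an external interface em0, jails on a private 192.0.2.0/24 network that the host NATs, and SSH plus SMTP as the host's only inbound services:

```pf
# Constructed example ruleset; interface, network and ports are assumptions.
ext_if        = "em0"
jail_net      = "192.0.2.0/24"
host_services = "{ ssh, smtp }"

# Sources that trip the connection-rate limit below land here.
table <bruteforce> persist

set skip on lo0

# Translation rules come before filter rules in pf.conf.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Default deny in both directions. A bare "pass out all" would let a
# hijacked jail reach anything on the Internet.
block all

# Inbound: only the host's own services, with a simple rate limit.
# (security/sshguard-pf can feed a similar table from auth logs.)
block in quick from <bruteforce>
pass in on $ext_if proto tcp to ($ext_if) port $host_services \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Outbound from the host itself: only what it actually needs.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port domain
pass out on $ext_if proto udp from ($ext_if) to any port ntp
pass out on $ext_if proto tcp from ($ext_if) to any port { http, https, smtp }
pass out on $ext_if inet proto icmp from ($ext_if) icmp-type echoreq

# Jail rules live in their own anchor, so a jail's start/stop hook can
# load or flush them without touching the main ruleset, e.g.
#   pfctl -a jails/www -f /etc/pf.jail-www.conf
#   pfctl -a jails/www -F rules
# The inline block below is the baseline every jail gets.
anchor "jails" {
    pass out on $ext_if proto { tcp, udp } from $jail_net to any port domain
    pass out on $ext_if proto tcp from $jail_net to any port { http, https }
}
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -a jails -sr` to see what the anchor currently holds.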