[nycbug-talk] Help for pf on FreeBSD running Snort

Kevin Reiter tux at penguinnetwerx.net
Fri Jun 29 11:06:23 EDT 2007

Hey all,

I'm hoping someone on the list can help with this.  I have a box running
FreeBSD 6.2-Release, which I'm using as a Snort sensor/database.  I have 2
NICs on the box, bge0 for sniffing traffic, and fxp0 for management
access.  Both cards on are different subnets/vlans.

What I need to do is allow bge0 to listen to everything ("sniff"), and
only allow traffic to 22,80, and 443 on fxp0.  The catch is a MySQL
database running locally, so I don't want 3306 exposed on bge0.  Does this
make sense?

Does anyone know how I could configure pf.conf for this?  I'm currently
reading through "Building Firewalls with OpenBSD and PF" 2nd ed. by Jack
Artymiak, and it's been extremely helpful to date, but this isn't a
typical scenario, and I'm pretty much lost.

Here's what ifconfig shows (notice nothing is in promisc mode - bge0
should be):

root at snort01 [~]# ifconfig
        inet netmask 0xffffff00 broadcast
        ether 00:10:18:27:fe:12
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        inet netmask 0xffffff00 broadcast
        ether 00:0e:0c:59:e7:44
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet netmask 0xff000000
pflog0: flags=0<> mtu 33208

Here's my somewhat sanitized pf.conf I'm currently using:

# $FreeBSD: /etc/pf.conf,v 1.2 2007/01/16 10:31:20 kreiter Exp $

# Just put this in this morning, haven't done anything with it yet..
#mgmt_if="fxp0"  # replace with actual internal interface name i.e., dc1

# Define some tables
table <admins> const {list of admin subnets and IPs}
table <ssh> const {list of admin subnets and IPs}

# Normalization: reassemble fragments and resolve or reduce traffic
scrub in all

# Allow everything on the local loopback:
set skip on lo0

# Filtering: the implicit first two rules are
block log all
pass out keep state

# Allow the Snort interface to listen to everything:
pass in all on bge0 # <- I have to rewrite this, since it's wrong

# Admins have all the phun:
pass in proto tcp from <admins> to any keep state

# Only allow people on the admin subnet to connect via SSH/SCP/sFTP:
pass in proto tcp from <ssh> to port 22 keep state

# Allow SSH and rsync from admins (might be redundant, but...):
pass in proto tcp from <admins> to any port { 22,80,443 } keep state

# Block access to MySQL on everything:
# (this should work, haven't tested it yet)
# Since I want to allow everything inbound on bge0, I
# don't want anything sneaking in..
deny in proto tcp from any to port 3306

# Allow ICMP echo requests:
pass out inet proto icmp all icmp-type 8 code 0 keep state
pass in inet proto icmp all icmp-type 8 code 0 keep state


More information about the talk mailing list