[Tor-BSD] OpenBSD pf rules...

George Rosamond george at ceetonetechnology.com
Wed Nov 26 16:28:42 EST 2014


Libertas:
> I'm very new to packet filters and firewalls, but I'm wondering how
> much security this really offers. I feel like allowing a large,
> dynamically updated list of outgoing ports probably doesn't do much as
> compared to just allowing everything. Can anyone give an example case
> in which this would help?

Some people think that's a "stupid question", but I think host-based
firewalls are something to consider the costs/benefits of.

The reality is that if a port isn't listening, then no one can connect
to it.  And if something is listening, it probably is serving something.

The starting point should always be, IMHO, to netstat or sockstat the
box.  Should every port that is listening or maintaining connections be
doing it?

There's a bunch of things that apply to pf and firewalls in general.
Here's a start...

1.  blocking what shouldn't be listening, assuming "block" is high up in
your ruleset.  I have a box where localhost was at 127.0.0... other than
.1.  Therefore, a hidden service wasn't hidden.

2.  effectively dropping traffic to listening ports you don't want, such
as bad synfin packets or, say, netblocks/IPs you don't want to connect.

3.  rate limiting connections, most commonly on SSHD, which also deals
with light-weight denial of service attacks (conscious or not).

4.  fancy stuff like opening a dynamic port like obfsproxy requires with
macros :)

I could continue, but that's a decent start.

g
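The four points above, written out as a single OpenBSD pf.conf.  This is an added example, not a ruleset from the post or from the Tor-BSD list; the interface group (egress), the SSH port, the obfsproxy port in the macro, the rate-limit numbers and the table names are all assumptions chosen for illustration.  The idea is the one the post describes: "block" sits at the top, so nothing that happens to be listening (on 127.0.0.x or anywhere else) is reachable from outside unless a later "pass in" rule names it; unwanted flag combinations and netblocks are dropped with "quick" before any pass rule can match; SSH gets per-source rate limiting with an overload table; and the obfsproxy port lives in a macro.

```pf
# Added example: minimal OpenBSD pf.conf for a Tor relay/hidden-service box.
# Interface group, ports, limits and table names are assumptions.

ext_if = "egress"          # interface group holding the default-route NIC
ssh_port = "22"
obfs_port = "4443"         # assumed: whatever port obfsproxy was told to listen on

table <bruteforce> persist
table <badnets> persist    # populate with: pfctl -t badnets -T add 203.0.113.0/24

set skip on lo0
set block-policy drop

# Point 1: block everything by default, high up in the ruleset.  pf is
# last-match-wins, so later "pass" rules open only what is named below.
# antispoof additionally drops packets that claim a loopback or local-net
# source address but arrive on the wrong interface.
block log all
antispoof quick for { lo0 $ext_if }

# Point 2: drop unwanted traffic to ports that do listen.
# flags FS/FS matches any segment with both SYN and FIN set ("synfin").
block in quick on $ext_if proto tcp flags FS/FS
block in quick on $ext_if from <badnets>
block in quick on $ext_if from <bruteforce>

# Point 3: rate-limit new SSH connections per source.  A source that opens
# more than 5 new connections in 30 seconds, or holds more than 10 at once,
# is added to <bruteforce> and all of its existing states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Point 4: the obfsproxy listener, with the port kept in one macro.
pass in on $ext_if proto tcp to ($ext_if) port $obfs_port

# The box itself may talk out; replies come back through the state table.
pass out on $ext_if from ($ext_if)
```

Before loading it, do the step the post puts first: `netstat -an -f inet` (or sockstat where you have it) and compare every LISTEN line against the pass rules; anything listening that has no pass rule is now reachable only from the box itself.  `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, and `pfctl -t bruteforce -T show` lets you watch the SSH rate limit fill the overload table.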

