pf.anchor

I have started to talk a bit more about PF in a broad sense. Over the course of my talks or general discussion it has been brought to my attention that people would like to see a sample pf.anchor. Well I have posted on my github a sample of pf.anchor.

Please not that when you place the file inside of pf.anchor you will do some following items in order for it to be successful

  1. Create a com.yourcompany within the pf.anchors folder
  2. Ensure the pf.conf file is set to read all the anchors within pf.anchors
  3. TEST

Here are the samples of both the pf.conf and pf.anchor files along with the link to Github. Happy Trails
#Default PF configuration file.
#

# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically 
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

scrub-anchor "com.jason"
nat-anchor "com.jason"
rdr-anchor "com.jason"
dummynet-anchor "com.jason"
anchor "com.jason"
load anchor "com.jason" from "/etc/pf.anchors/com.jason"

This is the beginning of the pf.anchor file, which is read by pf.conf

#Macros
tcp_services = "{ rfb }"
casper_ssh = "{ ssh }"
casper_filerep = "{ 443 }"
casper_comms = "{ 8443 }"
udp_services = "{ rfb }"
icmp_types = "{ echorep, echoreq, timex, unreach }"

#Tables
#list out hosts to allow for whitelisting of "our" services

#table <block_hosts> persist
#table <dont_log_block_host> persist
#table <private> const { 10/8 172.16/12 192.168/16 224/8 }
#table <martians> const { 127/8 10/8 172.16/12 192.168/16 169.254/16 240/4 0/8 192.2.0.2/24 }

#Cyber Security Scanners
#table <whitelist_host> persist { \
        129.8.64.0/24 \
        150.342.46.291/27 \
#}

#Your Services
#table <yourhosts> persist { 821.6.14.24 123.4.5.987 198.33.45.11 128.4.98.103 198.7.128.193 100.3.28.14}
#           821.6.14.24      \ #Casper Server
#        123.4.5.987      \ #Bigfix production service
#        198.33.45.11        \ #Test server for Casper infrastructure
#        128.4.98.103       \ #jFuture management server
#        198.7.128.193       \ #Casper Software Repo
#        100.3.28.141       \ #Future management server

#table <bigfix> persist { 123.4.5.987  }

#these are added in if we need to allow SSH via OTP on a client device. 
#table <otp> const { 281.4.56.43 }      

#ssh.server.corp = 113.56.78.987
#otp.example.corp = 281.4.56.43

#Rules Created by "You"

#disable all filtering on loopback, possible Vmware nets
set skip on {lo,vmnet}

#block all inbound traffic
block in log all

#allow out the tcp and udp traffic
#pass in log proto tcp from <yourhosts> to port $tcp_services 
#pass in log proto udp from <yourhosts> to port $udp_services
#pass in log proto udp from <bigfix> to port $bigfix_udp 
#pass in log quick proto tcp from <otp> to port $casper_ssh
#pass in log quick proto udp from <otp> to port $casper_ssh
#pass in log proto tcp from <yourhosts> to port $casper_ssh
#pass in log proto udp from <yourhosts> to port $casper_ssh
#pass in log proto tcp from any to port $casper_comms
#pass in log proto tcp from <yourhosts> to port $casper_filerep

#Allow whitelist hosts
#pass in log from <whitelist_host> to any

#Allow Your Service hosts
#pass in log from <yourhosts> to any

#Allow control traffic from LBL router
#pass in proto igmp from router_ip_here allow-opts

#ICMP traffic allowed to be passed in
pass in log inet proto icmp icmp-type $icmp_types
#We specified the address family 'inet' because it is required by pf when specifing icmp type

#Trust all outbound
pass out all keep state

#James has these in his pf.conf files to do not log these, but we can take them out if necessary     
block in proto { tcp, udp } to port { 137:139, 17500 }
block in proto { tcp, udp } to port 631 #ipp - printers