I have started to talk a bit more about PF in a broad sense. Over the course of my talks and general discussions it has been brought to my attention that people would like to see a sample pf.anchor. Well, I have posted a sample pf.anchor on my GitHub.
Please note that when you place the file inside /etc/pf.anchors you need to do the following for it to take effect:
- Create a com.yourcompany file within the pf.anchors folder (/etc/pf.anchors/com.yourcompany)
- Ensure pf.conf declares that anchor and has a matching load anchor line, so the anchors within pf.anchors are actually read
- TEST: parse the ruleset without loading it first (pfctl -nf /etc/pf.conf); only load it and enable pf once that comes back clean
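The three steps above as shell functions, plus the TEST step, as an added example that is not part of the original post or its GitHub sample. It assumes the anchor is named com.yourcompany, lives under /etc/pf.anchors, and is wired into the stock /etc/pf.conf; the wiring checks run on any POSIX shell, while pfctl(8) is only present on a pf host such as macOS.

```shell
#!/bin/sh
# Added example (not from the original post or its GitHub sample): the three
# steps as shell functions, plus the TEST step. Assumed names: anchor
# "com.yourcompany" under /etc/pf.anchors and the stock /etc/pf.conf.
# The wiring checks run on any POSIX shell; pfctl(8) is only on a pf host.

# Step 1: copy the rule file into the anchors folder as the named anchor.
# (chown root is left to the caller so this also works in a test sandbox.)
install_anchor() {
    src=$1; dir=$2; name=$3
    mkdir -p "$dir" && cp "$src" "$dir/$name" && chmod 644 "$dir/$name"
}

# Return 0 only when pf.conf both declares the anchor point and loads the
# rule file for it; either line missing means the rules never take effect.
anchor_wired() {
    conf=$1; name=$2
    grep -qxF "anchor \"$name\"" "$conf" || return 1
    grep -qxF "load anchor \"$name\" from \"/etc/pf.anchors/$name\"" "$conf"
}

# Step 2: append the declarations if absent. Idempotent, so it is safe to
# rerun if the stock file is ever restored. The anchor types mirror the
# com.apple block that the stock pf.conf already carries.
wire_anchor() {
    conf=$1; name=$2
    anchor_wired "$conf" "$name" && return 0
    cat >> "$conf" <<EOF
scrub-anchor "$name"
nat-anchor "$name"
rdr-anchor "$name"
dummynet-anchor "$name"
anchor "$name"
load anchor "$name" from "/etc/pf.anchors/$name"
EOF
}

# Step 3 (TEST): pfctl -nf parses the whole ruleset, anchors included,
# without loading it. Only on success load it and take an enable reference.
pf_test_and_load() {
    conf=$1
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; skipping load on this host" >&2
        return 0
    fi
    pfctl -nf "$conf" || return 1
    pfctl -f "$conf" && pfctl -E
}

# Typical run as root on the Mac being configured:
#   install_anchor ./com.yourcompany /etc/pf.anchors com.yourcompany
#   wire_anchor /etc/pf.conf com.yourcompany
#   pf_test_and_load /etc/pf.conf
```

The parse-only pass matters because a syntax error anywhere in an anchor file makes pfctl reject the whole ruleset, and with pf already enabled that leaves the previously loaded rules in place rather than the ones you think you just deployed.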
Here are samples of both the pf.conf and pf.anchor files along with the link to GitHub. Happy Trails
#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition
# to the anchors loaded by this file, some system services dynamically
# insert anchors into the main ruleset. These anchors are added only when
# the system service is used and are removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
#
# com.jason anchor point (your own rules; the anchor file follows below)
#
scrub-anchor "com.jason"
nat-anchor "com.jason"
rdr-anchor "com.jason"
dummynet-anchor "com.jason"
anchor "com.jason"
load anchor "com.jason" from "/etc/pf.anchors/com.jason"
This is the anchor file itself, /etc/pf.anchors/com.jason in the sample above, which pf.conf pulls in through its load anchor line:
#Macros
tcp_services = "{ rfb }"
casper_ssh = "{ ssh }"
casper_filerep = "{ 443 }"
casper_comms = "{ 8443 }"
udp_services = "{ rfb }"
icmp_types = "{ echorep, echoreq, timex, unreach }"
#Tables
#list out hosts to allow for whitelisting of "our" services
#table <block_hosts> persist
#table <dont_log_block_host> persist
#table <private> const { 10/8 172.16/12 192.168/16 224/8 }
#table <martians> const { 127/8 10/8 172.16/12 192.168/16 169.254/16 240/4 0/8 192.0.2.0/24 }
#192.0.2.0/24 is TEST-NET-1 (RFC 5737)
#Cyber Security Scanners
#Placeholder addresses (some octets exceed 255); replace them with real scanner ranges before enabling.
#Every continuation line must stay commented out together with the table line, or pf will fail to parse the file.
#table <whitelist_host> persist { \
#129.8.64.0/24 \
#150.342.46.291/27 \
#}
#Your Services
#Placeholder addresses again; several octets exceed 255, so replace every entry before uncommenting.
#table <yourhosts> persist { 821.6.14.24 123.4.5.987 198.33.45.11 128.4.98.103 198.7.128.193 100.3.28.14}
# 821.6.14.24 \ #Casper Server
# 123.4.5.987 \ #Bigfix production service
# 198.33.45.11 \ #Test server for Casper infrastructure
# 128.4.98.103 \ #jFuture management server
# 198.7.128.193 \ #Casper Software Repo
# 100.3.28.141 \ #Future management server
#table <bigfix> persist { 123.4.5.987 }
#these are added in if we need to allow SSH via OTP on a client device.
#table <otp> const { 281.4.56.43 }
#Note: pf macro names may only contain letters, digits and underscores, so the two
#names below must be renamed (e.g. ssh_server_corp) before they can be used.
#ssh.server.corp = 113.56.78.987
#otp.example.corp = 281.4.56.43
#Rules Created by "You"
#disable all filtering on loopback, possible Vmware nets
set skip on {lo,vmnet}
#block all inbound traffic
block in log all
#allow in the tcp and udp services from your hosts
#pass in log proto tcp from <yourhosts> to port $tcp_services
#pass in log proto udp from <yourhosts> to port $udp_services
#$bigfix_udp is not defined in the Macros section above; define it before enabling the next rule
#pass in log proto udp from <bigfix> to port $bigfix_udp
#pass in log quick proto tcp from <otp> to port $casper_ssh
#pass in log quick proto udp from <otp> to port $casper_ssh
#pass in log proto tcp from <yourhosts> to port $casper_ssh
#pass in log proto udp from <yourhosts> to port $casper_ssh
#pass in log proto tcp from any to port $casper_comms
#pass in log proto tcp from <yourhosts> to port $casper_filerep
#Allow whitelist hosts
#pass in log from <whitelist_host> to any
#Allow Your Service hosts
#pass in log from <yourhosts> to any
#Allow control traffic from LBL router
#pass in proto igmp from router_ip_here allow-opts
#ICMP traffic allowed to be passed in
pass in log inet proto icmp icmp-type $icmp_types
#We specified the address family 'inet' because pf requires it when specifying an icmp type
#Trust all outbound
pass out all keep state
#James keeps these in his pf.conf files so that this traffic is not logged: pf is last-match-wins, so these later
#block rules without 'log' override 'block in log all' for these ports and drop the noise silently.
#They can be taken out if necessary.
block in proto { tcp, udp } to port { 137:139, 17500 } #NetBIOS and Dropbox LAN sync
block in proto { tcp, udp } to port 631 #ipp - printers
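As an added example that is not part of the original post, here is a small pre-flight lint for an anchor file like the one above. It flags three mistakes that make pfctl reject the whole file: a $macro used in an active rule but never defined (as $bigfix_udp would be if its rule were enabled), table continuation lines left active when the table line that opens them is commented out, and IPv4 addresses with an octet above 255 (the placeholder addresses in the sample). pfctl -nf reports the same errors on a pf host; this version needs only POSIX awk, so it can run wherever the file is packaged. The function names and the sample lines in the usage comment are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): lint a pf anchor file for
# three errors pfctl would reject, using only POSIX sh and awk.

# Print each $macro that an active (uncommented) line uses but no
# "name = ..." line defines. Names are letters, digits and underscores.
undefined_macros() {
    awk '
        /^[ \t]*#/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { sub(/[ \t]*=.*/, ""); def[$0] = 1; next }
        {
            line = $0
            while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                m = substr(line, RSTART + 1, RLENGTH - 1)
                if (!(m in def) && !(m in seen)) { seen[m] = 1; print m }
                line = substr(line, RSTART + RLENGTH)
            }
        }' "$1"
}

# Print active lines that are just an address or network (with an optional
# trailing backslash) while no active "{" is open: a continuation line whose
# opening table line was commented out, which pf cannot parse on its own.
stray_continuations() {
    awk '
        /^[ \t]*#/ { next }
        {
            if (depth == 0 && $0 ~ /^[ \t]*[0-9a-fA-F.:\/]+[ \t]*\\?[ \t]*$/)
                print NR ": " $0
            opens = gsub(/\{/, "{"); closes = gsub(/\}/, "}")
            depth += opens - closes
        }' "$1"
}

# Print active dotted quads with any octet above 255 (placeholders such as
# 150.342.46.291 are not addresses and pfctl refuses them).
bad_ipv4() {
    awk '
        /^[ \t]*#/ { next }
        {
            line = $0
            while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr(line, RSTART, RLENGTH); split(ip, o, ".")
                for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) { print NR ": " ip; break }
                line = substr(line, RSTART + RLENGTH)
            }
        }' "$1"
}

# Run all three checks; exit status 0 only when the file is clean.
lint_anchor() {
    f=$1; rc=0
    u=$(undefined_macros "$f")
    [ -n "$u" ] && { echo "undefined macros:"; echo "$u"; rc=1; }
    s=$(stray_continuations "$f")
    [ -n "$s" ] && { echo "stray continuation lines:"; echo "$s"; rc=1; }
    b=$(bad_ipv4 "$f")
    [ -n "$b" ] && { echo "invalid IPv4 octets:"; echo "$b"; rc=1; }
    return $rc
}

# Usage (constructed sample): lint_anchor /etc/pf.anchors/com.jason && echo clean
```

Run it before pfctl -nf, or on a host that has no pf at all; the checks are deliberately narrow, so a clean result is not a substitute for the parse-only pass, but a failure here is always a real problem.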