@jas-
Last active March 1, 2022 12:57
FreeBSD jail w/ services

myprint.scl.utah.edu

The myprint service handles wireless printing for the MLIB PC labs. FreeBSD is the operating system that was chosen for this service primarily for its security features.

Details on the current configuration of myprint.scl.utah.edu (as of 07/12/2013) can be found below.

Host OS configuration

This first section details the configuration applied to the kernel; the NAT and traffic forwarding into the jailed environment (which sits on a non-routable network); the IPFW rules that filter incoming and outgoing traffic to specific subnets and targets; and the OS, jail and TCP stack hardening options set in /etc/sysctl.conf.

Kernel

Most options and device drivers are disabled by default, a minimalist approach intended to limit what is available to an attacker in the event of a compromise.

/usr/src/sys/i386/conf/CUSTOM

Details of the kernel configuration

# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: release/9.0.0/sys/i386/conf/GENERIC 227305 2011-11-07 13:40:54Z marius $

cpu             I486_CPU
cpu             I586_CPU
cpu             I686_CPU
ident           GENERIC

#makeoptions    DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
#options        INET6                   # IPv6 communications protocols
#options        SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         MD_ROOT                 # MD is a potential root device
#options        NFSCL                   # New Network Filesystem Client
#options        NFSD                    # New Network Filesystem Server
#options        NFSLOCKD                # Network Lock Manager
#options        NFS_ROOT                # NFS usable as /, requires NFSCL
#options        MSDOSFS                 # MSDOS Filesystem
#options        CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
#options        COMPAT_FREEBSD4         # Compatible with FreeBSD4
#options        COMPAT_FREEBSD5         # Compatible with FreeBSD5
#options        COMPAT_FREEBSD6         # Compatible with FreeBSD6
#options        COMPAT_FREEBSD7         # Compatible with FreeBSD7
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
#options        KTRACE                  # ktrace(1) support
#options        STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         AUDIT                   # Security event auditing
options         MAC                     # TrustedBSD MAC Framework
#options        KDTRACE_HOOKS           # Kernel DTrace hooks
#options        INCLUDE_CONFIG_FILE     # Include this file in kernel
#options        KDB                     # Kernel debugger related code
#options        KDB_TRACE               # Print a stack trace for a panic

# To make an SMP kernel, the next two lines are needed
options         SMP                     # Symmetric MultiProcessor Kernel
device          apic                    # I/O APIC

# CPU frequency control
device          cpufreq

# Bus support.
device          acpi
device          eisa
device          pci

# Floppy drives
#device         fdc

# ATA controllers
device          ahci            # AHCI-compatible SATA controllers
device          ata             # Legacy ATA/SATA controllers
options         ATA_CAM         # Handle legacy controllers with CAM
options         ATA_STATIC_ID   # Static device numbering
device          mvs             # Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
device          siis            # SiliconImage SiI3124/SiI3132/SiI3531 SATA

# SCSI Controllers
device          ahb             # EISA AHA1742 family
device          ahc             # AHA2940 and onboard AIC7xxx devices
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~128k to driver.
device          ahd             # AHA39320/29320 and onboard AIC79xx devices
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~215k to driver.
device          esp             # AMD Am53C974 (Tekram DC-390(T))
device          hptiop          # Highpoint RocketRaid 3xxx series
device          isp             # Qlogic family
#device         ispfw           # Firmware for QLogic HBAs- normally a module
device          mpt             # LSI-Logic MPT-Fusion
#device         ncr             # NCR/Symbios Logic
device          sym             # NCR/Symbios Logic (newer chipsets + those of `ncr')
device          trm             # Tekram DC395U/UW/F DC315U adapters

device          adv             # Advansys SCSI adapters
device          adw             # Advansys wide SCSI adapters
device          aha             # Adaptec 154x SCSI adapters
device          aic             # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
device          bt              # Buslogic/Mylex MultiMaster SCSI adapters

device          ncv             # NCR 53C500
device          nsp             # Workbit Ninja SCSI-3
device          stg             # TMC 18C30/18C50

# ATA/SCSI peripherals
device          scbus           # SCSI bus (required for ATA/SCSI)
device          ch              # SCSI media changers
device          da              # Direct Access (disks)
device          sa              # Sequential Access (tape etc)
device          cd              # CD
device          pass            # Passthrough device (direct ATA/SCSI access)
device          ses             # SCSI Environmental Services (and SAF-TE)

# RAID controllers interfaced to the SCSI subsystem
device          amr             # AMI MegaRAID
device          arcmsr          # Areca SATA II RAID
device          asr             # DPT SmartRAID V, VI and Adaptec SCSI RAID
device          ciss            # Compaq Smart RAID 5*
device          dpt             # DPT Smartcache III, IV - See NOTES for options
device          hptmv           # Highpoint RocketRAID 182x
device          hptrr           # Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
device          iir             # Intel Integrated RAID
device          ips             # IBM (Adaptec) ServeRAID
device          mly             # Mylex AcceleRAID/eXtremeRAID
device          twa             # 3ware 9000 series PATA/SATA RAID
device          tws             # LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller

# RAID controllers
device          aac             # Adaptec FSA RAID
device          aacp            # SCSI passthrough for aac (requires CAM)
device          ida             # Compaq Smart RAID
device          mfi             # LSI MegaRAID SAS
device          mlx             # Mylex DAC960 family
device          pst             # Promise Supertrak SX6000
device          twe             # 3ware ATA RAID

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse

device          kbdmux          # keyboard multiplexer

device          vga             # VGA video card driver

device          splash          # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc
options         SC_PIXEL_MODE   # add support for the raster text mode

device          agp             # support several AGP chipsets

# Power management support (see NOTES for more options)
#device         apm
# Add suspend/resume support for the i8254.
device          pmtimer

# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device         cbb             # cardbus (yenta) bridge
#device         pccard          # PC Card (16-bit) bus
#device         cardbus         # CardBus (32-bit) bus

# Serial (COM) ports
#device         uart            # Generic UART driver

# Parallel port
device          ppc
device          ppbus           # Parallel port bus (required)
device          lpt             # Printer
device          plip            # TCP/IP over parallel
device          ppi             # Parallel port interface device
#device         vpo             # Requires scbus and da

device          puc             # Multi I/O cards and multi-channel UARTs

# PCI Ethernet NICs.
device          bxe             # Broadcom BCM57710/BCM57711/BCM57711E 10Gb Ethernet
device          de              # DEC/Intel DC21x4x (``Tulip'')
device          em              # Intel PRO/1000 Gigabit Ethernet Family
device          igb             # Intel PRO/1000 PCIE Server Gigabit Family
device          ixgb            # Intel PRO/10GbE Ethernet Card
device          le              # AMD Am7900 LANCE and Am79C9xx PCnet
device          ti              # Alteon Networks Tigon I/II gigabit Ethernet
device          txp             # 3Com 3cR990 (``Typhoon'')
device          vx              # 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          ae              # Attansic/Atheros L2 FastEthernet
device          age             # Attansic/Atheros L1 Gigabit Ethernet
device          alc             # Atheros AR8131/AR8132 Ethernet
device          ale             # Atheros AR8121/AR8113/AR8114 Ethernet
device          bce             # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device          bfe             # Broadcom BCM440x 10/100 Ethernet
device          bge             # Broadcom BCM570xx Gigabit Ethernet
device          dc              # DEC/Intel 21143 and various workalikes
device          et              # Agere ET1310 10/100/Gigabit Ethernet
device          fxp             # Intel EtherExpress PRO/100B (82557, 82558)
device          jme             # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
device          lge             # Level 1 LXT1001 gigabit Ethernet
device          msk             # Marvell/SysKonnect Yukon II Gigabit Ethernet
device          nfe             # nVidia nForce MCP on-board Ethernet
device          nge             # NatSemi DP83820 gigabit Ethernet
#device         nve             # nVidia nForce MCP on-board Ethernet Networking
device          pcn             # AMD Am79C97x PCI 10/100 (precedence over 'le')
device          re              # RealTek 8139C+/8169/8169S/8110S
device          rl              # RealTek 8129/8139
device          sf              # Adaptec AIC-6915 (``Starfire'')
device          sge             # Silicon Integrated Systems SiS190/191
device          sis             # Silicon Integrated Systems SiS 900/SiS 7016
device          sk              # SysKonnect SK-984x & SK-982x gigabit Ethernet
device          ste             # Sundance ST201 (D-Link DFE-550TX)
device          stge            # Sundance/Tamarack TC9021 gigabit Ethernet
device          tl              # Texas Instruments ThunderLAN
device          tx              # SMC EtherPower II (83c170 ``EPIC'')
device          vge             # VIA VT612x gigabit Ethernet
device          vr              # VIA Rhine, Rhine II
device          vte             # DM&P Vortex86 RDC R6040 Fast Ethernet
device          wb              # Winbond W89C840F
device          xl              # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# ISA Ethernet NICs.  pccard NICs included.
#device         cs              # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device         ed              # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device         ex              # Intel EtherExpress Pro/10 and Pro/10+
#device         ep              # Etherlink III based cards
#device         fe              # Fujitsu MB8696x based cards
#device         ie              # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device         sn              # SMC's 9000 series of Ethernet chips
#device         xe              # Xircom pccard Ethernet

# Wireless NIC cards
#device         wlan            # 802.11 support
#options        IEEE80211_DEBUG # enable debug msgs
#options        IEEE80211_AMPDU_AGE # age frames in AMPDU reorder q's
#options        IEEE80211_SUPPORT_MESH  # enable 802.11s draft support
#device         wlan_wep        # 802.11 WEP support
#device         wlan_ccmp       # 802.11 CCMP support
#device         wlan_tkip       # 802.11 TKIP support
#device         wlan_amrr       # AMRR transmit rate control algorithm
#device         an              # Aironet 4500/4800 802.11 wireless NICs.
#device         ath             # Atheros NIC's
#device         ath_pci         # Atheros pci/cardbus glue
#device         ath_hal         # pci/cardbus chip support
#options        AH_SUPPORT_AR5416       # enable AR5416 tx/rx descriptors
#device         ath_rate_sample # SampleRate tx rate control for ath
#device         bwi             # Broadcom BCM430x/BCM431x wireless NICs.
#device         bwn             # Broadcom BCM43xx wireless NICs.
#device         ipw             # Intel 2100 wireless NICs.
#device         iwi             # Intel 2200BG/2225BG/2915ABG wireless NICs.
#device         iwn             # Intel 4965/1000/5000/6000 wireless NICs.
#device         malo            # Marvell Libertas wireless NICs.
#device         mwl             # Marvell 88W8363 802.11n wireless NICs.
#device         ral             # Ralink Technology RT2500 wireless NICs.
#device         wi              # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device         wl              # Older non 802.11 Wavelan wireless NIC.
#device         wpi             # Intel 3945ABG wireless NICs.

# Pseudo devices.
device          loop            # Network loopback
device          random          # Entropy device
device          ether           # Ethernet support
device          vlan            # 802.1Q VLAN support
device          tun             # Packet tunnel.
device          pty             # BSD-style compatibility pseudo ttys
device          md              # Memory "disks"
#device         gif             # IPv6 and IPv4 tunneling
#device         faith           # IPv6-to-IPv4 relaying (translation)
device          firmware        # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf             # Berkeley packet filter

# USB support
options         USB_DEBUG       # enable debug msgs
device          uhci            # UHCI PCI->USB interface
device          ohci            # OHCI PCI->USB interface
device          ehci            # EHCI PCI->USB interface (USB 2.0)
device          xhci            # XHCI PCI->USB interface (USB 3.0)
device          usb             # USB Bus (required)
#device         udbp            # USB Double Bulk Pipe devices (needs netgraph)
device          uhid            # "Human Interface Devices"
device          ukbd            # Keyboard
device          ulpt            # Printer
device          umass           # Disks/Mass storage - Requires scbus and da
device          ums             # Mouse
#device         urio            # Diamond Rio 500 MP3 player
# USB Serial devices
#device         u3g             # USB-based 3G modems (Option, Huawei, Sierra)
#device         uark            # Technologies ARK3116 based serial adapters
#device         ubsa            # Belkin F5U103 and compatible serial adapters
#device         uftdi           # For FTDI usb serial adapters
#device         uipaq           # Some WinCE based devices
#device         uplcom          # Prolific PL-2303 serial adapters
#device         uslcom          # SI Labs CP2101/CP2102 serial adapters
#device         uvisor          # Visor and Palm devices
#device         uvscom          # USB serial support for DDI pocket's PHS
# USB Ethernet, requires miibus
#device         aue             # ADMtek USB Ethernet
#device         axe             # ASIX Electronics USB Ethernet
#device         cdce            # Generic USB over Ethernet
#device         cue             # CATC USB Ethernet
#device         kue             # Kawasaki LSI USB Ethernet
#device         rue             # RealTek RTL8150 USB Ethernet
#device         udav            # Davicom DM9601E USB
# USB Wireless
#device         rum             # Ralink Technology RT2501USB wireless NICs
#device         run             # Ralink Technology RT2700/RT2800/RT3000 NICs.
#device         uath            # Atheros AR5523 wireless NICs
#device         upgt            # Conexant/Intersil PrismGT wireless NICs.
#device         ural            # Ralink Technology RT2500USB wireless NICs
#device         urtw            # Realtek RTL8187B/L wireless NICs
#device         zyd             # ZyDAS zd1211/zd1211b wireless NICs

# FireWire support
#device         firewire        # FireWire bus code
# sbp(4) works for some systems but causes boot failure on others
#device         sbp             # SCSI over FireWire (Requires scbus and da)
#device         fwe             # Ethernet over FireWire (non-standard!)
#device         fwip            # IP over FireWire (RFC 2734,3146)
#device         dcons           # Dumb console driver
#device         dcons_crom      # Configuration ROM for dcons

# Sound support
#device         sound           # Generic sound driver (required)
#device         snd_es137x      # Ensoniq AudioPCI ES137x
#device         snd_hda         # Intel High Definition Audio
#device         snd_ich         # Intel, NVidia and other ICH AC'97 Audio
#device         snd_uaudio      # USB Audio
#device         snd_via8233     # VIA VT8233x Audio

Hard disk

Details for the hard disk configuration are as follows:

gpart

/dev/ada1 is the unmounted source of the /usr/ports folder for use in package & OS upgrades

=>      34  16777149  ada0  GPT  (8.0G)
        34       128     1  freebsd-boot  (64k)
       162  14336000     2  freebsd-ufs  (6.9G)
  14336162   1599360     4  freebsd-ufs  (781M)
  15935522    837632     3  freebsd-swap  (409M)
  16773154      4029        - free -  (2M)

=>     34  8388541  ada1  GPT  (4.0G)
       34      128     1  freebsd-boot  (64k)
      162  7761920     2  freebsd-ufs  (3.7G)
  7762082   204672     4  freebsd-ufs  (100M)
  7966754   417792     3  freebsd-swap  (204M)
  8384546     4029        - free -  (2M)

/etc/fstab

The /tmp filesystem is mounted with restrictive options (nosuid, noexec) to limit what can be done from it in the event of a jail break through vulnerabilities in the httpd service, the PHP interpreter or the cupsd service.

# Device        Mountpoint      FStype  Options Dump    Pass#
/dev/ada0p3     none            swap    sw      0       0
/dev/ada0p2     /               ufs     rw      1       1
/dev/ada0p4     /tmp            ufs     rw,nosuid,noexec        2       2

OS hardening

Several configuration options making use of various security features have been implemented. Below is a detailed list of the files & options selected.

/etc/sysctl.conf

The cupsd and httpd services are isolated in a BSD jail; the jail parameters and the TCP stack hardening settings are shown below.

# Kernel sysctl configuration file
# $FreeBSD: release/9.1.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# NAT forwarding for jail
net.inet.ip.forwarding=1

# Additional params for jail
security.jail.param.cpuset.id=0
security.jail.param.host.hostid=0
security.jail.param.host.hostuuid=64
security.jail.param.host.domainname=256
security.jail.param.host.hostname=256
security.jail.param.children.max=0
security.jail.param.children.cur=0
security.jail.param.enforce_statfs=0
security.jail.param.securelevel=3
security.jail.param.path=1024
security.jail.param.name=256
security.jail.param.parent=0
security.jail.param.jid=0
security.jail.enforce_statfs=2
security.jail.mount_allowed=1
security.jail.chflags_allowed=0
security.jail.allow_raw_sockets=0
security.jail.socket_unixiproute_only=1
security.jail.set_hostname_allowed=0
security.jail.jailed=0

# Various network tuning params
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

net.inet.ip.random_id=1

net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2

net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1

net.inet.tcp.always_keepalive=1

kern.ipc.maxsockets=163840
kern.ipc.maxsockbuf=2097152

# Tune IPFW
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5

# For suricata
net.bpf.zerocopy_enable=1

/etc/pf.conf

Forwarding traffic to the jail, which listens on a NAT address block, required the following /etc/pf.conf configuration:

ext_if = "em0"

ext_ip = "xxx.xxx.xxx.xxx"
int_ip = "192.168.1.10"

tcp_sv = "{ 80, 443 }" 

nat pass on $ext_if from $int_ip to any -> $ext_ip

rdr pass on $ext_if proto tcp from any to $ext_ip port $tcp_sv -> $int_ip

#block all

/etc/ipfw.conf

Filtering of unwanted network traffic was also implemented in both directions: outbound traffic is filtered so that, in the event of a compromise, what the attacker can reach from the host is limited.

#!/bin/sh

# Default options
ipfw="/sbin/ipfw "
adp="em0"

# Current IPv4
me="xxx.xxx.xxx.xxx"

# IPv4 of jail
jail="192.168.1.10"

# Allowed DNS servers
dns1="xxx.xxx.xxx.xxx"
dns2="xxx.xxx.xxx.xxx"

# Allowed ICMP in
icmp_in1="xxx.xxx.xxx.xxx"

# Allowed SSH CIDR
ssh1="xxx.xxx.xxx.xxx/24"
ssh2="xxx.xxx.xxx.xxx"

# Allowed outgoing print servers
print_srv1="dc1-mmc.scl.utah.edu"
print_srv2="dc5-staff.scl.utah.edu"

# Allowed FTP mirrors
update_mirror0="ftp.FreeBSD.org"
update_mirror1="ftp1.us.FreeBSD.org"
update_mirror2="ftp2.us.FreeBSD.org"

# Flush current rules
$ipfw -f flush

# Bypass if previous state ok
$ipfw add 00010 check-state

#### ALL OUTBOUND RULES ####

# DNS allowed rules
$ipfw add 00500 allow tcp from $me to $dns1 53 out via $adp setup keep-state
$ipfw add 00510 allow udp from $me to $dns1 53 out via $adp keep-state
#$ipfw add 00520 allow tcp from $me to $dns2 53 out via $adp setup keep-state
#$ipfw add 00530 allow udp from $me to $dns2 53 out via $adp keep-state

# Allow ping out
$ipfw add 00600 allow icmp from $me to any out via $adp keep-state

# Allow whois out
$ipfw add 00610 allow tcp from $me to any 43 out via $adp setup keep-state

# Allow smtp out
#$ipfw add 00620 allow tcp from $me to $mailout out via $adp setup keep-state

# Allow sshd out
$ipfw add 00700 allow tcp from $me to any 22 out via $adp setup keep-state

# Allow http/https out
$ipfw add 00701 allow tcp from $me to any 80,443 out via $adp setup keep-state

# Allow LPR printing to specified print servers
$ipfw add 00710 allow tcp from $me to $print_srv1 out via $adp setup keep-state
$ipfw add 00720 allow tcp from $me to $print_srv2 out via $adp setup keep-state

# Allow FTP out to FreeBSD servers
$ipfw add 00730 allow tcp from $me to $update_mirror0 out via $adp setup keep-state
$ipfw add 00740 allow tcp from $me to $update_mirror1 out via $adp setup keep-state
$ipfw add 00750 allow tcp from $me to $update_mirror2 out via $adp setup keep-state

# Log all other attempts out
$ipfw add 00800 deny log all from any to any out via $adp

#### ALL INBOUND RULES ####

# Deny all inbound from non-routable address blocks (RFC 1918 and other special-use prefixes)
$ipfw add 00900 deny from 192.168.0.0/16 to any in via $adp
$ipfw add 00910 deny from 172.16.0.0/12 to any in via $adp
$ipfw add 00920 deny from 10.0.0.0/8 to any in via $adp
$ipfw add 00930 deny from 127.0.0.0/8 to any in via $adp
$ipfw add 00940 deny from 0.0.0.0/8 to any in via $adp
$ipfw add 00950 deny from 169.254.0.0/16 to any in via $adp
$ipfw add 00960 deny from 192.0.2.0/24 to any in via $adp
$ipfw add 00970 deny from 204.152.64.0/23 to any in via $adp
$ipfw add 00980 deny from 224.0.0.0/3 to any in via $adp

# Allow pings from specified hosts/cidr's
$ipfw add 00990 allow icmp from $icmp_in1 to $me in via $adp

# Deny public pings
$ipfw add 01000 deny icmp from any to $me in via $adp

# Deny ident(s)
$ipfw add 01100 deny tcp from any to $me 113 in via $adp

# Drop netbios packets
$ipfw add 01200 deny tcp from any to $me 137 in via $adp
$ipfw add 01210 deny tcp from any to $me 138 in via $adp
$ipfw add 01220 deny tcp from any to $me 139 in via $adp
$ipfw add 01230 deny tcp from any to $me 81 in via $adp

# Drop late arrivals
$ipfw add 01300 deny from any to $me frag in via $adp

# Deny ACK packets not matching the dynamic rule table
$ipfw add 01400 deny tcp from any to $me established in via $adp

# Allow configured host(s) to use SSH
$ipfw add 01500 allow tcp from $ssh1 to $me 22 in via $adp keep-state
$ipfw add 01520 allow tcp from $ssh2 to $me 22 in via $adp keep-state

# Allow http/https from any
$ipfw add 01510 allow tcp from any to $me 80,443 in via $adp keep-state

# Reject & log all others
$ipfw add 01600 deny from any to any in via $adp
$ipfw add 01700 deny from any to any
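Because the inbound bogon rules are only as good as the prefixes typed into them, it is worth checking them mechanically. The following added example (not part of the original gist) parses a constructed excerpt in the style of the ruleset above, in which one prefix is deliberately mistyped as 192.169.0.0/16, and reports which expected private and special-use source prefixes are actually covered by a deny rule.

```python
"""Check the inbound ipfw deny rules for coverage of the expected private and
special-use source prefixes. Added example; not part of the original gist."""
import ipaddress
import re

# Constructed excerpt in the style of /etc/ipfw.conf above ($ipfw and $adp are
# the script's own variables). The first prefix is deliberately mistyped
# (192.169 instead of 192.168) to show what the check catches.
IPFW_RULES = """
$ipfw add 00900 deny from 192.169.0.0/16 to any in via $adp
$ipfw add 00910 deny from 172.16.0.0/12 to any in via $adp
$ipfw add 00920 deny from 10.0.0.0/8 to any in via $adp
$ipfw add 00930 deny from 127.0.0.0/8 to any in via $adp
$ipfw add 00940 deny from 0.0.0.0/8 to any in via $adp
$ipfw add 00950 deny from 169.254.0.0/16 to any in via $adp
$ipfw add 00960 deny from 192.0.2.0/24 to any in via $adp
$ipfw add 00970 deny from 204.152.64.0/23 to any in via $adp
$ipfw add 00980 deny from 224.0.0.0/3 to any in via $adp
"""

# Source prefixes that should never arrive on the external interface.
EXPECTED_BOGONS = {
    "RFC 1918 10/8": "10.0.0.0/8",
    "RFC 1918 172.16/12": "172.16.0.0/12",
    "RFC 1918 192.168/16": "192.168.0.0/16",
    "loopback": "127.0.0.0/8",
    "this network": "0.0.0.0/8",
    "link-local": "169.254.0.0/16",
    "TEST-NET-1": "192.0.2.0/24",
    "multicast and reserved": "224.0.0.0/3",
}

# Matches only inbound source-based deny rules of the form used above.
RULE_RE = re.compile(
    r"add\s+(?P<num>\d+)\s+deny\s+from\s+(?P<src>[\d./]+)\s+to\s+any\s+in\s+via"
)


def parse_inbound_denies(text):
    """Return [(rule_number, IPv4Network)] for every inbound source-deny rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m:
            net = ipaddress.ip_network(m.group("src"), strict=False)
            rules.append((int(m.group("num")), net))
    return rules


def coverage_report(text, expected=EXPECTED_BOGONS):
    """Map each expected prefix label to the first rule number whose denied
    network contains it, or None when no rule covers it."""
    denies = parse_inbound_denies(text)
    report = {}
    for label, prefix in expected.items():
        want = ipaddress.ip_network(prefix)
        report[label] = next(
            (num for num, net in denies if want.subnet_of(net)), None
        )
    return report


def missing_bogons(text, expected=EXPECTED_BOGONS):
    """Sorted labels of expected prefixes that no deny rule covers."""
    return sorted(
        label for label, num in coverage_report(text, expected).items() if num is None
    )


if __name__ == "__main__":
    for label, num in coverage_report(IPFW_RULES).items():
        status = "rule %05d" % num if num is not None else "NOT COVERED"
        print(f"{label:24s} {status}")
```

Run against the real /etc/ipfw.conf by reading the file into `coverage_report`; any label reported as not covered is a gap in the bogon filter.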

/etc/hosts.allow

Making use of the /etc/hosts.allow also affords some protection in the event the IPFW service is bypassed.

#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: release/9.1.0/etc/hosts.allow 161710 2006-08-29 09:20:48Z ru $
#

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
#ALL : ALL : allow
sshd : xxx.xxx.xxx.xxx/255.255.255.0

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost.  Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
#ALL : localhost 127.0.0.1 : allow
# Comment out next line if you build libwrap without IPv6 support.
#ALL : [::1] : allow
#ALL : my.machine.example.com 192.0.2.35 : allow

# To use IPv6 addresses you must enclose them in []'s
#ALL : [fe80::%fxp0]/10 : allow
#ALL : [fe80::]/10 : deny
#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
#ALL : [2001:db8:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
#sendmail : localhost : allow
#sendmail : .nice.guy.example.com : allow
#sendmail : .evil.cracker.example.com : deny
#sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
#exim : localhost : allow
#exim : .nice.guy.example.com : allow
#exim : .evil.cracker.example.com : deny
#exim : ALL : allow

# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
#rpcbind : ALL : deny

# NIS master server. Only local nets should have access
# (Since this is an RPC service, rpcbind needs to be considered)
#ypserv : localhost : allow
#ypserv : .unsafe.my.net.example.com : deny
#ypserv : .my.net.example.com : allow
#ypserv : ALL : deny

# Provide a small amount of protection for ftpd
#ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
#ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
#fingerd : ALL \
#       : spawn (echo Finger. | \
#        /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
#       : deny

# The rest of the daemons are protected.
ALL: ALL : severity auth.info : twist /bin/echo RECVLOG: `/bin/date` [%a](%c): %d => %p Trace started... : deny
ALL: ALL : severity auth.info : spawn /bin/echo `/bin/date` [%a](%c): %d => %p >>/var/log/access.log : deny

/etc/rc.conf

Here is the primary configuration for the remainder of the OS. This includes the network configuration, jail configuration, OS security options and network service parameters.

hostname="example"

ifconfig_em0="inet xxx.xxx.xxx.xxx netmask 255.255.255.0 broadcast xxx.xxx.xxx.xxx"
defaultrouter="xxx.xxx.xxx.xxx"

# Enabled services
sshd_enable="YES"
syslogd_flags="-ss"
#jail_mount_enable="YES"

# NAT routing for jail & alias interface
ifconfig_em0_alias0="inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255"
static_routes="internal"
route_internal="-net 192.168.1.0/24 xxx.xxx.xxx.xxx"

# Enable PF for NAT forwards
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pf/pf.log"

# Disabled services
sendmail_enable="NONE"
portmap_enable="NO"
inetd_enable="NO"

# Disable ipv6
ip6addrctl_enable="NO"
ip6addrctl_policy="ipv4_prefer"
ipv6_network_interfaces="NONE"
ipv6_activate_all_interfaces="NO"

# Security level
kern_securelevel_enable="YES"
kern_securelevel=3

# Clear /tmp on boot
clear_tmp_enable="YES"

# Network hardening
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
log_in_vain="YES"
tcp_drop_synfin="YES"

# Firewall settings
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_type="client"
firewall_quiet="NO"
firewall_logging="YES"

# Jail settings
jail_enable="YES"
jail_list="myprint"

jail_myprint_rootdir="/opt/jail/myprint"
jail_myprint_hostname="printing.dev"
jail_myprint_ip="192.168.1.10"
jail_myprint_devfs_enable="YES"
#jail_myprint_mount_enable="YES"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"

Jail

Because the myprint service accepts file uploads, and current web browsers misreport the actual MIME type of the files being sent, several precautions were taken not only in the host configuration but also in the jail configuration. These severely limit an attacker who bypasses the application logic that filters uploads both heuristically and by signature and then attempts to exploit the PHP interpreter's file handling.

Jail details

The jail resides in the /opt/jail/myprint folder.

Jail services

The jail handles two services, cupsd & httpd, for printing & web access. Below are the current configurations for both services:

/usr/local/etc/cups/printers.conf

Currently the myprint service handles wireless printing for students in the Marriott Library knowledge commons (2nd floor), public areas (on first & second floors), the digital arts & scholarly labs, the Union lab, the benchmark lab as well as the sage point labs.

# Printer configuration file for CUPS v1.5.4
# Written by cupsd on 2012-12-12 03:13
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
<Printer ben-1>
UUID urn:uuid:80952f06-ce59-3f2c-6fb5-9c04f6ed39b5
Info Bench bw
Location Benchmark
MakeModel HP LaserJet 9000 Series  Postscript (recommended)
DeviceURI lpd://example.com/ben-1
State Idle
StateTime 1335375685
Type 8433876
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer bencolor>
UUID urn:uuid:760568ce-0be5-36b2-6af8-0457f5282dfd
Info Benchmark Color
Location Benchmark
MakeModel HP Color LaserJet 4700 Postscript (recommended)
DeviceURI lpd://example.com/bencolor
State Idle
StateTime 1328584369
Type 8425692
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer fa-1>
UUID urn:uuid:4befc80e-6c06-37cc-4abf-b91adea05822
Info Fine Arts
Location Fine Arts Library
MakeModel HP Color LaserJet 4600 v3010.107 Postscript (recommended)
DeviceURI lpd://example.com/Fa-1
State Idle
StateTime 1329424038
Type 8425676
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer gr-1>
UUID urn:uuid:fbaae222-0eba-37a9-411f-185ddaaec592
Info General reference printer
Location Level 2 public
MakeModel HP LaserJet 9000 Series  Postscript (recommended)
DeviceURI lpd://example.com/gr-1
State Idle
StateTime 1329099047
Type 8433876
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer kc-1>
UUID urn:uuid:cd485ec4-4bc6-3ea9-47ff-a78373f7f8ab
Info Knowledge commons black & white
MakeModel HP LaserJet 9000 Series  Postscript (recommended)
DeviceURI lpd://example.com/kc-1
State Idle
StateTime 1351025856
Type 8433876
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer Kc-color>
UUID urn:uuid:7800e1ec-6683-3495-63ce-e438496c146c
Info KC Color Printer
Location Knowledge Commons
MakeModel HP Color LaserJet 4730mfp Postscript (recommended)
DeviceURI lpd://example.com/kc-color
State Idle
StateTime 1338401866
Type 8425692
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer PCGroup>
UUID urn:uuid:4a9d5409-ba72-3e52-4578-21515a38432c
Info PCGroup printer
Location PCGroup
MakeModel HP LaserJet 8150 Series Postscript (recommended)
DeviceURI lpd://example.com/CMS-5
State Idle
StateTime 1314385627
Type 8433860
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
<Printer pub-1>
UUID urn:uuid:e330781b-88d8-312d-5366-fd7373a23536
Info Level 1 public printer
Location Level 1 public
MakeModel HP LaserJet 8150 Series Postscript (recommended)
DeviceURI lpd://example.com/pub-1
State Idle
StateTime 1335204039
Type 8433876
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer pub-2>
UUID urn:uuid:c1b17dbd-65d7-3637-7d8f-81df10adc13c
Info Level 2 public printer
Location Level 2 public
MakeModel HP LaserJet 9050 Postscript (recommended)
DeviceURI lpd://example.com/pub-2
State Idle
StateTime 1335370443
Type 8433876
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer sage-1>
UUID urn:uuid:41e6c0d9-21e5-3526-642f-1fdbad070d5a
Info Sage BW Printer
Location Sage Point Lab
MakeModel HP LaserJet 9000 Series  Postscript (recommended)
DeviceURI lpd://example.com/sage-1
State Idle
StateTime 1335225820
Type 8433860
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer sr-1>
UUID urn:uuid:9ae9c091-d887-3fba-7ba9-8538cccc2dcc
Info SR-1
Location 1st Floor Reference
MakeModel HP LaserJet 9000 Series  Postscript (recommended)
DeviceURI lpd://example.com/sr-1
State Idle
StateTime 1329084679
Type 8433860
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer st-1>
UUID urn:uuid:c63a0094-acc0-37e0-51a6-b2162e103f03
Info Studio BW Printer
Location Digital Scholarship Lab
MakeModel HP LaserJet 9000 Series  Postscript (recommended)
DeviceURI lpd://example.com/st-1
State Idle
StateTime 1328133904
Type 8433860
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer un-1>
UUID urn:uuid:35881893-fa63-344e-523a-e1ca5b891324
Info Union Black & White
Location Union
MakeModel HP LaserJet 9000 MFP  Postscript (recommended)
DeviceURI lpd://example.com/un-1
State Idle
StateTime 1335376330
Type 8433876
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer un-color>
UUID urn:uuid:f109f5ec-9df4-37be-6e67-f421cd91e432
Info Union color
MakeModel HP Color LaserJet 4730mfp Postscript (recommended)
DeviceURI lpd://example.com/un-color
State Idle
StateTime 1335383752
Type 8425692
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
@shivno

shivno commented Jun 29, 2017

Isn't it bad practice to mix pf and ipfw?

@jas-
Author

jas- commented Jan 25, 2019

@shivno, yes. I could have done all of it in one or the other.
