Port 0 Extra Precautions
-
Hello Fellow Netgate Community Members, what are your thoughts on adding more port zero blocks to the rules manually by way of a reboot script and a cron job??
Scrip:
#!/bin/sh /sbin/pfctl -a "custom/block_port0" -v -f - <<EOF # Block TCP/UDP packets with source or destination port 0 (IPv4) block drop quick inet proto { tcp udp } from any port = 0 to any label "Block from port 0 IPv4" block drop quick inet proto { tcp udp } from any to any port = 0 label "Block to port 0 IPv4" # Block TCP/UDP packets with source or destination port 0 (IPv6) block drop quick inet6 proto { tcp udp } from any port = 0 to any label "Block from port 0 IPv6" block drop quick inet6 proto { tcp udp } from any to any port = 0 label "Block to port 0 IPv6" # Block some spoofed IPv4 addresses block drop quick inet from 127.0.0.0/8 to any label "Block IPv4 loopback source" block drop quick inet from 0.0.0.0/8 to any label "Block IPv4 zero network" block drop quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local source" block drop quick inet from 224.0.0.0/4 to any label "Block IPv4 multicast source" block drop quick inet from 240.0.0.0/5 to any label "Block IPv4 reserved source" # Block some spoofed IPv6 addresses block drop quick inet6 from ::1 to any label "Block IPv6 loopback source" block drop quick inet6 from ::/128 to any label "Block IPv6 unspecified source" block drop quick inet6 from fe80::/10 to any label "Block IPv6 link-local source" block drop quick inet6 from ff00::/8 to any label "Block IPv6 multicast source" EOFCron:
sleep 60&&/usr/local/etc/rc.d/block_porto.sh -
@JonathanLee said in Port 0 Extra Precautions:
port = 0
didn't you bring this up before - those are already blocked
# We use the mighty pf, we cannot be fooled. block quick inet proto { tcp, udp } from any port = 0 to any ridentifier 1000000114 label "Block traffic from port 0" block quick inet proto { tcp, udp } from any to any port = 0 ridentifier 1000000115 label "Block traffic to port 0" block quick inet6 proto { tcp, udp } from any port = 0 to any ridentifier 1000000116 label "Block traffic from port 0" block quick inet6 proto { tcp, udp } from any to any port = 0 ridentifier 1000000117 label "Block traffic to port 0"Pretty sure those others are also blocked - I know 0.0.0.0/8 is in the bogon table, I know 224.0.0.0/4 and 240.0.0.0/4 also in bogon. 127.0.0.0/8 also in bogon. ::/10 is in bogonv6
Blocking fe80::/10, and ff00::/8 prob going to cause you problems like that if your trying to run ipv6. I know some stuff in those ranges are required for stuff like ns,na and RA ane echoreq and rep.. The required stuff is specifically allowed already in the rules but loading your own rules like that where are they going to end up in the rules order?
169.254 also already blocked
block in quick from 169.254.0.0/16 to any ridentifier 1000000101 label "Block IPv4 link-local" block in quick from any to 169.254.0.0/16 ridentifier 1000000102 label "Block IPv4 link-local"I see nothing you have presented that isn't already blocked, or could cause issues.
If you want to add extra rules - put them in floating or specific interfaces. Then your sure the rules pfsense puts in you will not be overridden.
-
@johnpoz thanks for the reply. I was getting wedged on reboots until I removed that script. It seemed to fix the issues. I don’t know if that was related or not. My main issue was that also dhcpv6 leases for managed addresses on the one side of the network. Some of them would stay active, even though the device is completely turned off for a couple days they would still have a lease active it was that was another weird one. Yeah it is related to DHCPv6 in router advertisement sections
-
@JonathanLee said in Port 0 Extra Precautions:
Some of them would stay active, even though the device is completely turned off for a couple days ...
What DHCPv6 server ? ISC ? Kea ?
Default lease duration ?
What do ou mean by 'active' ? Even with the device turned off, the IPv6 address still replies to a (example) ping ?@JonathanLee said in Port 0 Extra Precautions:
My main issue was that also dhcpv6 leases for managed addresses on the one side of the network
?
That one side is called the DHCPv6 server. You might call that "one side". How is that a problem ?The DHCPv6 protocol isn't using the "zero port".
edit :
I presume @reboot means : during the boot, this line gets executed.
Look at your logs, you'll find :
Afaik : the /tmp/rules.debug is regenerated very often. This file is used to "repopulate" all the firewall rules and settings.
I don't think the rules you put in place with the @reboot will survive this.Also, files with the .sh extension and execute bit set, place in the /usr/local/etc/rc.d/ folder are executed at boot. There are already a couple of .sh file there :
[25.07.1-RELEASE][root@pfSense.bhf.tld]/usr/local/etc/rc.d: ll *.sh -rwxr-xr-x 1 root wheel 327 Nov 5 08:41 avahi-daemon.sh* lrwxr-xr-x 1 root wheel 10 Dec 6 2023 munin-node.sh@ -> munin-node -rwxr-xr-x 1 root wheel 660 Oct 17 03:57 nut.sh* -rwxr-xr-x 1 root wheel 1784 Oct 1 08:28 pfb_dnsbl.sh* -rwxr-xr-x 1 root wheel 2385 Oct 1 08:28 pfb_filter.sh* -rwxr-xr-x 1 root wheel 1421 Aug 20 07:34 radiusd.sh* -rwxr-xr-x 1 root wheel 120 Oct 17 03:57 shutdown.nut.sh*and I know these are executed during system boot.
Then why adding a cron task ? Doesn't that means you rules get added twice ?No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@JonathanLee if you feel the default rules of pfsense are not hard enough - I would put in a feature request so that they can be adjusted by the developers.
But again I am going to stress, rules you want to add should be done in the gui.
Direct manipulation of the rules that get loaded by default, is a fantastic way of shooting yourself in the foot.
-
Open /etc/inc/filter.inc.
Locate function filter_rules_generate()
This function make the /tmp/rules.debug file, the file that gets loaded into pf.
Start reading ...
Right at the start you find$ipfrules .= discover_pkg_rules("pfearly");Locate this function "function discover_pkg_rules($ruletype)"
Read it - and discover that if you create a file on the correct place with the correct content, it will get include in the main firewall rule set, "no questions asked".As @johnpoz said : this is fantastic. Keep us posted, make photos !
-
@Gertjan said in Port 0 Extra Precautions:
That one side is called the DHCPv6 server. You might call that "one side". How is that a problem ?
I have two subnets I have a guest area and a secure side for openVPN use with my private cloud. The side I am talking about is the secure side. So my WLAN interface
What DHCPv6 server ? ISC ? Kea ?
Default lease duration ?
What do ou mean by 'active' ? Even with the device turned off, the IPv6 address still replies to a (example) ping ?What DHCPv6 server ? ISC ? Kea ?
I am using ISC on plus 23.05.01 still I can't upgrade util the Squid status page issue is resolved the bug report is still open in Redline after Squid did there updates for the security issues the status page is not working.
Default lease duration ?
7200 seconds.
Max lease time 86400 seconds.What do you mean by 'active' ? Even with the device turned off, the IPv6 address still replies to a (example) ping ?
By active I mean if I have it set to RA mode managed if I go to status/DHCPv6 Leases some devices even when turned off show Online in green for days on end until a reboot at that point the system says wedged reset its weird like it hangs with the dhcpv6 lease I have not attempted to ping it I will next time, but the ipv4 lease for that device is gone when this occurs.
This area..
On shutdown it does try to stop the script you can see the script name also so it is running at times. I have removed the cron, based on the recommendations I am thinking I will delete the file I just wanted port 0 to be disabled on ipv6 also but it appears to break something when it is running.
-
@JonathanLee said in Port 0 Extra Precautions:
I am using ISC on plus 23.05.01
dude.. Run squid on something else if you want the latest and greatest version, etc. Posting stuff about adjusting rules on a 2 year old version is a waste of time.
As to port 0 on ipv6 - what are you not getting that those are already blocked??
rules.debug
block quick inet6 proto { tcp, udp } from any port = 0 to any ridentifier 1000000116 label "Block traffic from port 0" block quick inet6 proto { tcp, udp } from any to any port = 0 ridentifier 1000000117 label "Block traffic to port 0"An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1 -
@johnpoz On a side note thanks for info on cron I removed that and the wedged errors are gone and it does run automatically. You can see it running when it reboots.
How would I run squid on something else? Would I just redirect all traffic with pfsense to it, after it redirect it back to pfsense? I do have an external wpad that functions great.
-
@johnpoz said in Port 0 Extra Precautions:
rules.debug
Yes they are there .. there was something that wasn't working originally that was why I had this script I can't remember what it was right now I have to find that old post. The website will not let me view historical posts right now for some reason it only lists the last couple or so now
-
Re: Port 0 and IPv4 Great... but hey what about IPv6 or inet6?
This it wasn't loading the ipv6 port zero rules for me originally a while ago. Maybe I can delete my script now
-
@johnpoz John thanks for the conversation on this.
Deleting the cron job fixed the reboot firewall wedged errors I assume that was because of the duplicates as it was already in rc folder
I also deleted the script as the blocks are now included and no longer missing.
-
@johnpoz Does Netgate have a cook book recipe for configuring Squid externally, like the old one for internally? If I had this it would make it easy, I just wonder how to do this as it has to go into squid and back up to the internet etc, makes my brain hurt I only have done it inside pfsense
