Skip to content
This repository has been archived by the owner on Oct 10, 2022. It is now read-only.
/ ansible-role-pf Public archive

Ansible role for hardening configuration of pf firewall

License

MIT license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

drew1kun/ansible-role-pf

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
defaults
defaults
 
 
handlers
handlers
 
 
imgs
imgs
 
 
meta
meta
 
 
tasks
tasks
 
 
templates
templates
 
 
vars
vars
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Ansible role: pf

MIT licensed Galaxy Role

DEPRECATION NOTICE

This role is being deprecated in favor of ansible-collection-mac.

Collection on Galaxy: drew1kun.mac

Description

Description

Ansible role for hardening configuration of pf firewall for MacOS.

Tutorial used

PF Anchors

The role will create the following pf anchors:

  • sshd anchor (<prefix>.sshd.rules) with bruteforce protection table and rules
  • emerging-treats open ruleset anchor (<prefix>.eto.rules) with table of known attackers' IPs and rules for blocking them
  • custom anchors <prefix>.rdr.rules and <prefix>.rdr.rules with rules specified in defaults/main.yml

Those anchors will be loaded in custom /etc/pf.<prefix>.conf configuration file.

NOTE: The system default /etc/pf.conf on MacOS can be overwritten during system updates, therefore custom /etc/pf.<prefix>.conf will be created and /etc/pf.conf may be included in that custom config.

Launchd jobs

On MacOS the following Launchd jobs will be created:

  • job for Enabling pf on boot. This is done by creating custom Library/LaunchDaemon/<>.pf.plist running /usr/local/bin/firewall.sh script for correct pf enabling on MacOS, therefore no SIP disabling is required
  • job for clearing the ssh_bruteforce table once a day at 10:00pm.
  • job for automated download of ETOpen ruleset once a day at 10:05pm.

Requirements

Reminder: Ansible uses ssh so make sure the pf configuration does not block ssh For example:

pass in log proto tcp to any port ssh flags S/SA keep state

Otherwise you may end up having ssh connection blocked

Role Variables

OS-Agnostic:

Variables Description Default
pf_ssh_bruteforce_protect Enable ssh bruteforce protection yes
pf_emerging_threats_protect Enable ETOpen Ruleset configuration yes
pf_macros Macros variables for pf configuration see defaults/main.yml
pf_tables pf configuration tables see defaults/main.yml
pf_options pf configuration options see defaults/main.yml
pf_normalization pf configuration normalization rules see defaults/main.yml
pf_queueing pf configuration queueing see defaults/main.yml
pf_translation Redirect rules for port forwarding and NAT see defaults/main.yml
pf_filtering Stateful and stateless filtering for rule-based packet blocking or passing see defaults/main.yml

OS-Specific:

Variables Description Default
pf_conf path to main pf configuration file
  • Darwin: /etc/pf.prefix.conf
  • Others (BSD): /etc/pf.conf
pf_prefix just a prefix for customizing the configuration. Will be added to all the filenames, generated by this role "{{ ansible_user_id }}"

NOTE: that because of the default value for pf_prefix var the role requires Fact Gathering. If you override this variable with some static value, the Fact Gathering will not be necessary.

Dependencies

None

Example Playbook

- hosts: dev_clients_macos
  gather_facts: yes
  roles:
  - drew1kun.pf

Checking Results (OPTIONAL)

See if pf is Enabled:

sudo pfctl -s info | grep Status

No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:20:41           Debug: Urgent

Show the eto and other pf rules loaded:

sudo pfctl -s all

Show the launchd jobs loaded:

watch -n1 -d 'launchctl list | grep <pf_prefix>'

SSH Bruteforce Table

Start the ssh bruteforce attack from kali machine (192.168.68.113):

hydra

hydra -l root -P /usr/share/wordlists/fasttrack.txt 192.168.68.104 ssh

medusa

medusa -u root -P /usr/share/wordlists/fasttrack.txt -h 192.168.68.104 -M ssh

ncrack (most efficient):

ncrack -U users.txt -P /usr/share/wordlists/fasttrack.txt 192.168.68.104:22

At some point, you may to check to see if you have attackers in your attackers table. To do that, use this command:

watch -n1 -d 'sudo pfctl -a drew.sshd -t ssh_bruteforce -T show'

This command lists the IPs in the attackers table for the sshd anchor.

On MacOS result will look like this:

No ALTQ support in kernel
ALTQ related functions disabled
   192.168.68.113

See screenshot:

If you accidentally (or during testing) get a legitimate IP in the attackers table, you can remove it with this command (replace a.b.c.d with your IP):

sudo pfctl -a drew.sshd -t ssh_bruteforce -Tdelete a.b.c.d

You can also save the existing attackers table and reload it later. This can be useful for saving the table through a system restart. Use the following commands to save the table:

sudo pfctl -a drew.sshd -t ssh_bruteforce -Tshow > /etc/pf.attackers-table.txt

To load the table later, use this command:

sudo pfctl -a drew.sshd -t ssh_bruteforce -Tload -f /etc/pf.attackers-table.txt

License

MIT

Author Information

Andrew Shagayev | e-mail

About

Ansible role for hardening configuration of pf firewall

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages