opinion on this ruleset

Gergely CZUCZY phoemix at harmless.hu
Thu Nov 30 09:40:55 PST 2006


On Sun, Nov 26, 2006 at 01:35:57PM -0000, Daniel wrote:
> I was wondering if I could get some opinions on this ruleset please - 
> 
> Basically, I have FreeBSD6.1, running an IRC server on ports 6697, 7000,
> 6659 through to 6671, 9999, 27888.  I am also running a nameserver, so have
> opened TCP and UDP 53.  I also want incoming on port 80 and 22.
> 
> I have about 15 IP addresses assigned to my external interface... would it
> be better to make a table for these?  Or is using the ext_if as a macro just
> as effective?
> 
> 
> ext_if="rl0"
> 
> tcp_services="{ 22, 80, 53, 6633, 6697, 7000, 6659:6671, 9999, 27888  }"
> udp_services="{ 53 }"
> icmp_types="echoreq"
> 
> set block-policy return
> set loginterface $ext_if
> 
> set skip on lo
> scrub in
> 
> block in
> 
> pass out keep state
> 
> antispoof quick for { lo $int_if }
> 
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>    port $tcp_services flags S/SA keep state
Here I'd suggest using synproxy state.

($ext_if) translates to an IP address of the interface,
and not to all addresses on the interface, so you might get
some unexpected behaviour from these rules; watch out.
As DNA said, "expect the unexpected" ;)

> pass in on $ext_if inet proto udp from any to ($ext_if) \
>    port $udp_services keep state
> 
> 
> pass in inet proto icmp all icmp-type $icmp_types keep state
Wrong.
Use this:
pass in on $ext_if proto icmp

If you wonder why, read the OpenBSD PF FAQ, or just Google for it.

Bye,

Gergely Czuczy
mailto: gergely.czuczy at harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.
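The ruleset from the original post with the reply's suggestions applied, as an added example that is not part of the thread and not anyone's production config: the external addresses go into a table (the question asked in the post), the TCP rule uses synproxy state, the port range is written inclusively to match "6659 through to 6671", and the ICMP rule is pinned to the external interface. The three table entries, taken from the RFC 5737 documentation range, are placeholders for the real 15 addresses; the interface name rl0 is the one from the post. Everything else is pf.conf(5) syntax as shipped with FreeBSD 6.x, where keep state still has to be written out explicitly.

```pf
# Added example (not from the thread). Addresses are placeholders.
ext_if = "rl0"

# All external addresses in one table. Unlike a macro, a table can be
# inspected and edited at runtime:
#   pfctl -t ext_ips -T show
#   pfctl -t ext_ips -T add 192.0.2.13
table <ext_ips> { 192.0.2.10, 192.0.2.11, 192.0.2.12 }   # placeholders

# 6659:6671 is inclusive; "6659 >< 6671" would exclude both endpoints.
tcp_services = "{ 22, 80, 53, 6633, 6697, 7000, 6659:6671, 9999, 27888 }"
udp_services = "{ 53 }"
icmp_types   = "echoreq"

set block-policy return
set loginterface $ext_if
set skip on lo

scrub in all

# Default deny inbound; log the drops so a typo in a pass rule shows up
# in pflog rather than as a silent outage.
block in log all
pass out all keep state

antispoof quick for $ext_if

# synproxy: pf completes the TCP handshake itself and only hands the
# connection to ircd/sshd/httpd once the client has proven it can
# complete it, so spoofed SYN floods never reach the daemons.
pass in on $ext_if inet proto tcp from any to <ext_ips> \
    port $tcp_services flags S/SA synproxy state

pass in on $ext_if inet proto udp from any to <ext_ips> \
    port $udp_services keep state

# ICMP scoped to the external interface and the table, as in the reply.
# Drop the icmp-type clause to allow all ICMP, which is what the reply
# literally suggests.
pass in on $ext_if inet proto icmp from any to <ext_ips> \
    icmp-type $icmp_types keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it: `-n` parses the rules without activating them, which catches an undefined macro (the original's `$int_if` has no definition) or a missing quote before they take the firewall down.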

