first firewall with pf

Eric Magutu emagutu at gmail.com
Tue Mar 24 09:09:26 PDT 2009


Hi Mike,
I will make the changes; there is no internal interface, though.
Yes, I meant SMTP.
Thanks for your input.

On Tue, Mar 24, 2009 at 6:56 PM, Michael K. Smith - Adhost <mksmith at adhost.com> wrote:

> Hello:
>
> <snip>
>
> > #############
> > #interfaces #
> > #############
> > ext_if="bce0"
> > ext_if2="bce1"
> >
> I would also define your inside interface(s), not just your outside.  Let's
> call it "bce2" for the example:
>
> int_if="bce2"
>
> <snip>
> >
> > #############################################
> > #allow all connections from and to loopback #
> > #############################################
> >
> > pass in quick on lo0 all keep state
> > pass out quick on lo0 all keep state
> >
> You might want to add anti-spoofing as well (can't come in on your IPs).
>
> antispoof quick for { lo $ext_if $ext_if2 } inet
>
> > ########################################################
> > #allow all connections out through external interfaces #
> > ########################################################
> >
> You can shorten these (as below)
>
> > pass out quick on $ext_if all keep state
> > pass out quick on $ext_if2 all keep state
> pass out quick on { $ext_if $ext_if2 $int_if }
>
> Also, add an inbound allow for your inside interface, unless you want to
> block things more granularly.
>
> pass in quick on $int_if
>
> <snip>
> >
> > ############################
> > #smtp connections allowed  #
> > ############################
> >
> Did you mean SSH?  If you meant SMTP you should change 22 to 25.
>
> > #a.b.c.d is the server's ip
> > #Euro servers
> > pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
> >
> > #American servers
> > pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
> >
> > #from the old iptables???
> > pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep state
> >
> >
> > ###################################
> > # pass traffic from allowed ports #
> > ###################################
> >
> >
> > #pass traffic from allowed tcp ports
> > pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
> >
> > #pass traffic from allowed udp ports
> > pass in quick on $ext_if inet proto udp from any to a.b.c.d port $good_port_udp keep state
> >
> > ##########################################
> > # allow connections from NMC and servers #
> > ##########################################
> >
>
> I would limit ICMP to echo-request from the outside.
>
> pass in quick on { $ext_if $ext_if2 } proto icmp from x.x.x.x/12 to a.b.c.d
> icmp-type { echoreq trace }
>
> > #x.x.x.x/12 are the internal ips NMC access with
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to a.b.c.d keep state
> >
> > #x.x.x.x/24 are the ips for the other European servers
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
> >
> > #x.x.x.x/24 are the ips for the American servers
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
> >
> >
> > ##########################
> > #block all other traffic #
> > ##########################
> >
> > # should be last rule
> >
> > block in quick on $ext_if all
>
> Should be first as previously discussed.
>
> Regards,
>
> Mike
>



-- 
Regards,
Eric Magutu
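The following pf.conf pulls together the points raised in the thread (default deny placed first, antispoof, SMTP on port 25 rather than 22, the UDP rule actually using UDP, ICMP from the NMC range limited to echo request and traceroute). It is an added example, not a config from either poster; the inside interface name bce2 is Mike's example, and the address macros and the port lists in $good_port_tcp/$good_port_udp are placeholders, since the original macro definitions were snipped.

```pf
# Interfaces: bce2 for the inside interface is the example name from the thread
ext_if="bce0"
ext_if2="bce1"
int_if="bce2"

# Address macros (placeholders; substitute the real server IP and source networks)
server_ip="a.b.c.d"
euro_servers="{ x.x.x.x/26 }"
us_servers="{ x.x.x.x/26 }"
nmc_net="x.x.x.x/12"
good_port_tcp="{ 80 443 }"   # assumed port list: the original macro was snipped
good_port_udp="{ 53 123 }"   # assumed port list

# Loopback
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

# Default deny first. Without "quick" it applies only when no later rule
# matches, so the "pass ... quick" rules below still take precedence.
block in log on { $ext_if $ext_if2 } all

# Anti-spoofing: drop packets arriving on an interface with a source address
# belonging to that interface's own network (or to loopback)
antispoof log quick for { lo0 $ext_if $ext_if2 $int_if } inet

# Everything out on all interfaces, everything in from the inside interface
pass out quick on { $ext_if $ext_if2 $int_if } all keep state
pass in quick on $int_if all keep state

# SMTP (port 25, not 22) from the named server networks only
pass in quick on $ext_if inet proto tcp from $euro_servers to $server_ip port 25 keep state
pass in quick on $ext_if inet proto tcp from $us_servers to $server_ip port 25 keep state

# Public services: the UDP rule uses proto udp and its own port list
pass in quick on $ext_if inet proto tcp from any to $server_ip port $good_port_tcp keep state
pass in quick on $ext_if inet proto udp from any to $server_ip port $good_port_udp keep state

# Management (NMC): TCP/UDP from the NMC range; ICMP limited to echo request
# and traceroute instead of every ICMP type
pass in quick on $ext_if inet proto { tcp, udp } from $nmc_net to $server_ip keep state
pass in quick on { $ext_if $ext_if2 } inet proto icmp from $nmc_net to $server_ip icmp-type { echoreq trace }
```

After substituting real addresses, `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax errors before the ruleset goes live.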

