freebsd 8

Patrick Goggins pgoggins at carrollu.edu
Fri Jan 8 01:58:45 UTC 2010 

I would not recommend allowing everyone under the sun ssh access to the box. Either restrict it by outside IP if possible and if that is not possible at least alter the port to prevent bots.

~Patrick


-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On Behalf Of Kurt Turner
Sent: Thursday, January 07, 2010 4:27 PM
To: freebsd-pf at freebsd.org
Subject: freebsd 8

Hello all

In an effort not to create yet another insecure server on the www I'd like
to ensure my pf.conf file is good and secure - will someone please review
this configuration and let me know your thoughts?

I only want to allow www and ssh inbound and have limited access also
outbound - this is a remote web server I do not have access to at all. TIA

 #### First declare a couple of variables ####
# outgoing services
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43}"
udp_services = "{ domain, ntp }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
ext_if = "re0" # Internet

#### Normalization
scrub in all

#### Start filtering
# Drop incoming everything
block in all

# Default connection refused message to client
block return

# keep stats of outging connections
pass out keep state

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Antispoof is a common special case of filtering and blocking. This
mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if

#Block RFC 1918 addresses
block drop in log (all)  quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians

# Allow outgoing via ssh, smtp, domain, www, https, whois etc
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services

# Allow outgoing Trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep
state

# Allow http traffic
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy
modulate state
# SSH
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy
modulate state
_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

More information about the freebsd-pf mailing list