Configuring PF
Pat Maddox
pergesu at gmail.com
Fri Feb 18 07:28:32 GMT 2005
Can you guys let me know if this looks like a good conf file? I've
got web, mail, ftp, ssh, and DNS that I need to have open.
# Macros
ext_if="fxp0"
SYN_ONLY="S/FSRA"
tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
icmp_types = "echoreq"
# Default deny
block all
## Filtering rules
# Default TCP policy
block return-rst in log on $ext_if proto tcp all
pass in log quick on $ext_if proto tcp from any to $ext_if port $tcp_services flags $SYN_ONLY keep state
# Default UDP policy
block in log on $ext_if proto udp all
pass in log quick on $ext_if proto udp from any to $ext_if port 53 keep state
# Default ICMP policy
block in log on $ext_if proto icmp all
pass in inet proto icmp all icmp-type $icmp_types keep state
block out log on $ext_if all
pass out log quick on $ext_if from $ext_if to any keep state
# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <j65nko at gmail.com> wrote:
> On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <pergesu at gmail.com> wrote:
> > I've managed to come up with something that works so far. I am having
> > two problems though.
> >
> > The first is that I can't authenticate for IMAP anymore. No clue why,
> > it just keeps rejecting my password. maillog shows imapd: LOGIN
> > FAILED, that's it.
> >
> > Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
> > block in log on $ext_if proto udp all
> >
> > So all UDP ports should be shown as closed. Doesn't really make any
> > sense to me. Anyone care to help?
> >
> > Thanks for the help so far.
> >
> > Pat
>
> Start with a default policy to block and log all traffic
>
> # --- default policy
> block log from any to any
>
> Now you only have to open ports to let traffic in. If you don't know
> which port to open for a certain protocol, you can run "tcpdump -eni
> pflog0". tcpdump will show which rule blocked, and on which port
> address combination.
>
> =Adriaan=
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
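Adriaan's suggestion is to read the pflog output to see which rule blocked what. As an added example (not part of the thread), this Python script tallies blocked packets per rule, direction, protocol and destination port from a few constructed lines in the shape that "tcpdump -eni pflog0" prints, so the ports that still need a pass rule stand out; the exact output format varies between tcpdump versions, so the regex is an assumption to adjust.

```python
import re
from collections import Counter

# Constructed sample in the shape of "tcpdump -eni pflog0" output.
# Addresses, ports and rule numbers are made up; only the line layout matters.
SAMPLE_PFLOG = """\
rule 2/0(match): block in on fxp0: 203.0.113.7.51922 > 198.51.100.9.443: S 1234:1234(0) win 65535
rule 2/0(match): block in on fxp0: 203.0.113.7.51923 > 198.51.100.9.443: S 1235:1235(0) win 65535
rule 4/0(match): block in on fxp0: 203.0.113.20.40001 > 198.51.100.9.123: udp 48
rule 6/0(match): block out on fxp0: 198.51.100.9.55214 > 192.0.2.53.53: udp 36
rule 2/0(match): block in on fxp0: 203.0.113.7.51924 > 198.51.100.9.22: S 99:99(0) win 65535
"""

# "rule N/M(match): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: <rest>"
# search() rather than match() so a leading timestamp does not break parsing.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)"
)

def parse_pflog_line(line):
    """Return a dict describing one pflog line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # tcpdump prints "udp <len>" for UDP payloads; anything else here is TCP flags.
    rec["proto"] = "udp" if rec["rest"].startswith("udp") else "tcp"
    rec["rule"] = int(rec["rule"])
    rec["dport"] = int(rec["dport"])
    return rec

def summarize_blocks(text):
    """Count blocked packets keyed by (rule, direction, proto, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            counts[(rec["rule"], rec["dir"], rec["proto"], rec["dport"])] += 1
    return counts

if __name__ == "__main__":
    for (rule, direction, proto, port), n in sorted(summarize_blocks(SAMPLE_PFLOG).items()):
        print(f"rule {rule}: blocked {n} {direction} {proto} packet(s) to port {port}")
```

Feed it a live capture with "tcpdump -eni pflog0 | python3 script.py" after replacing SAMPLE_PFLOG with sys.stdin.read(); a destination port that keeps appearing under a block rule is a candidate for a pass rule, or confirmation that the default deny is doing its job.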