Configuring PF

J65nko BSD j65nko at gmail.com
Fri Feb 18 12:39:16 GMT 2005


On Fri, 18 Feb 2005 00:28:30 -0700, Pat Maddox <pergesu at gmail.com> wrote:
> Can you guys let me know if this looks like a good conf file?  I've
> got web, mail, ftp, ssh, and DNS that I need to have open.
> 
> # Macros
> ext_if="fxp0"
> SYN_ONLY="S/FSRA"
> tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
> icmp_types = "echoreq"
> 
> # Default deny
> block all
> 
> ## Filtering rules
> 
> # Default TCP policy
> block return-rst in log on $ext_if proto TCP all

This block rule is not needed; you already have a "default deny policy".

> pass in log quick on $ext_if proto TCP from any to $ext_if port $tcp_services flags $SYN_ONLY keep state
> 
> # Default UDP policy
> block in log on $ext_if proto udp all

This block rule is not needed; you already have a "default deny policy".

> pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state
> 
> # Default ICMP policy
> block in log on $ext_if proto icmp all

This block rule is not needed; you already have a "default deny policy".

> pass in inet proto icmp all icmp-type echoreq keep state
> 
> block out log on $ext_if all

This block rule is not needed; you already have a "default deny policy".

> pass out log quick on $ext_if from $ext_if to any keep state
> 
> # Allow the local interface to talk unrestricted
> pass in quick on lo0 all
> pass out quick on lo0 all
> 
> 
> On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <j65nko at gmail.com> wrote:
> > On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <pergesu at gmail.com> wrote:
> > > I've managed to come up with something that works so far.  I am having
> > > two problems though.
> > >
> > > The first is that I can't authenticate for IMAP anymore.  No clue why,
> > > it just keeps rejecting my password.  maillog shows imapd: LOGIN
> > > FAILED, that's it.
> > >
> > > Also, after enabling pf, all my UDP ports show as open.  I've got a ruleset of
> > > block in log on $ext_if proto udp all
> > >
> > > So all UDP ports should be shown as closed.  Doesn't really make any
> > > sense to me.  Anyone care to help?
> > >
> > > Thanks for the help so far.
> > >
> > > Pat
> >
> > Start with a default policy to block and log all traffic
> >
> > # --- default policy
> > block log from any to any
> >
> > Now you only have to open ports to let traffic in. If you don't know
> > which port to open for a certain protocol, you can run "tcpdump -eni
> > pflog0". tcpdump will show which rule blocked, and on which port
> > address combination.
> >
> >
How about this?
# ------- pf.conf skeleton for server
# j65nko freebsdforums.org
#
# --------------- MACRO Section  -----------------

EXT_IF="fxp0"

PING = "echoreq"

# --- allowed incoming services initiated by clients 

TCP_IN = "{ ssh, smtp, pop3, imap, http, https }"
#UDP_IN = "{ domain }"

# --- allowed services initiated by server            

TCP_OUT = "{ smtp }"
UDP_OUT = "{ domain }"

# ------------------ TABLE Section -------------- 

# ------------------ OPTIONS Section
set loginterface $EXT_IF

# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
# ---------- TRANSLATION Section (NAT/RDR)

# ---------- FILTER section

# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE 

# --- TCP 
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

# --- ICMP 
#pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state


# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE 

# --- TCP 
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

# --- ICMP 
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

# ----------------- end of pf.conf

 =Adriaan=


More information about the freebsd-questions mailing list