pf rules
Erik Norgaard
norgaard at locolomo.org
Fri Jan 22 09:45:20 UTC 2010
kalin m wrote:
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
>
> antispoof for eth0 inet
>
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh
To debug pf rules:
- always add direction to the rule, pass or block; add interface to all rules except the default policy; keep state on all pass rules
- group your rules per direction, then per interface
- add log to all rules and watch pflog to see which rule blocks or passes traffic
- use keyword quick for any decisive rule
- check the parsing of your ruleset: pfctl -sr
then come back and ask for help.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
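As an added example (not part of Erik's reply or kalin m's post), the quoted ruleset rewritten along the lines of the checklist above, together with a small POSIX sh/awk linter that flags any pass/block rule missing a direction, an interface, log, or explicit state. The ext_if and udp_in macro names are assumptions, as is the decision to read the original undirected UDP rule as inbound (outbound is already covered by the blanket pass out); the unused ftp_in macro is dropped. Where to put quick is a judgement call the linter does not check. The pfctl/tcpdump commands at the end are the ones run on the FreeBSD box itself; only the linter runs here.

```sh
#!/bin/sh
# Added example for the pf debugging checklist; not code from the thread.
# Constructed copy of the ruleset as posted, for comparison.
ORIG_RULES='tcp_in = "{ www, https }"
ftp_in = "{ ftp }"
udp = "{ domain, ntp }"
ping = "echoreq"

set skip on lo
scrub in

antispoof for eth0 inet

block in all
pass out all keep state
pass proto udp to any port $udp
pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh'

# Same policy, rewritten: every rule has a direction, an interface (except the
# default block), log, and explicit state; rules grouped by direction.
# ext_if/udp_in are assumed names; eth0 comes from the original post.
NEW_RULES='ext_if = "eth0"
tcp_in = "{ www, https }"
udp_in = "{ domain, ntp }"
ping = "echoreq"

set skip on lo
scrub in on $ext_if all

antispoof log quick for $ext_if inet

# default policy: the one rule that carries no interface
block in log all

# inbound on $ext_if: one rule per service, all logged and stateful
pass in log quick on $ext_if inet proto tcp from any to ($ext_if) port $tcp_in flags S/SA synproxy state
pass in log quick on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass in log quick on $ext_if inet proto udp from any to ($ext_if) port $udp_in keep state
pass in log quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type $ping keep state

# outbound on $ext_if
pass out log quick on $ext_if inet all keep state'

# Reads a pf ruleset on stdin, prints one finding per line ("rule N: ...").
# Only pass/block lines are examined; macros, set, scrub, antispoof and
# comments are ignored. A block rule matching "all" with no interface is
# treated as the default policy and exempted from the interface check.
lint_pf_rules() {
    awk '
    /^[ \t]*(pass|block)[ \t]/ {
        rule = $0
        dir = 0; iface = 0; logged = 0; state = 0; defpol = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "in" || $i == "out") dir = 1
            if ($i == "on") iface = 1
            if ($i == "log") logged = 1
            if ($i == "all") defpol = 1
        }
        if (rule ~ /(keep|modulate|synproxy) state/) state = 1
        if (!dir) print "rule " NR ": missing direction (in/out): " rule
        if (!iface && !($1 == "block" && defpol))
            print "rule " NR ": missing interface (on ...): " rule
        if (!logged) print "rule " NR ": missing log: " rule
        if ($1 == "pass" && !state)
            print "rule " NR ": pass rule without explicit state: " rule
    }'
}

# Number of findings for a ruleset on stdin (0 when the linter is silent).
count_pf_findings() {
    lint_pf_rules | awk 'END { print NR }'
}

echo "== findings in the ruleset as posted =="
printf '%s\n' "$ORIG_RULES" | lint_pf_rules
echo "== findings in the rewritten ruleset =="
printf '%s\n' "$NEW_RULES" | lint_pf_rules

# On the FreeBSD host, after saving NEW_RULES as /etc/pf.conf:
#   pfctl -nf /etc/pf.conf          # parse only, report syntax errors
#   pfctl -f /etc/pf.conf           # load the ruleset
#   pfctl -vvsr                     # show loaded rules with rule numbers and counters
#   tcpdump -n -e -ttt -i pflog0    # watch which rule passes or blocks each packet
```

The linter is deliberately literal about Erik's list: it does not judge whether a rule should be quick, only whether the mechanical hygiene (direction, interface, log, state) is present, so that what pflog shows can be traced back to one unambiguous rule.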
More information about the freebsd-questions mailing list