Stumped with pf.conf

Odhiambo Washington wash at wananchi.com
Tue Feb 22 12:50:02 GMT 2005 

I am a newbie to PF, running on FreeBSD 5.3-STABLE.
I would like some critique of the following pf.conf, which I am using,
but which appears to have a loophole! Some folk is accessing my port
8080, which I am thinking I have only opened to 62.8.64.0/19.

I must be missing something critical!

<quote pf.conf>
#freebsd nat/firewall box

ext_if="vr0" # replace with actual external interface name i.e., dc0
int_if="fxp0" # replace with actual internal interface name i.e., dc1

tcp_services = "{ 21, 22, 25, 53, 80, 110, 443, 465, 995, 8020, 8180 }"
icmp_types = "{ 8, 11 }"

internal_net="192.168.50.0/24"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

## OPTIONS - network settings
# use 'return' instead of 'drop' if you wish to return responses to connection
# attempts, 'drop' is the same as the 'blackhole' sysctl option
set timeout { frag 15, interval 5 }
set limit { frags 2500, states 5000 }
set optimization aggressive
set block-policy return
set loginterface $ext_if
scrub in all

#rdr

# nat
nat on $ext_if from $internal_net to any -> ($ext_if)

# Filtering: The good stuff.
block in on $ext_if all

# stuff to block but not log because it's irritating
block in quick on $ext_if proto {tcp, udp} from any to any port {67, 68}
block in quick on $ext_if proto {tcp, udp} from any port {67, 68} to any

# because these should never appear on a public internet interface
block in quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets

block in log quick on $ext_if inet proto tcp from any to any flags S/SAFR

# loopback stuff is good!
pass in quick on lo0 all

# allow our services
pass in on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from 62.8.64.0/19 to any flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state

#pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

</end quote>





-Wash

http://www.netmeister.org/news/learn2quote.html

--
+======================================================================+
    |\      _,,,---,,_     | Odhiambo Washington    <wash at wananchi.com>
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)     | GSM: +254 722 743223   +254 733 744121
+======================================================================+
Arbitrary systems, pl.n.:
	Systems about which nothing general can be said, save "nothing
general can be said."

More information about the freebsd-pf mailing list