new firewall config

Greg Hennessy Greg.Hennessy at nviz.net
Wed Dec 16 11:50:20 UTC 2009


s/block all/block log all/ 

Or debug will come back and bite you. 


Regards

Greg


-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On Behalf Of David Mehler
Sent: 16 December 2009 12:59 AM
To: freebsd-pf at freebsd.org
Subject: new firewall config

Hello,
I'm writing a new firewall for an 8.0 machine. It's a gateway box; it
runs an ftp proxy, dhcp and dns services, and ntp. It also routes.
Other than that it should block everything else. I've got the rules
below, and since they work I'm wondering if they're as efficient as
they can be, or if there are any holes in them.
Comments appreciated.
Thanks.
Dave.

# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.

ext_if="em0"	# replace with actual external interface name i.e., dc0
int_if="em1"	# replace with actual internal interface name i.e., dc1
internal_net="192.168.5.0/24"
tcp_services="{ ftp-data, ftp, ssh, domain, http, pop3, https, 1503, 1863, 3389, 5999, 7001, 8000, 8080 }"
udp_services="{ 9, domain, bootps, ntp, 7001 }"
icmp_types = "echoreq"

set optimization normal
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0

scrub in all

nat on $ext_if from $internal_net to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 \
         port 8021

antispoof for $ext_if
antispoof for $int_if

block all
anchor "ftp-proxy/*"
pass out proto tcp from 127.0.0.1 to any port 21 keep state
pass quick inet proto tcp to any port $tcp_services flags S/SA keep state
pass quick inet proto { tcp, udp } to any port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass inet proto icmp all icmp-type unreach code needfrag keep state

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass inet proto udp from any to any \
             port 33433 >< 33626 keep state
_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
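As an added illustration that is not from either poster: Dave's ruleset with Greg's `block log all`, and with each pass rule tied to an interface and a direction, since a pf rule with no `in`/`out` and no `on` matches every interface in both directions, including inbound on the external interface. Interface names, the internal network and the port lists are Dave's; the rest is assumed.

```pf
# Added illustration, not from either poster: Dave's ruleset with Greg's
# "block log all", and with the pass rules bound to an interface and a
# direction. Interfaces, network and port lists are Dave's; the rest is assumed.
ext_if="em0"
int_if="em1"
internal_net="192.168.5.0/24"
tcp_services="{ ftp-data, ftp, ssh, domain, http, pop3, https, 1503, 1863, 3389, 5999, 7001, 8000, 8080 }"
udp_services="{ 9, domain, bootps, ntp, 7001 }"
icmp_types="echoreq"

set block-policy return
set skip on lo0
scrub in all

nat on $ext_if from $internal_net to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

antispoof log for $ext_if
antispoof log for $int_if

# Default deny, logged: every dropped packet is copied to pflog0, so
# "tcpdump -n -e -ttt -i pflog0" shows what the policy is rejecting when
# something "doesn't work" (needs pflog_enable="YES" in rc.conf).
block log all
anchor "ftp-proxy/*"

# ftp-proxy's own control connections to remote servers, as in the original
pass out proto tcp from 127.0.0.1 to any port ftp keep state

# Internal side only: LAN clients reaching the Internet or the gateway's
# own dns/dhcp/ntp. "from any" is kept for udp so DHCP requests sent from
# 0.0.0.0 still match. Nothing here opens these ports on $ext_if inbound.
pass in quick on $int_if inet proto tcp from $internal_net to any port $tcp_services flags S/SA keep state
pass in quick on $int_if inet proto udp from any to any port $udp_services keep state

# External side, outbound only: the gateway's own traffic plus forwarded
# LAN traffic, which needs a pass rule here as well after NAT.
pass out quick on $ext_if inet proto tcp to any port $tcp_services flags S/SA keep state
pass out quick on $ext_if inet proto udp to any port $udp_services keep state

# ICMP echo and PMTU discovery, unchanged from the original
pass inet proto icmp all icmp-type $icmp_types keep state
pass inet proto icmp all icmp-type unreach code needfrag keep state

# traceroute(8) default range (33434+64*3-1), outbound only
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch pflog0 while exercising each service from the LAN to see which rule, if any, still rejects something.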