first firewall with pf
Michael K. Smith - Adhost
mksmith at adhost.com
Tue Mar 24 09:14:19 PDT 2009
Hello:
<snip>
> #############
> #interfaces #
> #############
> ext_if="bce0"
> ext_if2="bce1"
>
I would also define your inside interface(s), not just your outside. Let's call it "bce2" for the example:
int_if="bce2"
<snip>
>
> #############################################
> #allow all connections from and to loopback #
> #############################################
>
> pass in quick on lo0 all keep state
> pass out quick on lo0 all keep state
>
You might want to add anti-spoofing as well (can't come in on your IPs):
antispoof quick for { lo $ext_if $ext_if2 } inet
> ########################################################
> #allow all connections out through external interfaces #
> ########################################################
>
You can shorten these (as below):
> pass out quick on $ext_if all keep state
> pass out quick on $ext_if2 all keep state
pass out quick on { $ext_if $ext_if2 $int_if }
Also, add an inbound allow for your inside interface, unless you want to block things more granularly.
pass in quick on $int_if
<snip>
>
> ############################
> #smtp connections allowed #
> ############################
>
Did you mean SSH? If you meant SMTP you should change 22 to 25.
> #a.b.c.d is the server's ip
> #Euro servers
> pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
>
> #American servers
> pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
>
> #from the old iptables???
> pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep state
>
>
> ###################################
> # pass traffic from allowed ports #
> ###################################
>
>
> #pass traffic from allowed tcp ports
> pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
>
> #pass traffic from allowed udp ports
> pass in quick on $ext_if inet proto udp from any to a.b.c.d port $good_port_udp keep state
>
> ##########################################
> # allow connections from NMC and servers #
> ##########################################
>
I would limit ICMP to echo-request from the outside:
pass in quick on { $ext_if $ext_if2 } proto icmp from x.x.x.x/12 to a.b.c.d icmp-type { echoreq trace }
> #x.x.x.x/12 are the internal ips NMC access with
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to a.b.c.d keep state
>
> #x.x.x.x/24 are the ips for the other European servers
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
>
> #x.x.x.x/24 are the ips for the American servers
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
>
>
> ##########################
> #block all other traffic #
> ##########################
>
> # should be last rule
>
> block in quick on $ext_if all
Should be first as previously discussed.
Regards,
Mike
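A consolidated pf.conf that applies the points raised in the reply (inside interface, anti-spoofing, shortened pass-out rules, SSH on 22, a UDP rule that actually says udp, ICMP limited to echo request, default deny at the top). This is an added example, not the poster's file or Mike's; the interface names, the placeholder addresses and the port lists are assumptions. The leading block rule is written without "quick" so that the "pass ... quick" rules after it can still match.

```pf
# Added example, not the original ruleset. Addresses and port lists are placeholders.
ext_if="bce0"
ext_if2="bce1"
int_if="bce2"
srv_ip="a.b.c.d"              # the server's own address (placeholder)
nmc_net="x.x.x.x/12"          # NMC management range (placeholder)
euro_net="x.x.x.x/26"         # European servers (placeholder)
us_net="x.x.x.x/26"           # American servers (placeholder)
good_port_tcp="{ 80, 443 }"   # constructed example values
good_port_udp="{ 53, 123 }"   # constructed example values

# Default deny first. No "quick" here, so the quick pass rules below override it
# and anything they do not match stays blocked.
block in all

# Drop packets arriving on the wrong interface with one of our own source
# addresses (spoofed) before any pass rule can see them.
antispoof quick for { lo0 $ext_if $ext_if2 } inet

# Loopback is fully trusted.
pass in quick on lo0 all
pass out quick on lo0 all

# Inside interface: allow everything for now (tighten later if needed).
pass in quick on $int_if

# Outbound on every interface in one rule; pf keeps state by default.
pass out quick on { $ext_if $ext_if2 $int_if }

# SSH (port 22, not SMTP) only from the known management and server networks.
pass in quick on $ext_if proto tcp from { $nmc_net $euro_net $us_net } to $srv_ip port 22

# Public services by port list; the UDP rule uses proto udp and the UDP list.
pass in quick on $ext_if inet proto tcp from any to $srv_ip port $good_port_tcp
pass in quick on $ext_if inet proto udp from any to $srv_ip port $good_port_udp

# ICMP from the monitoring and peer networks only, limited to echo request and traceroute.
pass in quick on { $ext_if $ext_if2 } inet proto icmp from { $nmc_net $euro_net $us_net } to $srv_ip icmp-type { echoreq trace }
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`.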