Configuring PF

Pat Maddox pergesu at
Fri Feb 18 07:28:32 GMT 2005

Can you guys let me know if this looks like a good conf file?  I've
got web, mail, ftp, ssh, and DNS that I need to have open.

# Macros
# ext_if must also be defined here with the name of the external
# interface; that definition was not included in the post.
SYN_ONLY = "S/SA"
tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
icmp_types = "echoreq"

# Default deny
block all

## Filtering rules

# Default TCP policy
block return-rst in log on $ext_if proto tcp all
pass in log quick on $ext_if proto tcp from any to $ext_if port $tcp_services flags $SYN_ONLY keep state

# Default UDP policy
block in log on $ext_if proto udp all
pass in log quick on $ext_if proto udp from any to $ext_if port 53 keep state

# Default ICMP policy
block in log on $ext_if proto icmp all
pass in inet proto icmp all icmp-type $icmp_types keep state

# Default outbound policy
block out log on $ext_if all
pass out log quick on $ext_if from $ext_if to any keep state

# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all

On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <j65nko at> wrote:
> On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <pergesu at> wrote:
> > I've managed to come up with something that works so far.  I am having
> > two problems though.
> >
> > The first is that I can't authenticate for IMAP anymore.  No clue why,
> > it just keeps rejecting my password.  maillog shows imapd: LOGIN
> > FAILED, that's it.
> >
> > Also, after enabling pf, all my UDP ports show as open.  I've got a ruleset of
> > block in log on $ext_if proto udp all
> >
> > So all UDP ports should be shown as closed.  Doesn't really make any
> > sense to me.  Anyone care to help?
> >
> > Thanks for the help so far.
> >
> > Pat
> Start with a default policy to block and log all traffic
> # --- default policy
> block log from any to any
> Now you only have to open ports to let traffic in. If you don't know
> which port to open for a certain protocol, you can run "tcpdump -eni
> pflog0". tcpdump will show which rule blocked, and on which port
> address combination.
> =Adriaan=
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at"
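The two recurring problems in this thread are macros that are referenced but never defined and the lack of a catch-all block rule. The following Python check is an added example, not code from the thread: it expands macros in a pf.conf fragment, reports undefined `$names`, and confirms a default-deny rule is present. The embedded ruleset is a constructed copy of the one posted above; the authoritative check remains `pfctl -nf /etc/pf.conf` on the firewall itself.

```python
"""Added example (not from the thread): an offline sanity check for a pf.conf
fragment. It expands macros, flags $names used but never defined (the posted
ruleset uses $ext_if and $SYN_ONLY this way) and checks for the default-deny
rule Adriaan recommends. The authoritative check is still pfctl -nf on the host."""
import re

# Constructed copy of the ruleset as posted, macro definitions as posted.
POSTED_CONF = """\
tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
icmp_types = "echoreq"
block all
block return-rst in log on $ext_if proto tcp all
pass in log quick on $ext_if proto tcp from any to $ext_if port $tcp_services flags $SYN_ONLY keep state
block in log on $ext_if proto udp all
pass in quick on lo0 all
"""

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"?(.*?)"?$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
DEFAULT_DENY = re.compile(r'block( drop| return)?( log)?( all| from any to any)')

def parse_conf(text):
    """Split pf.conf text into a macro table and the remaining rule lines."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
        else:
            rules.append(line)
    return macros, rules

def undefined_macros(macros, rules):
    """Names referenced as $name in rules but never defined, sorted."""
    used = {n for rule in rules for n in MACRO_REF.findall(rule)}
    return sorted(used - set(macros))

def expand(rule, macros):
    """Substitute defined macros into one rule; undefined ones stay as $name."""
    return MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), rule)

def lint(text):
    """Collect the findings a reviewer would want before loading the file."""
    macros, rules = parse_conf(text)
    return {"undefined_macros": undefined_macros(macros, rules),
            "default_deny": any(DEFAULT_DENY.fullmatch(r) for r in rules),
            "rules": [expand(r, macros) for r in rules]}
```

Running `lint(POSTED_CONF)` reports `SYN_ONLY` and `ext_if` as undefined; prepending definitions for both makes the report empty and shows the fully expanded rules.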

More information about the freebsd-questions mailing list