Configuring PF
J65nko BSD
j65nko at gmail.com
Fri Feb 18 12:39:16 GMT 2005
On Fri, 18 Feb 2005 00:28:30 -0700, Pat Maddox <pergesu at gmail.com> wrote:
> Can you guys let me know if this looks like a good conf file? I've
> got web, mail, ftp, ssh, and DNS that I need to have open.
>
> # Macros
> ext_if="fxp0"
> SYN_ONLY="S/FSRA"
> tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
> icmp_types = "echoreq"
>
> # Default deny
> block all
>
> ## Filtering rules
>
> # Default TCP policy
> block return-rst in log on $ext_if proto TCP all
This block rule is not needed; you already have a "default deny policy".
> pass in log quick on $ext_if proto TCP from any to $ext_if port $tcp_services flags $SYN_ONLY keep state
>
> # Default UDP policy
> block in log on $ext_if proto udp all
This block rule is not needed; you already have a "default deny policy".
> pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state
>
> # Default ICMP policy
> block in log on $ext_if proto icmp all
This block rule is not needed; you already have a "default deny policy".
> pass in inet proto icmp all icmp-type echoreq keep state
>
> block out log on $ext_if all
This block rule is not needed; you already have a "default deny policy".
> pass out log quick on $ext_if from $ext_if to any keep state
>
> # Allow the local interface to talk unrestricted
> pass in quick on lo0 all
> pass out quick on lo0 all
>
>
> On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <j65nko at gmail.com> wrote:
> > On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <pergesu at gmail.com> wrote:
> > > I've managed to come up with something that works so far. I am having
> > > two problems though.
> > >
> > > The first is that I can't authenticate for IMAP anymore. No clue why,
> > > it just keeps rejecting my password. maillog shows imapd: LOGIN
> > > FAILED, that's it.
> > >
> > > Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
> > > block in log on $ext_if proto udp all
> > >
> > > So all UDP ports should be shown as closed. Doesn't really make any
> > > sense to me. Anyone care to help?
> > >
> > > Thanks for the help so far.
> > >
> > > Pat
> >
> > Start with a default policy to block and log all traffic
> >
> > # --- default policy
> > block log from any to any
> >
> > Now you only have to open ports to let traffic in. If you don't know
> > which port to open for a certain protocol, you can run "tcpdump -eni
> > pflog0". tcpdump will show which rule blocked, and on which port/address
> > combination.
> >
> >
How about this?
# ------- pf.conf skeleton for server
# j65nko freebsdforums.org
#
# --------------- MACRO Section -----------------
EXT_IF="fxp0"
PING = "echoreq"
# --- allowed incoming services initiated by clients
TCP_IN = "{ ssh, smtp, pop3, imap, http, https }"
#UDP_IN = "{ domain }"
# --- allowed services initiated by server
TCP_OUT = "{ smtp }"
UDP_OUT = "{ domain }"
# ------------------ TABLE Section --------------
# ------------------ OPTIONS Section
set loginterface $EXT_IF
# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
# ---------- TRANSLATION Section (NAT/RDR)
# ---------- FILTER section
# --- DEFAULT POLICY
block log all
# --- LOOPBACK
pass quick on lo0 all
# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state
# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state
# --- ICMP
#pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state
# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state
# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state
# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state
# ----------------- end of pf.conf
=Adriaan=
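As an added example that is not part of this thread or of anyone's posted ruleset: a small POSIX shell function that summarizes the "tcpdump -eni pflog0" output the earlier reply recommends, so you can see at a glance which destination ports the "block log all" default policy is dropping and decide what to open. The log lines in SAMPLE_LOG are constructed for this example (addresses from the documentation ranges), and the field layout it parses is assumed to be the "rule N/M(match): block in on IF: SRC.SPORT > DST.DPORT:" prefix that tcpdump prints for pflog when given -e; only IPv4 lines are handled.

```shell
#!/bin/sh
# Summarize which ports pf's "block log all" rule is dropping, from the text
# that "tcpdump -eni pflog0" prints.  Constructed example, not from the
# thread; assumes the pflog prefix layout
#   rule N/M(match): block in on fxp0: SRC.SPORT > DST.DPORT: ...
# and only looks at IPv4 lines.

# Constructed sample of tcpdump -eni pflog0 output (documentation addresses).
SAMPLE_LOG='12:39:16.000001 rule 0/0(match): block in on fxp0: 198.51.100.7.51234 > 203.0.113.5.111: S 1:1(0) win 65535
12:39:17.000002 rule 0/0(match): block in on fxp0: 198.51.100.7.51235 > 203.0.113.5.111: S 2:2(0) win 65535
12:39:18.000003 rule 0/0(match): block in on fxp0: 198.51.100.9.40000 > 203.0.113.5.123: udp 48
12:39:19.000004 rule 0/0(match): block out on fxp0: 203.0.113.5.60000 > 198.51.100.2.443: S 3:3(0) win 65535
12:39:20.000005 rule 3/0(match): pass in on fxp0: 198.51.100.7.51236 > 203.0.113.5.22: S 4:4(0) win 65535'

# summarize_blocked: read pflog text on stdin, print one line per
# "rule direction interface dst-port" with a hit count, sorted.
# Logged "pass" matches are skipped; only blocks matter when deciding
# which ports still need a pass rule.
summarize_blocked() {
    awk '
    / block / && /\(match\)/ {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i > NF) next                                 # not a pflog prefix line
        rule = $(i + 1); sub(/\(match\):?$/, "", rule)   # "0/0(match):" -> "0/0"
        dir  = $(i + 3)                                  # "in" or "out"
        ifc  = $(i + 5); sub(/:$/, "", ifc)              # "fxp0:" -> "fxp0"
        dst  = $(i + 8); sub(/:$/, "", dst)              # "203.0.113.5.111:" -> "203.0.113.5.111"
        n = split(dst, a, ".")                           # last dotted component is the port
        port = a[n]
        hits[rule " " dir " " ifc " " port]++
    }
    END { for (k in hits) print k, hits[k] }
    ' | LC_ALL=C sort
}

# Run the summary over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
}

demo
```

On a live server, capture the log to a file first ("tcpdump -eni pflog0 > pflog.txt", then "summarize_blocked < pflog.txt"), since the awk only prints its totals once the input ends. Each output line reads "rule direction interface port count"; with the skeleton above, rule 0/0 is the "block log all" default policy, so a high count on an "in" port you meant to serve means that port is missing from TCP_IN or UDP_IN.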