first firewall with pf

Eric Magutu emagutu at gmail.com
Thu Mar 26 07:46:24 PDT 2009


Hi everyone,
Thanks for all your input so far. I have tried to implement all you
suggestions but have gotten stuck. I set up a test machine in the office
with the ip 10.0.0.110  and encountered the following problems:

when I enables antispoofing the firewall didn't work

when I tried allowing the 10.0.0.0 subnet it worked ok but when i tried
connecting from machines on the 172.16 subnet I was unable to connect.

Can you please let me know what I'm doing wrong?


#############
#interfaces #
#############
ext_if="le0"
#ext_if2="bce1"

#####################
#ports to be opened #
#####################

#tcp ports
good_port_tcp="{ 80, 110, 143, 161, 443, 873 }"
#udp ports
good_port_udp="{ 161, 873  }"

##########################
#block all other traffic #
##########################

# should be the first rule

block in on $ext_if all

################
#anti-spoofing #
################

#traffic can't come in on your IP's
#antispoof quick for { lo0 $ext_if $ext_if2 } inet

#############################################
#allow all connections from and to loopback #
#############################################

pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

########################################################
#allow all connections out through external interfaces #
########################################################

pass out quick on $ext_if  all keep state


##############
#Blocked ips #
##############
#put ips or ip blocks as below
badguys="{ 192.168.1.100, 192.160.1.2, 192.168.200.0/24 }"

block in quick on $ext_if from $badguys

############################
#smtp connections allowed  #
############################

#European servers
pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25
keep state

#American
pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25
keep state

#from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.0/27 to 10.0.0.110 port 25
keep state


###################################
# pass traffic from allowed ports #
###################################


#pass traffic from allowed tcp ports
pass in on $ext_if inet proto tcp from any to 10.0.0.110 port $good_port_tcp
keep state

#pass traffic from allowed udp ports
pass in on $ext_if inet proto tcp from any to 10.0.0.110 port $good_port_tcp
keep state

##########################################
# allow connections from NMC and servers #
##########################################

#my ip
pass in quick on $ext_if inet proto { tcp, udp, icmp } from 10.0.0.58 to
10.0.0.110 keep state

#172.16.0.0/12 are the ips NMC access with
pass in on $ext_if inet proto { tcp, udp, icmp } from 172.16.0.0/8 to
10.0.0.110 keep state


##################
# enable logging #
##################

block in log on $ext_if

# to view log run command below
#tcpdump -n -e -ttt -i pflog0

##################################################
#for any questions contact me#
##################################################



On Tue, Mar 24, 2009 at 8:00 PM, Michael K. Smith - Adhost <
mksmith at adhost.com> wrote:

> I also forgot to mention:
>
> You should probably log your block rule so that you can see what's going on
> if things don't work as expected.
>
> So:
>
> block in log on $ext_if
>
> Note the lack of "quick" as well, as previously mentioned.
>
> With logging enabled, provided you have pflog running (which you should),
> you can use the following to see what's being blocked.
>
> tcpdump -n -e -ttt -i pflog0  (provided pflog0 is your pflog interface).
>
> Regards,
>
> Mike
>



-- 
Regards,
Eric Magutu


More information about the freebsd-questions mailing list