FreeBSD firewall configuration
freebsd at edvax.de
Mon Apr 10 19:37:58 UTC 2017
Re-including list, hope that's okay.
On Mon, 10 Apr 2017 09:34:16 +0200, Miha Smrekar wrote:
> OK, with that rule I have successfully connected to my computer through
> PuTTY on SSH connection on 1024 port. I've done the same with ports 80 and
Excellent. It all follows the same idea.
> Will those 3 rules be enough to block all the traffic on other ports, or do
> I have to block all other ports?
Depending on the firewall's configuration - "default to accept"
or "default to deny", you're probably safe when you explicitly
block everything first, and then define what you intendedly want
pass in quick on $ext_if inet proto tcp from any to $ext_if port 1024 keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 443 keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 keep state
This is what your configuration will probably look like.
> Can you also help me with the rule to forward incoming trafic to other
You first need to put
into /etc/sysctl.conf and make this change active (read: reboot or
manually call "service sysctl restart").
Now you can do something like this in your pf.conf:
# "port" is only valid with proto tcp or udp, so the protocol has to be named
pass in on $ext_if inet proto tcp from $ext_if:network to $int_if:network port 1024 keep state
pass out on $int_if inet proto tcp from $ext_if:network to $int_if:network port 1024 keep state
This for example would forward port 1024 traffic from the external
interface to the internal one. It's easy to define which one is which
using variables like ext_if and int_if for the actual network interfaces
(see "ifconfig -a" to check).
I also recommend this article for more inspiration:
This is where I constructed the example from. ;-)
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
More information about the freebsd-questions
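A complete /etc/pf.conf that puts the pieces of the reply above together (default deny, the three service rules, a port forward from the external to the internal interface) is shown here as an added example; it is not the poster's configuration and not from the article the reply refers to. It assumes em0 is the external interface, em1 the internal one, 192.168.1.0/24 the internal network and 192.168.1.10 the internal host that should receive port 1024; check "ifconfig -a" for the real names. It also goes beyond the reply in one respect: the forward is done with a rdr (redirect) rule, which rewrites the destination address before filtering, rather than with plain pass rules, because a pass rule on its own only lets already-routed traffic through and does not send packets addressed to the firewall to another host. The reply uses port 1024 both for the firewall's own sshd and for the forward; one port on one address can only do one of the two, so this example forwards 1024 and keeps 80 and 443 on the firewall itself.

```pf
# /etc/pf.conf - added example, not the original poster's file.
# Assumed names: em0/em1 as external/internal interface, 192.168.1.0/24 as the
# internal network, 192.168.1.10 as the host behind the firewall that gets
# port 1024. Adjust to the output of "ifconfig -a".
ext_if   = "em0"
int_if   = "em1"
int_net  = "192.168.1.0/24"
fwd_host = "192.168.1.10"
fwd_port = "1024"
# Services the firewall itself answers on the external interface.
fw_tcp_services = "{ 80, 443 }"

set skip on lo0
scrub in all

# Translation rules come before filter rules in pf.conf (pfctl enforces the
# order). Rewrite the destination of port 1024 traffic arriving on the
# external address to the internal host; the filter rules below then see
# the rewritten destination.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $fwd_port -> $fwd_host port $fwd_port

# Default to deny: everything not explicitly passed below is dropped.
# Inbound drops are logged (pflog0) so refused connections can be inspected.
block in log all
block out all

# Drop packets whose source address could not have arrived on that interface.
antispoof quick for { $ext_if $int_if }

# 1. Services on the firewall itself (the three rules from the reply,
#    minus 1024, which is forwarded instead).
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $fw_tcp_services keep state

# 2. Connections the firewall originates (DNS, updates, outbound ssh ...).
pass out quick on $ext_if inet keep state

# 3. The forwarded port: inbound on the external interface after rdr, and
#    outbound on the internal interface towards the target host.
pass in  quick on $ext_if inet proto tcp from any to $fwd_host port $fwd_port keep state
pass out quick on $int_if inet proto tcp from any to $fwd_host port $fwd_port keep state

# 4. The internal network may reach the outside through the firewall; the
#    state entry also lets the replies back in.
pass in  quick on $int_if inet from $int_net to any keep state
pass out quick on $ext_if inet from $int_net to any keep state
```

Forwarding packets from one interface to the other is done by the kernel, not by pf, so the sysctl the reply mentions is needed as well: net.inet.ip.forwarding=1 in /etc/sysctl.conf (FreeBSD also turns it on when gateway_enable="YES" is set in /etc/rc.conf). Before loading the file, check it with "pfctl -nf /etc/pf.conf", which parses the rules without applying them; then "pfctl -f /etc/pf.conf" or "service pf reload" activates it, and "pfctl -sr" and "pfctl -ss" show the loaded rules and the current state table. Leaving 1024 in fw_tcp_services as well would not make both work: the rdr rule rewrites the destination first, so the firewall's own sshd would never see the connection.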