What is your favourite/best firewall on FreeBSD and why?

Lucius Rizzo Lucius.Rizzo at the.ie
Sat May 24 05:57:55 UTC 2014


* David Noel <david.i.noel at gmail.com> [2014-05-24 00:31]:
> On 5/23/14, David Noel <david.i.noel at gmail.com> wrote:
> > On 5/20/14, Lucius Rizzo <Lucius.Rizzo at the.ie> wrote:
> >> If you use any of the firewalls, and have interesting
> >> or even optimized rule sets, I would really like to see them :)
> >
> > I'll post them shortly.
> >
> 
> Let me know if I missed anything.

Thank you! This actually helps. I have a set of IPFilter rules that I
plunk on my FreeBSD servers running in the cloud. I use IPFilter with
sshguard-ipfilter. (See attached.)

Seems like the consensus is that pf is perhaps the best choice moving forward.

-- 

|     _o    _ |_)o_ _  _  
|_|_|(_||_|_> | \|/_/_(_) - Lucius.Tel
--------------------------------------
++ Your digestive system is your body's Fun House, whereby food goes on a long, ++
++ dark, scary ride, taking all kinds of unexpected twists and turns, being ++
++ attacked by vicious secretions along the way, and not knowing until the last ++
++ minute whether it will be turned into a useful body part or ejected into the ++
++ Dark Hole by Mister Sphincter.  We Americans live in a nation where the ++
++ medical-care system is second to none in the world, unless you count maybe ++
++ 25 or 30 little scuzzball countries like Scotland that we could vaporize in ++
++ seconds if we felt like it. ++
++  		-- Dave Barry, "Stay Fit & Healthy Until You're Dead" ++
-------------- next part --------------
# IPFilter rules (ipf.conf) for vtnet0: the last matching rule wins unless a rule says 'quick'
# default policy: everything may go out; inbound traffic is allowed unless a later rule blocks it
pass out quick from any to any
pass in from any to any
# drop ICMP redirects, short (fragmented) TCP/UDP packets and packets carrying IP options
block in log quick on vtnet0 proto icmp from any to any icmp-type redir
block in log quick on vtnet0 proto tcp/udp all with short
block in log quick on vtnet0 from any to any with ipopts
# anti-spoofing: private, loopback and invalid source addresses never arrive on the outside interface
block in log quick on vtnet0 from 192.168.4.0/24 to any
block in log quick on vtnet0 from localhost to any
block in log quick on vtnet0 from 0.0.0.0/32 to any
block in log quick on vtnet0 from 255.255.255.255/32 to any
#
# UDP: block by default (logging sunrpc and NFS probes), then allow only DNS and talk
block in on vtnet0 proto udp from any to any
block in log on vtnet0 proto udp from any to any port = sunrpc
block in log on vtnet0 proto udp from any to any port = 2049
pass in on vtnet0 proto udp from any to any port = domain
pass in on vtnet0 proto udp from any to any port = talk
pass in on vtnet0 proto udp from any to any port = ntalk
#
# TCP: reject new inbound connections (SYN without ACK) with a RST and log them,
# except ident (auth) probes, which are rejected without logging to keep the log quiet
block return-rst in log on vtnet0 proto tcp from any to any flags S/SA
block return-rst in on vtnet0 proto tcp from any to any port = auth flags S/SA
# allow inbound connections to the unprivileged range (active-mode FTP data channels)
pass in on vtnet0 proto tcp from any to any port 1024 >< 5000
pass in on vtnet0 proto tcp from any port = ftp-data to any port 1024 >< 5000
# services offered to the world (proto tcp made explicit; port tests apply to TCP/UDP only)
pass in quick proto tcp from any to any port = smtp
pass in quick proto tcp from any to any port = www
pass in quick proto tcp from any to any port = ssh
pass in quick proto tcp from any to any port = 443

##sshguard-begin##
##sshguard-end##
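Added here as an example, not part of the original post: a toy evaluator, in Python, for the subset of IPFilter syntax the attached rules use, so a ruleset like this one can be checked offline for what it actually admits under ipf's last-match-wins-unless-quick semantics. It embeds six of the posted rules in their original order (the sshguard section is dynamic and left out); the interface vtnet0 and the ports come from the post, while the probe addresses are made up.

```python
# Added example, not from the post: a toy evaluator for the IPFilter syntax subset in the attached rules.
import ipaddress
SERVICES = {"ssh": 22, "domain": 53}  # names used in the subset below; real ipf reads /etc/services

def port_spec(t, i):  # t[i] is the first token after 'port'; 'A >< B' excludes both ends
    return (("eq", SERVICES.get(t[i + 1]) or int(t[i + 1])) if t[i] == "="
            else ("range", int(t[i]), int(t[i + 2])))

def parse_rule(line):
    t = line.split()
    r = {"action": t[0], "quick": "quick" in t, "syn": "S/SA" in t,  # S/SA: SYN set, ACK clear
         "dir": t[2] if t[1] == "return-rst" else t[1], "iface": t[t.index("on") + 1] if "on" in t else None,
         "proto": set(t[t.index("proto") + 1].split("/")) if "proto" in t else None}
    for kw, addr, port in (("from", "src", "sport"), ("to", "dst", "dport")):
        i = t.index(kw)  # every rule in the subset spells out 'from ... to ...'
        r[addr] = t[i + 1]
        r[port] = port_spec(t, i + 3) if t[i + 2:i + 3] == ["port"] else None
    return r

def addr_ok(spec, ip):  # 'any', a host address or a CIDR block
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_ok(spec, port):  # no port test: always ok; a port test on a portless packet: no match
    if spec is None or port is None:
        return spec is None
    return port == spec[1] if spec[0] == "eq" else spec[1] < port < spec[2]

def matches(r, p):  # p: dict with dir, iface, proto, src, dst and optional sport/dport/syn
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"]) and (not r["syn"] or p.get("syn", False))
            and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and port_ok(r["sport"], p.get("sport")) and port_ok(r["dport"], p.get("dport")))

def verdict(rules, p):
    result = "pass"  # ipf passes a packet that matches no rule at all
    for r in (r for r in rules if matches(r, p)):  # last match wins ...
        result = "pass" if r["action"] == "pass" else "block"  # return-rst still blocks
        if r["quick"]:  # ... unless a matching rule is 'quick'
            break
    return result

RULES = [parse_rule(l) for l in """block in log quick on vtnet0 from 192.168.4.0/24 to any
block in on vtnet0 proto udp from any to any
pass in on vtnet0 proto udp from any to any port = domain
block return-rst in log on vtnet0 proto tcp from any to any flags S/SA
pass in on vtnet0 proto tcp from any to any port 1024 >< 5000
pass in quick from any to any port = ssh""".splitlines()]

def probe(proto, dport, src="203.0.113.9", syn=True):  # inbound on vtnet0; addresses are made up
    return verdict(RULES, dict(dir="in", iface="vtnet0", proto=proto, src=src,
                               dst="198.51.100.1", dport=dport, syn=syn))
```

Probing `probe("tcp", 3000)` shows the cost of the ftp-data range rule: any new inbound TCP connection to a port between 1024 and 5000 is passed, not only FTP data channels.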