Date: Fri, 22 Jan 2010 18:31:51 +0800
From: Fbsd1 <fbsd1@a1poweruser.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: pf rules
Message-ID: <4B597E97.7060807@a1poweruser.com>
In-Reply-To: <4B5973AD.8070603@locolomo.org>
References: <4B594FC0.3010200@el.net> <4B5973AD.8070603@locolomo.org>
Erik Norgaard wrote:
> kalin m wrote:
>> tcp_in = "{ www, https }"
>> ftp_in = "{ ftp }"
>> udp = "{ domain, ntp }"
>> ping = "echoreq"
>>
>> set skip on lo
>> scrub in
>>
>> antispoof for eth0 inet
>>
>> block in all
>> pass out all keep state
>> pass proto udp to any port $udp
>> pass inet proto icmp all icmp-type $ping keep state
>> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
>> pass proto tcp to any port ssh
>
> To debug pf rules:
>
> - always add direction to the rule, pass or block, add interface to all
>   rules except default policy, keep state on all pass rules
> - group your rules per direction, then per interface
> - add log to all rules and watch pflog to see which rule blocks or
>   passes traffic.
> - use keyword quick for any decisive rule
> - check the parsing of your ruleset, pfctl -sr
>
> then come back and ask for help.
>
> BR, Erik
>

See sample pf firewall rules in the manual
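As an added illustration, not written by anyone in this thread, here is kalin's ruleset restructured along the lines of Erik's checklist (direction and interface on every rule, state on every pass rule, log everywhere, quick on decisive rules, grouped by direction and interface). It assumes the external interface is em0, which is an assumption; the original used eth0.

```pf
# Added example: kalin's rules reworked per Erik's checklist.
ext_if = "em0"              # assumption: FreeBSD interface name; the original used eth0
tcp_in = "{ www, https }"
udp    = "{ domain, ntp }"
ping   = "echoreq"

set skip on lo
scrub in on $ext_if all

# spoofed source addresses are dropped before any other rule is evaluated
antispoof log quick for $ext_if inet

# default policy: no interface, as Erik notes; logged so pflog shows what it drops
block in log all
pass out log all keep state

# inbound on $ext_if, one rule per service, quick so the first match decides
pass in log quick on $ext_if inet proto udp to any port $udp keep state
pass in log quick on $ext_if inet proto icmp icmp-type $ping keep state
pass in log quick on $ext_if inet proto tcp to any port $tcp_in \
    flags S/SAF synproxy state
pass in log quick on $ext_if inet proto tcp to any port ssh \
    flags S/SA keep state

# Checks (run as root):
#   pfctl -nf /etc/pf.conf              parse only, nothing is loaded
#   pfctl -f /etc/pf.conf && pfctl -sr  load, then print the rules as pf sees them
#   tcpdump -n -e -ttt -i pflog0        watch which rule passes or blocks each packet
```

Every matched packet now carries the rule number in pflog output, so a blocked connection can be traced to the exact line without guessing.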