From: Eric Magutu <emagutu@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 24 Mar 2009 17:47:36 +0300
Subject: first firewall with pf
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I am converting some systems from Linux to FreeBSD and I'm new to pf. I wanted to run this on a live system but I'm not sure if everything is correct. Can you please advise me if it would work and if there is anything I need to add or remove to make it work. I have written the following pf.conf:

########
#Tests #
########
#check syntax of rules without loading them
# pfctl -nf /etc/pf.conf
#check syntax and print the parsed rules, still without loading them
# pfctl -nvf /etc/pf.conf

#############
#interfaces #
#############
ext_if="bce0"
ext_if2="bce1"

#####################
#ports to be opened #
#####################
#tcp ports
good_port_tcp="{ 22, 80, 110, 143, 161, 443, 873, 3306, 40555 }"
#udp ports
good_port_udp="{ 161, 873 }"

#############################################
#allow all connections from and to loopback #
#############################################
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

########################################################
#allow all connections out through external interfaces #
########################################################
pass out quick on $ext_if all keep state
pass out quick on $ext_if2 all keep state

##############
#Blocked ips #
##############
# 1.2.3.4 is the ip you want to block
block in quick on $ext_if inet from 1.2.3.4 to any
# 1.2.3.4/24 is the ip range you want to block
block in quick on $ext_if inet from 1.2.3.4/24 to any

############################
#smtp connections allowed #
############################
#a.b.c.d is the server's ip
#Euro servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
#American servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
#from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep state

###################################
# pass traffic from allowed ports #
###################################
#pass traffic from allowed tcp ports
pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
#pass traffic from allowed udp ports
pass in quick on $ext_if inet proto udp from any to a.b.c.d port $good_port_udp keep state

##########################################
# allow connections from NMC and servers #
##########################################
#x.x.x.x/12 are the internal ips NMC access with
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to a.b.c.d keep state
#x.x.x.x/24 are the ips for the other European servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
#x.x.x.x/24 are the ips for the American servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state

##########################
#block all other traffic #
##########################
# should be last rule
block in quick on $ext_if all

##################################################
#for any questions contact Eric#
##################################################

-- 
Regards,
Eric Magutu
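The ruleset above has two properties worth calling out before it goes on a live box. pf passes anything that matches no rule, and the only inbound block is on $ext_if, so $ext_if2 accepts every inbound packet. Also, because every rule carries "quick", the order of the pass rules is what decides what gets in, and a future rule placed after the final block will never match. The configuration below is an added example, not the original poster's config or anything from the FreeBSD project: it keeps the same interfaces, server address, port lists and placeholder networks (bce0, bce1, a.b.c.d, x.x.x.x/nn and 1.2.3.4 are carried over as placeholders, and the macro names are invented here), but starts from a default-deny on every interface so that a missing rule fails closed instead of open. The explicit "keep state" is kept for clarity; on the pf shipped with FreeBSD 7.x it is already the default for pass rules.

```pf
# Added example (not from the original post): default-deny rewrite of the
# posted ruleset. All addresses are placeholders carried over from the post.
ext_if="bce0"
ext_if2="bce1"
srv_ip="a.b.c.d"

# Constructed placeholder networks (assumption: fill in the real prefixes).
nmc_net="x.x.x.x/12"
euro_net="x.x.x.x/24"
us_net="x.x.x.x/24"
euro_ssh="x.x.x.x/26"
us_ssh="x.x.x.x/26"
old_ssh="x.x.x.x/27"
bad_hosts="{ 1.2.3.4, 1.2.3.0/24 }"

good_port_tcp="{ 22, 80, 110, 143, 161, 443, 873, 3306, 40555 }"
good_port_udp="{ 161, 873 }"

# Loopback is not filtered at all.
set skip on lo0

# Default deny, inbound and outbound, on every interface. Everything that is
# not explicitly passed below is dropped and logged to pflog0.
block in log all
block out log all

# Blocked hosts are dropped first on both interfaces, before any pass rule
# could match them.
block in quick on { $ext_if, $ext_if2 } inet from $bad_hosts to any

# The host may open connections out on either interface.
pass out quick on { $ext_if, $ext_if2 } all keep state

# Management network and peer servers reach the server over tcp/udp/icmp.
pass in quick on $ext_if inet proto { tcp, udp, icmp } \
    from { $nmc_net, $euro_net, $us_net } to $srv_ip keep state

# SSH from the European and American server ranges.
pass in quick on $ext_if inet proto tcp \
    from { $euro_ssh, $us_ssh, $old_ssh } to $srv_ip port 22 keep state

# Public services: tcp and udp use their own port lists.
pass in quick on $ext_if inet proto tcp from any to $srv_ip port $good_port_tcp keep state
pass in quick on $ext_if inet proto udp from any to $srv_ip port $good_port_udp keep state

# Nothing is passed in on $ext_if2, so the initial "block in log all" applies
# to it. Add pass rules for it deliberately rather than relying on the default.
```

Parse it with pfctl -nf /etc/pf.conf before loading; pfctl -nvf prints the expanded rules so you can see how the macros and lists were unrolled. When loading over SSH, the common way to avoid locking yourself out is to schedule a disable first and cancel it once the new rules are confirmed working, for example (sleep 90 && pfctl -d) & then pfctl -f /etc/pf.conf, and kill the sleep after your session survives. After loading, pfctl -sr shows the active rules and tcpdump -n -e -ttt -i pflog0 shows what the block rules are dropping.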