Date: Fri, 18 Feb 2005 00:28:30 -0700 From: Pat Maddox <pergesu@gmail.com> To: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: Configuring PF Message-ID: <810a540e0502172328508f54ff@mail.gmail.com> In-Reply-To: <19861fba0502171817512ee8bd@mail.gmail.com> References: <810a540e050214203221952797@mail.gmail.com> <64a8ad9805021420444eb3ccd2@mail.gmail.com> <810a540e05021420555412f1b0@mail.gmail.com> <42133BFD.1090004@ps102.de> <810a540e05021618183355fc82@mail.gmail.com> <19861fba0502171817512ee8bd@mail.gmail.com>
Can you guys let me know if this looks like a good conf file? I've got
web, mail, ftp, ssh, and DNS that I need to have open.

# Macros
ext_if="fxp0"
SYN_ONLY="S/FSRA"
tcp_services="{ 21, 22, 25, 53, 80, 143 }"
icmp_types="echoreq"

# Default deny
block all

## Filtering rules

# Default TCP policy (protocol names are lower case, as listed in /etc/protocols)
block return-rst in log on $ext_if proto tcp all
pass in log quick on $ext_if proto tcp from any to $ext_if port $tcp_services flags $SYN_ONLY keep state

# Default UDP policy
block in log on $ext_if proto udp all
pass in log quick on $ext_if proto udp from any to $ext_if port 53 keep state

# Default ICMP policy
block in log on $ext_if proto icmp all
pass in inet proto icmp all icmp-type $icmp_types keep state

# Outbound: block by default, allow traffic originating from this host
block out log on $ext_if all
pass out log quick on $ext_if from $ext_if to any keep state

# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all

On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <j65nko@gmail.com> wrote:
> On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <pergesu@gmail.com> wrote:
> > I've managed to come up with something that works so far. I am having
> > two problems though.
> >
> > The first is that I can't authenticate for IMAP anymore. No clue why,
> > it just keeps rejecting my password. maillog shows imapd: LOGIN
> > FAILED, that's it.
> >
> > Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
> > block in log on $ext_if proto udp all
> >
> > So all UDP ports should be shown as closed. Doesn't really make any
> > sense to me. Anyone care to help?
> >
> > Thanks for the help so far.
> >
> > Pat
>
> Start with a default policy to block and log all traffic
>
> # --- default policy
> block log from any to any
>
> Now you only have to open ports to let traffic in. If you don't know
> which port to open for a certain protocol, you can run "tcpdump -eni
> pflog0". tcpdump will show which rule blocked, and on which port
> address combination.
>
> =Adriaan=
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
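Adriaan's advice above is to watch "tcpdump -eni pflog0" and read off which rule blocked which address/port combination. The script below is an added example, not part of the thread, that does that bookkeeping for you: it parses lines in the shape tcpdump prints for the pflog interface and tallies blocked packets by rule number, direction, protocol and destination port, so a noisy log collapses into the handful of ports you still need a pass rule for. The log lines are constructed for the example (RFC 5737 documentation addresses), and the line format is the common FreeBSD tcpdump layout; adjust PFLOG_RE if your tcpdump prints something different.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample in the shape of `tcpdump -eni pflog0` output; these
# lines are made up for the example and are not captured traffic.
SAMPLE_PFLOG = """\
00:01:02.000001 rule 0/0(match): block in on fxp0: 203.0.113.5.40123 > 192.0.2.10.123: UDP, length 48
00:01:02.000002 rule 0/0(match): block in on fxp0: 203.0.113.5.40124 > 192.0.2.10.123: UDP, length 48
00:01:03.000003 rule 2/0(match): block in on fxp0: 198.51.100.7.51000 > 192.0.2.10.8080: Flags [S], seq 1, win 65535, length 0
00:01:04.000004 rule 3/0(match): pass in on fxp0: 198.51.100.9.52000 > 192.0.2.10.22: Flags [S], seq 2, win 65535, length 0
00:01:05.000005 rule 0/0(match): block out on fxp0: 192.0.2.10.33434 > 203.0.113.77.33434: UDP, length 32
"""

# One pflog record: timestamp, "rule N/0(match):", action, direction,
# interface, "src.sport > dst.dport:" and the protocol-specific remainder.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/\d+\(match\):\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\S+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)


def parse_pflog_line(line: str) -> Optional[dict]:
    """Return a dict for one pflog match line, or None for anything else
    (tcpdump banners, truncated lines, unsupported address families)."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    # tcpdump prints TCP as "Flags [...]", UDP as "UDP, length N",
    # ICMP as "ICMP ..."; anything else is lumped together.
    if rest.startswith("Flags"):
        rec["proto"] = "tcp"
    elif rest.startswith("UDP"):
        rec["proto"] = "udp"
    elif rest.startswith("ICMP"):
        rec["proto"] = "icmp"
    else:
        rec["proto"] = "other"
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize_blocked(text: str) -> Counter:
    """Count blocked packets keyed by (rule number, direction, proto, dport).
    Passed packets are skipped: they already have a rule that lets them through."""
    counts: Counter = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            counts[(rec["rule"], rec["dir"], rec["proto"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    # Typical use: tcpdump -eni pflog0 | python3 this_script.py  (read stdin)
    # Here the constructed sample stands in for the pipe.
    for (rule, direction, proto, dport), n in summarize_blocked(SAMPLE_PFLOG).most_common():
        print(f"rule {rule:>3}  block {direction:<3} {proto:<5} dport {dport:<5}  x{n}")
```

The rule number in "rule N/0" is the position pf reports for the matching rule; "pfctl -vvsr" lists the loaded rules with the same "@N" numbering, so each summary line maps straight back to the block rule that fired. Two blocked UDP/123 hits and one TCP/8080 hit in the sample would tell you to decide about NTP and that extra web port, while the outbound UDP/33434 entry is the kind of traceroute noise a default "block out log" produces.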
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?810a540e0502172328508f54ff>