Date:      Fri, 18 Feb 2005 00:28:30 -0700
From:      Pat Maddox <pergesu@gmail.com>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Configuring PF
Message-ID:  <810a540e0502172328508f54ff@mail.gmail.com>
In-Reply-To: <19861fba0502171817512ee8bd@mail.gmail.com>
References:  <810a540e050214203221952797@mail.gmail.com> <64a8ad9805021420444eb3ccd2@mail.gmail.com> <810a540e05021420555412f1b0@mail.gmail.com> <42133BFD.1090004@ps102.de> <810a540e05021618183355fc82@mail.gmail.com> <19861fba0502171817512ee8bd@mail.gmail.com>

Can you guys let me know if this looks like a good conf file?  I've
got web, mail, ftp, ssh, and DNS that I need to have open.

# Macros
ext_if="fxp0"
SYN_ONLY="S/FSRA"
tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
icmp_types = "echoreq"

# Default deny
block all

## Filtering rules

# Default TCP policy (protocol names are lowercase, as in /etc/protocols;
# a rule must stay on one line unless continued with a trailing backslash)
block return-rst in log on $ext_if proto tcp all
pass in log quick on $ext_if proto tcp from any to $ext_if port $tcp_services flags $SYN_ONLY keep state

# Default UDP policy
block in log on $ext_if proto udp all
pass in log quick on $ext_if proto udp from any to $ext_if port 53 keep state

# Default ICMP policy
block in log on $ext_if proto icmp all
pass in inet proto icmp all icmp-type $icmp_types keep state

# Outbound: block by default, allow what this host originates
block out log on $ext_if all
pass out log quick on $ext_if from $ext_if to any keep state

# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all



On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <j65nko@gmail.com> wrote:
> On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <pergesu@gmail.com> wrote:
> > I've managed to come up with something that works so far.  I am having
> > two problems though.
> >
> > The first is that I can't authenticate for IMAP anymore.  No clue why,
> > it just keeps rejecting my password.  maillog shows imapd: LOGIN
> > FAILED, that's it.
> >
> > Also, after enabling pf, all my UDP ports show as open.  I've got a ruleset of
> > block in log on $ext_if proto udp all
> >
> > So all UDP ports should be shown as closed.  Doesn't really make any
> > sense to me.  Anyone care to help?
> >
> > Thanks for the help so far.
> >
> > Pat
> 
> Start with a default policy to block and log all traffic
> 
> # --- default policy
> block log from any to any
> 
> Now you only have to open ports to let traffic in. If you don't know
> which port to open for a certain protocol, you can run "tcpdump -eni
> pflog0". tcpdump will show which rule blocked, and on which port
> address combination.
> 
> =Adriaan=



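An added example, not part of the thread or of pf itself: a small Python checker that expands the pf.conf macros from the ruleset above and lists which TCP/UDP ports its "pass in" rules open on a given interface, plus a check that the first filter rule is the catch-all block Adriaan recommends, so the ruleset can be compared with what a port scan of the host reports. The ruleset is embedded with the wrapped tcp rule rejoined onto one line; the regexes cover single ports and { lists } but do not expand a:b port ranges.

```python
import re
# Ruleset from the post above, with the wrapped tcp 'pass in' rule rejoined onto one line.
RULESET = '''
ext_if="fxp0"
SYN_ONLY="S/FSRA"
tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
block all
block return-rst in log on $ext_if proto tcp all
pass in log quick on $ext_if proto tcp from any to $ext_if port $tcp_services flags $SYN_ONLY keep state
block in log on $ext_if proto udp all
pass in log quick on $ext_if proto udp from any to $ext_if port 53 keep state
pass in quick on lo0 all
'''
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')   # name = "value"
REF_RE = re.compile(r'\$(\w+)')                       # $name reference

def expand_macros(text):
    """Return filter rules with comments dropped and $macro references expanded."""
    macros, rules = {}, []
    def expand(s):  # unknown macros are left as-is so they stay visible
        return REF_RE.sub(lambda r: macros.get(r.group(1), r.group(0)), s)
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # '#' starts a comment
        m = MACRO_RE.match(line)
        if m:                                        # values may use earlier macros
            macros[m.group(1)] = expand(m.group(2))
        elif line:
            rules.append(expand(line))
    return rules

def is_default_deny(rules):
    """True when the first filter rule is a catch-all block, as Adriaan advises."""
    if not rules or not rules[0].startswith('block'):
        return False
    rest = ' '.join(w for w in rules[0].split()[1:] if w != 'log')
    return rest in ('all', 'from any to any')

def exposed_ports(text, iface):
    """Map proto -> ports opened by 'pass in' rules that apply to iface."""
    opened = {}
    for rule in expand_macros(text):
        on = re.search(r'\bon\s+(\S+)', rule)        # no 'on' means every interface
        if rule.split()[:2] != ['pass', 'in'] or (on and on.group(1) != iface):
            continue
        proto = re.search(r'\bproto\s+(\w+)', rule)
        port = re.search(r'\bport\s+(\{[^}]*\}|\S+)', rule)   # single port or { list }
        if proto and port:                           # ranges (a:b) are not expanded
            ports = {int(p) for p in re.findall(r'\d+', port.group(1))}
            opened.setdefault(proto.group(1).lower(), set()).update(ports)
    return opened
```

Rules with no "on" keyword count for every interface, matching pf's own semantics; rules without a port (the icmp and lo0 rules) contribute nothing to the port map.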