From: Pat Maddox
To: FreeBSD Questions
Date: Fri, 18 Feb 2005 00:28:30 -0700
Subject: Re: Configuring PF

Can you guys let me know if this looks like a good conf file? I've got web, mail, ftp, ssh, and DNS that I need to have open.

# Macros
ext_if="fxp0"
SYN_ONLY="S/FSRA"
tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
icmp_types = "echoreq"

# Default deny
block all

## Filtering rules
# Default TCP policy
block return-rst in log on $ext_if proto TCP all
pass in log quick on $ext_if proto TCP from any to $ext_if port $tcp_services flags $SYN_ONLY keep state

# Default UDP policy
block in log on $ext_if proto udp all
pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state

# Default ICMP policy
block in log on $ext_if proto icmp all
pass in inet proto icmp all icmp-type $icmp_types keep state

block out log on $ext_if all
pass out log quick on $ext_if from $ext_if to any keep state

# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all

On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD wrote:
> On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox wrote:
> > I've managed to come up with something that works so far. I am having
> > two problems though.
> >
> > The first is that I can't authenticate for IMAP anymore. No clue why,
> > it just keeps rejecting my password. maillog shows imapd: LOGIN
> > FAILED, that's it.
> >
> > Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
> > block in log on $ext_if proto udp all
> >
> > So all UDP ports should be shown as closed. Doesn't really make any
> > sense to me. Anyone care to help?
> >
> > Thanks for the help so far.
> >
> > Pat
>
> Start with a default policy to block and log all traffic
>
> # --- default policy
> block log from any to any
>
> Now you only have to open ports to let traffic in. If you don't know
> which port to open for a certain protocol, you can run "tcpdump -eni
> pflog0". tcpdump will show which rule blocked, and on which port
> address combination.
>
> =Adriaan=
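Added example, not Pat's ruleset or Adriaan's: the "block and log everything, then open only what you need" policy Adriaan describes, applied to Pat's services. It assumes fxp0 is the external interface and pflog0 is the pflog device; `block return` is used so that probes to closed UDP ports get an ICMP unreachable instead of being dropped silently, which is why a scanner reports silently dropped UDP ports as open or filtered.

```pf
# Added example ruleset (not from the thread). Assumes ext_if = fxp0.
ext_if = "fxp0"
tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
udp_services = "{ 53 }"
icmp_types = "echoreq"

# Loopback is never filtered.
pass quick on lo0 all

# Default policy: block and log everything, in and out, on every interface.
# "return" answers TCP with a RST and UDP with ICMP port unreachable, so
# unused UDP ports look closed to a scanner rather than open|filtered.
block return log all

# Inbound: open only the listed services. "flags S/SA" accepts only the
# initial SYN; the state entry created by "keep state" handles the rest.
pass in quick on $ext_if inet proto tcp from any to $ext_if \
    port $tcp_services flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to $ext_if \
    port $udp_services keep state
pass in quick on $ext_if inet proto icmp from any to $ext_if \
    icmp-type $icmp_types keep state

# Outbound: let the host itself initiate anything; replies match the state.
pass out quick on $ext_if all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then watch `tcpdump -eni pflog0` while using each service: every line there is a packet the default rule blocked, with the rule number and port that caught it.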