Date: Fri, 18 Feb 2005 13:39:14 +0100
From: J65nko BSD <j65nko@gmail.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Configuring PF
Message-ID: <19861fba050218043979cfcf38@mail.gmail.com>
In-Reply-To: <810a540e0502172328508f54ff@mail.gmail.com>
References: <810a540e050214203221952797@mail.gmail.com> <64a8ad9805021420444eb3ccd2@mail.gmail.com> <810a540e05021420555412f1b0@mail.gmail.com> <42133BFD.1090004@ps102.de> <810a540e05021618183355fc82@mail.gmail.com> <19861fba0502171817512ee8bd@mail.gmail.com> <810a540e0502172328508f54ff@mail.gmail.com>
On Fri, 18 Feb 2005 00:28:30 -0700, Pat Maddox <pergesu@gmail.com> wrote:
> Can you guys let me know if this looks like a good conf file? I've
> got web, mail, ftp, ssh, and DNS that I need to have open.
>
> # Macros
> ext_if="fxp0"
> SYN_ONLY="S/FSRA"
> tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
> icmp_types = "echoreq"
>
> # Default deny
> block all
>
> ## Filtering rules
>
> # Default TCP policy
> block return-rst in log on $ext_if proto TCP all

This block rule is not needed, you already have a "default deny policy".

> pass in log quick on $ext_if proto TCP from any to $ext_if port
> $tcp_services flags $SYN_ONLY keep state
>
> # Default UDP policy
> block in log on $ext_if proto udp all

This block rule is not needed, you already have a "default deny policy".

> pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state
>
> # Default ICMP policy
> block in log on $ext_if proto icmp all

This block rule is not needed, you already have a "default deny policy".

> pass in inet proto icmp all icmp-type echoreq keep state
>
> block out log on $ext_if all

This block rule is not needed, you already have a "default deny policy".

> pass out log quick on $ext_if from $ext_if to any keep state
>
> # Allow the local interface to talk unrestricted
> pass in quick on lo0 all
> pass out quick on lo0 all
>
>
> On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <j65nko@gmail.com> wrote:
> > On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <pergesu@gmail.com> wrote:
> > > I've managed to come up with something that works so far. I am having
> > > two problems though.
> > >
> > > The first is that I can't authenticate for IMAP anymore. No clue why,
> > > it just keeps rejecting my password. maillog shows imapd: LOGIN
> > > FAILED, that's it.
> > >
> > > Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
> > > block in log on $ext_if proto udp all
> > >
> > > So all UDP ports should be shown as closed. Doesn't really make any
> > > sense to me. Anyone care to help?
> > >
> > > Thanks for the help so far.
> > >
> > > Pat
> >
> > Start with a default policy to block and log all traffic
> >
> > # --- default policy
> > block log from any to any
> >
> > Now you only have to open ports to let traffic in. If you don't know
> > which port to open for a certain protocol, you can run "tcpdump -eni
> > pflog0". tcpdump will show which rule blocked, and on which port
> > address combination.
> >
> > How about this?

# ------- pf.conf skeleton for server
# j65nko freebsdforums.org
#
# --------------- MACRO Section -----------------
EXT_IF="fxp0"
PING = "echoreq"

# --- allowed incoming services initiated by clients
TCP_IN = "{ ssh, smtp, pop3, imap, http, https }"
#UDP_IN = "{ domain }"

# --- allowed services initiated by server
TCP_OUT = "{ smtp }"
UDP_OUT = "{ domain }"

# ------------------ TABLE Section --------------

# ------------------ OPTIONS Section
set loginterface $EXT_IF

# --------- TRAFFIC NORMALIZATION ----------------
scrub in all

# ---------- TRANSLATION Section (NAT/RDR)

# ---------- FILTER section

# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

# --- ICMP
#pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

# ----------------- end of pf.conf

=Adriaan=
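To see why the reply calls those four per-protocol block rules redundant, here is an added example that is not code from the thread and not pf itself: a small Python model of pf's rule evaluation (the last matching rule wins, unless a matching rule carries `quick`, which ends evaluation there) run over Pat's ruleset with and without the extra block rules. The value `fxp0` for `$ext_if` and the sample packets are assumptions constructed for the example, and the model ignores addresses, TCP flags, ICMP types and state tracking, so it only reproduces the pass/block verdicts that depend on rule order.

```python
"""Toy model of pf(4) rule evaluation (an added example, not code from the
thread).  Only block/pass, in/out, quick, 'on <if>', 'proto' and 'port' are
modelled; addresses, tcp flags, icmp types and state are ignored.  The macro
value and the sample packets are constructed for the example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
MACROS = {"$ext_if": "fxp0"}  # assumed value of the thread's ext_if macro

@dataclass(frozen=True)
class Packet:
    direction: str             # "in" or "out"
    iface: str                 # interface crossed, e.g. "fxp0"
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                # "block" or "pass"
    direction: Optional[str]   # None: both directions
    iface: Optional[str]       # None: any interface
    proto: Optional[str]       # None: any protocol
    ports: Optional[FrozenSet[int]]  # None: any destination port
    quick: bool

def parse_rule(line: str) -> Rule:
    """Parse one simplified filter rule; keywords not modelled are skipped."""
    toks = line.replace("{", " { ").replace("}", " } ").split()
    direction = iface = proto = ports = None
    quick, i = False, 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            direction = tok
        elif tok == "quick":
            quick = True
        elif tok == "on":
            i += 1
            iface = MACROS.get(toks[i], toks[i])
        elif tok == "proto":
            i += 1
            proto = toks[i].lower()
        elif tok == "port":
            i += 1
            if toks[i] == "{":  # brace list such as { 21, 22, 25 }
                end = toks.index("}", i)
                ports = frozenset(int(t.rstrip(",")) for t in toks[i + 1:end])
                i = end
            else:
                ports = frozenset({int(toks[i])})
        i += 1
    return Rule(toks[0], direction, iface, proto, ports, quick)

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.ports is None or pkt.dport in rule.ports))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation there.  No match at all means pass."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else "pass"

# Pat's ruleset from the thread (macros expanded by hand, lo0 rules omitted).
ORIGINAL = """block all
block return-rst in log on $ext_if proto tcp all
pass in log quick on $ext_if proto tcp from any to $ext_if port { 21, 22, 25, 53, 80, 143 } flags S/FSRA keep state
block in log on $ext_if proto udp all
pass in log quick on $ext_if proto udp from any to $ext_if port 53 keep state
block in log on $ext_if proto icmp all
pass in inet proto icmp all icmp-type echoreq keep state
block out log on $ext_if all
pass out log quick on $ext_if from $ext_if to any keep state
"""
# Same ruleset with only the default-policy block kept, then without it.
TRIMMED = "\n".join(ln for ln in ORIGINAL.splitlines()
                    if ln == "block all" or not ln.startswith("block"))
NO_DEFAULT = TRIMMED.replace("block all", "")

# Constructed sample packets on the external interface.
SAMPLE_PACKETS = [
    Packet("in", "fxp0", "tcp", 22),    # ssh to the server
    Packet("in", "fxp0", "tcp", 8080),  # tcp port nobody opened
    Packet("in", "fxp0", "udp", 53),    # dns query
    Packet("in", "fxp0", "udp", 161),   # udp probe to a closed port
    Packet("in", "fxp0", "icmp"),       # ping
    Packet("out", "fxp0", "tcp", 25),   # server delivering mail
]

def decisions(ruleset: str, packets=SAMPLE_PACKETS) -> List[str]:
    lines = (ln.strip() for ln in ruleset.splitlines())
    rules = [parse_rule(ln) for ln in lines if ln and not ln.startswith("#")]
    return [evaluate(rules, p) for p in packets]
```

`decisions(ORIGINAL)` and `decisions(TRIMMED)` give the same verdict for every sample packet, which is the point of the reply: once `block all` is the first rule, a later `block in ... proto udp all` changes nothing. `decisions(NO_DEFAULT)` passes the TCP 8080 and UDP 161 probes, because pf passes a packet that matches no rule at all, so the single default-policy line is what makes the ruleset default-deny. On the earlier UDP observation: a plain `block` drops silently, so a closed UDP port sends back no ICMP port-unreachable and a port scanner typically reports it as open|filtered rather than closed; only `block return` answers with the unreachable.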
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19861fba050218043979cfcf38>