From owner-freebsd-questions@FreeBSD.ORG Fri Feb 18 12:39:16 2005
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <19861fba050218043979cfcf38@mail.gmail.com>
Date: Fri, 18 Feb 2005 13:39:14 +0100
From: J65nko BSD
Reply-To: J65nko BSD
To: FreeBSD Questions
Subject: Re: Configuring PF
In-Reply-To: <810a540e0502172328508f54ff@mail.gmail.com>
References: <810a540e050214203221952797@mail.gmail.com>
 <64a8ad9805021420444eb3ccd2@mail.gmail.com>
 <810a540e05021420555412f1b0@mail.gmail.com>
 <42133BFD.1090004@ps102.de>
 <810a540e05021618183355fc82@mail.gmail.com>
 <19861fba0502171817512ee8bd@mail.gmail.com>
 <810a540e0502172328508f54ff@mail.gmail.com>
Content-Type: text/plain; charset=US-ASCII
List-Id: User questions
X-BeenThere: freebsd-questions@freebsd.org
X-List-Received-Date: Fri, 18 Feb 2005 12:39:16 -0000
On Fri, 18 Feb 2005 00:28:30 -0700, Pat Maddox wrote:
> Can you guys let me know if this looks like a good conf file?  I've
> got web, mail, ftp, ssh, and DNS that I need to have open.
>
> # Macros
> ext_if="fxp0"
> SYN_ONLY="S/FSRA"
> tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
> icmp_types = "echoreq"
>
> # Default deny
> block all
>
> ## Filtering rules
>
> # Default TCP policy
> block return-rst in log on $ext_if proto TCP all

This block rule is not needed, you already have a "default deny policy".

> pass in log quick on $ext_if proto TCP from any to $ext_if port
> $tcp_services flags $SYN_ONLY keep state
>
> # Default UDP policy
> block in log on $ext_if proto udp all

This block rule is not needed, you already have a "default deny policy".

> pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state
>
> # Default ICMP policy
> block in log on $ext_if proto icmp all

This block rule is not needed, you already have a "default deny policy".

> pass in inet proto icmp all icmp-type echoreq keep state
>
> block out log on $ext_if all

This block rule is not needed, you already have a "default deny policy".

> pass out log quick on $ext_if from $ext_if to any keep state
>
> # Allow the local interface to talk unrestricted
> pass in quick on lo0 all
> pass out quick on lo0 all
>
>
> On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD wrote:
> > On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox wrote:
> > > I've managed to come up with something that works so far.  I am having
> > > two problems though.
> > >
> > > The first is that I can't authenticate for IMAP anymore.  No clue why,
> > > it just keeps rejecting my password.  maillog shows imapd: LOGIN
> > > FAILED, that's it.
> > >
> > > Also, after enabling pf, all my UDP ports show as open.  I've got a ruleset of
> > > block in log on $ext_if proto udp all
> > >
> > > So all UDP ports should be shown as closed.  Doesn't really make any
> > > sense to me.  Anyone care to help?
> > >
> > > Thanks for the help so far.
> > >
> > > Pat
> >
> > Start with a default policy to block and log all traffic
> >
> > # --- default policy
> > block log from any to any
> >
> > Now you only have to open ports to let traffic in.  If you don't know
> > which port to open for a certain protocol, you can run "tcpdump -eni
> > pflog0".  tcpdump will show which rule blocked, and on which port
> > address combination.
> >
> > How about this?

# ------- pf.conf skeleton for server
# j65nko freebsdforums.org
#
# --------------- MACRO Section -----------------
EXT_IF="fxp0"
PING = "echoreq"

# --- allowed incoming services initiated by clients
TCP_IN = "{ ssh, smtp, pop3, imap, http, https }"
#UDP_IN = "{ domain }"

# --- allowed services initiated by server
TCP_OUT = "{ smtp }"
UDP_OUT = "{ domain }"

# ------------------ TABLE Section --------------

# ------------------ OPTIONS Section
set loginterface $EXT_IF

# --------- TRAFFIC NORMALIZATION ----------------
scrub in all

# ---------- TRANSLATION Section (NAT/RDR)

# ---------- FILTER section
# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state
# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state
# --- ICMP
#pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state
# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state
# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state
# ----------------- end of pf.conf

=Adriaan=
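As an added example (not part of the thread): with "block log all" as the default policy, the advice above is to read "tcpdump -eni pflog0" to see which rule dropped what. This Python script tallies such output per rule, direction, interface and destination port, so the missing pass rule stands out. The sample lines are constructed in the classic tcpdump print style; the text tcpdump prints after the endpoints varies by version, so the protocol guess and the IPv4-only endpoint parsing are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the style of "tcpdump -eni pflog0" (not a real capture):
# a default "block log all" rule dropping IMAP, DNS, outbound SMTP and a ping.
SAMPLE_PFLOG = """\
12:01:02.123456 rule 0/0(match): block in on fxp0: 192.0.2.10.51234 > 198.51.100.5.143: S 1:1(0) win 65535
12:01:03.223456 rule 0/0(match): block in on fxp0: 192.0.2.10.51235 > 198.51.100.5.143: S 2:2(0) win 65535
12:01:04.323456 rule 0/0(match): block in on fxp0: 192.0.2.44.1034 > 198.51.100.5.53: 4321+ A? example.org. (29)
12:01:05.423456 rule 0/0(match): block out on fxp0: 198.51.100.5.49152 > 203.0.113.9.25: S 3:3(0) win 65535
12:01:06.523456 rule 0/0(match): block in on fxp0: 192.0.2.77 > 198.51.100.5: icmp: echo request
"""

# "<ts> rule N/M(match): block in on IF: SRC > DST: <rest>"  (IPv4 endpoints assumed)
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>[^:\s]+):\s*(?P<rest>.*)$"
)

def split_host_port(endpoint):
    """'198.51.100.5.143' -> ('198.51.100.5', 143); a bare IPv4 address -> (host, None)."""
    host, sep, port = endpoint.rpartition(".")
    if sep and port.isdigit() and host.count(".") == 3:
        return host, int(port)
    return endpoint, None

def guess_proto(rest):
    """Assumed heuristic: classify from the summary tcpdump prints after the endpoints."""
    if rest.startswith("icmp"):
        return "icmp"
    if re.match(r"(Flags \[|[SFRP.]+\s)", rest):  # TCP flag summary, old or new style
        return "tcp"
    return "udp"

def summarize_pflog(lines):
    """Count blocked packets per (rule, direction, interface, proto, dst port)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "block":
            continue
        _, dport = split_host_port(m["dst"])
        counts[(int(m["rule"]), m["dir"], m["iface"], guess_proto(m["rest"]), dport)] += 1
    return counts

def report(counts):
    """One line per blocked (rule, dir, iface, proto, port), busiest first."""
    return [f"rule {r} {d} on {i}: {p} port {'-' if port is None else port}: {n} packet(s)"
            for (r, d, i, p, port), n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(report(summarize_pflog(SAMPLE_PFLOG.splitlines()))))
```

In the sample, the two blocked SYNs to port 143 are exactly the IMAP logins the thread is chasing; run it as "tcpdump -eni pflog0 | python3 pflog_summary.py" after replacing the sample with sys.stdin.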