Date: Tue, 24 Mar 2009 19:09:18 +0300
From: Eric Magutu <emagutu@gmail.com>
To: "Michael K. Smith - Adhost" <mksmith@adhost.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: first firewall with pf
Message-ID: <e9cb8190903240909kadc8bb1p25c260e524d6dc56@mail.gmail.com>
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031605B42800@ad-exh01.adhost.lan>
References: <e9cb8190903240747k714e6d52p9bc8939189c18c14@mail.gmail.com> <17838240D9A5544AAA5FF95F8D52031605B42800@ad-exh01.adhost.lan>
Hi Mike,

I will make the changes; there is no internal interface though. Yes, I meant SMTP. Thanks for your input.

On Tue, Mar 24, 2009 at 6:56 PM, Michael K. Smith - Adhost <mksmith@adhost.com> wrote:

> Hello:
>
> <snip>
>
> > #############
> > #interfaces #
> > #############
> > ext_if="bce0"
> > ext_if2="bce1"
>
> I would also define your inside interface(s), not just your outside. Let's
> call it "bce2" for the example:
>
> int_if="bce2"
>
> <snip>
>
> > #############################################
> > #allow all connections from and to loopback #
> > #############################################
> >
> > pass in quick on lo0 all keep state
> > pass out quick on lo0 all keep state
>
> You might want to add anti-spoofing as well (can't come in on your IPs):
>
> antispoof quick for { lo $ext_if $ext_if2 } inet
>
> > ########################################################
> > #allow all connections out through external interfaces #
> > ########################################################
>
> You can shorten these (as below):
>
> > pass out quick on $ext_if all keep state
> > pass out quick on $ext_if2 all keep state
>
> pass out quick on { $ext_if $ext_if2 $int_if }
>
> Also, add an inbound allow for your inside interface, unless you want to
> block things more granularly.
>
> pass in quick on $int_if
>
> <snip>
>
> > ############################
> > #smtp connections allowed #
> > ############################
>
> Did you mean SSH? If you meant SMTP you should change 22 to 25.
>
> > #a.b.c.d is the server's ip
> > #Euro servers
> > pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
> >
> > #American servers
> > pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
> >
> > #from the old iptables???
> > pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep state
> >
> > ###################################
> > # pass traffic from allowed ports #
> > ###################################
> >
> > #pass traffic from allowed tcp ports
> > pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
> >
> > #pass traffic from allowed udp ports
> > pass in quick on $ext_if inet proto udp from any to a.b.c.d port $good_port_udp keep state
> >
> > ##########################################
> > # allow connections from NMC and servers #
> > ##########################################
>
> I would limit ICMP to echo-request from the outside.
>
> pass in quick on { $ext_if $ext_if2 } proto icmp from x.x.x.x/12 to a.b.c.d icmp-type { echoreq trace }
>
> > #x.x.x.x/12 are the internal ips NMC access with
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to a.b.c.d keep state
> >
> > #x.x.x.x/24 are the ips for the other European servers
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
> >
> > #x.x.x.x/24 are the ips for the American servers
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
> >
> > ##########################
> > #block all other traffic #
> > ##########################
> >
> > # should be last rule
> >
> > block in quick on $ext_if all
>
> Should be first as previously discussed.
>
> Regards,
>
> Mike

-- 
Regards,
Eric Magutu
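The ruleset below is an added example, not part of the thread, assembling Mike's review points (inside interface, antispoof, shortened pass-out rules, port 25 for SMTP, ICMP limited to echo requests, default deny placed first) into one pf.conf. The interface names, the `$good_port_*` macro contents and the x.x.x.x / a.b.c.d addresses are placeholders carried over from the thread; the trailing comment explains why the default-deny rule loses its `quick` when it moves to the top.

```pf
# Added example: Eric's ruleset with Mike's suggestions applied.
# Interface names, macro contents and addresses are placeholders.
ext_if="bce0"
ext_if2="bce1"
int_if="bce2"                 # inside interface (assumed name, per Mike)
srv="a.b.c.d"                 # the server's IP (placeholder from the thread)
nmc_net="x.x.x.x/12"          # NMC access range (placeholder)
eu_net="x.x.x.x/24"           # European servers (placeholder)
us_net="x.x.x.x/24"           # American servers (placeholder)
good_port_tcp="{ 80, 443 }"   # assumed contents; the original macro was snipped
good_port_udp="{ 123 }"       # assumed contents

# Loopback is trusted: equivalent to the pass in/out quick on lo0 pair.
set skip on lo0

# Default deny first, WITHOUT "quick": pf is last-match-wins, so every
# later "pass ... quick" rule overrides this for the traffic it names,
# while anything no pass rule matches falls back to this block.
# "block in quick" as the first rule would stop evaluation immediately
# and block everything, which is why the original placed it last.
block in on { $ext_if $ext_if2 } all

# Anti-spoofing: drop packets arriving on an interface that claim a
# source address belonging to that interface's own network.
antispoof quick for { lo0 $ext_if $ext_if2 } inet

# Outbound is open on every interface; state is kept by default on
# current pf, written explicitly here for older versions.
pass out quick on { $ext_if $ext_if2 $int_if } all keep state

# Inside interface is allowed in; tighten later if needed.
pass in quick on $int_if all keep state

# SMTP (port 25, not 22) from the peer mail servers only.
pass in quick on $ext_if inet proto tcp from { $eu_net $us_net } \
    to $srv port 25 keep state

# Publicly reachable services by protocol-specific port lists.
pass in quick on $ext_if inet proto tcp from any to $srv \
    port $good_port_tcp keep state
pass in quick on $ext_if inet proto udp from any to $srv \
    port $good_port_udp keep state

# ICMP from the management range limited to echo request and traceroute.
pass in quick on { $ext_if $ext_if2 } inet proto icmp from $nmc_net \
    to $srv icmp-type { echoreq, trace } keep state

# Management and peer networks get tcp/udp without the icmp catch-all.
pass in quick on $ext_if inet proto { tcp, udp } \
    from { $nmc_net $eu_net $us_net } to $srv keep state
```

Load with `pfctl -nf /etc/pf.conf` first to parse without activating, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules in evaluation order so you can confirm the block rule sits at the top.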