From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 16:09:20 2009
Date: Tue, 24 Mar 2009 19:09:18 +0300
From: Eric Magutu <emagutu@gmail.com>
To: "Michael K. Smith - Adhost" <mksmith@adhost.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: first firewall with pf
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031605B42800@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D52031605B42800@ad-exh01.adhost.lan>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi Mike,

I will make the changes, there is no internal interface though. Yes I meant SMTP.

Thanks for your input.

On Tue, Mar 24, 2009 at 6:56 PM, Michael K. Smith - Adhost <mksmith@adhost.com> wrote:
> Hello:
>
> > #############
> > #interfaces #
> > #############
> > ext_if="bce0"
> > ext_if2="bce1"
>
> I would also define your inside interface(s), not just your outside. Let's
> call it "bce2" for the example:
>
> int_if="bce2"
>
> > #############################################
> > #allow all connections from and to loopback #
> > #############################################
> >
> > pass in quick on lo0 all keep state
> > pass out quick on lo0 all keep state
>
> You might want to add anti-spoofing as well (can't come in on your IP's)
>
> antispoof quick for { lo $ext_if $ext_if2 } inet
>
> > ########################################################
> > #allow all connections out through external interfaces #
> > ########################################################
>
> You can shorten these (as below)
>
> > pass out quick on $ext_if all keep state
> > pass out quick on $ext_if2 all keep state
>
> pass out quick on { $ext_if $ext_if2 $int_if }
>
> Also, add an inbound allow for your inside interface, unless you want to
> block things more granularly.
>
> pass in quick on $int_if
>
> > ############################
> > #smtp connections allowed #
> > ############################
>
> Did you mean SSH? If you meant SMTP you should change 22 to 25
>
> > #a.b.c.d is the server's ip
> > #Euro servers
> > pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
> >
> > #American servers
> > pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
> >
> > #from the old iptables???
> > pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep state
> >
> > ###################################
> > # pass traffic from allowed ports #
> > ###################################
> >
> > #pass traffic from allowed tcp ports
> > pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
> >
> > #pass traffic from allowed udp ports
> > pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
> >
> > ##########################################
> > # allow connections from NMC and servers #
> > ##########################################
>
> I would limit ICMP to echo-request from the outside.
>
> pass in quick on { $ext_if $ext_if2 } proto icmp from x.x.x.x/12 to a.b.c.d icmp-type { echoreq trace }
>
> > #x.x.x.x/12 are the internal ips NMC access with
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to a.b.c.d keep state
> >
> > #x.x.x.x/24 are the ips for the other European servers
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
> >
> > #x.x.x.x/24 are the ips for the American servers
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
> >
> > ##########################
> > #block all other traffic #
> > ##########################
> >
> > # should be last rule
> >
> > block in quick on $ext_if all
>
> Should be first as previously discussed.
>
> Regards,
>
> Mike

-- 
Regards,
Eric Magutu
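The ruleset below is an added example, not the configuration posted in this thread: it applies the changes Mike suggests (default deny first, anti-spoofing, the combined outbound rule, port 25 for SMTP, ICMP limited to echo request and traceroute) to Eric's rules. It keeps the thread's placeholders (the x.x.x.x networks, a.b.c.d for the server, bce0 and bce1), leaves out int_if because Eric says there is no internal interface, and assumes a $good_port_udp macro and sample port values, none of which appear in the quoted ruleset; as quoted, the rule under "#pass traffic from allowed udp ports" repeats the tcp rule with proto tcp and $good_port_tcp, so the udp rule here is a correction made in this example. The block rule is placed first and without quick, so that the later quick pass rules match first and anything they do not match falls through to the block.

```pf
# Added example: the thread's ruleset with the suggested changes applied.
# x.x.x.x networks and a.b.c.d are placeholders carried over from the thread;
# $good_port_udp and the port values in the macros are assumed here.

#############
#interfaces #
#############
ext_if="bce0"
ext_if2="bce1"
# No internal interface on this host, so no int_if is defined.

##########
# macros #
##########
server="a.b.c.d"
good_port_tcp="{ 80, 443 }"       # assumed values; the thread does not list them
good_port_udp="{ 53 }"            # assumed values; macro does not exist in the thread
smtp_peers="{ x.x.x.x/26, x.x.x.x/26, x.x.x.x/27 }"   # Euro, American, old iptables list
nmc_net="x.x.x.x/12"              # internal ips NMC access with
euro_servers="x.x.x.x/24"
us_servers="x.x.x.x/24"

##########################################
# block all other traffic - first, not   #
# last: without quick the last matching  #
# rule wins, so a pass rule below can    #
# override this default deny             #
##########################################
block in on { $ext_if $ext_if2 } all

#############################################
#allow all connections from and to loopback #
#and drop packets claiming our own address  #
#############################################
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state
antispoof quick for { lo0 $ext_if $ext_if2 } inet

########################################################
#allow all connections out through external interfaces #
########################################################
pass out quick on { $ext_if $ext_if2 } all keep state

############################
#smtp connections allowed  #
#(port 25; 22 is ssh)      #
############################
pass in quick on $ext_if inet proto tcp from $smtp_peers to $server port 25 keep state

###################################
# pass traffic from allowed ports #
###################################
pass in quick on $ext_if inet proto tcp from any to $server port $good_port_tcp keep state
pass in quick on $ext_if inet proto udp from any to $server port $good_port_udp keep state

##########################################
# allow connections from NMC and servers #
# icmp limited to echo request and trace #
##########################################
pass in quick on { $ext_if $ext_if2 } inet proto icmp from $nmc_net to $server icmp-type { echoreq trace }
pass in quick on $ext_if inet proto { tcp, udp } from { $nmc_net $euro_servers $us_servers } to $server keep state
```

After replacing the placeholders with real addresses (pfctl will not parse x.x.x.x), `pfctl -nf /etc/pf.conf` checks the syntax without loading the rules, and `pfctl -sr` after loading shows the rules in the order pf evaluates them, which is the quickest way to confirm the default deny really sits at the top.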