From: "Michael K. Smith - Adhost" <mksmith@adhost.com>
To: "Eric Magutu"
Delivered-To: freebsd-pf@freebsd.org
Subject: RE: first firewall with pf
Date: Tue, 24 Mar 2009 08:56:38 -0700
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello:

> #############
> #interfaces #
> #############
> ext_if="bce0"
> ext_if2="bce1"
>

I would also define your inside interface(s), not just your outside. Let's call it "bce2" for the example:

int_if="bce2"

>
> #############################################
> #allow all connections from and to loopback #
> #############################################
>
> pass in quick on lo0 all keep state
> pass out quick on lo0 all keep state
>

You might want to add anti-spoofing as well (can't come in on your IP's)

antispoof quick for { lo $ext_if $ext_if2 } inet

> ########################################################
> #allow all connections out through external interfaces #
> ########################################################
>

You can shorten these (as below)

> pass out quick on $ext_if all keep state
> pass out quick on $ext_if2 all keep state

pass out quick on { $ext_if $ext_if2 $int_if }

Also, add an inbound allow for your inside interface, unless you want to block things more granularly.

pass in quick on $int_if

>
> ############################
> #smtp connections allowed #
> ############################
>

Did you mean SSH? If you meant SMTP you should change 22 to 25

> #a.b.c.d is the server's ip
> #Euro servers
> pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
>
> #American servers
> pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
>
> #from the old iptables???
> pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep state
>
>
> ###################################
> # pass traffic from allowed ports #
> ###################################
>
>
> #pass traffic from allowed tcp ports
> pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
>
> #pass traffic from allowed udp ports
> pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
>
> ##########################################
> # allow connections from NMC and servers #
> ##########################################
>

I would limit ICMP to echo-request from the outside.

pass in quick on { $ext_if $ext_if2 } proto icmp from x.x.x.x/12 to a.b.c.d icmp-type { echoreq trace }

> #x.x.x.x/12 are the internal ips NMC access with
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to a.b.c.d keep state
>
> #x.x.x.x/24 are the ips for the other European servers
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
>
> #x.x.x.x/24 are the ips for the American servers
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
>
>
> ##########################
> #block all other traffic #
> ##########################
>
> # should be last rule
>
> block in quick on $ext_if all

Should be first as previously discussed.
Regards,

Mike
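As an added example that is not part of the original thread, here is one complete ruleset that puts the reply's suggestions together: a default deny placed first (without `quick`, so the pass rules below it are still evaluated), antispoof, an inside interface, one combined `pass out`, and ICMP from the management networks limited to echo request and traceroute. The interface names follow the thread; the server address, source networks and port lists are placeholders, because the thread elides them.

```pf
# Added example (not the poster's or the reply's own file): one ruleset that
# applies the suggestions in the reply above. Interface names follow the
# thread; addresses and port lists are placeholders, since the thread elides them.
ext_if  = "bce0"
ext_if2 = "bce1"
int_if  = "bce2"                         # inside interface, as suggested
srv     = "a.b.c.d"                      # placeholder: the server's address
admin_nets   = "{ x.x.x.x/26, x.x.x.x/27 }"          # placeholder: SSH sources
trusted_nets = "{ x.x.x.x/12, x.x.x.x/24, x.x.x.x/24 }"  # placeholder: NMC and peer servers
good_port_tcp = "{ 80, 443 }"            # placeholder: public TCP services
good_port_udp = "{ 53 }"                 # placeholder: public UDP services

# Loopback first, ahead of antispoof: the rules antispoof generates would
# otherwise match packets to local addresses sent over lo0.
pass quick on lo0 all keep state

# Default deny, placed first among the external rules. It carries no "quick":
# a quick block here would end evaluation before any pass rule below is reached.
block in log on { $ext_if, $ext_if2 } all

# Drop packets arriving on one interface with a source address that belongs
# to another of our interfaces.
antispoof log quick for { lo $ext_if $ext_if2 $int_if } inet

# Everything out on any interface, and everything in from the inside network.
pass out quick on { $ext_if $ext_if2 $int_if } keep state
pass in  quick on $int_if keep state

# Management SSH only from the listed admin networks (the quoted rules used
# port 22 under an "smtp" heading; this keeps 22).
pass in quick on $ext_if proto tcp from $admin_nets to $srv port 22 keep state

# Public services. The quoted udp rule still said "proto tcp" with the TCP
# port list; here UDP gets its own protocol and its own list.
pass in quick on $ext_if inet proto tcp from any to $srv port $good_port_tcp keep state
pass in quick on $ext_if inet proto udp from any to $srv port $good_port_udp keep state

# NMC and peer servers: TCP/UDP as before, but ICMP limited to echo request
# and traceroute instead of every ICMP type.
pass in quick on { $ext_if $ext_if2 } inet proto icmp from $trusted_nets to $srv icmp-type { echoreq trace } keep state
pass in quick on $ext_if inet proto { tcp, udp } from $trusted_nets to $srv keep state
```

Check the syntax without loading it with `pfctl -nf /path/to/pf.conf`, and `pfctl -sr` afterwards shows the expanded antispoof rules that the comment above refers to.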