From owner-freebsd-pf@FreeBSD.ORG Wed Dec 16 01:27:07 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 661B81065676 for ; Wed, 16 Dec 2009 01:27:07 +0000 (UTC) (envelope-from dave.mehler@gmail.com) Received: from mail-bw0-f213.google.com (mail-bw0-f213.google.com [209.85.218.213]) by mx1.freebsd.org (Postfix) with ESMTP id E58338FC18 for ; Wed, 16 Dec 2009 01:27:06 +0000 (UTC) Received: by bwz5 with SMTP id 5so412383bwz.3 for ; Tue, 15 Dec 2009 17:27:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=Kzh3YS/JBgC7Vi9zFRIMLKiryzgFExtxv91pF6ye0j4=; b=Zi2m3lIcTfa/1XhHNwqw8xwGI9Js7JyrJW8r58smWhQjU7i01yRTRv72pWl9aU7SjC kXDf3aE5jjuGX4ZZNl/M6mphi1EbQCsuY54NQaIvX1W3n1ZHf7HYo0gi1+ixXSTOH6PE TgFFA5bIYvBGCp7RcAID8FCSOsSYyfxFrMRF0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=uGxOdQf41uxJDqVcd2cVJ3Cum++vYA+x8psPRmLi2L7VEq3MGFffRDVynLOUMo9dlp no7vW2/+BbKoqqLqooP0NrL3Dv6EbAACxYLYA2as1gl5rRaWNOtshd2kkuLEvnc8KkzU PpG8kjI+03c5Ha8d+77iXurxETh9t8azP1Av8= MIME-Version: 1.0 Received: by 10.204.148.82 with SMTP id o18mr143686bkv.188.1260925163471; Tue, 15 Dec 2009 16:59:23 -0800 (PST) Date: Tue, 15 Dec 2009 19:59:23 -0500 Message-ID: <78e0dabc0912151659h5d2a9bd4i5a0c4f5a1ff69884@mail.gmail.com> From: David Mehler To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Subject: new firewall config X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Dec 2009 01:27:07 -0000 Hello, I'm writing a new firewall for an 8.0 machine. It's a gateway box, it runs an ftp proxy, dhcp and dns services and ntp. It also routes. Other than that it should block everything else. I've got the below rules, and am wondering since it works if it's the most efficient it can be or if there are any holes in it? Comments appreciated. Thanks. Dave. # Required order: options, normalization, queueing, translation, filtering. # Macros and tables may be defined and used anywhere. ext_if="em0" # replace with actual external interface name i.e., dc0 int_if="em1" # replace with actual internal interface name i.e., dc1 internal_net="192.168.5.0/24" tcp_services="{ ftp-data, ftp, ssh, domain, http, pop3, https, 1503, 1863, 3389, 5999, 7001, 8000, 8080 }" udp_services="{ 9, domain, bootps, ntp, 7001 }" icmp_types = "echoreq" set optimization normal set block-policy return set require-order yes set fingerprints "/etc/pf.os" set skip on lo0 scrub in all nat on $ext_if from $internal_net to any -> ($ext_if) nat-anchor "ftp-proxy/*" rdr-anchor "ftp-proxy/*" rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 \ port 8021 antispoof for $ext_if antispoof for $int_if block all anchor "ftp-proxy/*" pass out proto tcp from 127.0.0.1 to any port 21 keep state pass quick inet proto tcp to any port $tcp_services flags S/SA keep state pass quick inet proto { tcp, udp } to any port $udp_services keep state pass inet proto icmp all icmp-type $icmp_types keep state pass inet proto icmp all icmp-type unreach code needfrag keep state # allow out the default range for traceroute(8): # "base+nhops*nqueries-1" (33434+64*3-1) pass inet proto udp from any to any \ port 33433 >< 33626 keep state