Date: Mon, 10 Apr 2017 21:37:47 +0200
From: Polytropon <freebsd@edvax.de>
To: Miha Smrekar <smrekar.miha@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD firewall configuration
Message-ID: <20170410213747.c22fffa7.freebsd@edvax.de>
In-Reply-To: <CAOVvEHVukRGa1kfGW=MNp2DRfzE3voOe880LwZbH-MqUDsmTdg@mail.gmail.com>
References: <CAOVvEHXi2V89bF1iD-718v7V=thFfR4c-h1KDxoctoe207qwLQ@mail.gmail.com> <20170407210017.0c2c2cbb.freebsd@edvax.de> <CAOVvEHVukRGa1kfGW=MNp2DRfzE3voOe880LwZbH-MqUDsmTdg@mail.gmail.com>
Re-including list, hope that's okay.

On Mon, 10 Apr 2017 09:34:16 +0200, Miha Smrekar wrote:
> OK, with that rule I have successfully connected to my computer through
> PUTTY on SSH connection on 1024 port. I've done the same with ports 80 and
> 443.

Excellent. It all follows the same idea.

> Will those 3 rules be enough to block all the traffic on other ports, or do
> I have to block all other ports?

Depending on the firewall's configuration - "default to accept" or
"default to deny", you're probably safe when you explicitly block
everything first, and then define what you intendedly want to allow.
For example:

	ext_if="xl0"

	block all
	pass in quick on $ext_if inet proto tcp from any to $ext_if port 1024 keep state
	pass in quick on $ext_if inet proto tcp from any to $ext_if port 443 keep state
	pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 keep state

This is what your configuration probably will look like.

> Can you also help me with the rule to forward incoming traffic to other
> interface?

You first need to put

	net.inet.ip.forwarding=1

into /etc/sysctl.conf and make this change active (read: reboot or
manually call "service sysctl restart"). Additionally, add

	gateway_enable="YES"

to /etc/rc.conf.

Now you can do something like this in your pf.conf:

	ext_if="xl0"
	int_if="fxp0"

	pass in on $ext_if from $ext_if:network to $int_if:network port 1024 keep state
	pass out on $int_if from $ext_if:network to $int_if:network port 1024 keep state

This for example would forward port 1024 traffic from the external
interface to the internal one. It's easy to define which one is which
using variables like ext_if and int_if for the actual network interfaces
(see "ifconfig -a" to check).

I also recommend this article for more inspiration:

https://home.nuug.no/~peter/pf/en/long-firewall.html

This is where I constructed the example from. ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
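An added example, not from this mail, of a complete /etc/pf.conf that puts the two pieces of the reply together: default deny, the three stateful pass rules for the firewall host, and forwarding for hosts behind the internal interface. The interface names follow the xl0/fxp0 macros above; the internal network 192.168.1.0/24 and the NAT rule (so a private internal network can reach the outside) are assumptions of this example.

```pf
# /etc/pf.conf - added example; interface names match the reply's macros,
# the internal network and the use of NAT are assumed.
ext_if="xl0"
int_if="fxp0"
int_net="192.168.1.0/24"
# ports the firewall host itself accepts from outside (SSH moved to 1024)
tcp_services="{ 80, 443, 1024 }"

set skip on lo0          # never filter loopback
scrub in all             # normalise fragments before filtering

# translation rules must come before filter rules: masquerade the
# internal network behind the external interface's current address
nat on $ext_if inet from $int_net to any -> ($ext_if)

# default deny in both directions, then allow only what is intended
block all
antispoof quick for $int_if

# services offered by the firewall host itself
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services keep state

# forwarding (needs net.inet.ip.forwarding=1 / gateway_enable="YES"):
# internal hosts may reach the outside; the state created here also
# matches the reply packets on the other interface
pass in quick on $int_if inet from $int_net to any keep state
pass out quick on $ext_if inet from ($ext_if) to any keep state

# the firewall host itself may talk to the internal network
pass out quick on $int_if inet from $int_if to $int_net keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf".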