Date: Fri, 22 Jan 2010 10:45:17 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: kalin m <kalin@el.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf rules
Message-ID: <4B5973AD.8070603@locolomo.org>
In-Reply-To: <4B594FC0.3010200@el.net>
References: <4B594FC0.3010200@el.net>
kalin m wrote:
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
>
> antispoof for eth0 inet
>
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh

To debug pf rules:

- always add direction to the rule, pass or block, add interface to all rules except default policy, keep state on all pass rules
- group your rules per direction, then per interface
- add log to all rules and watch pflog to see which rule blocks or passes traffic.
- use keyword quick for any decisive rule
- check the parsing of your ruleset, pfctl -sr

then come back and ask for help.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org