Date: Sun, 26 Nov 2006 13:35:57 -0000 From: "Daniel" <daniel@britishemail.co.uk> To: <freebsd-pf@freebsd.org> Subject: opinion on this ruleset Message-ID: <20061130173504.CD06C43CBA@mx1.FreeBSD.org>
I was wondering if I could get some opinions on this ruleset please. Basically, I have FreeBSD 6.1, running an IRC server on ports 6697, 7000, 6659 through to 6671, 9999, 27888. I am also running a nameserver, so have opened TCP and UDP 53. I also want incoming on port 80 and 22. I have about 15 IP addresses assigned to my external interface... would it be better to make a table for these? Or is using the ext_if as a macro just as effective?

ext_if="rl0"
# 6659:6671 is inclusive; the original "6659 >< 6671" would exclude both endpoints.
tcp_services="{ 22, 80, 53, 6633, 6697, 7000, 6659:6671, 9999, 27888 }"
udp_services="{ 53 }"
icmp_types="echoreq"

set block-policy return
set loginterface $ext_if
set skip on lo

scrub in

block in
pass out keep state

# $int_if is not defined anywhere in this ruleset; pfctl will refuse to load
# it until a macro for the inside interface is added.
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) \
    port $udp_services keep state
pass in inet proto icmp all icmp-type $icmp_types keep state