
PF rules and Config files



I would like feedback about problems with the following pf.conf rules. I have read the docs and scanned my system for possible holes but have not found anything noticeable. I just would like to block all traffic not originating from the internal network (interface rl1 [internal LAN]). I have not put a [block] out statement on the external interface because I trust the hosts on the LAN and I am not 100% sure what applications they will be using. Well, actually I don't care what they do; I just want to block out bad people from the Internet.

Any pointers and possible tips would be welcome. All RTFMs are welcome as well, as maybe I missed something the first time I read them. I have much to learn and figure getting flamed is a part of my journey as well.

Cheers,

cat /etc/pf.conf
---------------------- < PF.CONF> --------------------------------------------------------------
ext_if="rl0"
int_if="rl1"


scrub in all

nat on $ext_if from !($ext_if) -> ($ext_if:0)

block in log all
block in quick inet6 all
block out quick inet6 all

#block return-icmp in on $ext_if from any to $ext_if port auth quick
(I am not sure how to be kind to the rest of the world with the above statement. I would like to be able to allow ICMP returns for ISPs. When I set this up live I will have DHCP enabled and I will not know my external IP. I thought I could use ext_if but that is not loading.)


pass out keep state
pass in log quick on $ext_if proto TCP from any to $ext_if port 22 flags S/FSRA keep state
pass quick on { lo $int_if }
antispoof quick for { lo $int_if }


openpuff# /sbin/pfctl -s rules
-----------------------------------------------------------------------------------------------------
scrub in all fragment reassemble
block drop in log all
block drop in quick inet6 all
block drop out quick inet6 all
pass out all keep state
pass in log quick on rl0 inet proto tcp from any to 192.132.132.6 port = ssh flags S/FSRA keep state
pass in log quick on rl0 inet6 proto tcp from any to fe80::210:b5ff:fe10:d068 port = ssh flags S/FSRA keep state
pass quick on lo all
pass quick on rl1 all
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! rl1 inet from 192.168.100.0/24 to any
block drop in quick inet from 192.168.100.1 to any
block drop in quick on rl1 inet6 from fe80::210:b5ff:fe10:d394 to any
openpuff#
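The two points the post raises (the external address changing under DHCP, and the commented-out ident/auth rule not loading) can be handled with pf's own syntax; the following is an added example of the same ruleset written that way, not the poster's file. It uses only the interface names and ports already in the post; the parenthesised `($ext_if)` form is the same dynamic-interface syntax the nat line already relies on.

```pf
# Added example, not the poster's pf.conf: same policy, with the external
# address kept dynamic and the ident rule written so that it parses.
ext_if="rl0"
int_if="rl1"

scrub in all

nat on $ext_if from !($ext_if) -> ($ext_if:0)

block in log all
block in quick inet6 all
block out quick inet6 all

# ident/auth (TCP 113): answer with a reset instead of silently dropping,
# so remote mail and IRC servers stop waiting on the lookup.  "quick" has
# to come before "on", and "port" is only valid with "proto tcp" (or udp);
# the commented-out line in the post had "quick" last and no proto, which
# is why pfctl refused it.  "return" picks RST for TCP by itself.
block return in quick on $ext_if proto tcp from any to ($ext_if) port auth

pass out keep state

# A bare $ext_if in an address position is expanded to the interface's
# addresses when the file is loaded (that is why "pfctl -s rules" shows
# 192.132.132.6 and the fe80:: address).  ($ext_if) is re-evaluated when
# the address changes, so the rule survives a DHCP lease change; "inet"
# stops the useless inet6 copy from being generated.
pass in log quick on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/FSRA keep state

pass quick on { lo $int_if }
antispoof quick for { lo $int_if }
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses without changing the running ruleset, so a syntax error in the ident rule shows up without dropping the firewall.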