On Fri, 18 Feb 2005 00:28:30 -0700, Pat Maddox <[EMAIL PROTECTED]> wrote:
> Can you guys let me know if this looks like a good conf file?  I've
> got web, mail, ftp, ssh, and DNS that I need to have open.
>
> # Macros
> ext_if="fxp0"
> SYN_ONLY="S/FSRA"
> tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
> icmp_types = "echoreq"
>
> # Default deny
> block all
>
> ## Filtering rules
>
> # Default TCP policy
> block return-rst in log on $ext_if proto TCP all
This block rule is not needed; you already have a "default deny" policy.

> pass in log quick on $ext_if proto TCP from any to $ext_if port
> $tcp_services flags $SYN_ONLY keep state
>
> # Default UDP policy
> block in log on $ext_if proto udp all

This block rule is not needed; you already have a "default deny" policy.

> pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state
>
> # Default ICMP policy
> block in log on $ext_if proto icmp all

This block rule is not needed; you already have a "default deny" policy.

> pass in inet proto icmp all icmp-type echoreq keep state
>
> block out log on $ext_if all

This block rule is not needed; you already have a "default deny" policy.

> pass out log quick on $ext_if from $ext_if to any keep state
>
> # Allow the local interface to talk unrestricted
> pass in quick on lo0 all
> pass out quick on lo0 all
>
>
> On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <[EMAIL PROTECTED]> wrote:
> > On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <[EMAIL PROTECTED]> wrote:
> > > I've managed to come up with something that works so far.  I am having
> > > two problems though.
> > >
> > > The first is that I can't authenticate for IMAP anymore.  No clue why,
> > > it just keeps rejecting my password.  maillog shows imapd: LOGIN
> > > FAILED, that's it.
> > >
> > > Also, after enabling pf, all my UDP ports show as open.  I've got a
> > > ruleset of
> > > block in log on $ext_if proto udp all
> > >
> > > So all UDP ports should be shown as closed.  Doesn't really make any
> > > sense to me.  Anyone care to help?
> > >
> > > Thanks for the help so far.
> > >
> > > Pat
> >
> > Start with a default policy to block and log all traffic:
> >
> > # --- default policy
> > block log from any to any
> >
> > Now you only have to open ports to let traffic in.  If you don't know
> > which port to open for a certain protocol, you can run "tcpdump -eni
> > pflog0".  tcpdump will show which rule blocked, and on which port/
> > address combination.
> >

How about this?

# ------- pf.conf skeleton for server
# j65nko freebsdforums.org
#
# --------------- MACRO Section -----------------
EXT_IF="fxp0"
PING = "echoreq"
# --- allowed incoming services initiated by clients
TCP_IN = "{ ssh, smtp, pop3, imap, http, https }"
#UDP_IN = "{ domain }"
# --- allowed services initiated by server
TCP_OUT = "{ smtp }"
UDP_OUT = "{ domain }"
# ------------------ TABLE Section --------------
# ------------------ OPTIONS Section
set loginterface $EXT_IF
# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
# ---------- TRANSLATION Section (NAT/RDR)
# ---------- FILTER section
# --- DEFAULT POLICY
block log all
# --- LOOPBACK
pass quick on lo0 all
# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state
# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state
# --- ICMP
#pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state
# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state
# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state
# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state
# ----------------- end of pf.conf

=Adriaan=

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
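The advice above to run "tcpdump -eni pflog0" and read off which rule blocked which port/address combination is easy to follow for a handful of lines, but on a busy server the log needs tallying before it tells you what to open. The script below is an added example, not from the thread or from any FreeBSD/pf tool: it parses a constructed sample of pflog output (made-up addresses, not the poster's traffic), counts blocked packets by direction, protocol and destination port, and renders candidate pass rules in the same style as the skeleton ruleset above. Two assumptions are built in: the line layout is the "rule N/M(match): block in on IF: SRC > DST: ..." form that tcpdump prints for pflog (exact spacing varies between tcpdump versions), and, since pflog lines do not name the transport protocol, it is inferred from the packet summary (TCP flags, "icmp", otherwise UDP).

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -eni pflog0` output (made-up test data,
# not a capture from the original poster's machine). The layout assumed is
# the one older tcpdump versions print for pflog frames.
SAMPLE_PFLOG = """\
00:00:01.000000 rule 0/0(match): block in on fxp0: 203.0.113.7.51234 > 198.51.100.2.53: 4321+ A? example.com. (29)
00:00:02.000000 rule 0/0(match): block in on fxp0: 203.0.113.7.51235 > 198.51.100.2.53: 4322+ A? example.org. (29)
00:00:03.000000 rule 0/0(match): block in on fxp0: 203.0.113.9.40001 > 198.51.100.2.443: S 1:1(0) win 65535 <mss 1460>
00:00:04.000000 rule 0/0(match): block in on fxp0: 203.0.113.9 > 198.51.100.2: icmp: echo request
00:00:05.000000 rule 0/0(match): block out on fxp0: 198.51.100.2.55555 > 192.0.2.10.123: v4 client strat 0 poll 0 prec 0
00:00:06.000000 rule 0/0(match): block in on fxp0: 203.0.113.9.40002 > 198.51.100.2.443: S 2:2(0) win 65535 <mss 1460>
00:00:07.000000 rule 3/0(match): pass in on fxp0: 203.0.113.9.40003 > 198.51.100.2.22: S 3:3(0) win 65535 <mss 1460>
"""

# Assumed pflog line layout (see lead-in); lines that do not match are skipped.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>[^)]+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+): ?(?P<rest>.*)"
)
# Old-style "S 1:1(0) ..." and new-style "Flags [S], ..." TCP summaries.
TCP_FLAGS_RE = re.compile(r"^(?:[SFRPWE.]+ \d+:\d+\(\d+\)|Flags \[)")
# "icmp: echo request" (old) or "ICMP echo request, id 1, ..." (new).
ICMP_RE = re.compile(r"^icmp:?\s*(?P<type>[a-z ]+?)(?:,|$)", re.I)
# pf icmp-type keywords for the ICMP types this example knows how to name.
ICMP_TYPES = {"echo request": "echoreq", "echo reply": "echorep"}


def split_port(addr):
    """'198.51.100.2.53' -> ('198.51.100.2', '53'); a bare IPv4 address -> (addr, None)."""
    parts = addr.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return addr, None


def classify(rest):
    """Heuristic (proto, detail) from the packet summary: pflog lines do not name the protocol."""
    m = ICMP_RE.match(rest)
    if m:
        return "icmp", m.group("type").strip().lower()
    if TCP_FLAGS_RE.match(rest):
        return "tcp", None
    return "udp", None


def parse_pflog(text):
    """Yield one record per parsable pflog line."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["src"], rec["sport"] = split_port(rec["src"])
        rec["dst"], rec["dport"] = split_port(rec["dst"])
        rec["proto"], detail = classify(rec["rest"])
        if rec["proto"] == "icmp":
            rec["dport"] = detail  # carry the ICMP type in the port slot
        yield rec


def summarize_blocks(text):
    """Count blocked packets keyed by (direction, proto, destination port or ICMP type)."""
    counts = Counter()
    for rec in parse_pflog(text):
        if rec["action"] == "block":
            counts[(rec["dir"], rec["proto"], rec["dport"])] += 1
    return counts


def suggest_pass_rules(counts, ext_if):
    """Render one candidate pf pass rule per blocked tuple, most-hit first.
    These are suggestions to review by hand: the log shows what was blocked,
    not what should be allowed."""
    def order(item):
        (direction, proto, port), n = item
        return (-n, direction, proto, str(port))

    rules = []
    for (direction, proto, port), n in sorted(counts.items(), key=order):
        ends = f"from any to {ext_if}" if direction == "in" else f"from {ext_if} to any"
        if proto == "icmp":
            if port in ICMP_TYPES:
                rules.append(f"pass {direction} quick on {ext_if} inet proto icmp {ends} "
                             f"icmp-type {ICMP_TYPES[port]} keep state")
            else:
                rules.append(f"# {n} blocked icmp '{port}' {direction} on {ext_if}: check icmp-type before passing")
            continue
        flags = " flags S/SA" if proto == "tcp" else ""
        rules.append(f"pass {direction} quick on {ext_if} inet proto {proto} {ends} port {port}{flags} keep state")
    return rules


if __name__ == "__main__":
    blocked = summarize_blocks(SAMPLE_PFLOG)
    for key, n in sorted(blocked.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  {key}")
    print()
    print("\n".join(suggest_pass_rules(blocked, "fxp0")))
```

Only packets logged by a `block log` rule reach pflog0, so the default-policy rule must carry `log` (as both rulesets above do) for this to see anything. One caveat on the "all my UDP ports show as open" symptom in the quoted message: a plain `block` drops the datagram silently, so no ICMP port-unreachable goes back and a UDP scanner has nothing to distinguish "filtered" from "open"; nmap, for instance, reports such ports as open|filtered. That is the scanner's inference, not an open port, and the pflog tally above will show the probes being blocked.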