On Mon, 28 May 2007, Lontronics Mailinglist account wrote:

> Okay, found some stuff on the internet; this is it at the moment:
> 
> # $OpenBSD: PF firewall rules $
> 
> # ports: see /etc/services
> #   21 = ftp
> #   22 = ssh
> #   25 = smtp
> #   53 = domain
> #   80 = www
> #  110 = pop3
> #  123 = ntp
> #  631 = ipp (CUPS)
> # 6667 = irc
> 
> tcp_pass = "{ 21 22 25 53 80 110 123 6667}"
> udp_pass = "{ 53 110 }"
> 
> # scrub
> scrub in all
> 
> # setup a default deny policy
> block in  all
> block out all
> 
> antispoof for { bce0, wpi0 } inet
> 
> pass out on { bce0, wpi0 } proto tcp to any port  $tcp_pass
> pass out on { bce0, wpi0 } proto udp to any port  $udp_pass

You may wish to add pass in and out rules for icmp, to be RFC compliant.

If you are passing to 80 outbound, you may want to also pass 443
(SSL, https).

You may wish to add "log" options to the block statements, particularly
the "out" -- if you are trying to pass packets that you have forbidden,
you probably want to know that, either to allow those packets, or to
wonder where they are coming from, going to, and why. 

If you are going to be using pop and irc, you may wish to evaluate
allowing inbound tcp on 113, the identd/auth service. (Also enabling
it in /etc/inetd.conf).  Or not.

I wonder if this setup will allow you to do dhcp.  Probably during
boot, (before it takes effect, when the rules in /etc/rc are active),
but afterwards, not.  This might be an issue.  I dunno how dhcp
communicates, don't use it myself.

But do try logging, maybe all packets at first, to familiarize
yourself with your normal network traffic.  A tcpdump process
in a little xterm can be fascinating and make debugging a more
complicated pf setup easy or possible.  I use

# /usr/sbin/tcpdump -n -e -ttt -i pflog0

to watch in realtime.

Dave
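The quoted ruleset with the suggestions from this reply folded in, as an added example that is not the original poster's file and not taken from the thread. The interface names and service list come from the quoted config; the DHCP client rules (udp 67/68), the loopback exception and the udp macro correction (ntp is UDP, pop3 is TCP only) are additions assumed here.

```pf
# Added example, not the original poster's pf.conf: the quoted rules plus
# the reply's suggestions (icmp, 443, log on block, dhcp, pflog watching).
# Interfaces bce0/wpi0 and the tcp service list are from the quoted config;
# the dhcp rules, "set skip on lo0" and the udp list are assumptions here.
ifs      = "{ bce0, wpi0 }"
tcp_pass = "{ 21 22 25 53 80 110 123 443 6667 }"   # 443 added (SSL, https)
udp_pass = "{ 53 123 }"                             # ntp is UDP; pop3 is TCP only

# loopback must not fall under the default deny, or local CUPS (631) breaks
set skip on lo0

scrub in all

# default deny, now logged to pflog0 so blocked packets can be watched with:
#   /usr/sbin/tcpdump -n -e -ttt -i pflog0
block in  log all
block out log all

antispoof for $ifs inet

# icmp: anything outbound, pings inbound; replies to our own requests
# ride on the state created by the outbound rule
pass out on $ifs inet proto icmp all keep state
pass in  on $ifs inet proto icmp all icmp-type echoreq keep state

# dhcp client: requests leave from port 68 to port 67; offers and acks come
# back 67 -> 68, often as broadcasts that match no state, hence the pass in
pass out on $ifs inet proto udp from any port 68 to any port 67
pass in  on $ifs inet proto udp from any port 67 to any port 68

# the original outbound service rules, with state kept so replies get in
pass out on $ifs proto tcp to any port $tcp_pass keep state
pass out on $ifs proto udp to any port $udp_pass keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without changing the running rules, then watch pflog0 for anything the log rules catch that should have been passed.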
