Below are my rules. They are comprised of what I have learned over the past year.
I think I have a good rule set but would like others to offer any comments or suggestions on whether more restrictions are needed. Much thanks. Charles

Nat.conf

nat on dc0 from 192.168.1.0/24 to any -> dc0
nat on dc0 from 192.168.2.0/24 to any -> dc0

Pf.conf

# Interface:
# lo0 - loopback
# dc0 - external to cable modem
# xlx - internal to private network
#
Ext="dc0"
Int0="xl0"
Int1="xl1"
smtp="{68.1.17.19,68.1.17.17}"
dhcserver="{172.19.57.13,10.0.80.1,255.255.255.255}"
dom="{68.12.16.29,68.12.16.30,68.1.208.29,68.1.208.30}"
spoof="{192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16}"
FTPPORTS="{ 55000 >< 57000 }" # Proxied port range for Active FTP proxy

# ------------------------------------------------------------------------
# Interface: all
# Block all incoming and outgoing packets
# block in log all
# block out log all
block in log on $Ext all
block out log on $Ext all

# ------------------------------------------------------------------------
# Interface: lo0
# Allow loopback to flow freely.
# ------------------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all

# ------------------------------------------------------------------------
# Clean up fragmented and abnormal packets.
# ------------------------------------------------------------------------
scrub in all

# ------------------------------------------------------------------------
# prevent spoofing of non-routable addresses
block in on $Ext from $spoof to any
block out on $Ext from any to $spoof

# ------------------------------------------------------------------------
# Interface: xl0,xl1,xl2
# Allow internal traffic to flow freely.
# ------------------------------------------------------------------------
pass in quick on $Int0 all
pass out quick on $Int0 all
pass in quick on $Int1 all
pass out quick on $Int1 all

# ------------------------------------------------------------------------
# [passive ftp client to outside ]
pass out quick on $Ext proto tcp from any to any port = 21 flags S/SA keep state
pass out quick on $Ext proto tcp from any to any port > 1023 flags S/SA keep state

# ------------------------------------------------------------------------
# Proxy the active FTP
#
pass in quick on $Ext proto tcp from any port 20 to $Ext port $FTPPORTS flags S/SA keep state
pass in on $Ext proto tcp from any to $Ext port > 49151 keep state

# ------------------------------------------------------------------------
# [mail to outside world]
pass out quick on $Ext proto tcp from any to $smtp port = 110 keep state
pass out quick on $Ext proto tcp from any to $smtp port = 25 keep state

# ------------------------------------------------------------------------
# [domain to outside world]
pass out quick on $Ext proto udp from any to $dom port = domain keep state

# ------------------------------------------------------------------------
# [http and https to outside world]
pass out quick on $Ext proto tcp from any to any port = www flags S/SA keep state
pass out quick on $Ext proto tcp from any to any port = 443 flags S/SA keep state

# ------------------------------------------------------------------------
# kazaa port
pass out quick on $Ext proto udp from any to any port = 1214 keep state
pass out quick on $Ext proto tcp from any to any port = 1214 keep state

# ------------------------------------------------------------------------
# ssh port
pass in quick on $Ext proto tcp from MY.WORK.IP to any port = 22 flags S/SA keep state

# ------------------------------------------------------------------------
# [traceroute to outside world 1st stage: probing...man traceroute(8)]
pass out quick on $Ext proto udp from any to any port 33434 >< 33525 keep state

# ------------------------------------------------------------------------
# [ping to outside world]
pass out quick on $Ext proto icmp from any to any keep state

# ------------------------------------------------------------------------
# [dhclient]
pass out quick on $Ext proto udp from any port = bootpc to $dhcserver port = bootps
pass in quick on $Ext proto udp from $dhcserver port = bootps to any port = bootpc

# ------------------------------------------------------------------------
# [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
# (destination unreachable) and icmp-type 11 (time exceeded)]
pass in quick on $Ext inet proto icmp from any to any icmp-type 3 keep state
pass in quick on $Ext inet proto icmp from any to any icmp-type 11 keep state

# ------------------------------------------------------------------------
# ------------------------------------------------------------------------
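One review check worth running on a rule set like this, added here as an example and not part of Charles's post: a small Python script that expands the pf macros and lists every `pass in` rule on the external interface, so the inbound openings (the active-FTP proxy range, the `> 49151` rule without `quick`, the ssh rule pinned to MY.WORK.IP, the dhclient reply, and the two ICMP types) can be read off in one place. The embedded config is a constructed excerpt of the posted rules, not the whole file, and the parser only understands the rule shapes that appear in it.

```python
import re
# Constructed excerpt of the posted pf.conf: its macros plus every rule
# that lets traffic in on the external interface (not the whole file).
PF_CONF = """\
Ext="dc0"
FTPPORTS="{ 55000 >< 57000 }"
dhcserver="{172.19.57.13,10.0.80.1,255.255.255.255}"
pass in quick on $Ext proto tcp from any port 20 to $Ext port $FTPPORTS flags S/SA keep state
pass in on $Ext proto tcp from any to $Ext port > 49151 keep state
pass in quick on $Ext proto tcp from MY.WORK.IP to any port = 22 flags S/SA keep state
pass in quick on $Ext proto udp from $dhcserver port = bootps to any port = bootpc
pass in quick on $Ext inet proto icmp from any to any icmp-type 3 keep state
pass in quick on $Ext inet proto icmp from any to any icmp-type 11 keep state
"""
MACRO_RE = re.compile(r'^(\w+)="([^"]*)"$')
STOP = {'flags', 'keep', 'icmp-type'}  # tokens that end a port expression

def parse_pass_in(line, macros):
    """Split one 'pass in' rule (macros expanded) into its parts, else None."""
    for name, val in macros.items():
        line = line.replace('$' + name, val)
    t = line.split()
    if t[:2] != ['pass', 'in']:
        return None
    r = {'quick': 'quick' in t, 'iface': t[t.index('on') + 1],
         'proto': t[t.index('proto') + 1], 'src': t[t.index('from') + 1],
         'dport': None, 'icmp': None}
    i_to = t.index('to')
    if 'port' in t[i_to:]:  # destination port expression, e.g. '> 49151'
        end = p = i_to + t[i_to:].index('port') + 1
        while end < len(t) and t[end] not in STOP:
            end += 1
        r['dport'] = ' '.join(t[p:end])
    if 'icmp-type' in t:
        r['icmp'] = t[t.index('icmp-type') + 1]
    return r

def inbound_exposure(conf):
    """Return every 'pass in' rule on $Ext, in file order, as parsed dicts."""
    macros, found = {}, []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        r = parse_pass_in(line, macros)
        if r and r['iface'] == macros.get('Ext'):
            found.append(r)
    return found
```

Any rule whose `src` comes back as `any` is reachable from the whole internet, which is the list a reviewer wants to check first.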