Nathan Fisher <[EMAIL PROTECTED]> wrote:

> I'm a newbie myself, isn't it best to lock out all inbound connections and then open up only the services you want to provide? Can anyone tell me if this would be an appropriate configuration for a trusted network w/ a 2 port router?

Yes: it's better to use this solution and a 2-port firewall. Block all inbound connections and allow only connections for services with redirection.

> # BEGIN /etc/pf.conf
>
> #----- variables -----
>
> ExtIF="dc1"
> [...]
> FlagsOSfinger="flags FUP/FUP"
> #----- end variables -----

Maybe too many macros, and the conf becomes more difficult to read: suppress the "Flags" and "Tcp" variables if you want.

> # immediate block of private IP's
> block in log quick on $ExtIF inet from $PrivateIPs to any
> block out log quick on $ExtIF inet from any to $PrivateIPs

You can replace these rules with the 'antispoof' keyword: see pf.conf(5).

> #----- stateful services -----
> # Is this section correct?

Yes, this section is correct: redirection of inbound HTTP and SMTP connections to internal HTTP and SMTP servers.

A++ Foxy.

-- 
Laurent Cheylus <[EMAIL PROTECTED]> OpenPGP ID 0x5B766EC2
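The following is an added example, not Nathan's posted pf.conf nor anything Laurent sent: a minimal ruleset in the pre-OpenBSD-4.7 pf syntax the thread uses (rdr/nat before filter rules, "keep state" spelled out), showing the pattern the reply recommends: default-deny inbound, 'antispoof' in place of the hand-written private-address block rules, and redirection of only HTTP and SMTP to internal hosts. The interface names, server addresses and private-address list are assumptions.

```pf
# Added example, not from the thread. Assumed interfaces and addresses.
ExtIF="dc1"
IntIF="dc0"
WebServer="192.168.1.10"
MailServer="192.168.1.11"

# Normalise fragments before any filtering decision
scrub in all

# Translation (must precede filter rules in this syntax):
# inbound HTTP and SMTP on the external address go to internal servers
rdr on $ExtIF proto tcp from any to $ExtIF port 80 -> $WebServer port 80
rdr on $ExtIF proto tcp from any to $ExtIF port 25 -> $MailServer port 25

# Default deny everything inbound; outbound is allowed and state-tracked
block in log all
pass out keep state

# Replaces the two explicit 'block ... $PrivateIPs' rules:
# drops packets claiming a source on $ExtIF's own networks arriving on $ExtIF
antispoof log quick for $ExtIF inet

# The only services reachable from outside are the two redirected ones.
# flags S/SA: create state only on the initial SYN
pass in on $ExtIF proto tcp from any to $WebServer port 80 flags S/SA keep state
pass in on $ExtIF proto tcp from any to $MailServer port 25 flags S/SA keep state

# Trusted internal network may originate connections
pass in on $IntIF from $IntIF:network to any keep state
```

One caveat worth keeping in mind: 'antispoof' expands to block rules for the networks configured on the named interface, so it catches packets that forge an address belonging to your own external or internal subnets, but it does not by itself block every RFC 1918 range. If the goal is to reject all private-source traffic on the external interface, keep a $PrivateIPs block rule alongside antispoof. Check the result with `pfctl -nf /etc/pf.conf` (syntax only) and `pfctl -sr` (expanded rules) before loading.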