I would like to know what I can do to improve my firewall ruleset. This exact set protects my own internal LAN (8 computers), and includes P2P rules. I have similar rulesets protecting other networks I have worked on, none with more than 300 clients though.

# pF.conf working for Wall

# Variables & Tables
int_dev="xl0"    # Internal network device (not referenced by any rule below).
ext_dev="ep0"    # External network device.
cwork="{ bunch of IPs here }"    # not referenced by any rule below
overpeer="{ 64.15.228.160/27 }"
max_mss="1432"
unrouteable="{ 0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.0.2/24, 192.168/16 }"
ext_bandwidth="1544Kb"    # not referenced by any rule below (no queueing rules defined)

# Options
set optimization conservative
set loginterface $ext_dev

# Normalize (defragment) packets on External Interface
scrub in on $ext_dev all fragment reassemble
scrub out on $ext_dev all max-mss $max_mss fragment reassemble

# NAT Rules
# only internal LAN gets NAT currently
nat on $ext_dev from 192.168.1.0/24 to any -> $ext_dev

# Port Forwarding Rules
rdr on $ext_dev proto tcp from any to any port 443 -> 192.168.1.2 port 443
rdr on $ext_dev proto tcp from any to any port 892 -> 192.168.1.2 port 892
rdr on $ext_dev proto udp from any to any port 4665 -> 192.168.1.2 port 4665
rdr on $ext_dev proto tcp from any to any port 4662 -> 192.168.1.2 port 4662
rdr on $ext_dev proto tcp from any to any port 2000 -> 192.168.1.2 port 2000
rdr on $ext_dev proto tcp from any to any port 222 -> 192.168.1.2 port 222
rdr on $ext_dev proto tcp from any to any port 6774 -> 192.168.1.2 port 6774
rdr on $ext_dev proto tcp from any to any port 3389 -> 192.168.1.2 port 3389
rdr on $ext_dev proto tcp from any to any port 6699 -> 192.168.1.2 port 6699
rdr on $ext_dev proto udp from any to any port 6257 -> 192.168.1.2 port 6257
# 1494 (Citrix ICA) is TCP; this was "proto udp", which never matched the TCP-only pass rule for 1494 below
rdr on $ext_dev proto tcp from any to any port 1494 -> 192.168.1.2 port 1494

# Deny all connections - default packet filter rule
block in log on $ext_dev from any to any label "block_in_all"

# pass all loopback traffic
pass in quick on lo0 all
pass out quick on lo0 all

# block out all Microsoft AD & Netbios traffic
# mainly a paranoia rule
block out log quick on $ext_dev inet proto tcp from any to any port 445
block out log quick on $ext_dev inet proto udp from any to any port { 137, 138, 139 }

# Outbound Connection Rules for External Interface
pass out quick on $ext_dev proto tcp all modulate state
pass out quick on $ext_dev proto udp all keep state
pass out quick on $ext_dev proto icmp all keep state

# Block in all invalid combos of TCP flags & Log them
# these rules exist mainly to log these packets so I can curse at the bad people
block in log quick on $ext_dev inet proto tcp from any to any flags /UAPRSF        # null scan (no flags set)
block in log quick on $ext_dev inet proto tcp from any to any flags F/AF           # FIN without ACK
block in log quick on $ext_dev inet proto tcp from any to any flags P/AP           # PSH without ACK
block in log quick on $ext_dev inet proto tcp from any to any flags U/UA           # URG without ACK
block in log quick on $ext_dev inet proto tcp from any to any flags RF/RF
block in log quick on $ext_dev inet proto tcp from any to any flags SF/SF
block in log quick on $ext_dev inet proto tcp from any to any flags RS/RS
block in log quick on $ext_dev inet proto tcp from any to any flags UPF/UAPRSF     # xmas-style combinations
block in log quick on $ext_dev inet proto tcp from any to any flags UPSF/UAPRSF
block in log quick on $ext_dev inet proto tcp from any to any flags UARSF/UAPRSF
block in log quick on $ext_dev inet proto tcp from any to any flags UAPRSF/UAPRSF

# block and log incoming packets from reserved address space and invalid addresses
# (made quick and moved before the pass rules: pf is last-match-wins, but a
# "pass ... quick" ends evaluation, so a later non-quick block never saw those packets)
block in log quick on $ext_dev inet from $unrouteable to any
# block Overpeer shit (same reasoning: quick, before the pass rules)
block in quick on $ext_dev inet from $overpeer to any

# Rules to allow incoming traffic for internal services & P2P traffic
# (destination is 192.168.1.2 because the rdr rules above have already translated it)
pass in quick on $ext_dev proto tcp from any to 192.168.1.2 port { 443, 892, 222, 1494, 3389, 2000 } flags S/SA modulate state
pass in quick on $ext_dev proto tcp from any to $ext_dev port 22 flags S/SA modulate state
pass in log quick on $ext_dev proto tcp from any to $ext_dev port 25 flags S/SA modulate state
pass in on $ext_dev proto udp from any to 192.168.1.2 port { 4665, 6257 } keep state
# flags S/SA added: modulate state should only create state from the initial SYN
pass in on $ext_dev proto tcp from any to 192.168.1.2 port { 4662, 6774, 6699 } flags S/SA modulate state

# reject these with RST / ICMP unreachable instead of a silent drop
# (note: ident is TCP 113, which is not in this list)
block return-rst in proto tcp from any to any port { 111, 6000, 6667 }
block return-icmp in proto udp from any to any port { 137 }
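To make the rule-ordering point concrete, here is an added example (my own code, not from the original post and not pf itself) that models how pf reaches a verdict: rules are evaluated top to bottom, the last match wins, and a matching rule with `quick` stops evaluation on the spot. It runs the posted order (spoof block after the `pass ... quick` rules, and not quick) and a corrected order against a few constructed packets. The matcher is deliberately simplified: it looks only at source address, protocol and destination port, and assumes `rdr` has already rewritten the destination, so the destination address is ignored.

```python
"""Model of pf's last-match-wins / quick semantics, used to show why a
non-quick "block ... from $unrouteable" placed after "pass ... quick" rules
does not stop spoofed packets aimed at the forwarded ports.

This is a small re-implementation of the evaluation order, not pf itself.
Only source address, protocol and destination port are matched; rdr is
assumed to have already happened, so the destination address is ignored.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# The $unrouteable list from the posted ruleset, written out as full CIDRs.
UNROUTEABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16")]

# Port lists taken from the posted pass-in rules.
FORWARDED_TCP = frozenset({443, 892, 222, 1494, 3389, 2000})
P2P_TCP = frozenset({4662, 6774, 6699})


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    quick: bool = False
    proto: str = ""                   # "" matches any protocol
    dports: frozenset = frozenset()   # empty set matches any port
    src_nets: List[ipaddress.IPv4Network] = field(default_factory=list)  # empty matches any source
    label: str = ""

    def matches(self, pkt: dict) -> bool:
        if self.proto and self.proto != pkt["proto"]:
            return False
        if self.dports and pkt["dport"] not in self.dports:
            return False
        if self.src_nets:
            src = ipaddress.ip_address(pkt["src"])
            if not any(src in net for net in self.src_nets):
                return False
        return True


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """Return (verdict, label of the deciding rule). pf's implicit default is pass."""
    verdict, label = "pass", "default"
    for rule in rules:
        if rule.matches(pkt):
            verdict, label = rule.action, rule.label
            if rule.quick:          # quick: this match is final
                break
    return verdict, label


# Order as in the posted ruleset: the spoof block comes after the quick
# pass rules and is itself not quick.
AS_POSTED = [
    Rule("block", label="block_in_all"),
    Rule("pass", quick=True, proto="tcp", dports=FORWARDED_TCP, label="pass_forwarded"),
    Rule("pass", proto="tcp", dports=P2P_TCP, label="pass_p2p"),        # not quick
    Rule("block", src_nets=UNROUTEABLE, label="block_unrouteable"),     # not quick
]

# Corrected order: the spoof block is quick and sits before any pass rule.
FIXED = [
    Rule("block", label="block_in_all"),
    Rule("block", quick=True, src_nets=UNROUTEABLE, label="block_unrouteable"),
    Rule("pass", quick=True, proto="tcp", dports=FORWARDED_TCP, label="pass_forwarded"),
    Rule("pass", proto="tcp", dports=P2P_TCP, label="pass_p2p"),
]

# Constructed sample packets (not captured traffic); 198.51.100.0/24 is documentation space.
SPOOFED_HTTPS = {"src": "10.1.2.3", "proto": "tcp", "dport": 443}
SPOOFED_P2P = {"src": "10.1.2.3", "proto": "tcp", "dport": 4662}
LEGIT_HTTPS = {"src": "198.51.100.7", "proto": "tcp", "dport": 443}
UNWANTED = {"src": "198.51.100.7", "proto": "tcp", "dport": 80}


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("fixed", FIXED)):
        for pkt in (SPOOFED_HTTPS, SPOOFED_P2P, LEGIT_HTTPS, UNWANTED):
            verdict, label = evaluate(rules, pkt)
            print(f"{name:9} {pkt['src']:>13} -> {pkt['proto']}/{pkt['dport']:<5} {verdict:5} ({label})")
```

The interesting case is the spoofed packet to the P2P port: because that pass rule is not quick, the later block still overrides it even in the posted order, which is why the bypass only affects the `quick` pass rules for the forwarded service ports.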