Hi all,

Can anyone review this ruleset?

Server with 2 network cards (both with a public IP). This server is on the network 1.1.1.X (example).

     ----
    |    |----- fxp0 (IP = 1.1.1.1)
    |    |
    |    |----- sis0 (IP = 1.1.1.2)
     ----

I want every request through port 80 (web), 10000 (webmin interface), 22 (ssh) and 21 (ftp) to go to the ext_if, and Samba (139, 445) and CUPS (631) to go only to the int_if. And are the security options enough?

Thanks!

PF.CONF:

#INTERFACES
ext_if="fxp0"
int_if="sis0"
ip_ext="1.1.1.1" #example ip
ip_int="1.1.1.2" #example ip

#INFO
#SSH = 22
#WEB = 80
#FTP = 21
#WEBMIN = 10000
#SAMBA = 139, 445
#CUPS = 631
#UDP = 137, 138

#OPTIONS
set block-policy drop
block in log all label "blockin"
block out log all label "blockout"
scrub in all

pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

#SSH
pass in quick on $ext_if proto tcp from any to $ip_ext port 22 flags S/SA keep state

#WEB+WEBMIN+FTP
pass in quick on $ext_if proto tcp from any to $ip_ext port {80,10000,21} flags S/SA keep state

#PROFTPD (passive data ports)
pass in quick on $ext_if proto tcp from any to $ip_ext port 49151 >< 52000
pass out quick on $ext_if proto tcp from $ip_ext port 49151 >< 52000 to any

#SAMBA
#a.a.a.a => ips from a vlan
#b.b.b.b => ips in webserver lan
pass in quick on $int_if proto tcp from a.a.a.a/20 to $ip_int port {139,445}
pass in quick on $int_if proto tcp from b.b.b.b/24 to $ip_int port {139,445}

#CUPS
pass in quick on $int_if proto tcp from a.a.a.a/20 to $ip_int port 631
pass in quick on $int_if proto tcp from b.b.b.b/24 to $ip_int port 631

#ICMP
pass in quick on $ext_if inet proto icmp all icmp-type 3 keep state
pass in quick on $ext_if inet proto icmp all icmp-type 4 keep state

pass out on $ext_if proto tcp from $ip_ext to any flags S/SA keep state
pass out on $ext_if proto { icmp, udp } from $ip_ext to any keep state
pass out on $int_if proto tcp from $ip_int to any flags S/SA keep state
pass out on $int_if proto { icmp, udp } from $ip_int to any keep state
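As an added example (not part of the post above), a small Python lint that mechanically flags three things a reviewer looks for in a ruleset like this one: a `port{` token glued to its brace, a port range (`><`, `<>`) whose `port` keyword is missing, and TCP pass rules with no state option in a pf dialect that requires an explicit `keep state`. The rule text inside it is constructed in the poster's style; `pfctl -nf pf.conf` remains the authoritative syntax check.

```python
import re

# Constructed sample in the poster's style: four rules, two carrying the
# syntax slips a reviewer would catch (missing 'port' keyword, glued 'port{')
SAMPLE_RULES = """\
pass in quick on $ext_if proto tcp from any to $ip_ext port 22 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $ip_ext port 49151 >< 52000
pass out quick on $ext_if proto tcp from $ip_ext 49151 >< 52000 to any
pass in quick on $int_if proto tcp from b.b.b.b/24 to $ip_int port{139,445}
"""

# pf state-tracking options; in the dialect of this post (explicit 'keep state'),
# a TCP pass rule without one of these is stateless and needs rules for replies
STATE_KEYWORDS = ("keep state", "modulate state", "synproxy state")


def lint_rule(rule: str) -> list[str]:
    """Return reviewer-style findings for one pass rule (empty list = clean)."""
    findings: list[str] = []
    tokens = rule.split()
    if not tokens or tokens[0] != "pass":
        return findings  # only pass rules are checked here
    # 'port{...}' with no space: pfctl rejects it as a syntax error
    if re.search(r"\bport\{", rule):
        findings.append("'port{' needs a space before the brace")
    # a spaced range operator must be introduced by the 'port' keyword
    for i, tok in enumerate(tokens):
        if tok in ("><", "<>") and not (i >= 2 and tokens[i - 2] == "port"):
            findings.append(f"range operator '{tok}' is not preceded by 'port'")
    # stateless TCP rule: reply packets are not matched automatically
    if "proto tcp" in rule and not any(k in rule for k in STATE_KEYWORDS):
        findings.append("tcp rule has no state option (keep state / modulate state)")
    return findings


def lint(config: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to findings, skipping blank and comment lines."""
    report: dict[int, list[str]] = {}
    for n, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if findings := lint_rule(line):
            report[n] = findings
    return report


if __name__ == "__main__":
    for n, findings in lint(SAMPLE_RULES).items():
        print(f"line {n}: " + "; ".join(findings))
```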