comment on the following line

Fri, 28 Jul 2006 06:31:59 -0700 

Dear friends,

here is my first message to this mailing list. I have just started
learning openbsd PF and would like your consideration on my very first
FW configuration and layout. Configuration is show above:

#
# It has three interfaces, one for Internet (EIF) and two for
internets (IIF_0, IIF_1).
#

$EIF = "fxp0"
$IIF_0 = "fxp1"
$IIF_1 = "fxp2"

#
# Let's define some tables to get things easier
#

table <noroute> const { 127/8 255.255.255.255/32 }
table <rfc1918> persist const { 10/8 172.16/12 192.168/16 }
table <badhosts> persist
table <nets> persist { ($EIF) ($IIF_0) ($IIF_1) }

#
# For now, we have no options
# For now, we have no traffic normalization
# For now, we have no queueing
# For now, we have no translation
#

#
# Filtering to be done
#

# Block everything by default
block all

# The router itself has access to all internets
pass in on $EIF from ($EIF):network to ($EIF) tag RTD
pass out on $EIF from ($EIF) to ($EIF):network tag RTD
pass in on $IIF_0 from ($IIF_0):network to ($IIF_0)
pass out on $IIF_0 from ($IIF_0) to ($IIF_0):network
pass in on $IIF_1 from ($IIF_1):network to ($IIF_1)
pass out on $IIF_1 from ($IIF_1) to ($IIF_0):network

# What is allowed goes here (we have nothing allowed)

# Let correct some problems, nonroutable IP address, spoofing, etc.
# default on each internal interface
block in on $IIF_0 from { ($IIF_0) ($IIF_0):broadcast }
block in on !$IIF_0 from ($IIF_0):network
block in on !$IIF_0 to ($IIF_0):broadcast

block in on $IIF_1 from { ($IIF_1) ($IIF_1):broadcast }
block in on !$IIF_1 from ($IIF_1):network
block in on !$IIF_1 to ($IIF_1):broadcast

# default external interface
block in on $EIF from { ($EIF) ($EIF):broadcast }
block in on !$EIF from !<net>

# default general rule(s)
block in from <rfc1918> tagged ! RTD
block in to <rfc1918> tagged ! RTD
block in from { <noroute> 0/0 }
block in to { <noroute> 0/0 }

# End of pf.conf

Well folks, that's it. I would like to have a solid configuration,
like preventing IP spoofing, prevent packets with not allowed IP to
travel the Internet, etc.

Is it (my pf.conf, for now only) sound any few?


Thank you a lot for your time and cooperation.

Best regards.

gustavo Rios

Reply via email to