Re: Configuring PF

From: Pat Maddox (
Date: 02/18/05

  • Next message: Euripides Ballis: "load enlightenment"
    Date: Fri, 18 Feb 2005 00:28:30 -0700
    To: FreeBSD Questions <>

    Can you guys let me know if this looks like a good conf file? I've
    got web, mail, ftp, ssh, and DNS that I need to have open.

    # Macros
    tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
    icmp_types = "echoreq"

    # Default deny
    block all

    ## Filtering rules

    # Default TCP policy
    block return-rst in log on $ext_if proto TCP all
    pass in log quick on $ext_if proto TCP from any to $ext_if port
    $tcp_services flags $SYN_ONLY keep state

    # Default UDP policy
    block in log on $ext_if proto udp all
    pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state

    # Default ICMP policy
    block in log on $ext_if proto icmp all
    pass in inet proto icmp all icmp-type echoreq keep state

    block out log on $ext_if all
    pass out log quick on $ext_if from $ext_if to any keep state

    # Allow the local interface to talk unrestricted
    pass in quick on lo0 all
    pass out quick on lo0 all

    On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <> wrote:
    > On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <> wrote:
    > > I've managed to come up with something that works so far. I am having
    > > two problems though.
    > >
    > > The first is that I can't authenticate for IMAP anymore. No clue why,
    > > it just keeps rejecting my password. maillog shows imapd: LOGIN
    > > FAILED, that's it.
    > >
    > > Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
    > > block in log on $ext_if proto udp all
    > >
    > > So all UDP ports should be shown as closed. Doesn't really make any
    > > sense to me. Anyone care to help?
    > >
    > > Thanks for the help so far.
    > >
    > > Pat
    > Start with a default policy to block and log all traffic
    > # --- default policy
    > block log from any to any
    > Now you only have to open ports to let traffic in. If you don't know
    > which port to open for a certain protocol, you can run "tcpdump -eni
    > pfl0g". tcpdump will show which rule blocked, and on which port
    > address combination.
    > =Adriaan=
    > _______________________________________________
    > mailing list
    > To unsubscribe, send any mail to ""
    _______________________________________________ mailing list
    To unsubscribe, send any mail to ""

  • Next message: Euripides Ballis: "load enlightenment"

    Relevant Pages

    • Re: UDP question
      ... Re: UDP question.eml ... >>> Most modern services utilise TCP, ... The only open port should be the port I use for Open VPN, ...
    • Vim and NFS and ipfilter(strange problem)
      ... block in log proto tcp all flags S/SA ... pass in quick proto tcp from any to any port = www keep state ... pass out quick proto tcp/udp from any to any port = 2049 keep state ...
    • Re: Block UDP Ports?
      ... I'm using Checkpoint Firewall-1. ... reasonable that Firewall-1 would leave UDP wide open. ... > UDP ICMP port unreachable scanning: This scanning method varies from the ...
    • UDP DoS attack in Win2k via IKE
      ... This memo should clarify the issue discovered with the UDP DOS ... Sending of UDP traffic to port 500 UDP will cause windows to ... attacked host is an IPSec gateway). ...
    • Re: Bind as cache DNS and firewall
      ... As it's UDP I think of UDP queries going from my cache server to other DNS server, and I catch their UDP responses in the firewall. ... So I should open my firewall for UDP on port 53 for all the world? ...