Re: Configuring PF

From: Pat Maddox (pergesu_at_gmail.com)
Date: 02/18/05

Date: Fri, 18 Feb 2005 00:28:30 -0700
To: FreeBSD Questions <freebsd-questions@freebsd.org>

    Can you guys let me know if this looks like a good conf file? I've
    got web, mail, ftp, ssh, and DNS that I need to have open.

    # Macros
    ext_if="fxp0"
    SYN_ONLY="S/FSRA"
    tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
    icmp_types = "echoreq"

    # Default deny
    block all

    ## Filtering rules

    # Default TCP policy
    block return-rst in log on $ext_if proto TCP all
    pass in log quick on $ext_if proto TCP from any to $ext_if port $tcp_services flags $SYN_ONLY keep state

    # Default UDP policy
    block in log on $ext_if proto udp all
    pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state

    # Default ICMP policy
    block in log on $ext_if proto icmp all
    pass in inet proto icmp all icmp-type echoreq keep state

    block out log on $ext_if all
    pass out log quick on $ext_if from $ext_if to any keep state

    # Allow the local interface to talk unrestricted
    pass in quick on lo0 all
    pass out quick on lo0 all

    On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD <j65nko@gmail.com> wrote:
    > On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox <pergesu@gmail.com> wrote:
    > > I've managed to come up with something that works so far. I am having
    > > two problems though.
    > >
    > > The first is that I can't authenticate for IMAP anymore. No clue why,
    > > it just keeps rejecting my password. maillog shows imapd: LOGIN
    > > FAILED, that's it.
    > >
    > > Also, after enabling pf, all my UDP ports show as open. I've got a ruleset of
    > > block in log on $ext_if proto udp all
    > >
    > > So all UDP ports should be shown as closed. Doesn't really make any
    > > sense to me. Anyone care to help?
    > >
    > > Thanks for the help so far.
    > >
    > > Pat
    >
    > Start with a default policy to block and log all traffic
    >
    > # --- default policy
    > block log from any to any
    >
    > Now you only have to open ports to let traffic in. If you don't know
    > which port to open for a certain protocol, you can run "tcpdump -eni
    > pflog0". tcpdump will show which rule blocked, and on which port
    > address combination.
    >
    > =Adriaan=
    > _______________________________________________
    > freebsd-questions@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
    >
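As an added example (not part of this thread and not pf's own tooling), here is a small Python review aid for a ruleset like the one posted: it expands the macros, flags rule lines that do not start with a pf keyword (typically a rule wrapped onto a second line, which pf.conf only accepts with a trailing backslash), and summarises which inbound ports the pass rules admit per protocol so the result can be compared with the intended service list. The embedded ruleset is a constructed copy of the one in the post with the TCP pass rule on a single line.

```python
import re
# Constructed sample: the ruleset from the post, with the wrapped TCP pass rule on one line.
PF_CONF = """\
ext_if="fxp0"
SYN_ONLY="S/FSRA"
tcp_services = "{ 21, 22, 25, 53, 80, 143 }"
block all
pass in log quick on $ext_if proto TCP from any to $ext_if port $tcp_services flags $SYN_ONLY keep state
pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass out log quick on $ext_if from $ext_if to any keep state
pass in quick on lo0 all
"""

ACTIONS = {'pass', 'block', 'antispoof', 'scrub', 'nat', 'rdr', 'binat', 'set', 'table'}
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
PROTO_RE = re.compile(r'\bproto\s+(\w+)')
PORT_RE = re.compile(r'\bport\s+(\{[^}]*\}|\S+)')
PASS_IN_RE = re.compile(r'pass\s+in\b')

def expand(conf):
    """Split pf.conf text into (macros, rules), substituting $macro references in rules."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in macros.items():
            line = line.replace('$' + name, value)
        rules.append(line)
    return macros, rules

def malformed(rules):
    """Lines that do not start with a pf keyword: typically a rule wrapped onto a second line."""
    return [r for r in rules if r.split()[0] not in ACTIONS]

def inbound_ports(rules):
    """Ports admitted by 'pass in' rules, keyed by lower-cased protocol name."""
    exposed = {}
    for r in rules:
        proto, ports = PROTO_RE.search(r), PORT_RE.search(r)
        if not PASS_IN_RE.match(r) or not proto or not ports:
            continue
        spec = re.split(r'[,\s]+', ports.group(1).strip('{} '))
        exposed.setdefault(proto.group(1).lower(), set()).update(int(p) for p in spec if p.isdigit())
    return {k: sorted(v) for k, v in exposed.items()}
```

This is a review aid only; `pfctl -nf /etc/pf.conf` remains the authoritative syntax check before loading a ruleset.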

