Hi there,
May you help me with the following.

# pf.conf
#

# Translation

# use a macro for the interface name, so it can be changed easily
ext_if = "fx0"

# map daemon on 8080 to appear to be on 80
rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080

# map daemon on ???? to appear to be on ssl
rdr on $ext_if proto tcp from any to any port ?? -> 127.0.0.1 port ????

# map daemon on ???? to appear to be on https
rdr on $ext_if proto tcp from any to any port ?? -> 127.0.0.1 port ????

# map daemon on ???? to appear to be on X
rdr on $ext_if proto tcp from any to any port ?? -> 127.0.0.1 port ????

# map daemon on ???? to appear to be on lpt
rdr on $ext_if proto tcp from any to any port ?? -> 127.0.0.1 port ????

# map daemon on ???? to appear to be on UDP
rdr on $ext_if proto tcp from any to any port ?? -> 127.0.0.1 port ????

# map daemon on ???? to appear to be on ICMP
rdr on $ext_if proto tcp from any to any port ?? -> 127.0.0.1 port ????

???????????????????????
Would you tell me for sure what ports http, ssl, https, X, and lpt run
on, as well as the daemons for them?
??????????????????????????

# Filter

# normalize all incoming traffic
scrub in on $ext_if all fragment assemble

# block and log everything by default
    block return log on $ext_if all


# block and log outgoing packets that do not have our address as source,
# they are either spoofed or something is misconfigured (NAT disabled,
# for instance), we want to be nice and do not send out garbage.
    block out log quick on $ext_if from ! 157.161.48.183 to any--->

??????????????????????????????????????????????????
---> this is taken from the man pf.conf filter example, and
in the example the address is only routable. I run only one PC
and use DHCP; the question is how to write the above in my case.
?????????????????????????????????????????


# silently drop broadcasts (cable modem noise)
    block in quick on $ext_if from any to 255.255.255.255

# block and log incoming packets from reserved address space and
# invalid addresses, they are either spoofed or misconfigured,
# we cannot reply to them anyway (hence, no return-rst).
    block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
          192.168.0.0/16, 255.255.255.255/32 } to any

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
    pass on $ext_if inet proto icmp all icmp-type 8 code 0

# UDP

# pass out all UDP connections and keep state
    pass out on $ext_if proto udp all

# pass in certain UDP connections and keep state (DNS)
    pass in on $ext_if proto udp from any to any port domain

# TCP

# pass out all TCP connections and modulate state
    pass out on $ext_if proto tcp all modulate state

# pass in certain TCP connections and keep state
# (SSH, SMTP, DNS, IDENT)
    pass in on $ext_if proto tcp from any to any port \
          { ssh, smtp, domain, auth }

# Do not allow Windows 9x SMTP connections since they are typically
# a viral worm. Alternately we could limit these OSes to 1 connection each.
    block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
          to any port smtp

And the last question: can firefox and nedit run with such a pf.conf?
Thanks in advance.
Igor.
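As an added example (not part of Igor's message), the outbound anti-spoof rule from the man page can be written without a hard-coded address: pf's parenthesised interface syntax makes the rule track whatever address the interface currently holds, which is what a single DHCP client needs. The `ext_if` macro value is taken from the posted ruleset and is an assumption.

```pf
# Added example, not from the original post.
# Anti-spoof rules for a single host whose address comes from DHCP.
ext_if = "fx0"          # interface macro as in the posted ruleset (assumed)

# ($ext_if) in parentheses is re-evaluated by pf whenever the interface
# address changes, so a lease renewal does not silently break the rule.
# Outbound: drop and log anything that does not carry our own address as
# source (spoofed, or NAT misconfigured), the same intent as the man page
# rule but without the literal 157.161.48.183.
block out log quick on $ext_if from ! ($ext_if) to any

# Inbound: a packet arriving on the external interface that claims to come
# from our own address cannot be legitimate; log it for later review.
block in log quick on $ext_if from ($ext_if) to any
```

Load the ruleset with `pfctl -nf /etc/pf.conf` first to syntax-check it without activating it; the parenthesised form is only valid for interface names, not for arbitrary hosts.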
