Toomas Aas wrote:

Omar Armas wrote:

Don't you get any error messages when loading the rules? The syntax of your rules for 111/tcp, 22/tcp and 389/tcp doesn't look correct to me. They should be:

I'm sorry, I wrote the rules from memory. This is what I use at my server:
----------------
pass in quick on lo0 all
pass out quick on lo0 all
#pass out all. Is it necessary?
pass out quick on rl0 all keep state
#pass NFS for trusted class
pass in quick on rl0 proto tcp from 192.168.101.0/24 to any port = 111 keep state
#pass SSH for trusted class
pass in quick on rl0 proto tcp from 192.168.101.0/24 to any port = 22 keep state
#pass LDAP for trusted class
pass in quick on rl0 proto tcp from 192.168.101.0/24 to any port = 389 keep state
#pass POP, SMTP and IMAP for all world
pass in quick on rl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 110 keep state
pass in quick on rl0 proto tcp from any to any port = 143 flags S keep state
pass in quick on rl0 proto icmp from any to any
---------------


Does it allow SSH, NFS and LDAP only to 192.168.101.0/24 and POP, HTTP, POP and IMAP to the rest of the world?
Is it secure enough?


Omar
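As an added example, not code from this thread, here is a small Python model of ipf's rule evaluation (last match wins, a 'quick' match stops at once) run over the inbound rl0 rules posted above, to answer the question asked: which sources reach SSH and SMTP. The client and server addresses are constructed, the leading 'block in on rl0 all' rule in the second run is hypothetical, and 'keep state' and 'flags S' are not modelled.

```python
import ipaddress
import re
# Constructed copy of the inbound rl0 rules posted above ('keep state' and 'flags S' are not modelled).
POSTED_RULES = """\
pass in quick on rl0 proto tcp from 192.168.101.0/24 to any port = 111 keep state
pass in quick on rl0 proto tcp from 192.168.101.0/24 to any port = 22 keep state
pass in quick on rl0 proto tcp from 192.168.101.0/24 to any port = 389 keep state
pass in quick on rl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 110 keep state
pass in quick on rl0 proto tcp from any to any port = 143 flags S keep state
pass in quick on rl0 proto icmp from any to any
"""
RULE_RE = re.compile(
    r"(?P<action>pass|block) (?P<dir>in|out)(?P<quick> quick)? on (?P<iface>\S+) "
    r"(?:all|proto (?P<proto>\S+) from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\d+))?)")

def parse(text):
    """Parse the ipf subset used above; '#' comments and blank lines are skipped."""
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    return [RULE_RE.match(l).groupdict() for l in lines if l]  # AttributeError on unsupported syntax

def _addr_in(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _matches(r, direction, iface, proto, src, dst, port):
    # An 'all' rule has no proto/address/port test; a rule without 'port =' matches any port.
    return r["dir"] == direction and r["iface"] == iface and (r["proto"] is None or (
        r["proto"] == proto and _addr_in(r["src"], src) and _addr_in(r["dst"], dst)
        and (r["port"] is None or int(r["port"]) == port)))

def verdict(rules, direction, iface, proto, src, dst, port=None, default="pass"):
    """ipf: the last matching rule wins unless a match is 'quick' (stop there); a packet that
    matches no rule gets the implicit default, which stock ipf sets to pass."""
    result = default
    for r in rules:
        if _matches(r, direction, iface, proto, src, dst, port):
            result = r["action"]
            if r["quick"]:
                break
    return result

def check_posted_rules(server="10.0.0.1", lan="192.168.101.7", world="203.0.113.5"):
    """Constructed clients inside/outside 192.168.101.0/24; also behind a hypothetical 'block in' rule."""
    as_posted = parse(POSTED_RULES)
    with_block = parse("block in on rl0 all\n" + POSTED_RULES)
    return {"lan_ssh": verdict(as_posted, "in", "rl0", "tcp", lan, server, 22),
            "world_ssh_as_posted": verdict(as_posted, "in", "rl0", "tcp", world, server, 22),
            "world_ssh_with_block": verdict(with_block, "in", "rl0", "tcp", world, server, 22),
            "world_smtp_with_block": verdict(with_block, "in", "rl0", "tcp", world, server, 25)}
```

The posted rules only ever grant, so an outside SSH connection matches nothing and falls through to the implicit default; it is the default-deny rule (or a non-pass default) that actually restricts SSH, NFS and LDAP to the trusted class.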
