On Wed, 12 Jan 2005 11:33:24 -0600, Omar Armas <[EMAIL PROTECTED]> wrote:
> Does it allow SSH, NFS and LDAP only to 192.168.101.0/24 

It allows NFS, SSH and LDAP *FROM* 192.168.101.0/25 only.

> and POP, HTTP,
> POP and IMAP to the rest of the world?

SMTP, HTTP, POP and IMAP from anywhere, in theory to any host (so, in
theory, if you accidentally configure your host to forward packets,
anybody could use it to route packets through you).

> Is it secure enough?

That's a call only you can make.  I'd suggest that you do this, however:

pass in quick on lo0 all
pass out quick on lo0 all
#pass out all. Is it necessary?
pass out quick on rl0 all keep state
block in quick on rl0 from any to SERVER_IP/32 head 10

# Group 10 - any host
#pass SMTP, HTTP, POP and IMAP from anywhere
pass in quick proto tcp from any to any port = 25 flags S keep state group 10
pass in quick proto tcp from any to any port = 80 flags S keep state group 10
pass in quick proto tcp from any to any port = 110 keep state group 10
pass in quick proto tcp from any to any port = 143 flags S keep state group 10
pass in quick proto icmp from any to any group 10

block in quick from 192.168.101.0/24 to any head 20 group 10

# Group 20 - trusted network
pass in quick proto tcp from any to any port = 111 keep state group 20
#pass SSH for trusted class
pass in quick proto tcp from any to any port = 22 keep state group 20
#pass LDAP for trusted class
pass in quick proto tcp from any to any port = 389 keep state group 20

But that's just me :)

-- 
                 Please keep list traffic on the list.
Rob MacGregor
      Whoever fights monsters should see to it that in the process he 
        doesn't become a monster.                  Friedrich Nietzsche

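Added example (an editor's addition, not part of Rob's message and not ipfilter code): a small Python model that parses the posted rules and walks them with ipfilter's quick/head/group semantics, so you can see which packets end up where. Assumptions: the SERVER_IP placeholder is replaced by 203.0.113.10 (an RFC 5737 documentation address); only the syntax the posted rules use is parsed; "keep state" is not modelled, so every packet is judged by the rules alone; and, as ipfilter does, a packet that matches no rule at all is passed. The example also goes one step beyond the posted rules with a harden() helper that adds "flags S" to the TCP pass rules lacking it, to show what the missing flag on the port 110 rule lets through. All packets below are constructed for the demo.

```python
import ipaddress
from collections import namedtuple

SERVER_IP = "203.0.113.10"  # assumed stand-in for SERVER_IP (RFC 5737 documentation range)

# Rules as posted (CIDR typo corrected); port 110 deliberately still lacks "flags S".
RULESET = f"""
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on rl0 all keep state
block in quick on rl0 from any to {SERVER_IP}/32 head 10
pass in quick proto tcp from any to any port = 25 flags S keep state group 10
pass in quick proto tcp from any to any port = 80 flags S keep state group 10
pass in quick proto tcp from any to any port = 110 keep state group 10
pass in quick proto tcp from any to any port = 143 flags S keep state group 10
pass in quick proto icmp from any to any group 10
block in quick from 192.168.101.0/24 to any head 20 group 10
pass in quick proto tcp from any to any port = 111 keep state group 20
pass in quick proto tcp from any to any port = 22 keep state group 20
pass in quick proto tcp from any to any port = 389 keep state group 20
"""

class Rule:
    """One parsed rule; None for iface/proto/src/dst/port means 'any'."""
    def __init__(self, action, direction):
        self.action, self.direction, self.quick = action, direction, False
        self.iface = self.proto = self.src = self.dst = self.port = self.head = None
        self.syn_only, self.group = False, 0   # "flags S"; group 0 is the top level

# syn=True models a bare SYN, syn=False a mid-connection segment such as a stray ACK.
Packet = namedtuple("Packet", "direction iface proto src dst dport syn", defaults=(0, True))

def parse_rule(line):
    """Parse only the subset of ipf syntax the posted rules use."""
    t, i = line.split(), 2
    r = Rule(action=t[0], direction=t[1])
    while i < len(t):
        k = t[i]
        if k in ("quick", "all"):
            r.quick = r.quick or k == "quick"; i += 1
        elif k == "keep":                    # "keep state": the state table is not modelled
            i += 2
        elif k == "flags":
            r.syn_only = t[i + 1] == "S"; i += 2
        elif k == "port":                    # "port = N"
            r.port = int(t[i + 2]); i += 3
        elif k in ("on", "proto", "from", "to", "head", "group"):
            v = t[i + 1]
            if k in ("from", "to"):
                v = None if v == "any" else ipaddress.ip_network(v, strict=False)
            elif k in ("head", "group"):
                v = int(v)
            setattr(r, {"on": "iface", "from": "src", "to": "dst"}.get(k, k), v); i += 2
        else:
            raise ValueError(f"unsupported token {k!r} in: {line}")
    return r

def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def matches(r, p):
    return (r.direction == p.direction and r.iface in (None, p.iface)
            and r.proto in (None, p.proto) and r.port in (None, p.dport)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and (p.syn or not r.syn_only))

def evaluate(rules, p, group=0):
    """Return (decision, final): a matching head rule hands the packet to its group, a match
    there wins, otherwise the head rule's own action stands; quick ends evaluation."""
    decision = None
    for r in rules:
        if r.group != group or not matches(r, p):
            continue
        decision = r.action
        if r.head is not None:
            sub, final = evaluate(rules, p, r.head)
            if sub is not None:
                decision = sub
                if final:
                    return decision, True
        if r.quick:
            return decision, True
    return decision, False

def filter_packet(rules, p):
    decision, _ = evaluate(rules, p)
    return decision or "pass"    # ipfilter passes a packet that matches no rule at all

def harden(text):
    """Add "flags S" to every TCP pass rule lacking it, so only a bare SYN can open state."""
    return "\n".join(l.replace(" keep state", " flags S keep state")
                     if l.startswith("pass") and "proto tcp" in l and "flags S" not in l else l
                     for l in text.splitlines())

def demo():
    """Decision under (posted, hardened) rules for constructed packets arriving on rl0."""
    posted, hardened = parse_ruleset(RULESET), parse_ruleset(harden(RULESET))
    cases = {
        "ssh from trusted":   Packet("in", "rl0", "tcp", "192.168.101.5", SERVER_IP, 22),
        "ssh from outside":   Packet("in", "rl0", "tcp", "198.51.100.7", SERVER_IP, 22),
        "smtp from outside":  Packet("in", "rl0", "tcp", "198.51.100.7", SERVER_IP, 25),
        "stray ack to pop":   Packet("in", "rl0", "tcp", "198.51.100.7", SERVER_IP, 110, syn=False),
        "smtp to other host": Packet("in", "rl0", "tcp", "198.51.100.7", "192.0.2.9", 25),
    }
    return {name: (filter_packet(posted, p), filter_packet(hardened, p)) for name, p in cases.items()}
```

The two last cases are the ones worth looking at: the stray ACK to port 110 passes under the posted rules because that one rule has no "flags S", and is blocked once harden() adds it; and SMTP addressed to some other host matches nothing at all (the head rule is "to SERVER_IP/32"), so it is passed by ipfilter's default, which is the forwarding concern mentioned above.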