On Tue, 08 Nov 2005 00:44:34 +0000, Larry Llong wrote:
> I just want to allow port 22, 25 and 80 to my server.
>
> I know I can activate and deactivate pf with -e and -d, but that doesn't seem
> to reload the configuration. Does it?
How about -f, or man pfctl (which is faster than typing, I guess)
Here I use something like the following. It permits changing NICs and editing
the services. Chances are you want to log less. No warranty && YMMV:
# Define useful variables - Macros
Ext_IF = "ne1"                      # External Interface
TCP_Services = "{ ssh, smtp, www }" # 22, 25, 80 by their /etc/services names
ICMP_Types = "echoreq"              # only answer ping
# Options
set block-policy return             # blocked TCP gets a RST, UDP an ICMP unreachable
set loginterface $Ext_IF            # per-interface counters, see pfctl -si
# Clean up fragmented and abnormal packets
scrub in all
# Filter rules
block all                           # default deny, in and out
pass quick on lo0 all               # never filter loopback
# allow the services as defined above
pass in log on $Ext_IF inet proto tcp from any to $Ext_IF \
    port $TCP_Services flags S/SA keep state   # only a bare SYN creates state
pass in log on $Ext_IF inet proto { tcp, udp } from any to $Ext_IF \
    port domain keep state
pass in log inet proto icmp all icmp-type $ICMP_Types keep state
pass out log on $Ext_IF proto tcp all modulate state flags S/SA   # outbound TCP, ISNs rewritten
pass out log on $Ext_IF proto { udp, icmp } all keep state
Uwe
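The reload step itself, as an added example (not code from Uwe's post or from the pf project): parse the file with pfctl -n before loading it with -f, so a typo never replaces a working ruleset, then enable the filter if it is off and print what got loaded. The PFCTL override and the default path /etc/pf.conf are assumptions.

```sh
#!/bin/sh
# Reload a pf ruleset the safe way: parse it first (-n), only then load it
# (-f), enable the filter if it is off, and show what actually got loaded.
# Added example, not from the thread. Assumes the pfctl of OpenBSD/FreeBSD pf;
# /etc/pf.conf as the default file and the PFCTL override are assumptions.

PFCTL=${PFCTL:-pfctl}   # override (e.g. PFCTL=/sbin/pfctl) if not in PATH

# pf_check FILE: parse FILE without touching the running ruleset.
# pfctl -n reports syntax errors and undefined macros and loads nothing.
pf_check() {
    "$PFCTL" -nf "$1"
}

# pf_enabled: succeed if pf is currently enabled, as reported by pfctl -si.
pf_enabled() {
    "$PFCTL" -si 2>/dev/null | grep -q '^Status: Enabled'
}

# pf_reload [FILE]: check, load, enable, display. Returns non-zero and leaves
# the running ruleset alone if FILE does not parse.
pf_reload() {
    cfg=${1:-/etc/pf.conf}
    if ! pf_check "$cfg"; then
        echo "pf_reload: $cfg failed to parse; running ruleset unchanged" >&2
        return 1
    fi
    "$PFCTL" -f "$cfg" || return 1          # replaces the rules; existing states survive
    pf_enabled || "$PFCTL" -e || return 1   # -e/-d only toggle filtering, never reload
    "$PFCTL" -sr                            # rules as loaded, macros already expanded
}

# Typical use after editing the file:  pf_reload   or   pf_reload /path/to/pf.conf
```

Doing this over ssh is exactly where the -n pass earns its keep: a ruleset that parses but blocks port 22 still loads, so compare the pfctl -sr output against what you expect before closing the session.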