On Sep 28, 2006, at 7:34 AM, sonjaya wrote:

I have a BSD machine running as gateway + proxy (running for internet access
and DNS for my LAN).
I want to create a rule: all internet requests via the proxy work fine, but
I see in pftop that some protocols, such as P2P applications, pass my gateway.
How do I block them?
P2P = eDonkey and BitTorrent.

Below is my pf script:

# Interfaces and addresses
ext_if="xl0"
int_if="xl1"
int_ip="127.0.0.1"              # web proxy listens on loopback, port 8080
ip_limited="192.168.0.50"
# Services on the gateway reachable from the Internet
tcp_allow="{ 22, 80, 8080, 443, 113}"
udp_allow="{ 53, 113}"
icmp_types="echoreq"

set block-policy return
set skip on lo
scrub all

# NAT for everything leaving on the external interface
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Transparent redirection of LAN web and ftp traffic into the proxies;
# "rdr pass" also passes the redirected packets
rdr pass on $int_if proto tcp to port 80 -> $int_ip port 8080
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# POP3 from outside forwarded to an internal host
rdr on $ext_if proto tcp from any to any port 110 -> 192.168.0.1

# Default deny, then explicit passes
block all
pass out keep state
pass in on $ext_if inet proto tcp from any to {$ext_if} \
   port $tcp_allow flags S/SA keep state
pass in on $ext_if inet proto udp from any to {$ext_if} \
   port $udp_allow  keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
# Everything arriving from the LAN is passed unconditionally
pass in quick on $int_if


My default policy is 'block in all' instead of 'block all'. Now I know that a packet won't go out unless I let it in. Your current rule set allows anything from your LAN to pass through. If you do something similar to my block policy, then remove the last line in the rule set above, 'pass in quick on $int_if'; that will cut off your LAN from communicating with any outside hosts. Then you can add rules to allow those protocols which are required by hosts in your LAN.


For example:

##-----------------------------------------------
# Inside -> Outside traffic
##-----------------------------------------------
#
## WebCache requests
pass in inet proto tcp from $carp_int:network to 127.0.0.1 port 3128 modulate state
## Authorized SMTP hosts
pass in inet proto tcp from <smtpallow> to any port { smtp } flags S/SA modulate state
## Allow whois queries
pass in inet proto tcp from $carp_int:network to any port whois modulate state


After reading http://www.undeadly.org/cgi?action=article&sid=20060927091645 I should probably add interface sections to my rules, to increase the skip steps, but that is certainly not needed for functionality.

-Chad

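For reference, here is sonjaya's ruleset with Chad's advice applied. This is an added example, not code from either poster, written in the pre-4.7 pf syntax the thread uses (nat/rdr as separate rules, keep state, flags S/SA). The LAN prefix 192.168.0.0/24, the variable names proxy_ip and lan_net, and the assumption that the proxy also answers on the gateway's LAN address for explicitly configured clients are mine; the thread does not state them.

```pf
# Added example: the original ruleset with "pass in quick on $int_if"
# replaced by explicit per-protocol passes from the LAN.
ext_if="xl0"
int_if="xl1"
proxy_ip="127.0.0.1"          # web proxy on the gateway's loopback (from the post)
lan_net="192.168.0.0/24"      # assumed LAN prefix, not stated in the thread
tcp_allow="{ 22, 80, 8080, 443, 113 }"
udp_allow="{ 53, 113 }"
icmp_types="echoreq"

set block-policy return
set skip on lo
scrub all

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Transparent redirection of LAN web and ftp traffic into the proxies on the
# gateway. "rdr pass" also passes the redirected packets, so these two need
# no separate pass rule below.
rdr pass on $int_if proto tcp from $lan_net to any port 80 -> $proxy_ip port 8080
rdr pass on $int_if proto tcp from $lan_net to any port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 110 -> 192.168.0.1

# Weak setting from the original post: everything from the LAN is passed
# unconditionally, so eDonkey/BitTorrent go straight out through the NAT.
#   pass in quick on $int_if
#
# Corrected: default deny, then pass only what the LAN hosts need.
block all
pass out keep state

# Gateway services reachable from the Internet (unchanged from the post)
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_allow flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_allow keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

# Inside -> Outside: DNS to the gateway's resolver, the proxy for clients that
# are configured to use it explicitly, and ping. Anything else from the LAN,
# including direct eDonkey/BitTorrent connections on arbitrary ports, falls
# through to "block all" (last matching rule wins, and nothing matches).
pass in on $int_if inet proto { tcp, udp } from $lan_net to ($int_if) port 53 keep state
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port 8080 flags S/SA keep state
pass in on $int_if inet proto icmp from $lan_net icmp-type $icmp_types keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm in pftop or `pfctl -ss` that the only states from LAN hosts are to port 53 on the gateway and to the proxy ports. One caveat: this blocks only direct P2P connections. A client that is configured to tunnel through the HTTP proxy (for example with CONNECT) is still passed by the proxy rules, so restricting which destinations and ports the proxy itself will CONNECT to is a separate job for the proxy's own access controls.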