Hello everyone. I wanted to send out my updated PF rules and get some feedback
and critique on them so I can improve them and lock everything down.
I want to thank everyone who has helped me and I value their input. (A lot
of what's in here is from the example in the pf.conf man page.)
Here goes:

Network info:

ISP: cable modem with a dynamic IP (DHCP)
Gateway: OpenBSD 3.1 as the router/gateway, running PF and NAT
Inside the LAN: 4 computers (1 Win2k box, 2 Linux, 1 BSD)
Not running any mail server, email or DNS server on my LAN.
LAN IP range: 192.168.1.0/24

So here are my rules:

-----Nat.conf-----
# NAT info. On 3.1 nat.conf is a separate file from pf.conf, so the macro
# has to be defined here as well; the rule originally referenced $ext_int,
# which was never defined anywhere.
ext_if = "dc0"
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if

# Hostname files
# External (cable modem, DHCP): /etc/hostname.dc0
dhcp NONE NONE NONE

# Internal LAN: /etc/hostname.dc1
inet 192.168.1.1 255.255.255.0 NONE media autoselect
----------------------Pf.conf-------------------------------

# Declare interfaces
ext_if = "dc0"
int_if = "dc1"    # not referenced by any rule below

# Scrub (reassemble/normalize) incoming packets
scrub in on $ext_if all


# block and log everything by default 
block out log on $ext_if all 
block in log on $ext_if all 
block return-rst out log on $ext_if proto tcp all 
block return-rst in log on $ext_if proto tcp all 
block return-icmp out log on $ext_if proto udp all 
block return-icmp in log on $ext_if proto udp all 

# block anything coming from a source we have no route back to
block in from no-route to any

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255
# drop and log packets arriving from the outside with private or broadcast source addresses
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

(any other suggestions for additions here?)

# ICMP 
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state 
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state 

# UDP 
pass out log on $ext_if proto udp all keep state 
pass in on $ext_if proto udp from any to $ext_if  keep state 
pass in on $ext_if proto udp from any to any keep state 

# TCP
pass out on $ext_if proto tcp all modulate state
# inbound to *any* address (the LAN included) on these ports; trailing comma removed
pass in log on $ext_if proto tcp from any to any port { www, ftp, smtp } keep state
# note: pop3 is 110 (listed twice), 143 is imap, 147 is not a mail port
pass out log on $ext_if proto tcp from any to any port { www, ftp, ssh, smtp, pop3, 110, 143, 147 } keep state
# the first of these two is stateless and passes every TCP packet addressed to the gateway;
# the second creates state for the same traffic
pass in log on $ext_if proto tcp from any to $ext_if
pass in log on $ext_if proto tcp from any to $ext_if keep state

Basically, I just want to allow my internal LAN desktops access to the
internet and the basic services: ftp, http, https, nntp, pop, smtp. Also,
I'd like to allow actions like nslookup, dig, whois etc.
Thanks for everyone's help. I want to thank David for helping me out and
answering my numerous questions regarding PF and the like.
I wanted to get started here as quickly as possible so I can get my LAN and
continue to learn as much as I can.

Thanks everyone. Your comments and suggestions are greatly appreciated.

Jason
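A tighter pf.conf for the setup described in the message, added here as an illustration; it is not Jason's ruleset, not a reply from the list, and not the pf.conf(5) example. It assumes OpenBSD 3.1 syntax (no antispoof, no $if:network, no ($if) dynamic-address tracking, which came later), the network given above (dc0 = cable modem on DHCP, dc1 = 192.168.1.1/24), and that no service is offered to the Internet. The macro names int_net, bogon_nets, tcp_out and udp_out are this example's own. The main changes from the posted rules: no return-rst/return-icmp on the default block (an unsolicited probe gets no reply), no inbound pass rules at all (replies come back through state created by the outbound rules), outbound ports restricted to the services listed in the message, and a block on private source addresses leaving dc0.

```pf
# Added example: tightened pf.conf for an OpenBSD 3.1 NAT gateway with
# dc0 = cable modem (DHCP) and dc1 = 192.168.1.0/24 LAN. Not the original
# poster's rules; macro names below are this example's own.

ext_if  = "dc0"
int_if  = "dc1"
int_net = "192.168.1.0/24"

# Source addresses that must never arrive from the cable side: RFC 1918,
# loopback and the limited broadcast address. Our own LAN prefix is inside
# 192.168.0.0/16, so a spoofed "internal" packet from outside is caught too.
bogon_nets = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 255.255.255.255/32 }"

# Client services the LAN (and the gateway itself) may reach.
tcp_out = "{ ftp, ssh, smtp, domain, www, pop3, nntp, imap, https }"
udp_out = "{ domain, ntp, bootps }"   # DNS for nslookup/dig, NTP, DHCP lease renewal

scrub in all

# Default deny on the external interface, logged. Deliberately no
# return-rst / return-icmp: answering a probe only confirms the host is up.
block in  log on $ext_if all
block out log on $ext_if all

# Loopback is trusted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Cable-segment noise: drop silently. Spoofed or unroutable sources: drop and log.
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from $bogon_nets to any
block in quick from no-route to any

# Never leak private source addresses toward the ISP (e.g. if NAT is not loaded).
block out log quick on $ext_if from $bogon_nets to any

# ICMP: our own echo requests go out and the replies match the state entry.
# No "pass in" for icmp-type 8, so the gateway does not answer pings from outside.
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# UDP: outbound only, with state. Nothing inbound is opened.
pass out on $ext_if proto udp from any to any port $udp_out keep state

# TCP: outbound only, restricted ports, state created only by the initial SYN,
# ISN modulation for the weak stacks behind the gateway.
pass out on $ext_if proto tcp from any to any port $tcp_out flags S/SA modulate state
# whois (tcp/43) for the whois client
pass out on $ext_if proto tcp from any to any port 43 flags S/SA modulate state

# Internal interface: accept only traffic sourced from our own prefix. Kept
# stateless on purpose so that the policy above on $ext_if decides what leaves.
block in log on $int_if all
pass in on $int_if from $int_net to any
```

Two caveats worth knowing before dropping this in. First, nat.conf is still loaded separately on 3.1 (to my recollection `pfctl -N /etc/nat.conf` for NAT and `pfctl -R /etc/pf.conf` for the filter; later releases merged these into `-f`), and an interface name in a rule resolves to its address when the rules are loaded, so both files need reloading after the cable modem hands out a new lease. Second, this ruleset covers only the FTP control connection: active-mode data connections arrive from the server and passive-mode ones go to arbitrary high ports, so FTP from the LAN needs either a pass-out rule for high ports (passive mode only) or ftp-proxy(8), which the example does not configure.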