In order to actually live test this rule set,
I have to come in in the middle of the night and swap out the Linux server.
I'd like to have as many bugs worked out before then.
I finally have a pf rule the "pf -f /etc/pf.conf" command
doesn't puke on. I now submit it to you to see if there's
anything funky I did; perhaps things should be moved around.
The way it's set up is like this:

INTERNET------Firewall-----INTERNET SERVERS
                 |
                 |
                NAT

I want by default all access in to be denied unless explicitly allowed,
and all access out to be allowed
(except MSN Messenger and AOL, which I have yet to figure out).
On to the config!
=====PASTE CONFIG FILE=====
######################
# INTERFACE SETTINGS #
######################
ext_if = "xl0"
int_if = "xl1"
dmz = "xl2"

##################################
# Block everything IN by default #
##################################
# pf evaluates the whole ruleset and the last matching rule wins (unless a rule
# says "quick"), so this default deny stays above every pass rule below.
block in log on $ext_if all

############################
# Unwanted list.           #
# Keep these people away!  #
############################
# The hostnames in this list are resolved once, when pfctl loads the ruleset.
blocklist = "{ 66.220.25.151, 216.127.82.63, 216.228.123.2, 216.127.82.63,
138.9.200.8, 198.186.220.95, 65.243.141.125, 207.46.125.16, biz360.netmar.com,
server37.aitcom.net, rhea.hmdns.net, paris.webpipe.net,
evrtwa1-ar3-4-65-130-024.evrtwa1.dsl-verizon.net, dsl-52.psni.net,
sea-host134.inter-tel.com, blv-proxy-07.boeing.com, ip-216-73-190-204.hqglobal.net }"
# "quick" ends evaluation here, so no later pass rule can let these sources in.
block in log quick on $ext_if inet from $blocklist to any

##############
# ROUTE RULE #
##############
pass in on { $ext_if, $int_if, $dmz } proto { tcp, udp } from any to any port route keep state

########################
# MAIL SERVER SETTINGS #
########################
emailport = "{ smtp pop3 imap imaps pop3s 5309 }"
mailserver = "207.109.73.101"
pass in on $ext_if proto { tcp, udp } from any to $mailserver port $emailport keep state
pass in log on $ext_if proto { tcp, udp } from any to $mailserver port ssh keep state

#######################
# WEB SERVER SETTINGS #
#######################
webport = "{ www https ntp domain }"
webservers = "207.108.73.64/26"
pass in on $ext_if proto { tcp, udp } from any to $webservers port $webport keep state
pass in log on $ext_if proto { tcp, udp } from any to $webservers port ssh keep state

###############################
# FTP PROXY SETTINGS (CHARON) #
###############################
charonport = "{ ftp-data ftp 1024 }"
charon = "207.109.73.104"
pass in on { $ext_if, $dmz } proto { tcp, udp } from any to $charon port $charonport keep state
pass in log on $ext_if proto { tcp, udp } from any to $charon port ssh keep state

##################################
# MISCELLANEOUS SSH CONNECTIONS  #
##################################
ghost = "207.109.73.74"
veda = "207.109.73.73"
lanfear = "207.109.73.93"
pass in on $ext_if proto { tcp, udp } from any to { $ghost, $veda, $lanfear } port ssh keep state

##########################
# MISCELLANEOUS SETTINGS #
##########################
# The original "port 8879 <> 9001" used pf's except-range operator, which matches
# every port OUTSIDE 8879..9001 and so would open nearly everything to these two
# hosts. The inclusive range, presumably what was meant, is written lo:hi
# (or "8878 >< 9002" on a pf without the ':' operator).
pass in on $ext_if proto { tcp, udp } from any to { $ghost, $veda } port 8879:9001 keep state

##################################
# Pass everything out by default #
##################################
# keep state so replies to outbound connections are let back in on $ext_if;
# without it they fall through to the "block in log on $ext_if all" rule above.
pass out on $ext_if all keep state
=====END OF THE CONFIG=====
--Bryan
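A pre-flight lint for a ruleset of this shape, as an added example (not Bryan's code and not part of pf): it parses the macro definitions, expands the blocklist, and warns about the things that most often bite when a ruleset is loaded for real at an odd hour: duplicate or hostname entries in the blocklist (pfctl resolves names once, at load time), the `<>` except-range port operator on a pass rule, and `pass out` without state under a default `block in ... all`. The ruleset embedded in the script is constructed with documentation addresses, not the poster's hosts. The real syntax check remains `pfctl -nf /etc/pf.conf`, which parses the file without loading it.

```python
"""Pre-flight lint for a pf.conf ruleset (added example; not the poster's code)."""
import ipaddress
import re

# Constructed sample in the shape of the posted ruleset, using documentation
# addresses instead of the poster's hosts. It deliberately repeats one blocklist
# entry, mixes in a hostname, uses the "<>" port operator, and passes out without
# state, so that every check below has something to report.
SAMPLE_PF_CONF = """\
ext_if = "xl0"
block in log on $ext_if all
blocklist = "{ 192.0.2.10, 192.0.2.20, 192.0.2.10,
host-a.example.net, 198.51.100.7 }"
block in log quick on $ext_if inet from $blocklist to any
pass in on $ext_if proto tcp from any to 198.51.100.9 port 8879 <> 9001 keep state
pass in on $ext_if proto tcp from any to 198.51.100.9 port ssh keep state
pass out on $ext_if all
"""

# name = "value"; the value may run over several lines when a mailer wrapped it.
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.MULTILINE)


def parse_macros(text):
    """Return {macro name: raw quoted value} for every macro definition."""
    return {m.group(1): m.group(2) for m in MACRO_RE.finditer(text)}


def expand_list(value):
    """Split a pf list "{ a, b c }" into items; commas or whitespace separate them."""
    inner = value.strip()
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    return [item for item in re.split(r"[\s,]+", inner) if item]


def is_address(item):
    """True for an IPv4/IPv6 address or CIDR block, False for a hostname."""
    try:
        ipaddress.ip_network(item, strict=False)
        return True
    except ValueError:
        return False


def lint_blocklist(items):
    """Flag duplicates and hostnames in a block-by-source list."""
    findings, seen = [], set()
    for item in items:
        if item in seen:
            findings.append(f"duplicate blocklist entry: {item}")
        seen.add(item)
        if not is_address(item):
            # pfctl resolves names once at load time: the load fails if DNS is
            # unreachable, and an address change after loading goes unnoticed.
            findings.append(f"hostname in blocklist, resolved only at load time: {item}")
    return findings


def lint_rules(lines):
    """Flag the two rule-level mistakes that silently widen or break the policy."""
    findings = []
    has_block_in_all = any(re.match(r"\s*block\s+in\b.*\ball\b", l) for l in lines)
    for n, line in enumerate(lines, 1):
        stripped = line.lstrip()
        # "<>" is pf's except-range operator: it matches every port OUTSIDE lo..hi.
        if stripped.startswith("pass") and re.search(r"\bport\s+\S+\s*<>\s*\S+", line):
            findings.append(f"line {n}: '<>' matches every port outside the range; "
                            f"an inclusive range is written lo:hi")
        # With a default "block in ... all", an outbound rule without state means
        # the reply packets are dropped when they come back in.
        if (has_block_in_all and stripped.startswith("pass out")
                and "keep state" not in line and "modulate state" not in line):
            findings.append(f"line {n}: 'pass out' without keep state; replies will hit "
                            f"the default 'block in ... all' rule")
    return findings


def lint(text):
    """Run every check over a pf.conf and return the findings in file order."""
    findings = []
    macros = parse_macros(text)
    if "blocklist" in macros:
        findings += lint_blocklist(expand_list(macros["blocklist"]))
    findings += lint_rules(text.splitlines())
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_PF_CONF):
        print("WARN:", finding)
```

Run it against the real file with `lint(open("/etc/pf.conf").read())`; the checks are deliberately narrow pattern matches, so a clean report is not a substitute for `pfctl -nf`, only a way to catch the handful of mistakes that parse fine yet change what the ruleset does.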