On Thu, 13 Feb 2003, Bryan Irvine wrote:
> In order to actually live test this rule set,
> I have to come in in the middle of the night and swap out the linux server.
>
> I'd like to have as many bugs worked out before then.
[snip]
> pass in on { $ext_if, $int_if, $dmz } proto { tcp, udp } from any to any port route keep state
afaik, route only does UDP, so you can remove the tcp part.
> emailport = "{ smtp pop3 imap imaps pop3s 5309 }"
> pass in on $ext_if proto { tcp, udp } from any to $mailserver port $emailport keep state
> pass in log on $ext_if proto { tcp, udp } from any to $mailserver port ssh keep state
Other way round here, i think ssh and all that mail stuff only does tcp.
> webport = "{ www https ntp domain }"
> pass in on $ext_if proto { tcp, udp } from any to $webservers port $webport keep state
> pass in log on $ext_if proto { tcp, udp } from any to $webservers port ssh keep state
Maybe split these for tcp/udp. www & https can only be tcp, but the others
might be both.
> charonport = "{ ftp-data ftp 1024 }"
> charon = "207.109.73.104"
> pass in on { $ext_if, $dmz } proto { tcp, udp } from any to $charon port $charonport keep state
> pass in log on $ext_if proto { tcp, udp } from any to $charon port ssh keep state
ssh & ftp == tcp
and i'm not exactly sure if this ftp setup is secure. i'm actually too
tired to think about it ;-)
> pass in on $ext_if proto { tcp, udp } from any to { $ghost, $veda, $lanfear } port ssh keep state
same thing ;-)
//Wouter
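The split that the reply suggests, written out as an added pf.conf fragment (not part of the original thread; it reuses the macros $ext_if, $int_if, $dmz, $mailserver and $webservers from the quoted post and assumes the same "keep state" style):

```pf
# Added example: one rule per transport protocol instead of proto { tcp, udp } everywhere.

# Mail services and ssh are tcp only.
tcp_mailports = "{ smtp pop3 imap imaps pop3s 5309 }"
pass in on $ext_if proto tcp from any to $mailserver port $tcp_mailports keep state
pass in log on $ext_if proto tcp from any to $mailserver port ssh keep state

# www and https are tcp only; ntp and domain may be carried over both transports.
tcp_webports = "{ www https ntp domain }"
udp_webports = "{ ntp domain }"
pass in on $ext_if proto tcp from any to $webservers port $tcp_webports keep state
pass in on $ext_if proto udp from any to $webservers port $udp_webports keep state
pass in log on $ext_if proto tcp from any to $webservers port ssh keep state

# route (RIP) is udp only, so the tcp half of the original rule opened nothing useful.
pass in on { $ext_if, $int_if, $dmz } proto udp from any to any port route keep state
```

Before the night-time swap, a syntax check with `pfctl -nf /etc/pf.conf` catches typos in the macros without loading the rules.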