Without completely checking the rules - I would not do { tcp, udp } for
ports that do not require it (i.e. don't do mail on udp/25); same for SSH.
Also, I didn't see a nat rule? Did you do that separately?
You might want to define a macro that shows your lan (it'll be easier to
translate and to pass out only traffic that originates from your lan).
Remember the antispoof ('antispoof on $ex_if inet') and to pass traffic
in/out of the loopback.
I don't think the ftp rule is going to work the way you want it to. I'm
assuming you wanted a >1024 for return traffic??
You should be able to do the charon rules with:
charonport = "{ ftp-data ftp ssh }"
pass in on { $ext_if, $dmz } proto tcp from any to $charon port $charonport keep state
These are just off the top of my head.
Cheers,
-Mike
-----Original Message-----
From: Bryan Irvine [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 2:15 PM
To: [EMAIL PROTECTED]
Subject: pf.conf
In order to actually live test this rule set,
I have to come in in the middle of the night and swap out the linux server.
I'd like to have as many bugs worked out before then.
I finally have a pf rule the "pf -f /etc/pf.conf" command
doesn't puke on. I now submit it to you to see if there's
anything funky I did, perhaps things should be moved around.
The way it's set up is like this:
INTERNET------Firewall-----INTERNET SERVERS
|
|
NAT
I want by default all access in to be denied unless explicitly allowed,
and all access out to be allowed
(except MSN Messenger and AOL, which I have yet to figure out).
On to the config!
=====PASTE CONFIG FILE=====
######################
# INTERFACE SETTINGS #
######################
ext_if = "xl0"
int_if = "xl1"
dmz = "xl2"
##################################
# Block everything IN by default #
##################################
block in log on $ext_if all
############################
# Unwanted list. #
# Keep these people away! #
############################
blocklist = "{ 66.220.25.151, 216.127.82.63, 216.228.123.2, 216.127.82.63, \
138.9.200.8, 198.186.220.95, 65.243.141.125, 207.46.125.16, \
biz360.netmar.com, server37.aitcom.net, rhea.hmdns.net, paris.webpipe.net, \
evrtwa1-ar3-4-65-130-024.evrtwa1.dsl-verizon.net, dsl-52.psni.net, \
sea-host134.inter-tel.com, blv-proxy-07.boeing.com, \
ip-216-73-190-204.hqglobal.net }"
block in log quick on $ext_if inet from $blocklist to any
##############
# ROUTE RULE #
##############
pass in on { $ext_if, $int_if, $dmz } proto { tcp, udp } from any to any port route keep state
########################
# MAIL SERVER SETTINGS #
########################
emailport = "{ smtp pop3 imap imaps pop3s 5309 }"
mailserver = "207.109.73.101"
pass in on $ext_if proto { tcp, udp } from any to $mailserver port $emailport keep state
pass in log on $ext_if proto { tcp, udp } from any to $mailserver port ssh keep state
#######################
# WEB SERVER SETTINGS #
#######################
webport = "{ www https ntp domain }"
webservers = "207.108.73.64/26"
pass in on $ext_if proto { tcp, udp } from any to $webservers port $webport keep state
pass in log on $ext_if proto { tcp, udp } from any to $webservers port ssh keep state
###############################
# FTP PROXY SETTINGS (CHARON) #
###############################
charonport = "{ ftp-data ftp 1024 }"
charon = "207.109.73.104"
pass in on { $ext_if, $dmz } proto { tcp, udp } from any to $charon port $charonport keep state
pass in log on $ext_if proto { tcp, udp } from any to $charon port ssh keep state
##################################
# MISCELLANEOUS SSH CONNECTIONS #
##################################
ghost = "207.109.73.74"
veda = "207.109.73.73"
lanfear = "207.109.73.93"
pass in on $ext_if proto { tcp, udp } from any to { $ghost, $veda, $lanfear } port ssh keep state
##########################
# MISCELLANEOUS SETTINGS #
##########################
pass in on $ext_if proto { tcp, udp } from any to { $ghost, $veda } port 8879 <> 9001 keep state
################################
# Pass everything out by default #
################################
pass out on $ext_if all
=====END OF THE CONFIG=====
--Bryan
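As an added example (not part of either message in this thread), here is Bryan's ruleset with Mike's points applied: tcp-only rules for mail and ssh, a nat rule, a macro for the LAN, antispoof, loopback passed, and the charon rules rewritten as Mike suggests. Everything other than the LAN network is taken from the posted config; the 192.168.1.0/24 LAN behind xl1 is an assumed, constructed value. Two things to note: nat rules have to come before filter rules in the pf.conf of that era, and the antispoof keyword is `for`, not `on`. Because NAT rewrites the source address before the outbound filter on $ext_if sees the packet, the "only traffic from our LAN" check is done on $int_if, where the original source is still visible. The DMZ side is left as in the original.

```pf
# Added example, not code from the thread. OpenBSD 3.2-era pf.conf syntax.
# Assumed value: the LAN behind $int_if is 192.168.1.0/24 (constructed).

######################
# INTERFACE SETTINGS #
######################
ext_if = "xl0"
int_if = "xl1"
dmz    = "xl2"
lan    = "192.168.1.0/24"        # assumed: private network behind $int_if

mailserver = "207.109.73.101"
webservers = "207.108.73.64/26"
charon     = "207.109.73.104"
ghost      = "207.109.73.74"
veda       = "207.109.73.73"
lanfear    = "207.109.73.93"

# Only the protocols each service actually speaks.
emailport  = "{ smtp pop3 imap imaps pop3s 5309 }"   # tcp only
webport    = "{ www https }"                          # tcp only
charonport = "{ ftp-data ftp ssh }"                   # per Mike's reply

blocklist = "{ 66.220.25.151, 216.127.82.63, 216.228.123.2, 216.127.82.63, \
138.9.200.8, 198.186.220.95, 65.243.141.125, 207.46.125.16, \
biz360.netmar.com, server37.aitcom.net, rhea.hmdns.net, paris.webpipe.net, \
evrtwa1-ar3-4-65-130-024.evrtwa1.dsl-verizon.net, dsl-52.psni.net, \
sea-host134.inter-tel.com, blv-proxy-07.boeing.com, \
ip-216-73-190-204.hqglobal.net }"

###############
# TRANSLATION #   (nat must precede the filter rules)
###############
nat on $ext_if from $lan to any -> $ext_if

#############
# FILTERING #
#############
# Block everything in by default on the outside and inside interfaces.
block in log on $ext_if all
block in log on $int_if all

# Loopback is trusted; spoofed packets claiming our own nets are dropped early.
pass in  quick on lo0 all
pass out quick on lo0 all
antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet

block in log quick on $ext_if inet from $blocklist to any

# RIP is udp/520; no tcp needed.
pass in on { $ext_if, $int_if, $dmz } proto udp from any to any port route keep state

# Mail: tcp only (no udp/25), ssh tcp only.
pass in     on $ext_if proto tcp from any to $mailserver port $emailport flags S/SA keep state
pass in log on $ext_if proto tcp from any to $mailserver port ssh flags S/SA keep state

# Web: http/https are tcp; dns and ntp are answered over udp as well.
pass in     on $ext_if proto tcp from any to $webservers port $webport flags S/SA keep state
pass in     on $ext_if proto { tcp, udp } from any to $webservers port { domain, ntp } keep state
pass in log on $ext_if proto tcp from any to $webservers port ssh flags S/SA keep state

# FTP proxy (charon): control, data and ssh in one rule, as Mike suggested.
# keep state handles the return traffic, so no ">1024" rule is needed.
pass in     on { $ext_if, $dmz } proto tcp from any to $charon port $charonport flags S/SA keep state

# Miscellaneous ssh and the 8879-9001 range on ghost/veda, tcp only.
pass in     on $ext_if proto tcp from any to { $ghost, $veda, $lanfear } port ssh flags S/SA keep state
pass in     on $ext_if proto tcp from any to { $ghost, $veda } port 8879 <> 9001 flags S/SA keep state

# Only packets that really come from our LAN may enter on $int_if (and so
# be NATed and leave); anything else arriving there hits the block above.
pass in  on $int_if from $lan to any keep state
pass out on $ext_if all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (the `-n` parses without loading), which is the check Bryan wants before the night-time swap; `pfctl -f` then loads it for real.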