From the manpage 'man 5 pf.conf':

BLOCKING SPOOFED TRAFFIC
"Spoofing" is the faking of IP addresses, typically for malicious purposes. The antispoof directive expands to a set of filter rules which will block all traffic with a source IP from the network(s) directly connected to the specified interface(s) from entering the system through any other interface.

For example, the line

antispoof for lo0

expands to

block in on ! lo0 inet from 127.0.0.1/8 to any
block in on ! lo0 inet6 from ::1 to any

Of course, you could always create a macro that blocks non-routables anyway ;-)

bad_stuff = "{ 10/8 172.16/12 192.168/16 127/8 0.0.0.0/32 }" etc.
block in log quick on $ext_if from $bad_stuff to any
Cheers,
Mike
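To make the manpage wording concrete, here is a small model of antispoof, added here as an example and not taken from the thread or from pf itself. The interface table (xl0/xl1/xl2 with their networks) is constructed for illustration; expand_antispoof() builds the "block in on ! <if>" rules the way the manpage describes, and is_spoofed() evaluates those rules against one incoming packet. It shows the answer to the question above: a 192.168 or 172.19 source is rejected only when it arrives on an interface other than the one that network is attached to, never on its own interface.

```python
# Added example (not from the thread, not pf's own code): a model of what
# `antispoof for <if>` expands to and how the resulting rules match packets.
import ipaddress
from typing import Dict, List

# Constructed interface table: interface -> directly connected networks.
INTERFACES: Dict[str, List[str]] = {
    "lo0": ["127.0.0.0/8", "::1/128"],
    "xl0": ["207.109.73.0/24"],   # external (assumed address range)
    "xl1": ["192.168.0.0/24"],    # internal LAN (assumed)
    "xl2": ["172.19.0.0/16"],     # dmz (assumed)
}


def expand_antispoof(iface: str,
                     interfaces: Dict[str, List[str]] = INTERFACES) -> List[str]:
    """Return the filter rules `antispoof for <iface>` expands to, following
    pf.conf(5): block traffic sourced from the networks attached to `iface`
    when it enters the system through any other interface."""
    rules = []
    for net in interfaces[iface]:
        n = ipaddress.ip_network(net, strict=False)
        af = "inet" if n.version == 4 else "inet6"
        rules.append(f"block in on ! {iface} {af} from {net} to any")
    return rules


def is_spoofed(ingress_iface: str, src: str,
               interfaces: Dict[str, List[str]] = INTERFACES) -> bool:
    """Evaluate the antispoof rules of every interface against one packet.
    True when some `block in on ! X from N` rule matches, i.e. the packet
    arrived on an interface other than X with a source address inside N."""
    addr = ipaddress.ip_address(src)
    for iface, nets in interfaces.items():
        if iface == ingress_iface:
            continue  # "on ! iface": the rule never applies to its own interface
        for net in nets:
            # mixed IPv4/IPv6 comparisons simply evaluate to False here
            if addr in ipaddress.ip_network(net, strict=False):
                return True
    return False


if __name__ == "__main__":
    for rule in expand_antispoof("xl1"):
        print(rule)
    for ingress, src in [("xl0", "192.168.0.5"), ("xl1", "192.168.0.5"),
                         ("xl0", "172.19.4.4"), ("xl0", "127.0.0.1")]:
        print(f"{src} in on {ingress}: {'blocked' if is_spoofed(ingress, src) else 'passed'}")
```

Run it directly to see the expansion for the LAN interface and the verdict for a few constructed packets; the real antispoof directive also adds rules for the interface's own address, which this model leaves out.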
-----Original Message-----
From: Bryan Irvine [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: pf.conf
On Thu, 2003-02-13 at 11:44, LaPane, Michael (NIH/NINDS) wrote:
> Without completely checking the rules - I would not do { tcp, udp } for
> ports that do not require it (i.e. don't do mail on udp/25) same for SSH.
> Also, didn't see a nat rule? did you do that separately?
>
> You might want to define a macro that shows your lan (it'll be easier to
> translate and to pass out only traffic that originates from your lan).
macro for the lan? I thought the last rule passed all that out...hmmm
> Remember the antispoof ('antispoof on $ex_if inet') and to pass traffic
> in/out of the loopback.
>
Ok here is the updated config complete with nat rules and removal of
udp/tcp where not needed.
What is antispoof? Is that the thing that rejects internal
addresses? We do use some internal addresses including 192.168, and the
172.19 ranges. Would antispoof only reject them if they hit the ext_if
interface?
######################
# INTERFACE SETTINGS #
######################
ext_if = "xl0"
int_if = "xl1"
dmz = "xl2"
#############
# NAT Rules #
#############
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_if port 5900 -> 192.168.0.50 port 5900
##################################
# Block everything IN by default #
##################################
block in log on $ext_if all
############################
# Unwanted list. #
# Keep these people away! #
############################
blocklist = "{ 66.220.25.151, 216.127.82.63, 216.228.123.2,
216.127.82.63, 138.9.200.8, 198.186.220.95, 65.243.141.125,
207.46.125.16, biz360.netmar.com, server37.aitcom.net, rhea.hmdns.net,
paris.webpipe.net, evrtwa1-ar3-4-65-130-024.evrtwa1.dsl-verizon.net,
dsl-52.psni.net, sea-host134.inter-tel.com, blv-proxy-07.boeing.com,
ip-216-73-190-204.hqglobal.net }"
block in log quick on $ext_if inet from $blocklist to any
##############
# ROUTE RULE #
##############
pass in on { $ext_if, $int_if, $dmz } proto udp from any to any port route keep state
########################
# MAIL SERVER SETTINGS #
########################
emailport = "{ smtp pop3 imap imaps pop3s 5309 }"
mailserver = "207.109.73.101"
pass in on $ext_if proto tcp from any to $mailserver port $emailport keep state
pass in log on $ext_if proto tcp from any to $mailserver port ssh keep state
#######################
# WEB SERVER SETTINGS #
#######################
webport = "{ www https }"
webudpport = "{ntp domain }"
webservers = "207.108.73.64/26"
pass in on $ext_if proto tcp from any to $webservers port $webport keep state
# ntp and domain are UDP services, and the macro needs its leading $
pass in on $ext_if proto udp from any to $webservers port $webudpport keep state
pass in log on $ext_if proto tcp from any to $webservers port ssh keep state
###############################
# FTP PROXY SETTINGS (CHARON) #
###############################
charonport = "{ ftp-data ftp 1024 }"
charon = "207.109.73.104"
pass in on { $ext_if, $dmz } proto tcp from any to $charon port $charonport keep state
pass in log on $ext_if proto tcp from any to $charon port ssh keep state
##################################
# MISCELLANEOUS SSH CONNECTIONS #
##################################
ghost = "207.109.73.74"
veda = "207.109.73.73"
lanfear = "207.109.73.93"
pass in on $ext_if proto tcp from any to { $ghost, $veda, $lanfear } port ssh keep state
##########################
# MISCELLANEOUS SETTINGS #
##########################
pass in on $ext_if proto tcp from any to { $ghost, $veda } port 8879 <> 9001 keep state
################################
# Pass everying out by default #
################################
pass out on $ext_if all
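A config built from macros like the one above is easy to break quietly: writing "port webudpport" instead of "port $webudpport" makes pf look for a service literally called webudpport, and referring to a macro before it is defined, or to one that was never defined, fails at load time with a message that is not always obvious. The following lint is an added example, not from the thread and not a pf tool; SAMPLE_CONF is a constructed fragment in the style of the posted rules, and the three checks (bare macro name after port/from/to/on, undefined or not-yet-defined $reference, macro defined but never used) are my own.

```python
# Added example (not from the thread): a small lint for macro usage in a
# pf.conf-style file. The sample config below is constructed for the test.
import re
from typing import Dict, List, Set

SAMPLE_CONF = """\
ext_if = "xl0"
webport = "{ www https }"
webudpport = "{ ntp domain }"
webservers = "207.108.73.64/26"
pass in on $ext_if proto tcp from any to $webservers port $webport keep state
pass in on $ext_if proto udp from any to $webservers port webudpport keep state
pass in on $ext_if proto tcp from any to $webservers port $sshport keep state
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
# a bare word right after one of these keywords is where a macro is usually meant
BARE_AFTER = re.compile(r'\b(?:port|from|to|on)\s+([A-Za-z_]\w*)\b')


def lint_macros(conf: str) -> List[str]:
    """Return human-readable findings, one per problem, in line order."""
    lines = conf.splitlines()
    defined: Dict[str, int] = {}
    findings: List[str] = []
    used: Set[str] = set()

    # pass 1: collect macro definitions with the line they appear on
    for no, line in enumerate(lines, 1):
        m = MACRO_DEF.match(line)
        if m:
            defined[m.group(1)] = no

    # pass 2: check every $reference and every suspicious bare word
    for no, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue
        for name in MACRO_REF.findall(line):
            used.add(name)
            if name not in defined:
                findings.append(f"line {no}: reference to undefined macro ${name}")
            elif defined[name] > no:
                findings.append(f"line {no}: macro ${name} used before its definition on line {defined[name]}")
        if MACRO_DEF.match(line):
            continue  # definitions can hold $references but no bare rule keywords
        for name in BARE_AFTER.findall(line):
            if name in defined:
                used.add(name)
                findings.append(f"line {no}: '{name}' matches a macro but lacks '$' (did you mean ${name}?)")

    for name, no in defined.items():
        if name not in used:
            findings.append(f"line {no}: macro {name} defined but never referenced")
    return findings


if __name__ == "__main__":
    for finding in lint_macros(SAMPLE_CONF):
        print(finding)
```

Feed it a real pf.conf with lint_macros(open("/etc/pf.conf").read()) before running pfctl -nf; it does not replace pfctl's syntax check, it only catches the macro slips that pfctl reports in a less direct way, and a bare word that happens to share a name with a macro is reported even if a service of that name exists, so read the findings rather than acting on them blindly.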