Ok I got a bunch of suggestions. Here is my newly updated pf rule set.
I changed all the udp/tcp things, added the nat rules, and even turned
on OpenBSD's ftp-proxy. I've been wanting to throw away that charon ftp
proxy server for a long time. Are these in the correct order? Should
the blacklist be at the top? or bottom? or does it even matter?
Thanks so much for your suggestions. It looks like a really clean
config file now. This is from a 3-page ipchains ruleset. Gotta love PF!
:-D
===pasted pf.conf===
######################
# INTERFACE SETTINGS #
######################
WAN = "xl0"
LAN = "xl1"
DMZ = "xl2"
#############
# NAT Rules #
#############
# Masquerade everything leaving $WAN behind the interface's own address
nat on $WAN inet from ! ($WAN) to any -> ($WAN)
# Forward inbound VNC (5900/tcp) to an internal host
rdr on $WAN proto tcp from any to $WAN port 5900 -> 192.168.0.50 port 5900
#############
# FTP-PROXY #
#############
# Send LAN clients' outbound FTP control connections through ftp-proxy on 8021
rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021
##################################
# Block everything IN by default #
##################################
block in log on $WAN all
antispoof for $WAN
############################
# Unwanted list. #
# Keep these people away! #
############################
blacklist = "{ 66.220.25.151, 216.127.82.63, 216.228.123.2,
216.127.82.63, 138.9.200.8, 198.186.220.95, 65.243.141.125,
207.46.125.16, biz360.netmar.com, server37.aitcom.net, rhea.hmdns.net,
paris.webpipe.net, evrtwa1-ar3-4-65-130-024.evrtwa1.dsl-verizon.net,
dsl-52.psni.net, sea-host134.inter-tel.com, blv-proxy-07.boeing.com,
ip-216-73-190-204.hqglobal.net }"
# 'quick' ends rule evaluation on a match, so later pass rules cannot override this
block in log quick on $WAN inet from $blacklist to any
##############
# ROUTE RULE #
##############
# 'route' is the services name for RIP (520/udp)
pass in on { $WAN, $LAN, $DMZ } proto udp from any to any port route keep state
########################
# MAIL SERVER SETTINGS #
########################
emailport = "{ smtp pop3 imap imaps pop3s 5309 }"
mailserver = "207.109.73.101"
pass in on $WAN proto tcp from any to $mailserver port $emailport keep state
pass in log on $WAN proto tcp from any to $mailserver port ssh keep state
#######################
# WEB SERVER SETTINGS #
#######################
webport = "{ www https }"
webudpport = "{ntp domain }"
webservers = "207.108.73.64/26"
pass in on $WAN proto tcp from any to $webservers port $webport keep state
pass in on $WAN proto udp from any to $webservers port $webudpport keep state
pass in log on $WAN proto tcp from any to $webservers port ssh keep state
###############################
# FTP PROXY SETTINGS (CHARON) #
###############################
charonport = "{ ftp-data ftp 1024 }"
charon = "207.109.73.104"
pass in on { $WAN, $DMZ } proto tcp from any to $charon port $charonport keep state
pass in log on $WAN proto tcp from any to $charon port ssh keep state
##################################
# MISCELLANEOUS SSH CONNECTIONS #
##################################
ghost = "207.109.73.74"
veda = "207.109.73.73"
lanfear = "207.109.73.93"
pass in on $WAN proto tcp from any to { $ghost, $veda, $lanfear } port ssh keep state
##########################
# MISCELLANEOUS SETTINGS #
##########################
pass in on $WAN proto tcp from any to { $ghost, $veda } port 8879 <> 9001 keep state
################################
# Pass everything out by default #
################################
pass out on $WAN all
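Added illustration, not part of the original post and not pf's own code: a small Python model of a few of the filter rules above, evaluated with pf's "last matching rule wins, unless the match is quick" semantics, to show why the position of the quick blacklist rule does not change the outcome (and what would happen without quick). The packet layout, the reduced rule list and the source address 198.51.100.7 are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed, reduced model of the post's ruleset (nat/rdr omitted).
WAN = "xl0"
BLACKLIST = {ip_address(a) for a in ("66.220.25.151", "216.127.82.63", "138.9.200.8")}
MAILSERVER = ip_address("207.109.73.101")
MAILPORTS = {25, 110, 143, 993, 995, 5309}       # smtp pop3 imap imaps pop3s 5309
WEBSERVERS = ip_network("207.108.73.64/26")

# Each rule: (action, quick, match-predicate), in file order.
RULES = [
    ("block", False, lambda p: p["if"] == WAN),                            # block in on $WAN all
    ("block", True,  lambda p: p["if"] == WAN and p["src"] in BLACKLIST),  # blacklist, quick
    ("pass",  False, lambda p: p["if"] == WAN and p["proto"] == "tcp"
                        and p["dst"] == MAILSERVER and p["dport"] in MAILPORTS),
    ("pass",  False, lambda p: p["if"] == WAN and p["proto"] == "tcp"
                        and p["dst"] in WEBSERVERS and p["dport"] in {80, 443}),
]

def packet(src, dst, dport, proto="tcp", iface=WAN):
    """Constructed packet model: inbound interface, protocol, addresses, destination port."""
    return {"if": iface, "proto": proto, "src": ip_address(src),
            "dst": ip_address(dst), "dport": dport}

def evaluate(pkt, rules=RULES):
    """pf semantics: the last matching rule wins, except that a matching 'quick' rule
    stops evaluation immediately. If nothing matches, pf passes the packet."""
    winner = "pass"
    for action, quick, match in rules:
        if match(pkt):
            winner = action
            if quick:
                break
    return winner

def blacklist_position_matters():
    """Same blacklisted host -> SMTP, with the quick rule where it is and moved to the end.
    Returns True only if the two orderings give different verdicts."""
    pkt = packet("216.127.82.63", "207.109.73.101", 25)
    moved = [r for r in RULES if not r[1]] + [r for r in RULES if r[1]]
    return evaluate(pkt, RULES) != evaluate(pkt, moved)   # False: both block

def blacklist_without_quick():
    """Strip 'quick' from every rule: the later 'pass ... to $mailserver' now overrides
    the blacklist block for that host."""
    stripped = [(a, False, m) for a, _, m in RULES]
    return evaluate(packet("216.127.82.63", "207.109.73.101", 25), stripped)   # "pass"

if __name__ == "__main__":
    print(evaluate(packet("198.51.100.7", "207.109.73.101", 25)))   # pass
    print(evaluate(packet("198.51.100.7", "207.109.73.101", 23)))   # block
    print(blacklist_position_matters(), blacklist_without_quick())  # False pass
```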