Will the ruleset below block MSN Messenger, AIM, IRC, etc.?

I've blocked _in_ all except what is explicitly allowed, but allowed out
_all_.

My company bans chat clients, and I'm in the process of rebuilding the
firewall.
Should I add a rule that blocks those specific ports (1863, 5190,
6667)?

================================
||  Current untested pf.conf  ||
================================
  ######################
 # INTERFACE SETTINGS #
######################
WAN = "xl0"
LAN = "xl1"
DMZ = "xl2"


  #############
 # NAT Rules #
#############
nat on $WAN inet from ! ($WAN) to any -> ($WAN)
rdr on $WAN proto tcp from any to $WAN port 5900 -> 192.168.0.50 port 5900

  #############
 # FTP-PROXY #
#############
rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

  ##################################
 # Block everything IN by default #
##################################
block in log on $WAN all
antispoof for $WAN

   ############################
  # Unwanted list.           #
 #  Keep these people away! #
############################
blacklist = "{ 66.220.25.151, 216.127.82.63, 216.228.123.2,
216.127.82.63, 138.9.200.8, 198.186.220.95, 65.243.141.125,
207.46.125.16, biz360.netmar.com, server37.aitcom.net, rhea.hmdns.net,
paris.webpipe.net, evrtwa1-ar3-4-65-130-024.evrtwa1.dsl-verizon.net,
dsl-52.psni.net, sea-host134.inter-tel.com, blv-proxy-07.boeing.com,
ip-216-73-190-204.hqglobal.net }"

block in log quick on $WAN inet from $blacklist to any

  ##############
 # ROUTE RULE #
##############
pass in on { $WAN, $LAN, $DMZ } proto udp from any to any port route keep state

  ########################
 # MAIL SERVER SETTINGS #
########################
emailport = "{ smtp pop3 imap imaps pop3s 5309 }"
mailserver = "207.109.73.101"

pass in on $WAN proto tcp from any to $mailserver port $emailport keep state
pass in log on $WAN proto tcp from any to $mailserver port ssh keep state

  #######################
 # WEB SERVER SETTINGS #
#######################
webport = "{ www https }"
webudpport = "{ ntp domain }"
webservers = "207.108.73.64/26"

pass in on $WAN proto tcp from any to $webservers port $webport keep state
pass in on $WAN proto udp from any to $webservers port $webudpport keep state
pass in log on $WAN proto tcp from any to $webservers port ssh keep state

  ###############################
 # FTP PROXY SETTINGS (CHARON) #
###############################
charonport = "{ ftp-data ftp 1024 }"
charon = "207.109.73.104"

pass in on { $WAN, $DMZ } proto tcp from any to $charon port $charonport keep state
pass in log on $WAN proto tcp from any to $charon port ssh keep state

  ##################################
 #  MISCELLANEOUS SSH CONNECTIONS #
##################################
ghost = "207.109.73.74"
veda  = "207.109.73.73"
lanfear = "207.109.73.93"

pass in on $WAN proto tcp from any to { $ghost, $veda, $lanfear } port ssh keep state

  ##########################
 # MISCELLANEOUS SETTINGS # 
##########################
# Inclusive port range 8879-9001. Note: in pf "port A <> B" means every
# port EXCEPT those between A and B, which would have opened nearly all
# ports on these two hosts; "A:B" (or "A >< B" for the exclusive range)
# is the in-range form.
pass in on $WAN proto tcp from any to { $ghost, $veda } port 8879:9001 keep state

  ################################
 # Pass everything out by default #
################################
pass out on $WAN all
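For comparison, here is an added example (not part of the posted pf.conf) of how the chat ports named in the question could be blocked explicitly and logged; it assumes the $WAN and $LAN macros from the ruleset above and uses the hypothetical macro name chatports.

```pf
# Added example, not from the original post. Assumes WAN = "xl0" and
# LAN = "xl1" as defined in the posted pf.conf.
#
# Default ports of the clients named in the question (hypothetical macro):
#   1863 = MSN Messenger, 5190 = AIM/ICQ, 6667 = IRC
chatports = "{ 1863, 5190, 6667 }"

# Filter on the LAN interface, before NAT rewrites the source address, so
# the pflog record shows which internal host made the attempt.
# "quick" stops rule evaluation on match, so the later catch-all
# "pass out on $WAN all" cannot override these blocks.
block in log quick on $LAN proto tcp from $LAN:network to any port $chatports

# IRC networks commonly listen on the whole 6660-6669 range, so 6667 alone
# leaves the rest open; cover the range as well.
block in log quick on $LAN proto tcp from $LAN:network to any port 6660:6669

# Everything else from the LAN is still allowed out, now with state tracking.
pass out on $WAN all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm the block rules appear ahead of the pass rules with `pfctl -sr`. Port blocking alone is only a partial control, since MSN Messenger and AIM can fall back to ports 80/443 when their default ports are closed, so the pflog entries are worth reviewing to see which hosts keep trying.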


