I have been tweaking some PF rules for a mail gateway server that is going to be on my company's DMZ.
What I was hoping to accomplish was the following:
1.) Only allow port 25 traffic to the mail gateway
2.) Allow SSH connections from my intranet
3.) Secure box as much as I can.
With that in mind, here are a few things:
IP range for DMZ is 10.0.0.0/8
IP range for intranet is 192.168.0.0/24
With that in mind, I have the following rules:
ext_if = "fxp0"
int_if = "fxp1"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"

# note: 10.0.0.0/8 is also the DMZ range given above, so check this table
# against what $ext_if actually needs to reach
table <noroute> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# options
set optimization aggressive
set loginterface $ext_if

scrub in all fragment reassemble

# default deny all
block log all

# allow loopback traffic
pass quick on lo0 all

# drop private/unroutable sources and destinations on the external interface
block in quick on $ext_if from <noroute> to any
block out quick on $ext_if from any to <noroute>

# inbound SMTP on the external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

# inbound SSH from the intranet; the port belongs on the "to" side, since
# "from ... port 22" would match the client's source port, not the SSH service
pass in on $int_if inet proto tcp from $int_if:network to ($int_if) port $tcp_int_services flags S/SAFR keep state

# note: this passes everything from the intranet, which makes the SSH rule above redundant
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# outbound on the external interface
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
Just a few questions: First, how do my rules look? Any possible problems or loopholes I missed? Second, does anyone have recommendations to modify and fine-tune my rules?
I am open to all suggestions.
Thank you.
Jason
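As an added example (this is not part of Jason's post and not a pf tool), the following Python script runs two static checks a reviewer would apply to a ruleset like the one above before loading it with pfctl: whether any entry of the <noroute> table covers a network the box must actually exchange traffic with on the external interface, and whether any pass rule attaches its service port to the "from" side instead of the "to" side. The pf.conf text inside it is a constructed copy of the posted rules, and the script assumes ext_if is the DMZ-facing interface (the post implies this but does not say so); the function and constant names are the example's own.

```python
"""Static sanity checks for a small pf.conf (added example, not pf's own tooling).

1. noroute_overlaps(): flags <noroute> entries that cover a network the host
   is expected to reach through the interface the block applies to.
2. source_port_rules(): flags pass rules written as "from X port N", which
   match the client's *source* port rather than the service being offered.
"""
import ipaddress
import re

# Constructed sample mirroring the ruleset in the post; not read from a live box.
SAMPLE_PF_CONF = """
ext_if = "fxp0"
int_if = "fxp1"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"
table <noroute> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
block in quick on $ext_if from <noroute> to any
block out quick on $ext_if from any to <noroute>
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state
pass in on $int_if inet proto tcp from $int_if:network port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
"""

# Same SSH rule with the port moved to the destination side, for comparison.
FIXED_SSH_RULE = ("pass in on $int_if inet proto tcp from $int_if:network "
                  "to ($int_if) port $tcp_int_services flags S/SAFR keep state")

# Networks reached via $ext_if, where the <noroute> block applies.
# Assumption: $ext_if faces the DMZ, whose range the post gives as 10.0.0.0/8.
EXT_IF_PEERS = {"dmz": "10.0.0.0/8"}

TABLE_RE = re.compile(r'^table\s+<(\w+)>[^{]*\{([^}]*)\}', re.M)
SOURCE_PORT_RE = re.compile(r'^pass\b.*\bfrom\s+\S+\s+port\b')


def parse_tables(conf):
    """Return {table_name: [IPv4Network, ...]} for every inline 'table <name> { ... }'."""
    tables = {}
    for m in TABLE_RE.finditer(conf):
        name, body = m.group(1), m.group(2)
        tables[name] = [ipaddress.ip_network(tok.strip(), strict=False)
                        for tok in body.split(",") if tok.strip()]
    return tables


def noroute_overlaps(conf, peers=None):
    """List (peer_label, table_entry) pairs where a <noroute> entry covers a
    network the host must talk to on the blocked interface. Traffic from or
    to such a network is dropped by the 'block ... quick' rules."""
    peers = EXT_IF_PEERS if peers is None else peers
    hits = []
    for entry in parse_tables(conf).get("noroute", []):
        for label, net in peers.items():
            if ipaddress.ip_network(net, strict=False).overlaps(entry):
                hits.append((label, str(entry)))
    return hits


def source_port_rules(conf):
    """Return pass rules whose 'port' is bound to the 'from' address.
    SSH clients connect from an ephemeral source port, so 'from X port 22'
    never matches a real SSH session and does not restrict anything useful."""
    return [line for line in conf.splitlines() if SOURCE_PORT_RE.search(line)]


if __name__ == "__main__":
    for label, entry in noroute_overlaps(SAMPLE_PF_CONF):
        print(f"<noroute> entry {entry} covers the {label} network reached via $ext_if")
    for rule in source_port_rules(SAMPLE_PF_CONF):
        print("port bound to the source side:", rule)
```

Both checks are purely textual and interface-agnostic, so treat a hit as something to confirm against the actual topology rather than an automatic error; a real load test is still `pfctl -nf` on the box.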
