Hi, I've created my first pf.conf file and was wondering if it can be optimized more. This pf.conf was made by looking at other pf.conf files. I've also been having problems with DHCP leases.

Here is what the needs of the internal machine are:

ftp, ssh, smtp, dns, http, pop3, ntp, https, AIM (5190), the ability to traceroute and ping, but I want to stop people from pinging and tracerouting me (the firewall).

Here is my pf.conf:
-----------------------
#
# Interface:
# sis0 - internal to private network
# fxp0 - external to cable modem
#

# Macros
#
ext_if = "fxp0"
unfiltered = "{ lo0, sis0 }"
unroutable = "{ 0.0.0.0/32, 10.0.0.0/8, 127.0.0.0/8, \
               169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, \
               255.255.255.255/32 }"
services_tcp = "{ 21, 22, 25, 53, 80, 110, 123, 443, > 1024 }"


# Tables
#

# Options
#
set loginterface $ext_if
set limit { frags 500, states 10000 }
set optimization aggressive
set block-policy drop
set require-order yes

# Traffic Normalization
#
scrub in on $ext_if all
scrub out on $ext_if all random-id

# Queueing
#

# Translations
#
no nat on $unfiltered from any to any
no rdr on $unfiltered from any to any

# nat private network to single routable address
nat on $ext_if inet from 192.168.0.0/16 to any -> $ext_if

# ftp-proxy redirection
rdr on $ext_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8081

# =============================================================================
# Packet Filtering Rules (default block/pass)
# =============================================================================

# pass on unfiltered interfaces
#
pass quick on $unfiltered

# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
block log
block return-rst log inet proto tcp
block return-icmp log inet proto udp

# =============================================================================
# external interface (all external IPv4 traffic)
# =============================================================================

# silently drop broadcasts
block in quick on $ext_if inet from any to { 255.255.255.255 }

# block some known-bad ports without logging
#
block return-rst in quick on $ext_if proto tcp from any to any \
    port { 111, 445, 6000 }
block return-icmp in quick on $ext_if proto udp from any to any \
    port { 135, 137, 138, 139, 1434 }

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
#
block in log quick on $ext_if inet from $unroutable to any

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if inet from !$ext_if to any

# ICMP
#
pass out on $ext_if inet proto icmp from $ext_if to any \
    icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp from any to $ext_if \
    icmp-type 8 code 0 keep state

# UDP
#
pass out on $ext_if inet proto udp from any to any keep state
pass in on $ext_if inet proto udp from any to $ext_if \
    port { 53, 68 } keep state

# TCP
#
pass out on $ext_if inet proto tcp from $ext_if to any \
    flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $ext_if port $services_tcp \
    flags S/SA keep state (max 1024, tcp.first 10, tcp.opening 10)
-----------------------

Let me know how I can improve this, thanks.

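Added example, not part of the original post: the translation and external-interface fragments as a reviewer would rework them for a firewall whose fxp0 address comes from the cable provider's DHCP server. Two things in the posted ruleset are worth checking. First, the `block in quick ... to { 255.255.255.255 }` rule sits before the `pass in ... port { 53, 68 }` rule and is `quick`, so a DHCP answer sent to the broadcast address (which is what the server does before the client holds a lease) is dropped before the port-68 rule is ever evaluated, and it cannot match the state created by the outgoing request because the addresses differ. Second, `rdr` acts on packets arriving on the named interface, so a redirection `on $ext_if` never sees FTP connections from the LAN, which arrive on sis0; on top of that, `no rdr on $unfiltered` (which contains sis0) comes first, and the first matching translation rule wins. The fragment below assumes a pf release that accepts the parenthesised `($ext_if)` form for an interface whose address changes at runtime, keeps ftp-proxy on 127.0.0.1:8081 as in the post, and introduces an `int_if` macro that the post does not have.

```pf
# Macros (int_if is added here; the post only names the interface in a comment)
ext_if = "fxp0"
int_if = "sis0"
unfiltered = "{ lo0, sis0 }"

# Translations
#
# ftp-proxy: FTP control connections from the LAN arrive on the internal
# interface, so the redirection has to be on $int_if, and it has to come
# before 'no rdr on $unfiltered' because the first matching translation
# rule wins. sis0:network expands to the network attached to sis0.
rdr on $int_if inet proto tcp from $int_if:network to any port 21 \
    -> 127.0.0.1 port 8081
no nat on $unfiltered from any to any
no rdr on $unfiltered from any to any

# ($ext_if) is re-evaluated when the DHCP-assigned address changes,
# instead of being expanded once at ruleset load time.
nat on $ext_if inet from 192.168.0.0/16 to any -> ($ext_if)

# external interface
#
# DHCP client: the exchange runs between client port 68 and server port 67.
# Before a lease exists the request is sourced from 0.0.0.0 and the answer
# may be addressed to 255.255.255.255, so neither matches an address-based
# rule or the state of the request. Pass both directions explicitly and
# with 'quick', *before* the broadcast drop and the anti-spoof rules.
pass in  quick on $ext_if inet proto udp from any port 67 to any port 68
pass out quick on $ext_if inet proto udp from any port 68 to any port 67

# silently drop all other broadcasts (unchanged from the post, now after
# the DHCP rules)
block in quick on $ext_if inet from any to 255.255.255.255

# outgoing anti-spoof, using the dynamic address so it stays correct
# across lease changes
block out log quick on $ext_if inet from !($ext_if) to any

# ICMP: the firewall may ping out and gets the echo replies through state;
# no 'pass in' for icmp-type 8, so incoming pings fall through to the
# default 'block log'. Outgoing traceroute probes are covered by the UDP
# keep-state rule, and pf matches the returning ICMP errors to that state.
pass out on $ext_if inet proto icmp from ($ext_if) to any \
    icmp-type 8 code 0 keep state

# UDP and TCP as in the post, with the interface address made dynamic
pass out on $ext_if inet proto udp from any to any keep state
pass in  on $ext_if inet proto udp from any to ($ext_if) port 53 keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    flags S/SA keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it (that only parses and reports errors), then `pfctl -sr` and `pfctl -sn` to confirm the DHCP rules and the rdr precede the `block in quick` and `no rdr` lines; `pfctl -ss` while a lease renews shows whether the exchange is creating state rather than being logged by the default block.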