As suggested, here is the file.  The last 4 lines have no effect.  The computer can web surf all day.  Thanks

pf.conf file:

# Define useful variables
#
ExtIF="dc1"                   # External Interface
IntIF="dc0"                   # Internal Interface
loopbackIF="lo0"              # Loopback Interface
#
IntNet="192.168.100.0/24"     # Our internal network
Austin="192.168.100.129"
Gameroom="192.168.100.130"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
Services="{ ssh }"

# translate the internal network to the external interface's address on the
# way out (the address in parentheses is re-read if it changes)
nat on $ExtIF from $IntNet to any -> ($ExtIF)

#pass anything on loopback
pass in quick on $loopbackIF

# Clean up fragmented and abnormal packets
scrub in all

# don't allow anyone to spoof non-routable addresses
block in  quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs

# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ExtIF all

# allow others to use allowed services
pass  in on $ExtIF inet proto tcp from any to any port $Services \
        flags S/SA keep state

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out on $ExtIF                 all
pass  out on $ExtIF inet proto tcp  all flags S/SA keep state
pass  out on $ExtIF inet proto udp  all            keep state
pass  out on $ExtIF inet proto icmp all            keep state
#
block in  quick on $ExtIF from any to 192.168.100.130
block out quick on $ExtIF from 192.168.100.130 to any
block in  quick on $IntIF from any to 192.168.100.130
block out quick on $IntIF from 192.168.100.130 to any
----- Original Message ----- 
From: "Daniel Staal" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 18, 2003 7:38 PM
Subject: Re: the zen of pf
>
<snip>
>
> The most common 'gotcha' at this point is that NAT happens before
> filtering, so if you are blocking by IP addresses/ranges you have to
> remember that.  Beyond that, my advice at this point would be to
> post your pf.conf.
>
> Daniel T. Staal
>
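Added example, not from the original post or from the pf project: a corrected version of the last four rules of the posted pf.conf, assuming the same macros and addresses ($IntIF = dc0, $Gameroom = 192.168.100.130). Two things keep the posted rules from matching. First, as the quoted reply says, NAT runs before filtering: `nat on $ExtIF` rewrites the source address to the external interface's address before the outbound filter rules on $ExtIF are evaluated, so `block out quick on $ExtIF from 192.168.100.130` never sees that address. Second, packets from the gameroom host enter the firewall *in* on $IntIF and replies leave *out* on $IntIF, so the directions in the two $IntIF rules are reversed. Filtering on the internal interface, where the untranslated address is still visible, avoids both problems:

```pf
# Added example (not from the original post): block the gameroom host on
# the internal interface. Macros assumed identical to the posted pf.conf.
IntIF="dc0"
Gameroom="192.168.100.130"

# Traffic from the gameroom host enters the firewall *in* on $IntIF;
# match it here, before nat on $ExtIF rewrites the source address.
block in  quick on $IntIF from $Gameroom to any

# Anything destined for the host leaves the firewall *out* on $IntIF.
block out quick on $IntIF from any to $Gameroom
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because pf consults the state table before the rules, connections that were already open when the rules were loaded keep passing until their state entries expire; `pfctl -F states` clears them. `pfctl -s rules` and `pfctl -s state` confirm what is loaded and what is still being tracked.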