Dear all,
I'm new to PF and I would have liked to have the opinion of more
experienced users of PF about my firewall rules. It's a box with one interface,
where only SSH is allowed from outside. After reading the PF documentation
and a few other resources, I came up with the rules below.
Thank you in advance for all comments!
Cheers,
Xavier
# Set macros
ext_if = "rl0"
tcp_flags = "S/SA"
tcp_services_in_proxy = "{ 22 }"
tcp_services_out = "{ 22, 80, 443 }"
udp_services_out = "{ 53, 123 }"
icmp_types = "echoreq"# Set options set block-policy drop set state-policy if-bound set loginterface $ext_if
# Scrub all incoming packets scrub in all
# Default policy (block all traffic on all interfaces in either direction)
block in log-all all
block out log all
# Pass traffic on the loopback interface in either direction pass quick on lo0 all
# Activate anti-spoofing protections antispoof quick for $ext_if
# Allowed traffic from outside
pass in log quick on $ext_if inet proto tcp from any to $ext_if port
$tcp_services_in_proxy flags $tcp_flags synproxy state# Allowed traffic from inside
pass out log quick on $ext_if inet proto tcp from $ext_if to any port
$tcp_services_out flags $tcp_flags modulate state
pass out log quick on $ext_if inet proto udp from $ext_if to any port
$udp_services_out modulate state
pass out log quick on $ext_if inet proto icmp from $ext_if to any icmp-type
$icmp_types keep state
