Hi all,

I've a pf-based bridged box. The pf.conf file looks like:

# 1. Macros
ext_if="em1"
int_if="em0"
bridge="{" $ext_if $int_if "}"
admin_if="em2"
pfsync_if="em3"
my_net="xxx.xxx.xxx.xxx/23"

# 2. Tables
table <unrestricted> persist file "/etc/pf_files/unrestricted.pf"

# brutes tables
table <ssh_brutes> persist
table <mysql_brutes> persist
table <http_brutes> persist
table <smtp_brutes> persist

# 3. Options
set skip on lo
set skip on em0
set skip on em2
set skip on em3
set fingerprints "/etc/pf.os"
set block-policy drop
set optimization aggressive
set limit states 700000
set loginterface em1

# 4. Scrub traffic
scrub in all

# 5. QUEUEING
# Not used.
# 6. TRANSLATION
# Not used.

# 7. FILTER RULES
# DEFAULT POLICY
block in on $ext_if

# antispoof
antispoof quick for lo

# allow ping/tracert tools
pass in inet proto icmp from any to any

# permit all outbound traffic
pass out quick

# turning away the brutes
block quick from <ssh_brutes>
block quick from <mysql_brutes>
block quick from <http_brutes>
block quick from <smtp_brutes>

# allow housing without restrictions
pass quick on $bridge inet proto { tcp, udp, icmp } from any to <unrestricted> allow-opts

# www with brute control method
pass quick on $bridge inet proto tcp from any to $my_net port { 80, 443 } keep state \
        (max-src-conn 650, max-src-conn-rate 80/1, \
        overload <http_brutes> flush global)

# DNS
pass quick on $bridge inet proto { tcp, udp } from any to $my_net port 53

# smtp with brutes
pass quick on $bridge inet proto tcp from any to $my_net port { 25, 578} keep state \
         (max-src-conn 250, max-src-conn-rate 50/1, \
          overload <smtp_brutes> flush global)

# pop3, pop3s, imap4, imap4s
pass quick on $bridge inet proto tcp from any to $my_net port { 110, 143, 993, 995 }

[.... other similar rules ...]

As you can see, I always use 'pass quick on $bridge .....', but you can also note that the bridge is formed by $ext_if (em1, external NIC) and $int_if (em0, internal NIC) and I DON'T filter anything on em0 (option 'set skip on em0').

So, I think it would be better to use 'pass quick on $ext_if....'.

Am I right?

--
Thanks,
Jordi Espasa Clofent
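The question above comes down to one pf fact: an interface listed in 'set skip on' is never filtered, so a rule written 'on { em1 em0 }' can only ever match on em1 when em0 is skipped. The script below is an added example (not part of the original mail or of pf itself) that checks exactly that: it expands pf macros (including the quoted-brace form bridge="{" $ext_if $int_if "}"), collects the 'set skip on' interfaces, and reports every filter rule whose 'on' clause names a skipped interface, together with the interfaces the rule can still match on. The embedded pf.conf is a constructed sample shaped like the poster's ruleset (203.0.113.0/24 is documentation address space), not the real file.

```python
import re

# Constructed sample mirroring the shape of the ruleset in the post; it is not
# the poster's actual pf.conf. 203.0.113.0/24 is documentation address space.
SAMPLE_PF_CONF = r'''
# macros
ext_if="em1"
int_if="em0"
bridge="{" $ext_if $int_if "}"
admin_if="em2"
my_net="203.0.113.0/24"

# options
set skip on lo
set skip on em0
set skip on em2

# rules
block in on $ext_if
pass quick on $bridge inet proto tcp from any to $my_net port { 80, 443 } keep state \
        (max-src-conn 650, max-src-conn-rate 80/1, overload <http_brutes> flush global)
pass quick on $admin_if inet proto tcp from any to $my_net port 22
pass out quick
'''

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*(.+)$')
MACRO_TOKEN = re.compile(r'"([^"]*)"|\$(\w+)')
MACRO_REF = re.compile(r'\$(\w+)')
ON_CLAUSE = re.compile(r'\bon\s+(\{[^}]*\}|\S+)')
SKIP_OPTION = re.compile(r'^set\s+skip\s+on\s+(.+)$')
FILTER_RULE = re.compile(r'^(pass|block|match)\b')


def logical_lines(conf_text):
    """Join backslash continuations and drop blank lines and comments."""
    joined = conf_text.replace("\\\n", " ")
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def parse_macros(lines):
    """Build name -> expanded value. A pf macro value may mix quoted strings
    and earlier macros, e.g. bridge="{" $ext_if $int_if "}" -> '{ em1 em0 }'."""
    macros = {}
    for line in lines:
        m = MACRO_DEF.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        parts = [macros.get(ref, "$" + ref) if ref else quoted
                 for quoted, ref in MACRO_TOKEN.findall(rhs)]
        macros[name] = " ".join(parts)
    return macros


def expand(text, macros):
    """Substitute $name references; unknown macros are left untouched."""
    return MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), text)


def split_list(text):
    """'{ em1 em0 }' or 'em1' -> {'em1', 'em0'} (pf lists use braces, spaces, commas)."""
    return {tok for tok in re.split(r"[\s{},]+", text) if tok}


def skipped_interfaces(lines, macros):
    """All interfaces named by 'set skip on' options."""
    skipped = set()
    for line in lines:
        m = SKIP_OPTION.match(expand(line, macros))
        if m:
            skipped |= split_list(m.group(1))
    return skipped


def rule_interfaces(rule, macros):
    """Interfaces in the rule's 'on' clause after macro expansion, or None."""
    m = ON_CLAUSE.search(expand(rule, macros))
    return split_list(m.group(1)) if m else None


def audit(conf_text):
    """Return (rule, dead_interfaces, effective_interfaces) for every filter
    rule whose 'on' clause names a skipped interface. pf never evaluates
    rules on a skipped interface, so the rule really applies only to the
    remaining interfaces, or to nothing at all if none remain."""
    lines = logical_lines(conf_text)
    macros = parse_macros(lines)
    skipped = skipped_interfaces(lines, macros)
    findings = []
    for line in lines:
        if not FILTER_RULE.match(line):
            continue
        wanted = rule_interfaces(line, macros)
        if not wanted:
            continue
        dead = wanted & skipped
        if dead:
            findings.append((line, sorted(dead), sorted(wanted - skipped)))
    return findings


if __name__ == "__main__":
    for rule, dead, effective in audit(SAMPLE_PF_CONF):
        what = ("matches only on %s" % ", ".join(effective)) if effective else "can never match"
        print("skipped %s in: %s\n  -> %s" % (", ".join(dead), rule, what))
```

Run against the sample, the 'on $bridge' rule is reported as effectively 'on em1' only, which is the equivalence the mail asks about, while the 'on $admin_if' rule is reported as one that can never match at all because em2 is skipped too. The script does not validate the full pf grammar; it only looks at macros, 'set skip on' and 'on' clauses, so treat it as a lint to run before 'pfctl -nf', not a replacement for it.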
