Re: Revised rules question

2003-09-30 Thread Jason Williams
I was thinking about my rules here and wanted to ask the following, with regard to this section:

# block NMAP stuff: TCP flag combinations no legitimate connection setup uses
# (flags check/mask: of the flags in mask, exactly those in check must be set)
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP    # FIN, URG and PSH all set
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA    # SYN and FIN set together
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA      # none of SYN, FIN, RST, ACK set
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA     # FIN without SYN, RST or ACK
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU    # URG alone
block in log on $ext_if all

Ok... I'm beginning to wonder if I even need this part in my rules. Why? Because this particular box is sitting behind our company firewall, on the DMZ. Are these rules redundant and not needed? Or is it good practice to have these in?

Secondly, I am making this setup go live this week and want to verify a few things...
Specifically, I want to verify that the only thing that will be allowed, incoming-wise, is port 25, correct? Everything else will be let through.
Lastly, as far as SSH is concerned, I want to make sure that only my intranet IP address can SSH to the box, possibly to the second interface. Does it look like that has been set up correctly?

Am I missing anything?

I appreciate any comments and suggestions.

Cheers,

Jason

At 04:44 PM 9/29/2003 -0700, you wrote:
Any thoughts at all on these rules?

I think they look pretty good, but would like some feedback on them for any changes and recommendations.

Thanks.

jason

At 11:30 AM 9/26/2003 -0700, you wrote:
Hello everyone.

I have been tweaking some PF rules for a mail gateway server that is going to be on my company's DMZ.
What I was hoping to accomplish was the following:

1.) Only allow port 25 traffic to the mail gateway
2.) Allow SSH connections from my intranet
3.) Secure the box as much as I can.

With that in mind, here are a few things:

IP range for the DMZ is 10.0.0.0/8
IP range for the intranet is 192.168.0.0/24

With that in mind, I have the following rules:

# macros
ext_if = "fxp0"
int_if = "fxp1"
tcp_services = "{ 25 }"          # allowed in on $ext_if (SMTP)
tcp_int_services = "{ 22 }"      # allowed in on $int_if (SSH)
# addresses that should never arrive on, or leave through, the external interface
table <noroute> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# options
set optimization aggressive
set loginterface $ext_if
scrub in all fragment reassemble

# default deny all
block log all
# allow loopback traffic
pass quick on lo0 all
block in quick on $ext_if from <noroute> to any
block out quick on $ext_if from any to <noroute>
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state
# SSH from the intranet: match the destination port, not the source port
pass in on $int_if inet proto tcp from $int_if:network to ($int_if) port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

Just a few questions:
First, how do my rules look? Any possible problems or loopholes I missed?
Second, does anyone have recommendations to modify and fine-tune my rules?
I am open to all suggestions.

Thank you.

Jason



Revised rules question

2003-09-26 Thread Jason Williams
Hello everyone.

I have been tweaking some PF rules for a mail gateway server that is going to be on my company's DMZ.
What I was hoping to accomplish was the following:

1.) Only allow port 25 traffic to the mail gateway
2.) Allow SSH connections from my intranet
3.) Secure the box as much as I can.

With that in mind, here are a few things:

IP range for the DMZ is 10.0.0.0/8
IP range for the intranet is 192.168.0.0/24

With that in mind, I have the following rules:

# macros
ext_if = "fxp0"
int_if = "fxp1"
tcp_services = "{ 25 }"          # allowed in on $ext_if (SMTP)
tcp_int_services = "{ 22 }"      # allowed in on $int_if (SSH)
# addresses that should never arrive on, or leave through, the external interface
table <noroute> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# options
set optimization aggressive
set loginterface $ext_if
scrub in all fragment reassemble

# default deny all
block log all
# allow loopback traffic
pass quick on lo0 all
block in quick on $ext_if from <noroute> to any
block out quick on $ext_if from any to <noroute>
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state
# SSH from the intranet: match the destination port, not the source port
pass in on $int_if inet proto tcp from $int_if:network to ($int_if) port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

Just a few questions:
First, how do my rules look? Any possible problems or loopholes I missed?
Second, does anyone have recommendations to modify and fine-tune my rules?
I am open to all suggestions.

Thank you.

Jason
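The following is an added example, not code from the thread: a small Python model of how pf walks this ruleset (last matching rule wins, unless a matching rule says `quick`, which ends the search at once), so the questions asked in both messages can be checked packet by packet: is SMTP the only inbound service on the DMZ side, is SSH reachable only from the intranet, and do the flag-combination blocks from the follow-up fire. The `flags_match` function encodes pf's `flags check/mask` semantics (of the flags in the mask, exactly those in the check part must be set). The addresses 10.0.0.5 on fxp0 and 192.168.0.1 on fxp1, the probe packets, and the placement of the flag-combination blocks after the `<noroute>` rules are assumptions made for the example; the model has no state table, scrub or NAT, and the SSH rule is encoded as a destination-port rule, which is what the posts say it is meant to do.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXT_IF, INT_IF = "fxp0", "fxp1"                      # $ext_if / $int_if
EXT_ADDR = "10.0.0.5"                                # constructed: ($ext_if)
INT_ADDR = "192.168.0.1"                             # constructed: ($int_if)
INT_NET = [ipaddress.ip_network("192.168.0.0/24")]   # $int_if:network
NOROUTE = [ipaddress.ip_network(n) for n in          # table <noroute>
           ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def host(addr: str) -> list:
    return [ipaddress.ip_network(addr + "/32")]


def flags_match(pkt_flags: str, check: str, mask: str) -> bool:
    """pf 'flags check/mask': of the flags in mask, exactly those in check are set."""
    return {f for f in pkt_flags if f in mask} == set(check)


@dataclass
class Packet:
    direction: str              # "in" or "out"
    iface: str
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    flags: str = ""             # TCP flags set, as letters from "SAFRPU"


@dataclass
class Rule:
    text: str                   # the pf.conf line this entry models
    action: str                 # "pass" or "block"
    direction: Optional[str] = None
    iface: Optional[str] = None
    proto: Optional[tuple] = None
    src: Optional[list] = None
    dst: Optional[list] = None
    dport: Optional[int] = None
    flags: Optional[tuple] = None   # (check, mask), as in "flags S/SAFR"
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction and p.direction != self.direction:
            return False
        if self.iface and p.iface != self.iface:
            return False
        if self.proto and p.proto not in self.proto:
            return False
        if self.src and not any(ipaddress.ip_address(p.src) in n for n in self.src):
            return False
        if self.dst and not any(ipaddress.ip_address(p.dst) in n for n in self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.flags and not flags_match(p.flags, *self.flags):
            return False
        return True


def flag_block(check: str, mask: str) -> Rule:
    return Rule(f"block in log quick on $ext_if inet proto tcp flags {check}/{mask}",
                "block", "in", EXT_IF, ("tcp",), flags=(check, mask), quick=True)


RULES = [   # pf.conf order; the flag blocks are assumed to sit after the <noroute> rules
    Rule("block log all", "block"),
    Rule("pass quick on lo0 all", "pass", iface="lo0", quick=True),
    Rule("block in quick on $ext_if from <noroute> to any", "block", "in", EXT_IF, src=NOROUTE, quick=True),
    Rule("block out quick on $ext_if from any to <noroute>", "block", "out", EXT_IF, dst=NOROUTE, quick=True),
    flag_block("FUP", "FUP"), flag_block("SF", "SFRA"), flag_block("", "SFRA"),
    flag_block("F", "SFRA"), flag_block("U", "SFRAU"),
    Rule("block in log on $ext_if all", "block", "in", EXT_IF),
    Rule("pass in on $ext_if inet proto tcp from any to ($ext_if) port 25 flags S/SAFR keep state",
         "pass", "in", EXT_IF, ("tcp",), dst=host(EXT_ADDR), dport=25, flags=("S", "SAFR")),
    Rule("pass in on $int_if inet proto tcp from $int_if:network to ($int_if) port 22 flags S/SAFR keep state",
         "pass", "in", INT_IF, ("tcp",), src=INT_NET, dst=host(INT_ADDR), dport=22, flags=("S", "SAFR")),
    Rule("pass in on $int_if from $int_if:network to any keep state", "pass", "in", INT_IF, src=INT_NET),
    Rule("pass out on $int_if from any to $int_if:network keep state", "pass", "out", INT_IF, dst=INT_NET),
    Rule("pass out on $ext_if proto tcp all modulate state flags S/SAFR", "pass", "out", EXT_IF, ("tcp",), flags=("S", "SAFR")),
    Rule("pass out on $ext_if proto { udp, icmp } all keep state", "pass", "out", EXT_IF, ("udp", "icmp")),
]


def evaluate(pkt: Packet, rules=RULES) -> Optional[Rule]:
    """Last matching rule wins; a matching 'quick' rule ends the search at once."""
    winner = None
    for r in rules:
        if r.matches(pkt):
            winner = r
            if r.quick:
                break
    return winner


def verdict(pkt: Packet) -> str:
    r = evaluate(pkt)
    return r.action if r else "pass"     # pf passes a packet that no rule matches


# constructed probe packets, one per question raised in the thread
CHECKS = {
    "smtp from the internet":          Packet("in", EXT_IF, "tcp", "203.0.113.7", EXT_ADDR, 25, "S"),
    "http from the internet":          Packet("in", EXT_IF, "tcp", "203.0.113.7", EXT_ADDR, 80, "S"),
    "ssh from the internet":           Packet("in", EXT_IF, "tcp", "203.0.113.7", EXT_ADDR, 22, "S"),
    "smtp from a 10/8 DMZ neighbour":  Packet("in", EXT_IF, "tcp", "10.0.0.9", EXT_ADDR, 25, "S"),
    "ssh from the intranet":           Packet("in", INT_IF, "tcp", "192.168.0.20", INT_ADDR, 22, "S"),
    "http from the intranet":          Packet("in", INT_IF, "tcp", "192.168.0.20", INT_ADDR, 80, "S"),
    "ssh from 172.16/12 on int_if":    Packet("in", INT_IF, "tcp", "172.16.4.4", INT_ADDR, 22, "S"),
    "FIN+URG+PSH probe to port 25":    Packet("in", EXT_IF, "tcp", "203.0.113.7", EXT_ADDR, 25, "FPU"),
    "no-flags probe to port 25":       Packet("in", EXT_IF, "tcp", "203.0.113.7", EXT_ADDR, 25, ""),
}

if __name__ == "__main__":
    for name, pkt in CHECKS.items():
        r = evaluate(pkt)
        print(f"{name:32} -> {r.action:5} by: {r.text}")
```

Two of the results are worth reading off the winning rule rather than just the verdict: an SMTP connection from another 10/8 host on the DMZ side is stopped by the `<noroute>` rule, because that table contains the DMZ's own range, and an intranet connection to any port other than 22 is still passed, by the `pass in on $int_if from $int_if:network to any` rule, so that rule and not the port-22 rule is what decides what the intranet may reach.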