Re: pf firewall for a server

2006-07-26 Thread Peter N. M. Hansteen
Jonathan Horne [EMAIL PROTECTED] writes:

> i've been googling for a while now this evening, but have
> unsuccessfully found any examples on how to firewall a server.  i do
> *not* want to build a router, and unfortunately, every article i seem
> to find wants to tell me how to build a router!

The same principles apply everywhere - block everything, allow the
traffic you need.  What traffic you need to pass depends on the
services you intend to make accessible.  For a host with a single
network interface, you can get away with a handful of lines, i.e.

localnet = "xl0:network"
# list macros must be quoted
offered = "{ ssh, netbios-ns, netbios-dgm, netbios-ssn, www, https }"
needed = "{ ssh, domain, ntp, whois }"

# default deny, then pass only the traffic that is needed
block all
pass proto { tcp, udp } from self to any port $needed keep state
pass proto { tcp, udp } from $localnet to self port $offered keep state

A lot of embellishment on this (untested, may contain nuts) is
possible, and you could probably do worse than spend a few moments
browsing the PF docs or for that matter my rather basic PF tutorial at
http://www.bgnett.no/~peter/pf/ to familiarize yourself with the
system.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: pf firewall for a server

2006-07-26 Thread RW
On Wednesday 26 July 2006 02:30, Jonathan Horne wrote:
> i've been googling for a while now this evening, but have unsuccessfully
> found any examples on how to firewall a server.  i do *not* want to build a
> router, and unfortunately, every article i seem to find wants to tell me how
> to build a router!
>
> i just want to learn how to build a simple pf config suitable for a server.
> if anyone knows of a website where such an example might be found, that
> would be awesome (but direct config examples in a reply will also be duly
> appreciated as well :)


There are some examples in /usr/share/examples/pf

The OpenBSD site is easy to follow:

http://www.openbsd.org/faq/pf/

> thanks,
> jonathan


pf firewall for a server

2006-07-25 Thread Jonathan Horne
i've been googling for a while now this evening, but have unsuccessfully found 
any examples on how to firewall a server.  i do *not* want to build a router, 
and unfortunately, every article i seem to find wants to tell me how to build 
a router!

i just want to learn how to build a simple pf config suitable for a server.  
if anyone knows of a website where such an example might be found, that would 
be awesome (but direct config examples in a reply will also be duly 
appreciated as well :)

thanks,
jonathan


RE: pf firewall for a server

2006-07-25 Thread fbsd
why don't you try reading the firewall section of the handbook.
it has a working example rule set you can copy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jonathan
Horne
Sent: Tuesday, July 25, 2006 9:31 PM
To: freebsd-questions@freebsd.org
Subject: pf firewall for a server


i've been googling for a while now this evening, but have unsuccessfully
found any examples on how to firewall a server.  i do *not* want to build
a router, and unfortunately, every article i seem to find wants to tell me
how to build a router!

i just want to learn how to build a simple pf config suitable for a server.
if anyone knows of a website where such an example might be found, that
would be awesome (but direct config examples in a reply will also be duly
appreciated as well :)

thanks,
jonathan


Re: pf firewall for a server

2006-07-25 Thread Darrin Chandler
On Tue, Jul 25, 2006 at 08:30:46PM -0500, Jonathan Horne wrote:
> i've been googling for a while now this evening, but have unsuccessfully found
> any examples on how to firewall a server.  i do *not* want to build a router,
> and unfortunately, every article i seem to find wants to tell me how to build
> a router!
>
> i just want to learn how to build a simple pf config suitable for a server.
> if anyone knows of a website where such an example might be found, that would
> be awesome (but direct config examples in a reply will also be duly
> appreciated as well :)

Most of the rulesets for router/gateway firewalls will give you lots of
good info for a single server, too. Understanding how the rules work is
the name of the game either way. The handbook is a great place to start,
and the pf faq on the OpenBSD site is another.

Here's a very simple but functional pf.conf to get you going:

-
if1 = ne0 # Our Interface
allowed_svc = { ssh www } # Services to let in

set skip on lo
scrub in
block in
pass out keep state
antispoof quick for lo
pass in log on $if1 inet proto icmp to ($if1) keep state # Optional
pass in log on $if1 inet proto tcp to ($if1) port $allowed_svc \
keep state
-

That is something you can start with. BUT, you need to understand what
the rules do! Do read the handbook, faq, and man pages. See if you can
find anything wrong with the above ruleset.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
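
An added example, not part of any post in this thread: a pf.conf for a host with a single interface that follows the default-deny approach from the replies above, with list macros quoted and outbound services split by protocol. The interface name em0 and the exact service lists are assumptions; the syntax is the FreeBSD pf form used in the thread.

```conf
# /etc/pf.conf for a server with one NIC (added example).
# Assumptions: interface em0, service lists taken from the thread.
ext_if  = "em0"
tcp_in  = "{ ssh, www, https }"     # services this host offers
tcp_out = "{ ssh, domain, whois }"  # TCP services it uses as a client
udp_out = "{ domain, ntp }"         # UDP services it uses as a client

set block-policy drop
set skip on lo0                     # never filter loopback traffic

scrub in all                        # normalize incoming packets

# Default deny in both directions; log what gets dropped.
block log all
antispoof quick for $ext_if inet

# Inbound: only new TCP connections to the offered services.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_in flags S/SA keep state

# Outbound: only what the host needs, per protocol.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    port $tcp_out flags S/SA keep state
pass out on $ext_if inet proto udp from ($ext_if) to any \
    port $udp_out keep state

# ICMP echo request in either direction, so ping keeps working.
pass inet proto icmp all icmp-type echoreq keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and list the loaded rules with `pfctl -sr`.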