Re: pf firewall for a server
On Wednesday 26 July 2006 02:30, Jonathan Horne wrote:
> i've been googling for a while now this evening, but have unsuccessfully
> found any examples on how to firewall a server. i do *not* want to build a
> router, and unfortunately, every article i seem to find wants to tell me how
> to build a router!
>
> i just want to learn how to build a simple pf config suitable for a server.
> if anyone knows of a website where such an example might be found, that
> would be awesome (but direct config examples in a reply will also be duly
> appreciated as well :)
>

There are some examples in /usr/share/examples/pf

The OpenBSD site is easy to follow:
http://www.openbsd.org/faq/pf/

> thanks,
> jonathan
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
Re: pf firewall for a server
Jonathan Horne <[EMAIL PROTECTED]> writes:

> i've been googling for a while now this evening, but have
> unsuccessfully found any examples on how to firewall a server. i do
> *not* want to build a router, and unfortunately, every article i seem
> to find wants to tell me how to build a router!

The same principles apply everywhere - block everything, allow the
traffic you need. What traffic you need to pass depends on the
services you intend to make accessible. For a host with a single
network interface, you can get away with a handful of lines, ie

localnet="xl0:network"
offered="{ ssh, netbios-ns, netbios-dgm, netbios-ssn, www, https }"
needed="{ ssh, domain, ntp, whois }"

block all
pass proto { tcp, udp } from self to any port $needed keep state
pass proto { tcp, udp } from $localnet to self port $offered keep state

A lot of embellishment on this (untested, may contain nuts) is
possible, and you could probably do worse than spend a few moments
browsing the PF docs or for that matter my rather basic PF tutorial at
http://www.bgnett.no/~peter/pf/ to familiarize yourself with the
system.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
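Added example (not part of the original thread or of any poster's message): a simplified Python model of how pf evaluates the three filter rules in the message above, where the last matching rule decides, so `block all` goes first and the later `pass` rules override it. The addresses 192.0.2.10 and 192.0.2.0/24 are constructed stand-ins for the host and `xl0:network`; protocol matching and state tracking are not modelled.

```python
# Simplified model of pf filter evaluation: every rule is checked in order and
# the LAST matching rule decides (no rule here uses "quick").
import ipaddress

SELF = ipaddress.ip_address("192.0.2.10")        # constructed host address
LOCALNET = ipaddress.ip_network("192.0.2.0/24")  # constructed stand-in for xl0:network

# Standard port numbers for the service names used in the ruleset.
PORTS = {"ssh": 22, "whois": 43, "domain": 53, "www": 80, "ntp": 123,
         "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "https": 443}

OFFERED = {PORTS[s] for s in
           ("ssh", "netbios-ns", "netbios-dgm", "netbios-ssn", "www", "https")}
NEEDED = {PORTS[s] for s in ("ssh", "domain", "ntp", "whois")}


def is_self(addr):
    return addr == SELF


def in_localnet(addr):
    return addr in LOCALNET


def anyone(addr):
    return True


# (action, source test, destination test, destination ports or None for any)
RULES = [
    ("block", anyone, anyone, None),          # block all
    ("pass", is_self, anyone, NEEDED),        # from self to any port $needed
    ("pass", in_localnet, is_self, OFFERED),  # from $localnet to self port $offered
]


def decide(src, dst, dport):
    """Return 'pass' or 'block' for a new tcp/udp connection."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "pass"  # pf's implicit default when no rule matches at all
    for action, src_ok, dst_ok, ports in RULES:
        if src_ok(src) and dst_ok(dst) and (ports is None or dport in ports):
            verdict = action  # keep going: a later match overrides this one
    return verdict
```

Running `decide("192.0.2.10", "198.51.100.1", 80)` returns `block`: `www` is in the offered list but not in the needed list, so the server itself cannot open outbound HTTP connections under this ruleset.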
Re: pf firewall for a server
On Tue, Jul 25, 2006 at 08:30:46PM -0500, Jonathan Horne wrote:
> i've been googling for a while now this evening, but have unsuccessfully found
> any examples on how to firewall a server. i do *not* want to build a router,
> and unfortunately, every article i seem to find wants to tell me how to build
> a router!
>
> i just want to learn how to build a simple pf config suitable for a server.
> if anyone knows of a website where such an example might be found, that would
> be awesome (but direct config examples in a reply will also be duly
> appreciated as well :)

Most of the rulesets for router/gateway firewalls will give you lots of
good info for a single server, too. Understanding how the rules work is
the name of the game either way. The handbook is a great place to start,
and the pf faq on the OpenBSD site is another.

Here's a very simple but functional pf.conf to get you going:

-
if1 = "ne0"                    # Our Interface
allowed_svc = "{ ssh www }"    # Services to let in

set skip on lo
scrub in

block in
pass out keep state
antispoof quick for lo

pass in log on $if1 inet proto icmp to ($if1) keep state    # Optional
pass in log on $if1 inet proto tcp to ($if1) port $allowed_svc \
    keep state
-

That is something you can start with. BUT, you need to understand what
the rules do! Do read the handbook, faq, and man pages. See if you can
find anything wrong with the above ruleset.

--
Darrin Chandler            | Phoenix BSD Users Group
[EMAIL PROTECTED]          | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
RE: pf firewall for a server
why don't you try reading the firewall section of the handbook.
it has working example rule set you can copy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jonathan Horne
Sent: Tuesday, July 25, 2006 9:31 PM
To: freebsd-questions@freebsd.org
Subject: pf firewall for a server

i've been googling for a while now this evening, but have unsuccessfully found
any examples on how to firewall a server. i do *not* want to build a router,
and unfortunately, every article i seem to find wants to tell me how to build
a router!

i just want to learn how to build a simple pf config suitable for a server.
if anyone knows of a website where such an example might be found, that would
be awesome (but direct config examples in a reply will also be duly
appreciated as well :)

thanks,
jonathan
pf firewall for a server
i've been googling for a while now this evening, but have unsuccessfully found
any examples on how to firewall a server. i do *not* want to build a router,
and unfortunately, every article i seem to find wants to tell me how to build
a router!

i just want to learn how to build a simple pf config suitable for a server.
if anyone knows of a website where such an example might be found, that would
be awesome (but direct config examples in a reply will also be duly
appreciated as well :)

thanks,
jonathan