Date: Tue, 25 Jul 2006 20:44:32 -0700
From: Darrin Chandler <dwchandler@stilyagin.com>
To: Jonathan Horne <freebsd@dfwlp.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf firewall for a server
Message-ID: <20060726034432.GA7790@jeeves.stilyagin.local>
In-Reply-To: <200607252030.46540.freebsd@dfwlp.com>
References: <200607252030.46540.freebsd@dfwlp.com>
On Tue, Jul 25, 2006 at 08:30:46PM -0500, Jonathan Horne wrote:
> I've been googling for a while now this evening, but have unsuccessfully found
> any examples on how to firewall a server. I do *not* want to build a router,
> and unfortunately, every article I seem to find wants to tell me how to build
> a router!
>
> I just want to learn how to build a simple pf config suitable for a server.
> If anyone knows of a website where such an example might be found, that would
> be awesome (but direct config examples in a reply will also be duly
> appreciated as well :)

Most of the rulesets for router/gateway firewalls will give you lots of good
info for a single server, too. Understanding how the rules work is the name of
the game either way. The handbook is a great place to start, and the pf faq on
the OpenBSD site is another.

Here's a very simple but functional pf.conf to get you going:

-----
if1 = "ne0"                 # Our Interface
allowed_svc = "{ ssh www }" # Services to let in

set skip on lo
scrub in

block in
pass out keep state

antispoof quick for lo

pass in log on $if1 inet proto icmp to ($if1) keep state   # Optional
pass in log on $if1 inet proto tcp to ($if1) port $allowed_svc \
	keep state
-----

That is something you can start with. BUT, you need to understand what the
rules do! Do read the handbook, faq, and man pages. See if you can find
anything wrong with the above ruleset.

--
Darrin Chandler            |  Phoenix BSD Users Group
dwchandler@stilyagin.com   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
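As an added example (not from the post and not pf's own code), here is a small Python model of pf's "last matching rule wins, unless it is quick" evaluation applied to the rules above, with the ssh/www macro resolved by hand to ports 22/80. It ignores interfaces, addresses, scrub and keep state, and exists only to show why the order of "block in" versus the "pass in" rules matters.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class Rule:
    action: str                     # "block" or "pass"
    direction: str                  # "in" or "out"
    proto: Optional[str] = None     # "tcp", "icmp", ... or None for any
    ports: FrozenSet[int] = frozenset()  # empty = any destination port
    quick: bool = False             # 'quick' stops evaluation on match

@dataclass
class Packet:
    direction: str
    proto: str
    dport: Optional[int] = None

# allowed_svc = "{ ssh www }" resolved via /etc/services (assumed values)
SERVICES = {"ssh": 22, "www": 80}

# Hand-transcribed from the pf.conf in the post (antispoof/lo rules omitted)
RULESET: List[Rule] = [
    Rule("block", "in"),
    Rule("pass", "out"),
    Rule("pass", "in", "icmp"),
    Rule("pass", "in", "tcp", frozenset(SERVICES.values())),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.ports and pkt.dport not in rule.ports:
        return False
    return True

def evaluate(ruleset: List[Rule], pkt: Packet) -> str:
    """pf semantics: the last matching rule decides, unless a matching
    rule carries 'quick'. With no match at all pf's default is pass."""
    verdict = "pass"
    for rule in ruleset:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Same rules with "block in" moved to the end: it now overrides every pass in.
MISORDERED: List[Rule] = RULESET[1:] + [RULESET[0]]
```

Running evaluate() on an inbound TCP packet to port 22 gives "pass" with RULESET but "block" with MISORDERED, which is the kind of mistake reading the handbook's section on rule ordering is meant to prevent.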
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060726034432.GA7790>