Date: Tue, 17 May 2005 22:38:49 +0100
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: <freebsd-pf@freebsd.org>
Subject: RE: pf and mpd
Message-ID: <20050517213850.4C1152C@gw2.local.net>
In-Reply-To: <000701c55b1d$c422c780$0200a8c0@satellite>
> # options
> # expire state connections early
> set optimization aggressive

Why?

> set block-policy drop

set block-policy return
# makes you a good internet citizen and helps debug problems on your own network.

> # to the ftp-proxy running on the firewall host (via inetd on port 8081)
> rdr on ep1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> # pass loopback traffic

# Stick a block log all here, a default deny posture is the most secure.
# If you cannot see what's being dropped by default it's impossible to debug.
# Log everything! You can always tone it down when the policy has been debugged.

> pass quick on lo0 all
>
> # block windows email relays
> block in quick on $EXT inet proto tcp from any os "Windows" to any port 25

You've just killed anyone using Exchange as an MTA by doing that.

> # immediately prevent IPv6 traffic from entering or leaving all interfaces
> block quick inet6 all

A default block policy will do that anyway.

> # silently block and drop broadcast cable modem noise
> block in quick on $EXT from any to 255.255.255.255
>
> # Block bad tcp flags from malicious people and nmap scans

A waste of time, scrub will sort that.

> flags S/AUPRFS modulate state

This is a *really* bad idea, use flags 'S/SA' only. Otherwise it *will* cause problems.
Applying 'modulate state' to each rule is overkill, let scrub of the form

scrub on $Ext reassemble tcp random-id

take care of it.

> # allow firewall to contact ftp server on behalf of passive ftp client
> # on control port 21
> pass out on $EXT \
>     inet proto tcp \
>     from $EXT to any \
>     port 21 \
>     flags S/AUPRFS modulate state
>
> # allow firewall to contact ftp server on behalf of passive ftp client
> # on standard unprivileged port range ( > 1024 )
> pass out on $EXT \
>     inet proto tcp \
>     from $EXT to any \
>     port > 1024 \
>     flags S/AUPRFS modulate state
>
> # block everything from entering LAN
> block in on $LAN all

Handled by a default block policy.

> # allow UDP requests to port 53 from lan clients to enter LAN
> # in order to perform dns queries on the firewall (keep state on this connection)
> pass in on $LAN \
>     inet proto udp \
>     from $LAN_clients to $LAN_firewall \
>     port 53 \
>     keep state
>
> # allow lan traffic from lan clients to enter lan
> # in order to contact internet web servers (keep state on this connection)
> pass in on $LAN \
>     inet proto tcp \
>     from $LAN_clients to any \
>     port $LAN_TO_INT_SERVICES \
>     flags S/AUPRFS modulate state

PPTP consists of two parts, IP protocol 47 or GRE and 1723/tcp. You're not allowing in the GRE part of the traffic. When I used mpd and pf last you need a rule of the form

pass in on $EXT inet proto gre to $EXT keep state

& you need to add rules to allow traffic to flow for the ng* interfaces mpd will create on the fly for each tunnel.

Greg
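As an added example, not part of Greg's message or of mpd's own documentation, the fragment below is a pf.conf skeleton that applies the points made in the reply: a logged default deny, a single scrub rule instead of `modulate state` on every rule, `flags S/SA` on TCP rules, and the 1723/tcp plus GRE rules that a PPTP server behind pf needs. The interface names (`ep1`, `ep0`), the LAN network and the `ng0` tunnel interface are assumptions for illustration; mpd numbers the ng interfaces it creates, so one rule pair per expected tunnel interface is needed with this syntax.

```pf
# Added example, not from the original message. Interface names,
# LAN network and the ng0 tunnel interface are assumptions.
ext_if  = "ep1"               # assumption: external (cable modem) interface
int_if  = "ep0"               # assumption: LAN interface
lan_net = "192.168.0.0/24"    # assumption: LAN address range

# 'return' instead of 'drop': clients get RST/ICMP unreachable, which
# makes misconfigurations visible instead of silent timeouts
set block-policy return

# one scrub rule for the external interface replaces 'modulate state'
# on every rule and normalises bad TCP flag combinations and fragments
scrub on $ext_if all reassemble tcp random-id

# logged default deny: everything not passed below shows up on pflog0
# (tcpdump -n -e -ttt -i pflog0), which is what makes the policy debuggable
block log all

pass quick on lo0 all

# firewall-originated traffic; 'S/SA' is the only flag check that is safe
pass out on $ext_if inet proto tcp from $ext_if to any flags S/SA keep state
pass out on $ext_if inet proto { udp, icmp } from $ext_if to any keep state

# PPTP to mpd on this host: control channel on 1723/tcp AND the GRE
# (IP protocol 47) tunnel; without the GRE rule the control session
# completes but no data ever flows
pass in on $ext_if inet proto tcp from any to $ext_if port 1723 flags S/SA keep state
pass in on $ext_if inet proto gre from any to $ext_if keep state

# the per-tunnel interface mpd creates (ng0 assumed); traffic arriving
# from the tunnel towards the LAN, and replies going back down it
pass in  on ng0 from any to $lan_net keep state
pass out on ng0 from $lan_net to any keep state

# LAN clients out to the Internet and to the tunnel
pass in on $int_if from $lan_net to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; with `block log all` in place, any tunnel traffic that is still being dropped appears on pflog0 and tells you which ng interface or direction is missing a rule.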