Date:      Thu, 30 Nov 2006 18:40:45 +0100
From:      Gergely CZUCZY <phoemix@harmless.hu>
To:        Daniel <daniel@britishemail.co.uk>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: opinion on this ruleset
Message-ID:  <20061130174045.GA73984@harmless.hu>
In-Reply-To: <20061130173504.CD06C43CBA@mx1.FreeBSD.org>
References:  <20061130173504.CD06C43CBA@mx1.FreeBSD.org>

On Sun, Nov 26, 2006 at 01:35:57PM -0000, Daniel wrote:
> I was wondering if I could get some opinions on this ruleset please -
> 
> Basically, I have FreeBSD6.1, running an IRC server on ports 6697, 7000,
> 6659 through to 6671, 9999, 27888.  I am also running a nameserver, so have
> opened TCP and UDP 53.  I also want incoming on port 80 and 22.
> 
> I have about 15 IP addresses assigned to my external interface... would it
> be better to make a table for these?  Or is using the ext_if as a macro just
> as effective?
> 
> 
> ext_if="rl0"
> 
> tcp_services="{ 22, 80, 53, 6633, 6697, 7000, 6659:6671, 9999, 27888 }"
> udp_services="{ 53 }"
> icmp_types="echoreq"
> 
> set block-policy return
> set loginterface $ext_if
> 
> set skip on lo
> scrub in
> 
> block in
> 
> pass out keep state
> 
> antispoof quick for { lo $int_if }
> 
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>    port $tcp_services flags S/SA keep state
Here I'd suggest using synproxy state.

($ext_if) translates to an IP address of the interface,
and not to all addresses on the interface, so you might get
some unexpected behaviour from these rules; watch out.
As DNA had said, "expect the unexpected" ;)

> pass in on $ext_if inet proto udp from any to ($ext_if) \
>    port $udp_services keep state
> 
> 
> pass in inet proto icmp all icmp-type $icmp_types keep state
Wrong.
Use this:
pass in on $ext_if proto icmp

If you wonder why, read OpenBSD's FAQ on pf, or just google for it.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.
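As an added example (not the ruleset from the post, nor Gergely's own config), here is the same set of services with the points raised in the thread applied: a table for the external addresses instead of relying on the ($ext_if) expansion, synproxy state on the inbound TCP services, and the ICMP rule as suggested in the reply. The interface names, the addresses in the table and the $int_if definition are assumptions made for this example.

```pf
# Added example, not the ruleset from the original post.
# Interface names and the int_if macro are assumed; the original post
# uses $int_if in its antispoof rule without defining it.
ext_if = "rl0"
int_if = "xl0"

# Table for the ~15 addresses on the external interface, so the rules
# match exactly the addresses listed here rather than whatever
# ($ext_if) expands to at evaluation time. Addresses are constructed
# from the RFC 5737 documentation range.
table <ext_addrs> const { 192.0.2.10, 192.0.2.11, 192.0.2.12 }

# 6659:6671 is an inclusive range; "6659 >< 6671" would exclude both
# end ports, which is not what "6659 through to 6671" asks for.
tcp_services = "{ 22, 80, 53, 6633, 6697, 7000, 6659:6671, 9999, 27888 }"
udp_services = "{ 53 }"

set block-policy return
set loginterface $ext_if
set skip on lo
scrub in

block in
pass out keep state
antispoof quick for { lo $int_if }

# Before (as posted): stateful, but the daemon still sees every SYN.
# pass in on $ext_if inet proto tcp from any to ($ext_if) \
#    port $tcp_services flags S/SA keep state

# After: with synproxy state, pf completes the three-way handshake
# itself and only hands a fully established connection to the IRC,
# web or DNS daemon, so half-open connections never reach the socket.
pass in on $ext_if inet proto tcp from any to <ext_addrs> \
    port $tcp_services flags S/SA synproxy state

pass in on $ext_if inet proto udp from any to <ext_addrs> \
    port $udp_services keep state

# ICMP as suggested in the reply: on the external interface, without
# restricting icmp-type to echoreq.
pass in on $ext_if proto icmp
```

Parse it without loading it first with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`.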
