Date: Thu, 26 Mar 2009 17:23:23 +0300 From: Eric Magutu <emagutu@gmail.com> To: "Michael K. Smith - Adhost" <mksmith@adhost.com> Cc: freebsd-questions@freebsd.org Subject: Re: first firewall with pf Message-ID: <e9cb8190903260723y40f12cd9s7af35670f7285627@mail.gmail.com> In-Reply-To: <17838240D9A5544AAA5FF95F8D52031605B4283F@ad-exh01.adhost.lan> References: <53529.216.241.167.212.1237911183.squirrel@webmail.pknet.net> <op.ura05ywcflcvyi@da1-desktop-x64> <17838240D9A5544AAA5FF95F8D52031605B4283F@ad-exh01.adhost.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi everyone,
Thanks for all your input so far. I have tried to implement all you
suggestions but have gotten stuck. I set up a test machine in the office
with the ip 10.0.0.110 and encountered the following problems:
when I enables antispoofing the firewall didn't work
when I tried allowing the 10.0.0.0 subnet it worked ok but when i tried
connecting from machines on the 172.16 subnet I was unable to connect.
Can you please let me know what I'm doing wrong?
#############
#interfaces #
#############
ext_if="le0"
#ext_if2="bce1"
#####################
#ports to be opened #
#####################
#tcp ports
good_port_tcp="{ 80, 110, 143, 161, 443, 873 }"
#udp ports
good_port_udp="{ 161, 873 }"
##########################
#block all other traffic #
##########################
# should be the first rule
block in on $ext_if all
################
#anti-spoofing #
################
#traffic can't come in on your IP's
#antispoof quick for { lo0 $ext_if $ext_if2 } inet
#############################################
#allow all connections from and to loopback #
#############################################
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state
########################################################
#allow all connections out through external interfaces #
########################################################
pass out quick on $ext_if all keep state
##############
#Blocked ips #
##############
#put ips or ip blocks as below
badguys="{ 192.168.1.100, 192.160.1.2, 192.168.200.0/24 }"
block in quick on $ext_if from $badguys
############################
#smtp connections allowed #
############################
#European servers
pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25
keep state
#American
pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25
keep state
#from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.0/27 to 10.0.0.110 port 25
keep state
###################################
# pass traffic from allowed ports #
###################################
#pass traffic from allowed tcp ports
pass in on $ext_if inet proto tcp from any to 10.0.0.110 port $good_port_tcp
keep state
#pass traffic from allowed udp ports
pass in on $ext_if inet proto tcp from any to 10.0.0.110 port $good_port_tcp
keep state
##########################################
# allow connections from NMC and servers #
##########################################
#my ip
pass in quick on $ext_if inet proto { tcp, udp, icmp } from 10.0.0.58 to
10.0.0.110 keep state
#172.16.0.0/12 are the ips NMC access with
pass in on $ext_if inet proto { tcp, udp, icmp } from 172.16.0.0/8 to
10.0.0.110 keep state
##################
# enable logging #
##################
block in log on $ext_if
# to view log run command below
#tcpdump -n -e -ttt -i pflog0
##################################################
#for any questions contact me#
##################################################
On Tue, Mar 24, 2009 at 8:00 PM, Michael K. Smith - Adhost <
mksmith@adhost.com> wrote:
> I also forgot to mention:
>
> You should probably log your block rule so that you can see what's going on
> if things don't work as expected.
>
> So:
>
> block in log on $ext_if
>
> Note the lack of "quick" as well, as previously mentioned.
>
> With logging enabled, provided you have pflog running (which you should),
> you can use the following to see what's being blocked.
>
> tcpdump -n -e -ttt -i pflog0 (provided pflog0 is your pflog interface).
>
> Regards,
>
> Mike
>
--
Regards,
Eric Magutu
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?e9cb8190903260723y40f12cd9s7af35670f7285627>