Date:      Tue, 24 Mar 2009 17:47:36 +0300
From:      Eric Magutu <emagutu@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   first firewall with pf
Message-ID:  <e9cb8190903240747k714e6d52p9bc8939189c18c14@mail.gmail.com>

Hi,
I am converting some systems from Linux to FreeBSD and I'm new to pf. I
wanted to run this on a live system but I'm not sure if everything is
correct. Can you please advise me if it would work and if there is anything
I need to add or remove to make it work. I have written the following
pf.conf:


########
#Tests #
########

#parse the rules and load them, printing each rule as it is loaded
# pfctl -vf /etc/pf.conf
#parse the rules only (syntax check) without loading them
# pfctl -nf /etc/pf.conf

#############
#interfaces #
#############
ext_if="bce0"
ext_if2="bce1"

#####################
#ports to be opened #
#####################

#tcp ports
good_port_tcp="{ 22, 80, 110, 143, 161, 443, 873, 3306, 40555 }"
#udp ports
good_port_udp="{ 161, 873  }"

#############################################
#allow all connections from and to loopback #
#############################################

pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

########################################################
#allow all connections out through external interfaces #
########################################################

pass out quick on $ext_if all keep state
pass out quick on $ext_if2 all keep state



##############
#Blocked ips #
##############
# 1.2.3.4 is the ip you want to block
# (pf needs "from ... to ..." or "all"; a bare address is a syntax error)
block in quick on $ext_if inet from 1.2.3.4 to any

# 1.2.3.4/24 is the ip range you want to block
block in quick on $ext_if inet from 1.2.3.4/24 to any



############################
#smtp connections allowed  #
############################
#a.b.c.d is the server's ip
#Euro servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state

#American servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state

#from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep state


###################################
# pass traffic from allowed ports #
###################################


#pass traffic from allowed tcp ports
pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state

#pass traffic from allowed udp ports
#(the original rule repeated "proto tcp" and $good_port_tcp, so no udp was ever allowed)
pass in quick on $ext_if inet proto udp from any to a.b.c.d port $good_port_udp keep state

##########################################
# allow connections from NMC and servers #
##########################################

#x.x.x.x/12 are the internal ips NMC access with
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to a.b.c.d keep state

#x.x.x.x/24 are the ips for the other European servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state

#x.x.x.x/24 are the ips for the American servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state


##########################
#block all other traffic #
##########################

# should be last rule

block in quick on $ext_if all



##################################################
#for any questions contact Eric#
##################################################

-- 
Regards,
Eric Magutu
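To check how the posted ruleset actually behaves before loading it on a live box, here is a small model of pf's rule evaluation written for this thread (an added example, not part of the original post and not pf's own code). It encodes the inbound rules above with constructed placeholder addresses standing in for a.b.c.d and x.x.x.x, and shows two things the ruleset does that the comments do not say: the "udp" section as posted only matches tcp, and traffic arriving on $ext_if2 is never blocked because the final block rule names only $ext_if.

```python
import ipaddress

# pf semantics: the LAST matching rule decides, unless a matching rule carries
# "quick", which ends evaluation at once; if no rule matches the packet passes.
# All addresses below are constructed placeholders (a.b.c.d -> SERVER, etc.).
SERVER = "203.0.113.10"
TCP_PORTS = {22, 80, 110, 143, 161, 443, 873, 3306, 40555}   # $good_port_tcp
UDP_PORTS = {161, 873}                                        # $good_port_udp


def rule(action, iface, proto=None, src="0.0.0.0/0", dst="0.0.0.0/0", ports=None, quick=True):
    """One pf filter rule; proto=None and ports=None mean 'any'."""
    proto = {proto} if isinstance(proto, str) else proto
    return dict(action=action, iface=iface, proto=proto, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), ports=ports, quick=quick)


# Inbound rules of the posted pf.conf, in file order ("pass out" rules omitted).
POSTED = [
    rule("block", "bce0", src="192.0.2.4/32"),                              # blocked ip
    rule("pass", "bce0", "tcp", src="198.51.100.0/26", dst=SERVER, ports={22}),
    rule("pass", "bce0", "tcp", dst=SERVER, ports=TCP_PORTS),               # tcp ports
    rule("pass", "bce0", "tcp", dst=SERVER, ports=TCP_PORTS),               # "udp" section as posted
    rule("pass", "bce0", {"tcp", "udp", "icmp"}, src="10.0.0.0/12", dst=SERVER),  # NMC
    rule("block", "bce0"),                                                  # last rule: bce0 only
]

# Same ruleset with the udp section corrected to proto udp / $good_port_udp.
FIXED = POSTED[:3] + [rule("pass", "bce0", "udp", dst=SERVER, ports=UDP_PORTS)] + POSTED[4:]


def matches(r, pkt):
    return (r["iface"] == pkt["iface"]
            and (r["proto"] is None or pkt["proto"] in r["proto"])
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and (r["ports"] is None or pkt.get("port") in r["ports"]))


def evaluate(rules, pkt):
    """Return 'pass' or 'block' for an inbound packet under pf's quick/last-match rules."""
    verdict = "pass"                      # pf's implicit default with no match
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict


def pkt(iface, proto, src, port=None):
    """Constructed inbound packet addressed to the server."""
    return {"iface": iface, "proto": proto, "src": src, "dst": SERVER, "port": port}
```

Running `evaluate(POSTED, pkt("bce1", "tcp", "203.0.113.200", 25))` returns "pass", which is the $ext_if2 gap; a matching `block in quick on $ext_if2 all` would close it.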


