Date: Tue, 24 Mar 2009 17:47:36 +0300
From: Eric Magutu <emagutu@gmail.com>
To: freebsd-pf@freebsd.org
Subject: first firewall with pf
Message-ID: <e9cb8190903240747k714e6d52p9bc8939189c18c14@mail.gmail.com>
Hi,

I am converting some systems from Linux to FreeBSD and I'm new to pf. I wanted to run this on a live system but I'm not sure if everything is correct. Can you please advise me if it would work and if there is anything I need to add or remove to make it work? I have written the following pf.conf:

########
#Tests #
########
#check syntax of rules
# pfctl -vf /etc/pf.conf
#interpret rules but don't load
# pfctl -nf /etc/pf.conf

#############
#interfaces #
#############
ext_if="bce0"
ext_if2="bce1"

#####################
#ports to be opened #
#####################
#tcp ports
good_port_tcp="{ 22, 80, 110, 143, 161, 443, 873, 3306, 40555 }"
#udp ports
good_port_udp="{ 161, 873 }"

#############################################
#allow all connections from and to loopback #
#############################################
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

########################################################
#allow all connections out through external interfaces #
########################################################
pass out quick on $ext_if all keep state
pass out quick on $ext_if2 all keep state

##############
#Blocked ips #
##############
# 1.2.3.4 is the ip you want to block
# (pf needs the "from" keyword before a source address)
block in quick on $ext_if inet from 1.2.3.4
# 1.2.3.4/24 is the ip range you want to block
block in quick on $ext_if inet from 1.2.3.4/24

############################
#smtp connections allowed #
############################
#a.b.c.d is the server's ip
#Euro servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
#American servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
#from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep state

###################################
# pass traffic from allowed ports #
###################################
#pass traffic from allowed tcp ports
pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
#pass traffic from allowed udp ports
# (this rule must use proto udp and $good_port_udp; as posted it repeated the tcp rule)
pass in quick on $ext_if inet proto udp from any to a.b.c.d port $good_port_udp keep state

##########################################
# allow connections from NMC and servers #
##########################################
#x.x.x.x/12 are the internal ips NMC access with
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to a.b.c.d keep state
#x.x.x.x/24 are the ips for the other European servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
#x.x.x.x/24 are the ips for the American servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state

##########################
#block all other traffic #
##########################
# should be last rule
block in quick on $ext_if all

##################################################
#for any questions contact Eric#
##################################################

--
Regards,
Eric Magutu
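Added example, not from the post or from pf itself: a small Python audit that expands the pf.conf macros and tabulates which ports the "pass in" rules open per protocol, run over a constructed excerpt of the posted config. It shows why the posted UDP rule opens nothing for UDP (it repeats the tcp rule, so $good_port_udp is never referenced). The regex-based parsing is an assumption that covers only the rule shapes in this post, not pf's full grammar.

```python
import re

# Constructed excerpt of the pf.conf from the post (not the whole file). The
# second "pass in" rule keeps the defect the post has: it is meant to open the
# UDP ports but still reads "proto tcp" and "$good_port_tcp".
POSTED_CONF = """
ext_if="bce0"
good_port_tcp="{ 22, 80, 110, 143, 161, 443, 873, 3306, 40555 }"
good_port_udp="{ 161, 873 }"
pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
block in quick on $ext_if all
"""

# Same excerpt with the second rule corrected to proto udp / $good_port_udp.
FIXED_CONF = POSTED_CONF.replace(
    "proto tcp from any to a.b.c.d port $good_port_tcp keep state\nblock",
    "proto udp from any to a.b.c.d port $good_port_udp keep state\nblock")

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')
PASS_IN_RE = re.compile(r'^pass\s+in\b.*?\bproto\s+(\w+)\b.*?\bport\s+(\{[^}]*\}|\S+)')

def parse_macros(conf):
    """Collect name="value" macro definitions; comments and blank lines are skipped."""
    macros = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def audit_inbound(conf):
    """Return ({proto: set(ports)} opened by 'pass in' rules, set of macros never used)."""
    macros = parse_macros(conf)
    used, opened = set(), {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or MACRO_RE.match(line):
            continue
        used.update(re.findall(r"\$(\w+)", line))
        # Expand $macro references (unknown macros are left as written) before matching.
        expanded = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)
        m = PASS_IN_RE.match(expanded)
        if m:
            ports = {int(p) for p in re.findall(r"\d+", m.group(2))}
            opened.setdefault(m.group(1), set()).update(ports)
    return opened, set(macros) - used
```

On the posted excerpt the audit reports no UDP ports opened and good_port_udp as an unused macro; on the corrected excerpt UDP 161 and 873 appear and every macro is referenced.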