Date:      Thu, 7 Jan 2010 16:27:20 -0600
From:      Kurt Turner <kturner@absolutenetworks.biz>
To:        freebsd-pf@freebsd.org
Subject:   freebsd 8
Message-ID:  <40fc01eb1001071427g335634c9u1ffa8aacba1360f3@mail.gmail.com>

Hello all

In an effort not to create yet another insecure server on the www I'd like
to ensure my pf.conf file is good and secure - will someone please review
this configuration and let me know your thoughts?

I only want to allow www and ssh inbound and have limited access also
outbound - this is a remote web server I do not have access to at all. TIA

#### First declare a couple of variables ####
# outgoing services
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43 }"
udp_services = "{ domain, ntp }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
ext_if = "re0" # Internet

#### Normalization
scrub in all

#### Start filtering
# Drop incoming everything
block in all

# Default connection refused message to client
block return

# keep state for outgoing connections
pass out keep state

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Antispoof is a common special case of filtering and blocking. This
# mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if

# Block RFC 1918 addresses
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians

# Allow outgoing via ssh, smtp, domain, www, https, whois etc
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services

# Allow outgoing traceroute
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Allow http traffic
# (only one state keyword is allowed per rule; "synproxy state" already
# includes the behaviour of "modulate state", so "synproxy modulate state"
# does not parse)
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
# SSH
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state



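To see what the posted policy actually lets through, here is an added example (not from the mail or from pf itself) that models pf's evaluation order, last matching rule wins unless a matching rule is "quick", over a hand-transcribed copy of the rules above. It assumes a single external interface, ignores TCP flags and the urpf-failed/antispoof rules, and uses constructed packets with documentation-range addresses.

```python
import ipaddress

# Networks copied from the poster's $martians macro.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/4")]

# The mail's rules transcribed by hand in pf.conf order, as tuples:
# (action, direction or None for both, quick, proto, src_nets, dst_nets, dst_ports),
# None meaning "any". Interface, flags and the urpf-failed/antispoof rules,
# which need route state, are left out of this model.
RULES = [
    ("block", "in",  False, None,  None,     None,     None),   # block in all
    ("block", None,  False, None,  None,     None,     None),   # block return
    ("pass",  "out", False, None,  None,     None,     None),   # pass out keep state
    ("block", "in",  True,  None,  MARTIANS, None,     None),   # martians, inbound
    ("block", "out", True,  None,  None,     MARTIANS, None),   # martians, outbound
    ("pass",  "out", False, "tcp", None, None, {22, 25, 53, 80, 443, 123, 43}),
    ("pass",  "out", False, "udp", None, None, {53, 123}),
    ("pass",  "out", False, "udp", None, None, set(range(33434, 33626))),
    ("pass",  "in",  False, "tcp", None, None, {80}),   # www
    ("pass",  "in",  False, "tcp", None, None, {22}),   # ssh
]

def _in_nets(addr, nets):
    return nets is None or any(addr in net for net in nets)

def matches(rule, pkt):
    _, direction, _, proto, src_nets, dst_nets, ports = rule
    return ((direction is None or direction == pkt["dir"])
            and (proto is None or proto == pkt["proto"])
            and _in_nets(pkt["src"], src_nets)
            and _in_nets(pkt["dst"], dst_nets)
            and (ports is None or pkt["dport"] in ports))

def verdict(rules, pkt):
    """pf semantics: the last matching rule wins, except that a matching
    'quick' rule ends evaluation at once; with no match pf passes."""
    winner = "pass"
    for rule in rules:
        if matches(rule, pkt):
            winner = rule[0]
            if rule[2]:          # quick
                break
    return winner

def packet(direction, proto, src, dst, dport):
    """Constructed sample packet; addresses are from documentation ranges."""
    return {"dir": direction, "proto": proto, "dport": dport,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}
```

Running it shows inbound tcp/80 and tcp/22 pass and other inbound ports are blocked, but outbound tcp/8080 also comes back as "pass": the catch-all "pass out keep state" is the last match for any outbound port not in $tcp_services, so the outbound service lists do not actually limit anything.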
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40fc01eb1001071427g335634c9u1ffa8aacba1360f3>