Date: Thu, 7 Jan 2010 19:46:48 -0600
From: Patrick Goggins <pgoggins@carrollu.edu>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: RE: freebsd 8
Message-ID: <23E3A2C29073ED4CB8EAEA459791FD7A0868CA4C9F@CMAIL.carrollu.edu>
In-Reply-To: <40fc01eb1001071427g335634c9u1ffa8aacba1360f3@mail.gmail.com>
References: <40fc01eb1001071427g335634c9u1ffa8aacba1360f3@mail.gmail.com>
I would not recommend allowing everyone under the sun ssh access to the box. Either restrict it by outside IP if possible, and if that is not possible, at least alter the port to prevent bots.

~Patrick

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Kurt Turner
Sent: Thursday, January 07, 2010 4:27 PM
To: freebsd-pf@freebsd.org
Subject: freebsd 8

Hello all

In an effort not to create yet another insecure server on the www I'd like to ensure my pf.conf file is good and secure - will someone please review this configuration and let me know your thoughts? I only want to allow www and ssh inbound and have limited access also outbound - this is a remote web server I do not have access to at all.

TIA

#### First declare a couple of variables

# outgoing services
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43 }"
udp_services = "{ domain, ntp }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
ext_if = "re0" # Internet

#### Normalization
scrub in all

#### Start filtering

# Drop incoming everything
block in all

# Default connection refused message to client
block return

# keep state for outgoing connections
pass out keep state

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Antispoof is a common special case of filtering and blocking.
# This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if

# Block RFC 1918 addresses
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians

# Allow outgoing via ssh, smtp, domain, www, https, whois etc
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services

# Allow outgoing Trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Allow http traffic
# (only one state keyword is allowed per rule; "synproxy state" already modulates sequence numbers)
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state

# SSH
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
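The SSH restriction Patrick recommends, written out as pf rules for the poster's `re0` interface. This is an added example, not part of the thread; the `<admins>` addresses are constructed placeholders and the `<ssh_bruteforce>` table and rate limits are my own choices.

```pf
# Added example (not from the thread): limit who may reach inbound SSH on $ext_if.
ext_if = "re0"                          # interface name from the original post

# Constructed placeholder: replace with the real administrative source addresses.
table <admins> { 203.0.113.10, 198.51.100.0/24 }

# Sources that exceed the connection-rate limit below are added here;
# 'persist' keeps the (possibly empty) table across rule reloads.
table <ssh_bruteforce> persist

# Before any pass rule: log and drop anything already flagged as abusive.
block drop in log quick on $ext_if from <ssh_bruteforce>

# Option A (preferred, as Patrick suggests): SSH only from known outside IPs.
# ($ext_if) resolves to the interface's current address at runtime.
pass in on $ext_if proto tcp from <admins> to ($ext_if) port ssh \
    flags S/SA synproxy state

# Option B, if the admin addresses cannot be pinned down: keep SSH open but
# cap each source at 3 new connections per 30 seconds; offenders are added to
# <ssh_bruteforce> and all of their existing states are flushed. Moving the
# daemon to a non-default port (e.g. "port 2222" here and in sshd_config)
# can be combined with this, as Patrick's second suggestion.
# pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
#     flags S/SA synproxy state \
#     (max-src-conn-rate 3/30, overload <ssh_bruteforce> flush global)
```

Entries in `<ssh_bruteforce>` never age out by themselves; a periodic `pfctl -t ssh_bruteforce -T expire 86400` (for example from cron) removes addresses older than a day.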
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?23E3A2C29073ED4CB8EAEA459791FD7A0868CA4C9F>