Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 15 Dec 2009 19:59:23 -0500
From:      David Mehler <dave.mehler@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   new firewall config
Message-ID:  <78e0dabc0912151659h5d2a9bd4i5a0c4f5a1ff69884@mail.gmail.com>
next in thread | raw e-mail | index | archive | help 
Hello,
I'm writing a new firewall for an 8.0 machine. It's a gateway box, it
runs an ftp proxy, dhcp and dns services and ntp. It also routes.
Other than that it should block everything else. I've got the below
rules, and am wondering since it works if it's the most efficient it
can be or if there are any holes in it?
Comments appreciated.
Thanks.
Dave.

# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.

ext_if="em0"	# replace with actual external interface name i.e., dc0
int_if="em1"	# replace with actual internal interface name i.e., dc1
internal_net="192.168.5.0/24"
tcp_services="{ ftp-data, ftp, ssh, domain, http, pop3, https, 1503,
1863, 3389, 5999, 7001, 8000, 8080 }"
udp_services="{ 9, domain, bootps, ntp, 7001 }"
icmp_types = "echoreq"

set optimization normal
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0

scrub in all

nat on $ext_if from $internal_net to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 \
         port 8021

antispoof for $ext_if
antispoof for $int_if

block all
anchor "ftp-proxy/*"
pass out proto tcp from 127.0.0.1 to any port 21 keep state
pass quick inet proto tcp to any port $tcp_services flags S/SA keep state
pass quick inet proto { tcp, udp } to any port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass inet proto icmp all icmp-type unreach code needfrag keep state

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass inet proto udp from any to any \
             port 33433 >< 33626 keep state

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?78e0dabc0912151659h5d2a9bd4i5a0c4f5a1ff69884>