Date:      Fri, 22 Jan 2010 10:45:17 +0100
From:      Erik Norgaard <norgaard@locolomo.org>
To:        kalin m <kalin@el.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: pf rules
Message-ID:  <4B5973AD.8070603@locolomo.org>
In-Reply-To: <4B594FC0.3010200@el.net>
References:  <4B594FC0.3010200@el.net>

kalin m wrote:
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
> 
> set skip on lo
> scrub in
> 
> antispoof for eth0 inet
> 
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh

To debug pf rules:

- always add direction to the rule, pass or block, add interface to all
   rules except default policy, keep state on all pass rules
- group your rules per direction, then per interface
- add log to all rules and watch pflog to see which rule blocks or
   passes traffic.
- use keyword quick for any decisive rule
- check the parsing of your ruleset, pfctl -sr

then come back and ask for help.

BR, Erik


-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
