#6
22nd March 2011
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

Without a network topology and a description of the security policy your rules are supposed to implement, it is rather difficult to give meaningful/correct tips and/or advice.

Code:
# Allow all vpn data
pass in quick on em1 inet proto udp from any to any port = 500
pass in quick on em1 inet proto esp from any to any

pass out on em1 inet proto esp from any to any
pass out on em1 inet proto tcp all flags S/SA keep state
pass out on em1 inet proto udp from any to any port = 500
pass out on em1 inet proto esp from any to any
pass out on em1 inet proto udp all keep state
pass out on em1 inet proto icmp all keep state
What are you trying to accomplish here? Only allow incoming VPN connections in the first 2 rules, and passing out the return traffic in the remaining ones?

Or only allow outgoing VPN connections?

Why don't you use quick on the pass out rules as well?

Some rules say keep state, or flags S/SA keep state, but some don't. That is not consistent.
If you want stateful connections, you don't have to specify keep state anymore. Stateful connections have been the default in pf for quite some time.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 22nd March 2011 at 09:33 AM.
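As an added illustration of the three points raised in this post (pass out rules without quick, inconsistent use of keep state, and a rule that appears twice), here is a small linter that reads a pf.conf fragment and reports those inconsistencies. It is example code written for this page, not part of the original post and not part of OpenBSD's pf; the ruleset it checks is the one quoted above, embedded inline as sample input, and the rule names ("no-quick", "mixed-keep-state", "duplicate") are this script's own.

```python
"""Minimal pf.conf consistency linter (added example, not OpenBSD code).

It flags:
  no-quick          a 'pass' rule without 'quick'; without quick pf keeps
                    evaluating and the *last* matching rule decides, so a later
                    block rule can silently override the intended pass
  mixed-keep-state  explicit 'keep state' on some pass rules but not others;
                    pf has been stateful by default since OpenBSD 4.1, so the
                    explicit form is redundant and the mixture hides intent
  duplicate         a rule that appears verbatim more than once
"""
import re
from collections import Counter

# Constructed sample input: the ruleset quoted in the post above.
SAMPLE_RULES = """\
# Allow all vpn data
pass in quick on em1 inet proto udp from any to any port = 500
pass in quick on em1 inet proto esp from any to any

pass out on em1 inet proto esp from any to any
pass out on em1 inet proto tcp all flags S/SA keep state
pass out on em1 inet proto udp from any to any port = 500
pass out on em1 inet proto esp from any to any
pass out on em1 inet proto udp all keep state
pass out on em1 inet proto icmp all keep state
"""


def parse_rules(text):
    """Return the rule lines of a pf.conf fragment, comments stripped and
    whitespace normalised, so that textually equal rules compare equal."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing/full-line comments
        if line:
            rules.append(re.sub(r"\s+", " ", line))
    return rules


def lint(text):
    """Return a list of (kind, rule) findings for the given pf.conf text."""
    rules = parse_rules(text)
    findings = []

    pass_rules = [r for r in rules if r.startswith("pass ")]

    # 1. pass rules that do not terminate evaluation with 'quick'
    for r in pass_rules:
        if " quick " not in r:
            findings.append(("no-quick", r))

    # 2. explicit 'keep state' on only part of the pass rules
    with_state = [r for r in pass_rules if "keep state" in r]
    without_state = [r for r in pass_rules if "keep state" not in r]
    if with_state and without_state:
        for r in with_state:
            findings.append(("mixed-keep-state", r))

    # 3. rules repeated verbatim (here: the second 'pass out ... proto esp' line)
    for r, count in Counter(rules).items():
        if count > 1:
            findings.append(("duplicate", r))

    return findings


def summarize(text):
    """Count findings per kind, e.g. {'no-quick': 6, 'mixed-keep-state': 3, 'duplicate': 1}."""
    return dict(Counter(kind for kind, _ in lint(text)))


if __name__ == "__main__":
    for kind, rule in lint(SAMPLE_RULES):
        print(f"{kind:17s} {rule}")
    print(summarize(SAMPLE_RULES))
```

Run on the ruleset from the post, it reports six pass out rules without quick, three rules carrying a redundant keep state, and the esp rule that is listed twice; a ruleset written consistently (quick on every pass rule, no explicit keep state, no repeats) produces no findings.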