9th October 2011
Scott7 (OpenBSD / XP)
Join Date: Jan 2009
Posts: 7

PF Help 4.6 to 4.7

Hi there, I've been running my 4.6 firewall since release. I'm now going to do a fresh install.

I need a little bit of help replacing rdr with match rules etc.

Below is my edited 4.6 pf.conf for 4.9:

Code:
intIF = "rl0"
extIF = "vr0"


##### States Queues #####
synState="flags S/SA synproxy state"
tcpState="flags S/SA modulate state"
udpState="keep state"


##### Ports #####
# P2 #
p2ports = "{ 80, 20, 21, 49163:49173, 58939 }"
# ICMP #
icmpTypes = "echoreq unreach"
# PC #
pcports = "{ 58938 }"

##### LAN Info #####
# Local #
myNet = "192.168.1.0/24"
# P2 #
p2 = "192.168.1.3"
# PC #
pc = "192.168.1.2"

##### Banned #####
#fIP   = "{}"


##### Block Timeout #####
#set ruleset-optimization none
set debug urgent
set block-policy return
set optimization normal
set fingerprints "/etc/pf.os"
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }
set limit { states 100000, frags 100000, src-nodes 50000 }
set skip on lo0


##### Scrub #####
#scrub log on $extIF all random-id min-ttl 128 max-mss 1460 set-tos\
#	throughput reassemble tcp fragment reassemble


##### NAT #####
#match out on $extIF inet from $xbox360 to any -> $extIF static-port
match out on $extIF from $myNet nat-to ($extIF)


##### Block #####
block log all
antispoof log quick for { $extIF, $intIF }


##### Bans #####
#block in quick on $intIF from $fIP to any


##### PASS #####
# ICMP #
pass log inet proto icmp all icmp-type echoreq $udpState
pass log inet proto icmp all icmp-type unreach $udpState

# Allow P2 #
pass in log on $extIF inet proto tcp from any to any port $p2ports $synState
pass out log on $extIF inet proto tcp from any to any port $p2ports $synState

# Allow pc #
pass in log quick on $extIF inet proto tcp from any to $pc port $pcports
pass out log quick on $extIF inet proto tcp from $pc to port $pcports

# Allow outgoing #
pass out log on $extIF inet proto tcp all $tcpState
pass out log on $extIF inet proto { udp, icmp } all $udpState

# Allow LAN #
pass in log on $intIF from $intIF:network to any keep state
pass out log on $intIF from any to $intIF:network keep state

I'm pretty sure I'm missing some bits now, as I've removed the old rdr rules etc.

Just need some advice on what rules I need to add to my pf.conf.

Regards

Scott
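For the rdr-to-match migration asked about above, here is an added example (not the poster's config) of the OpenBSD 4.7+ forms using the macros from the ruleset; the 4.6 rdr lines in the comments are assumed, since the post does not quote the rules that were removed.

```pf
# Added example, not part of the original post. Macros ($extIF, $intIF, $p2,
# $pc, $p2ports, $pcports, $synState) are the ones defined in the ruleset above.

# Assumed 4.6 form of the removed rules:
#   rdr on $extIF proto tcp from any to ($extIF) port $p2ports -> $p2
#   pass in on $extIF inet proto tcp from any to any port $p2ports $synState

# 4.7+: rdr-to is an option on a match or pass rule, not a separate rdr rule.
# A match rule only translates; it never passes the packet by itself, so a
# pass rule must still follow. Rules evaluated after the match see the packet
# as it looks after translation, so the pass rule filters on $p2, not $extIF.
match in on $extIF inet proto tcp from any to ($extIF) port $p2ports rdr-to $p2
pass in log on $extIF inet proto tcp from any to $p2 port $p2ports $synState

# Alternatively, translate and filter in a single pass rule. Here the rule is
# written against the pre-translation destination, ($extIF).
pass in log quick on $extIF inet proto tcp from any to ($extIF) port $pcports rdr-to $pc

# With the default floating state policy, the state created on $extIF also
# matches the packet when it leaves on $intIF, so no extra outbound rule is
# needed on the LAN side; replies from $p2/$pc match the same state.
```

The nat-to line already in the ruleset (`match out on $extIF from $myNet nat-to ($extIF)`) is the 4.7+ replacement for the old `nat on $extIF ... -> ($extIF)` form, so outbound NAT needs no further change.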