Good Afternoon to All,
Jggimi,
I have read the PF FAQs that you suggested, thank you. I'm posting my pf.conf, please let me know how I can make it more efficient and more importantly that I'm interpreting everything correctly before I put my host on the net.
Code:
#================Macros======================
ext_if="bge0" # external interface
int_if="fxp0" # internal interface
dmz_if="xl0" # dmz interface (no rules reference it yet)
internal_network="192.168.2.0/24"
external_network="1xx.xx.xx.0/xx"
tcp_ports="{22, 80, 443}"
tcp_services="{22, 80, 443}" # same list as tcp_ports; neither is used in a rule yet
udp_services="{domain, ntp}" # not used in a rule yet
#================Tables======================
table <firewall> const { self } # all addresses of this host; not referenced yet
#================Options=====================
set skip on lo0
set block-policy drop
set optimization normal
set loginterface $ext_if # macros must be expanded with "$"; a bare "ext_if" is read as a literal interface name
#================Queueing=====================
#=============Filter Rules====================
block log all # default deny; later matching "pass" rules override it because the last match wins
match in all scrub (no-df)
block in quick from urpf-failed
block in from no-route to any
antispoof quick for {lo0 $int_if $ext_if}
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from {10.0.0.0/8, 172.16.0.0/12, \
192.168.0.0/16, 255.255.255.255/32} to any # private/bogon sources on the outside, logged
block return in quick on $int_if proto tcp from ! 192.168.2.1 \
to $int_if port ssh # only 192.168.2.1 may ssh to the firewall's inside address
pass in on $int_if from $internal_network
pass out on $int_if to $internal_network
pass out on $ext_if proto { tcp udp icmp } all modulate state
pass out on $ext_if from $int_if:network to any nat-to $ext_if
Does it matter what order I have placed the filtering rules in?
I have set block policy to drop; is it more secure to have it set to return instead? I have read somewhere that it consumes more resources to have it set to drop. Am I missing anything?
Your input is greatly appreciated.
Regards,...
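As an added illustration of how pf evaluates rule order (this is not part of the original post, and it is a toy model, not pfctl), the following Python script applies pf's "last matching rule wins, unless a matching rule says quick" semantics to a simplified subset of the rules above. Interface names and address ranges come from the post; the packets are constructed samples, and the Rule/Packet classes are hypothetical simplifications that ignore protocol, port and state.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str        # "block" or "pass"
    direction: str     # "in", "out" or "any"
    iface: str         # interface name or "any"
    src: str           # source CIDR or "any"
    quick: bool = False


@dataclass
class Packet:
    direction: str
    iface: str
    src: str


def matches(rule, pkt):
    """True if the (simplified) rule applies to the packet."""
    if rule.direction not in ("any", pkt.direction):
        return False
    if rule.iface not in ("any", pkt.iface):
        return False
    if rule.src != "any":
        return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
    return True


def evaluate(rules, pkt):
    """Return (rule index, action) that decides the packet.
    pf semantics: every rule is tried in order and the LAST match wins,
    except that a matching rule with 'quick' ends evaluation immediately.
    If nothing matches, pf's default is to pass."""
    winner = (None, "pass")
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            winner = (i, rule.action)
            if rule.quick:
                break
    return winner


# Constructed subset of the posted ruleset (only 10/8 kept from the bogon list).
RULES = [
    Rule("block", "any", "any", "any"),                     # block log all
    Rule("block", "in", "bge0", "10.0.0.0/8", quick=True),  # block in log quick on $ext_if from 10/8
    Rule("pass", "in", "fxp0", "192.168.2.0/24"),           # pass in on $int_if from $internal_network
    Rule("pass", "out", "bge0", "any"),                     # pass out on $ext_if ... modulate state
]


def block_all_last(rules):
    """Same rules, but with 'block log all' moved to the end (no quick)."""
    return rules[1:] + rules[:1]
```

With the default-deny rule first, inside traffic is passed by the later matching rule; moving that same "block log all" to the end (without quick) silently overrides every pass rule, which is why order matters.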