19th April 2012
whispersGhost
Help with my pf rule please

I am not too happy with how my rules are working.

What I would like is this:

1) My web server to work

2) Block any other traffic in or out

3) My block ping ruleset to actually work

Can someone please fix this for me? Maybe the order is wrong, I am not sure.

I do know that if I uncomment out my rules for my web server it still works from another networked machine, as long as (pass to keep state is enabled) down below.

When I disable pass I can't access my server even if I uncomment my web server rules.

OK, I have like 3 wired machines at home. This is the main one.

Modem----->Router---->(Vonage-Phone adapter)--->Networked machine 192.158.0.69----OpenBSD

I have a little understanding about macros, but not too much with tables yet.

Here is a copy of my ruleset:
Code:
#	$OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
#- in /etc/sysctl.conf if packets are to be forwarded between interfaces.


server = 192.158.0.69
ext_if = "lo0"
int_if = "r10"

# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# Here is my web server. This rule does not seem to work; even if I comment it out, the server is reachable when "pass" (to establish state) is on.
pass in on $ext_if proto tcp from any to $ext_if port 7008 \
rdr-to $server port 7008

# anchor for relayd(8)
#anchor "relayd/*"

set block-policy return
set loginterface $ext_if
set skip on lo0

# Supposed to stop ping, but from a networked PC it is not blocking
block in on $ext_if inet proto icmp all

block in all

#to establish to keep state
pass 		# to establish keep-state

antispoof for $ext_if
antispoof for $int_if
set block-policy return

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp

#block in quick from urpf-failed to any	# use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
__________________
The journey is better than the destination

Last edited by ocicat; 19th April 2012 at 09:29 AM. Reason: Please use [code]/[/code] tags when posting code.
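A ruleset that meets the three goals above, added here as an example and not the poster's file or an answer from the thread. It assumes the OpenBSD box has a single NIC (named rl0 here as a placeholder; check ifconfig(8)) that `ext_if` should point at rather than lo0, since `set skip on lo0` removes lo0 from filtering entirely, and that 192.158.0.69 from the post is that box's own address. Because pf applies the last matching rule unless a rule says `quick`, the default block is placed first and the narrow pass rules follow it.

```pf
# Added example ruleset, not the poster's file. The interface name rl0 is a
# placeholder; the box's own address is taken from the post.
ext_if = "rl0"
server = "192.158.0.69"
web_port = "7008"

set block-policy return
set loginterface $ext_if
set skip on lo0        # skip filtering on loopback only; never use lo0 as $ext_if

# Goal 2: default deny in and out. pf uses last-matching-rule semantics, so
# this comes before the narrow pass rules, and no bare "pass" may follow it
# (a bare "pass" matches everything and cancels the block).
block all

# Discard packets whose source address cannot belong on this interface.
antispoof quick for $ext_if

# Goal 3: refuse ICMP (echo requests included) on the external interface.
# "drop" makes the silent discard explicit so a ping simply times out, and
# "quick" makes this rule final regardless of any later pass rule.
block drop in quick on $ext_if inet proto icmp all

# Goal 1: the web server. The host itself is the server, so no rdr-to is
# needed; "log" makes each new connection visible on pflog0 for review.
pass in log on $ext_if proto tcp from any to $server port $web_port

# Let the box itself start outbound connections (DNS, package updates).
# Delete this line for a literal "nothing else out": state tracking is on by
# default since OpenBSD 4.1, so replies from the web server still get out.
pass out on $ext_if proto { tcp udp } from $server to any

# Keep the stock default: no remote X11 connections.
block in on ! lo0 proto tcp to port 6000:6010
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm the loaded order with `pfctl -sr`.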