#2, 29th January 2009
BSDfan666
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

Having a macro named $ssh is unnecessary; service names listed in /etc/services are perfectly acceptable substitutes for port numbers.

pass quick on lo0 all is redundant; you already tell pf to ignore local traffic.

I like keeping the block and pass rules separate... block rules first, pass rules after.
Code:
# internet connected interface
ext_if="gem0"

table <ssh-violations> persist file "/etc/ssh-violations"
table <martians> const persist { 127/8, 192.168/16, 172.16/12, 10/8, 0/8, \
169.254/16, 192.0.2/24, 240/4 }

# options
set block-policy drop
set loginterface $ext_if
set skip on lo0

# scrub
scrub in on $ext_if all

# antispoof
antispoof for $ext_if

# catch-all
block in log all
block out all

# block evil people
block in log quick from <ssh-violations> to any
block in quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>

# allow ssh connections
pass in on $ext_if proto tcp from any to any port ssh

# AMule incoming
pass in on $ext_if proto tcp from any to any port 4662 user amule
pass in on $ext_if proto udp from any to any port 4665 user amule
pass in on $ext_if proto udp from any to any port 4672 user amule

# pass out all traffic
pass out on $ext_if inet all
Hope it helps. I do recommend reading the OpenBSD pf FAQ, and perhaps buying Peter NM Hansteen's new PF book.
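Added example, not part of BSDfan666's post or of OpenBSD: the "block first, pass after" layout above works because pf takes the last matching rule unless an earlier match carries quick, and because pf's implicit default when nothing matches is pass. The toy evaluator below models just those semantics (plus set skip) for the handful of keywords the posted ruleset uses, so you can see which rule actually decides a given packet. The packets, the ssh-violations entry and the 203.0.113.0/24 / 198.51.100.0/24 addresses are constructed samples; the short CIDR forms from the post (192.168/16) are written out in full because Python's ipaddress module does not accept the abbreviation.

```python
import ipaddress
import re

# Macros, tables and service lookup from the posted ruleset.  The
# ssh-violations table is file-backed in the post; one constructed
# entry stands in for it here.
MACROS = {"ext_if": "gem0"}
TABLES = {
    "martians": ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
                 "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "240.0.0.0/4"],
    "ssh-violations": ["198.51.100.7/32"],          # constructed sample entry
}
SERVICES = {"ssh": 22}          # stand-in for the /etc/services lookup
SKIP_IFACES = {"lo0"}           # ``set skip on lo0``: not filtered at all

# The filter rules from the post, in their original order.
RULES = [
    "block in log all",
    "block out all",
    "block in log quick from <ssh-violations> to any",
    "block in quick on $ext_if from <martians> to any",
    "block out quick on $ext_if from any to <martians>",
    "pass in on $ext_if proto tcp from any to any port ssh",
    "pass in on $ext_if proto tcp from any to any port 4662 user amule",
    "pass in on $ext_if proto udp from any to any port 4665 user amule",
    "pass in on $ext_if proto udp from any to any port 4672 user amule",
    "pass out on $ext_if inet all",
]


def parse_rule(text):
    """Reduce one rule line to the fields this toy evaluator understands."""
    toks = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], text).split()
    rule = {"action": toks[0], "dir": toks[1], "quick": "quick" in toks,
            "iface": None, "proto": None, "src": "any", "dst": "any",
            "port": None, "user": None}
    i = 2
    while i < len(toks):
        key, val = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if key == "on":
            rule["iface"] = val
        elif key == "proto":
            rule["proto"] = val
        elif key == "from":
            rule["src"] = val
        elif key == "to":
            rule["dst"] = val
        elif key == "port":
            rule["port"] = SERVICES.get(val) or int(val)
        elif key == "user":
            rule["user"] = val
        else:                    # log, inet, all, quick: keywords without operand
            i += 1
            continue
        i += 2
    return rule


def addr_matches(spec, addr):
    """spec is 'any', a <table> name, or a literal network."""
    if spec == "any":
        return True
    nets = TABLES[spec.strip("<>")] if spec.startswith("<") else [spec]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(packet, rules=RULES):
    """Return (verdict, deciding rule) for a constructed packet dict.

    Skipped interfaces are never filtered; otherwise the LAST matching rule
    wins unless a matching rule says ``quick``; with no match at all pf's
    implicit default is pass, which is why the post blocks everything first.
    """
    if packet["iface"] in SKIP_IFACES:
        return "pass", "set skip on " + packet["iface"]
    verdict, winner = "pass", "(implicit default: no rule matched)"
    for text in rules:
        r = parse_rule(text)
        if (r["dir"] != packet["dir"]
                or (r["iface"] and r["iface"] != packet["iface"])
                or (r["proto"] and r["proto"] != packet.get("proto"))
                or (r["port"] is not None and r["port"] != packet.get("dport"))
                or (r["user"] and r["user"] != packet.get("user"))  # local socket owner
                or not addr_matches(r["src"], packet["src"])
                or not addr_matches(r["dst"], packet["dst"])):
            continue
        verdict, winner = r["action"], text
        if r["quick"]:
            break
    return verdict, winner


if __name__ == "__main__":
    # Constructed packets: one legitimate ssh connection, one from a martian source.
    for p in [{"dir": "in", "iface": "gem0", "proto": "tcp", "src": "203.0.113.5",
               "dst": "198.51.100.1", "dport": 22},
              {"dir": "in", "iface": "gem0", "proto": "tcp", "src": "10.0.0.5",
               "dst": "198.51.100.1", "dport": 22}]:
        print(p["src"], "->", p["dst"], p["dport"], "=>", evaluate(p))
```

Two things the toy deliberately mirrors from pf: the user keyword matches the owner of the local socket (here the amule daemon), not anything in the packet, so an inbound connection to 4662 that no amule socket is listening on falls back to the catch-all block; and the martians rules carry quick, so a packet from 10.0.0.5 is blocked regardless of the later pass in rule for ssh. The real check for a ruleset is still pfctl -nf /etc/pf.conf, which parses it without loading.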