25th November 2012
Trihexagonal

Mine is basically the same as everyone else's:

Code:
### macro name for external interface.
ext_if = "fxp0"
netbios_tcp = "{ 13, 22, 23, 37, 107, 111, 113, 512, 513, 514 }"

### Pass loopback
set skip on lo

### Reassemble fragmented packets
match in all scrub (no-df)

### Default deny everything rule
block log all

### Block spoofy
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block specific ports
block in on ! lo0 proto tcp to port 6000:6010
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

I scanned my OpenBSD machine from my FreeBSD box on the LAN, and it showed TCP ports 13, 37, and 113 open by default on my installation, so I added those to the ports I normally block. I didn't see where to disable those services, so I just blocked the ports. I don't use SSH, so I have TCP 22 blocked as well.

I'm behind a pfSense hardware firewall, so running pf on my machines may be somewhat redundant, but I wouldn't have it any other way, unlike some people who claim a firewall isn't necessary if you don't have any open ports and don't see the benefits of not responding to ping or returning a stealth status when scanned.
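As an added example that is not part of the original post: a small Python helper that expands the pf macros and `{ ... }` port lists from the ruleset above and reports which ports seen open in a scan are matched by an explicit inbound `block ... proto tcp` rule, as opposed to being caught only by the default `block log all`. The ruleset string is taken from the post; the set of observed open ports is constructed for illustration.

```python
import re

# Subset of the ruleset posted above (macros plus the port-based block rules).
PF_CONF = """
ext_if = "fxp0"
netbios_tcp = "{ 13, 22, 23, 37, 107, 111, 113, 512, 513, 514 }"
block log all
block in on ! lo0 proto tcp to port 6000:6010
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
"""

def parse_macros(conf):
    """Collect pf `name = "value"` macro definitions into a dict."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', conf, re.M))

def expand(text, macros):
    """Replace $name references with their macro values (unknown names kept)."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)

def parse_ports(spec):
    """Turn a pf port spec ('22', '6000:6010', '{ 13, 22 }') into a set of ints."""
    ports = set()
    for item in re.split(r'[\s,{}]+', spec.strip()):
        if item:
            lo, _, hi = item.partition(':')      # 'a:b' is an inclusive range
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def explicit_tcp_blocks(conf):
    """Map each port to the first inbound TCP block rule that names it."""
    macros, blocked = parse_macros(conf), {}
    for line in conf.splitlines():
        line = expand(line.strip(), macros)
        if not line.startswith('block in') or 'proto tcp' not in line:
            continue
        m = re.search(r'\bport\s+(\{[^}]*\}|\S+)', line)
        if m:
            for p in parse_ports(m.group(1)):
                blocked.setdefault(p, line)
    return blocked

def check_scan(conf, open_ports):
    """Split scanned-open ports into explicitly blocked vs default-deny only."""
    blocked = explicit_tcp_blocks(conf)
    explicit = {p: blocked[p] for p in open_ports if p in blocked}
    default_only = sorted(p for p in open_ports if p not in blocked)
    return explicit, default_only

if __name__ == "__main__":
    OBSERVED = {13, 37, 113, 6005, 5900}          # constructed scan result
    explicit, default_only = check_scan(PF_CONF, OBSERVED)
    for port, rule in sorted(explicit.items()):
        print(f"{port:>5}  explicit: {rule}")
    print("covered only by 'block log all':", default_only)
```

Ports listed under the default rule are still dropped, but without a per-port `quick log` rule they only show up in the pflog output through the catch-all rule.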