Perhaps I should post my pf.conf here for some critique and improvement. To give you an idea of what I'm working with here I have seven jails on the system, each providing a service. Everything from mail, dns, dhcp, monitoring (nagios), git, etc. I've added comments for the sake of this thread regarding what I'm attempting to do with each set of rules. Perhaps I can get some feedback on the accuracy and efficiency of this ruleset:
### MACROS
# defining the interface and each of the jails + host by hostname/address
interface = "hme0"
mohinder = "192.168.0.10"
parkman = "192.168.0.11"
peter = "192.168.0.12"
molly = "192.168.0.13"
mail = "192.168.0.14"
angela = "192.168.0.99"
claire = "192.168.0.100"
rebel = "192.168.0.200"
### TABLES
# defining my intranet/24 as secure, defining jails (which I realize is never called)
table <secure> { 192.168.0.0/24 }
table <jails> { $parkman, $peter, $molly, $mail, $angela, $claire, $rebel }
### GLOBAL OPTIONS
# skip anything on loopback, set policy to drop
# (note: block-policy only chooses how blocked packets are answered, silently
# dropped here instead of a TCP RST / ICMP unreachable; it does not make the
# ruleset default-deny, that needs an explicit block rule, see FILTER RULES)
set skip on lo0
set block-policy drop
### TRAFFIC NORMALIZATION
# normalize traffic (still a bit fuzzy on scrub)
scrub in all
### FILTER RULES
# default deny: pf passes anything no rule matches, so block everything first
# and let the later, more specific pass rules win (last match wins)
block all
# allow all outbound tcp, udp and icmp traffic
pass out quick on $interface proto { tcp, udp, icmp } all keep state
# SSH
# $claire and $rebel should be available from anywhere.
# $parkman should be available from anywhere in the LAN
# $mohinder should only be accessible from $parkman
pass in on $interface proto tcp from any to $claire port = 22222 keep state
pass in on $interface proto tcp from any to $rebel port = 2200 keep state
pass in on $interface proto tcp from <secure> to $parkman port = 22 keep state
pass in on $interface proto tcp from $parkman to $mohinder port = 22 keep state
# MAIL
# smtp/imap(s) open to anyone
pass in on $interface proto tcp from any to $mail port = 25 keep state
pass in on $interface proto tcp from any to $mail port = 143 keep state
pass in on $interface proto tcp from any to $mail port = 993 keep state
# allow mail full connectivity to itself
pass in on $interface proto { tcp, udp } from $mail to $mail keep state
# HTTPD
# https available for webmail to anyone, $angela http only available in LAN
pass in on $interface proto tcp from any to $mail port = 443 keep state
pass in on $interface proto tcp from <secure> to $angela port = 80 keep state
# DNS
# allow tcp/udp to $molly for DNS from anyone
pass in on $interface proto { tcp, udp } from any to $molly port = 53 keep state
# DHCP
# do I need this if $molly is the DHCP server? or is it covered by the outbound?
# (DHCP is UDP only, and a client that has no lease yet sends DISCOVER from
# source 0.0.0.0 to the broadcast address 255.255.255.255, so the source can
# never match <secure> and the destination is not always $molly; the server's
# replies go out and are covered by the pass out rule above)
pass in on $interface proto udp from any to { $molly, 255.255.255.255 } port = 67 keep state
(yes, my jails are named after "Heroes" characters. I have another server + jails all named after BSG characters if that is any consolation)
Thanks
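An added example, not part of the post above and not pf itself: a small Python lint that reads a ruleset written in the subset of pf.conf syntax the post uses, expands the macros, and reports the three review points a firewall reviewer would raise against it (a defined-but-unreferenced table, the absence of any block rule even though block-policy is set, and a DHCP rule whose proto/source can never match real DHCP traffic), plus an inventory of inbound services reachable from `any`. The embedded SAMPLE_CONF is a constructed, retyped subset of the poster's ruleset; the parser understands only that syntax and does not replace `pfctl -nf` (syntax check) or `pfctl -sr` (loaded rules).

```python
"""Minimal pf.conf linter for a ruleset like the one in the post.

Handles only the subset of pf.conf syntax used there: macros, tables,
'set'/'scrub' options, and pass/block rules with proto/from/to/port.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a retyped subset of the poster's ruleset (same names and
# addresses), embedded so the script runs without a pf.conf on disk.
SAMPLE_CONF = """
interface = "hme0"
parkman = "192.168.0.11"
molly = "192.168.0.13"
mail = "192.168.0.14"
claire = "192.168.0.100"
table <secure> { 192.168.0.0/24 }
table <jails> { $parkman, $molly, $mail, $claire }
set skip on lo0
set block-policy drop
pass out quick on $interface proto { tcp, udp, icmp } all keep state
pass in on $interface proto tcp from any to $claire port = 22222 keep state
pass in on $interface proto tcp from <secure> to $parkman port = 22 keep state
pass in on $interface proto tcp from any to $mail port = 25 keep state
pass in on $interface proto { tcp, udp } from any to $molly port = 53 keep state
pass in on $interface proto {tcp, udp } from <secure> to $molly port = 67 keep state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"\s]+)"?\s*$')
TABLE_RE = re.compile(r'^table\s+<(\w+)>\s*\{(.*)\}\s*$')


@dataclass
class Rule:
    action: str            # pass | block
    direction: str         # in | out | any (no direction given)
    protos: List[str]      # e.g. ['tcp', 'udp'], or ['any'] if no proto clause
    src: str               # 'any', an address, or a <table>
    dst: str
    port: Optional[str]    # destination port, or None
    text: str              # the macro-expanded rule line


@dataclass
class Conf:
    macros: Dict[str, str] = field(default_factory=dict)
    tables: Dict[str, List[str]] = field(default_factory=dict)
    rules: List[Rule] = field(default_factory=list)
    macro_uses: Dict[str, int] = field(default_factory=dict)
    table_uses: Dict[str, int] = field(default_factory=dict)


def parse_rule(line: str) -> Optional[Rule]:
    """Pull action, direction, protocols, endpoints and port out of one filter rule."""
    m = re.match(r'^(pass|block)(?:\s+(in|out))?\b', line)
    if not m:
        return None
    pm = re.search(r'\bproto\s+(?:\{([^}]*)\}|(\w+))', line)
    protos = (pm.group(1) or pm.group(2)).replace(',', ' ').split() if pm else ['any']
    fm = re.search(r'\bfrom\s+(\S+)', line)
    tm = re.search(r'\bto\s+(\S+)', line)
    pom = re.search(r'\bport\s*(?:=\s*)?(\d+)', line)
    return Rule(action=m.group(1), direction=m.group(2) or 'any', protos=protos,
                src=fm.group(1) if fm else 'any', dst=tm.group(1) if tm else 'any',
                port=pom.group(1) if pom else None, text=line)


def parse_pf(text: str) -> Conf:
    conf = Conf()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            conf.macros[m.group(1)] = m.group(2)
            continue
        # Count references before expanding, so unused definitions can be reported.
        for name in re.findall(r'\$(\w+)', line):
            conf.macro_uses[name] = conf.macro_uses.get(name, 0) + 1
        if not line.startswith('table'):           # a definition is not a use
            for name in re.findall(r'<(\w+)>', line):
                conf.table_uses[name] = conf.table_uses.get(name, 0) + 1
        line = re.sub(r'\$(\w+)', lambda mm: conf.macros.get(mm.group(1), mm.group(0)), line)
        t = TABLE_RE.match(line)
        if t:
            conf.tables[t.group(1)] = t.group(2).replace(',', ' ').split()
            continue
        if line.startswith(('set ', 'scrub ')):
            continue                               # options carry no filter semantics here
        rule = parse_rule(line)
        if rule:
            conf.rules.append(rule)
    return conf


def lint(conf: Conf) -> List[str]:
    """Findings a reviewer would raise against the ruleset, as plain strings."""
    out = [f"macro ${n} is defined but never used" for n in conf.macros if n not in conf.macro_uses]
    out += [f"table <{n}> is defined but never referenced by a rule"
            for n in conf.tables if n not in conf.table_uses]
    if not any(r.action == 'block' for r in conf.rules):
        out.append("no block rule: pf's implicit policy is pass, and 'set block-policy drop' only "
                   "selects how blocked packets are answered; add 'block all' before the pass rules")
    for r in conf.rules:
        if r.port == '67' and ('tcp' in r.protos or r.src != 'any'):
            out.append("DHCP rule cannot match clients (UDP from 0.0.0.0 to broadcast): " + r.text)
    return out


def exposed_to_any(conf: Conf) -> List[Tuple[str, str, Optional[str]]]:
    """(destination, proto, port) for every inbound pass rule whose source is 'any'."""
    return sorted((r.dst, p, r.port) for r in conf.rules
                  if r.action == 'pass' and r.direction == 'in' and r.src == 'any'
                  for p in r.protos)


if __name__ == '__main__':
    conf = parse_pf(SAMPLE_CONF)
    for finding in lint(conf):
        print('WARN:', finding)
    for dst, proto, port in exposed_to_any(conf):
        print(f'open to any: {dst} {proto}/{port}')
```

Point `parse_pf` at the contents of a real pf.conf to get the same report for it; the exposure inventory is the list to compare against what the jails are actually meant to serve to the outside, and any entry there without a matching line in the poster's SSH/MAIL/HTTPD/DNS comments is a rule to question.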