Quote:
Originally Posted by s0xxx
Mine is actually quite extensive...
Code:
block in log
pass out all
s0xxx, even though I advocate exactly the same pf.conf to novice users, the truth is that the second rule you have is actually very dangerous. In the real world you have to filter outgoing traffic as well, even if you are the only user of the computer. Now, a more sane pf.conf than the one proposed above would be something like
Code:
ext_if = "rl0"
# Outbound destination ports that are allowed; names are resolved via /etc/services
tcp_services = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
udp_services = "{domain, ntp}"
set skip on lo
set loginterface $ext_if
scrub in all random-id fragment reassemble
# Default deny in both directions; blocked inbound traffic is logged and answered
# with a TCP RST / ICMP unreachable instead of being silently dropped
block return in log all
block out all
antispoof quick for $ext_if
# Only the listed services may leave. pass rules keep state by default on
# OpenBSD 4.1+ / FreeBSD 7+, so replies are let back in; older pf needs "keep state"
pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services
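The difference between the two rulesets comes down to pf's evaluation order: rules are walked top to bottom, the last matching rule wins, and `quick` stops the walk at the first match. The following is an added illustration, not part of either post and not pf itself: a small Python model of that subset of pf.conf semantics (macros, `block`/`pass`, direction, interface, `proto`, `port` lists and `quick`) that takes both rulesets verbatim and reports what happens to a given packet. The `SERVICES` table is a constructed subset of /etc/services so the script runs offline; `decide()` is a hypothetical helper; state tracking, addresses, `scrub` and `antispoof` are deliberately ignored, so it answers only "which rule decides this packet", not everything pf would do.

```python
"""Toy model of pf.conf rule evaluation: macros, block/pass, direction,
interface, proto, port lists, quick, last-match-wins.  Added example only."""
import re
import socket

# Constructed subset of /etc/services so the example needs no system database.
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "www": 80, "ntp": 123,
            "https": 443, "imaps": 993}

# The two rulesets from the thread, verbatim.
LOOSE_RULESET = """
block in log
pass out all
"""

PROPOSED_RULESET = """
ext_if="rl0"
tcp_services = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
udp_services= "{domain, ntp}"
set skip on lo
set loginterface $ext_if
scrub in all random-id fragment reassemble
block return in log all
block out all
antispoof quick for $ext_if
pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services
"""


def port_number(token):
    """Resolve a numeric port or a service name (table first, then the OS)."""
    if token.isdigit():
        return int(token)
    if token in SERVICES:
        return SERVICES[token]
    return socket.getservbyname(token)


def parse_rule(tokens):
    """Turn one tokenised block/pass line into its match criteria."""
    rule = {"action": tokens[0], "direction": None, "iface": None,
            "proto": None, "ports": None, "quick": False}
    i = 1
    while i < len(tokens):
        t = tokens[i]
        if t in ("in", "out"):
            rule["direction"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t == "on":
            i += 1
            rule["iface"] = tokens[i]
        elif t == "proto":
            i += 1
            rule["proto"] = tokens[i]
        elif t in ("from", "to"):
            i += 1          # address part; only "any" occurs here, so it is skipped
        elif t == "port":
            i += 1
            if tokens[i] == "{":
                j = tokens.index("}", i)
                rule["ports"] = {port_number(p) for p in tokens[i + 1:j]}
                i = j
            else:
                rule["ports"] = {port_number(tokens[i])}
        # "return", "log" and "all" do not change what the rule matches
        i += 1
    return rule


def parse_ruleset(text):
    """Collect macros, expand them, and keep only block/pass rules."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m:                                   # macro definition
            macros[m.group(1)] = m.group(2).strip()
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        tokens = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
        if tokens[0] in ("block", "pass"):      # set/scrub/antispoof: ignored here
            rules.append(parse_rule(tokens))
    return rules


def decide(ruleset_text, direction, iface, proto, dport):
    """Last matching rule wins; 'quick' ends evaluation; no match means pass."""
    verdict = "pass"
    for r in parse_ruleset(ruleset_text):
        if (r["direction"] in (None, direction) and r["iface"] in (None, iface)
                and r["proto"] in (None, proto)
                and (r["ports"] is None or dport in r["ports"])):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict


if __name__ == "__main__":
    for name, rs in (("loose", LOOSE_RULESET), ("proposed", PROPOSED_RULESET)):
        for pkt in (("out", "rl0", "tcp", 6667), ("out", "rl0", "tcp", 443),
                    ("out", "rl0", "udp", 53), ("in", "rl0", "tcp", 22)):
            print(f"{name:8s} {pkt[0]:3s} {pkt[2]}/{pkt[3]:<5d} -> {decide(rs, *pkt)}")
```

With the loose ruleset an outbound connection to tcp/6667 (or anything else) is passed; with the proposed one it is caught by `block out all` and never rescued, while tcp/443 and udp/53 hit a `pass out quick` rule and leave. Inbound tcp/22 is blocked under both. On a real system the equivalent check is `pfctl -nf /etc/pf.conf` for syntax followed by `pfctl -sr` and `pfctl -vsr` to read back the loaded rules and their hit counters.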
Quote:
Originally Posted by s0xxx
Very good reading indeed. I especially liked the optimization article.