17th February 2010
J65nko
Administrator
My remarks

Code:
# --- Macro definitions

ethernet = "fxp0"

# outside visible services
services = "{ auth, ntp, rpc }"

set skip on lo0         # don't filter the loopback device
set block-policy return # blocked TCP gets a RST, blocked UDP an ICMP UNREACHABLE, the rest is silently dropped

# --- fix packets

match in all scrub (no-df)

# --- INCOMING traffic

#  incoming ping and traceroute (ICMP)
pass in quick on $ethernet inet proto icmp from any to any icmp-type { \
     echorep, echoreq, timex, unreach }

# not active; note the interface macro is $ethernet (there is no $external macro)
# pass in quick on $ethernet inet proto tcp from any to any port $services

# --- OUTGOING traffic

pass out quick on $ethernet inet proto tcp  all
pass out quick on $ethernet inet proto udp  all
pass out quick on $ethernet inet proto icmp all

# --- BLOCK policy

block in log quick on $ethernet inet proto icmp from any to any icmp-type redir
block log quick on $ethernet all
#
# End of file
For a different approach for a work-station-only-pf.conf see http://www.daemonforums.org/showthread.php?t=4367
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
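Added example, not code from the post above: a toy first-match evaluator that applies the posted ruleset (every rule is "quick", so the first matching rule decides) to constructed sample packets, including the effect of "set skip on lo0" and "set block-policy return". It makes visible that only IPv4 is passed out, so IPv6 on fxp0 falls through to the final block rule.

```python
# Rule fields: action, direction (None = both), address family (None = any),
# protocol (None = any), allowed ICMP types (None = any), log flag.
# Mirrors the rules of the posted pf.conf in order; lo0 is handled by "set skip".
RULES = [
    ("pass",  "in",  "inet", "icmp", {"echorep", "echoreq", "timex", "unreach"}, False),
    ("pass",  "out", "inet", "tcp",  None, False),
    ("pass",  "out", "inet", "udp",  None, False),
    ("pass",  "out", "inet", "icmp", None, False),
    ("block", "in",  "inet", "icmp", {"redir"}, True),
    ("block", None,  None,   None,   None, True),   # block log quick on $ethernet all
]

def matches(rule, pkt):
    _, direction, af, proto, icmp_types, _ = rule
    if direction is not None and direction != pkt["dir"]:
        return False
    if af is not None and af != pkt["af"]:
        return False
    if proto is not None and proto != pkt["proto"]:
        return False
    if icmp_types is not None and pkt.get("icmp_type") not in icmp_types:
        return False
    return True

def evaluate(pkt, rules=RULES):
    """Return (verdict, logged) for one packet under the posted ruleset."""
    if pkt["iface"] == "lo0":          # set skip on lo0: loopback is never filtered
        return "pass", False
    for rule in rules:
        if matches(rule, pkt):
            action, log = rule[0], rule[5]
            if action == "pass":
                return "pass", log
            # block-policy return: TCP gets a RST, UDP an ICMP unreachable,
            # everything else is silently dropped (pf.conf(5) semantics)
            reply = {"tcp": "rst", "udp": "icmp-unreach"}.get(pkt["proto"], "drop")
            return "block/" + reply, log
    return "pass", False               # pf's default when no rule matches

def packet(direction, proto, af="inet", iface="fxp0", icmp_type=None):
    """Build a constructed sample packet (not captured traffic)."""
    return {"dir": direction, "proto": proto, "af": af,
            "iface": iface, "icmp_type": icmp_type}

if __name__ == "__main__":
    for p in (packet("in", "icmp", icmp_type="echoreq"), packet("in", "tcp"),
              packet("in", "icmp", icmp_type="redir"), packet("out", "udp"),
              packet("out", "tcp", af="inet6"), packet("in", "tcp", iface="lo0")):
        print(p, "->", evaluate(p))
```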