#9
29th April 2013
CyberJet
Real Name: Ramon
BSD Student
 
Join Date: Feb 2009
Location: Miami FL
Posts: 98

Good Afternoon to All,

Jggimi,

I have read the PF FAQs that you suggested, thank you. I'm posting my pf.conf; please let me know how I can make it more efficient and, more importantly, whether I'm interpreting everything correctly before I put my host on the net.

Code:
#================Macros======================
ext_if="bge0"   # external interface
int_if="fxp0"   # internal interface
dmz_if="xl0"    # dmz interface (not referenced by any rule below)

internal_network="192.168.2.0/24"
external_network="1xx.xx.xx.0/xx"   # not referenced by any rule below

# service lists (not referenced by any rule below)
tcp_ports="{22, 80, 443}"
tcp_services="{22, 80, 443}"
udp_services="{domain, ntp}"

#================Tables======================
table <firewall> const { self }   # every address of this host (not referenced below)
#================Options=====================
set skip on lo0
set block-policy drop
set optimization normal
set loginterface $ext_if   # macro needs the $; a bare "ext_if" names no real interface
#================Queueing=====================

#=============Filter Rules====================
# default deny, logged; a later matching rule overrides it (last match wins)
block log all
match in all scrub (no-df)
# drop sources that fail the reverse-path check or have no route back
block in quick from urpf-failed
block in from no-route to any
antispoof quick for {lo0 $int_if $ext_if}

# drop broadcast and private/bogon sources arriving on the outside interface
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from {10.0.0.0/8, 172.16.0.0/12, \
               192.168.0.0/16, 255.255.255.255/32} to any

# ssh to the inside address is refused unless the source is 192.168.2.1
block return in quick on $int_if proto tcp from ! 192.168.2.1 \
   to $int_if port ssh

pass in on $int_if from $internal_network
pass out on $int_if to $internal_network
pass out on $ext_if proto { tcp udp icmp } all modulate state

# NAT for the internal network; on OpenBSD nat-to is an option of a pass out rule
pass out on $ext_if from $int_if:network to any nat-to $ext_if

Does it matter in which order I have placed the filtering rules?
I have set block-policy to drop; is it more secure to set it to return instead? I have read somewhere that it consumes more resources to have it set to drop. Am I missing anything?

Your input is greatly appreciated.

Regards,...
__________________
Speak softly and carry BSD!
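The ordering question above is really a question about pf's matching semantics: rules are walked top to bottom, the last matching rule decides, and a matching rule with `quick` ends evaluation on the spot. The following Python model is an added illustration, not pf and not anything from the poster; it replays the posted ruleset (minus state, scrub, NAT, urpf-failed, no-route and antispoof, which need kernel state this toy lacks) against a few constructed packets, then moves the `pass in on $int_if` rule above `block log all` to show what changes. The interface names, the assumption that `$int_if` is 192.168.2.1, and all packet addresses are assumptions made for the example.

```python
"""Toy model of pf rule ordering (added illustration, not pf itself).

pf walks the ruleset top to bottom; the LAST matching rule decides,
unless a matching rule carries `quick`, which stops evaluation there.
Only direction, interface, protocol, src/dst network and destination
port are modelled; state, scrub, NAT and route checks are ignored.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str      # "in" or "out"
    iface: str
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # 0 means "no port" (e.g. icmp)


@dataclass
class Rule:
    action: str                 # "block" or "pass"
    text: str                   # the rule as it reads in pf.conf
    direction: str = ""         # "" matches both directions
    iface: str = ""             # "" matches any interface
    proto: tuple = ()           # () matches any protocol
    src: tuple = ()             # CIDRs; () matches any source
    src_negate: bool = False    # "from ! x"
    dst: tuple = ()             # CIDRs; () matches any destination
    dport: int = 0              # 0 matches any port
    quick: bool = False

    @staticmethod
    def _in_any(addr: str, nets: tuple) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(n) for n in nets)

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if self.proto and p.proto not in self.proto:
            return False
        # "from x" fails outside x; "from ! x" fails inside x
        if self.src and self._in_any(p.src, self.src) == self.src_negate:
            return False
        if self.dst and not self._in_any(p.dst, self.dst):
            return False
        if self.dport and self.dport != p.dport:
            return False
        return True


def evaluate(rules, p: Packet):
    """Return (verdict, rule text): last match wins unless a match is quick."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    if winner is None:
        return "pass", "(no rule matched: pf passes by default)"
    return winner.action, winner.text


# Assumed macro values (the poster's real addresses are masked).
EXT, INT = "bge0", "fxp0"
INT_NET = ("192.168.2.0/24",)
INT_ADDR = ("192.168.2.1/32",)      # assumed address of $int_if
BOGONS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32")

RULESET = [
    Rule("block", "block log all"),
    Rule("block", "block in quick on $ext_if from any to 255.255.255.255",
         "in", EXT, dst=("255.255.255.255/32",), quick=True),
    Rule("block", "block in log quick on $ext_if from <bogons> to any",
         "in", EXT, src=BOGONS, quick=True),
    Rule("block", "block return in quick on $int_if proto tcp from ! 192.168.2.1 to $int_if port ssh",
         "in", INT, ("tcp",), src=INT_ADDR, src_negate=True, dst=INT_ADDR, dport=22, quick=True),
    Rule("pass", "pass in on $int_if from $internal_network", "in", INT, src=INT_NET),
    Rule("pass", "pass out on $int_if to $internal_network", "out", INT, dst=INT_NET),
    Rule("pass", "pass out on $ext_if proto { tcp udp icmp } all modulate state",
         "out", EXT, ("tcp", "udp", "icmp")),
    Rule("pass", "pass out on $ext_if from $int_if:network to any nat-to $ext_if",
         "out", EXT, src=INT_NET),
]

# Constructed sample packets (documentation-range addresses).
SAMPLES = {
    "lan_ssh_to_fw": Packet("in", INT, "tcp", "192.168.2.5", "192.168.2.1", 22),
    "lan_web_out": Packet("in", INT, "tcp", "192.168.2.5", "203.0.113.80", 80),
    "bogon_in_ext": Packet("in", EXT, "tcp", "10.1.2.3", "203.0.113.1", 80),
    "unsolicited_in_ext": Packet("in", EXT, "tcp", "198.51.100.7", "203.0.113.1", 22),
}


def verdicts(rules=RULESET):
    return {name: evaluate(rules, p)[0] for name, p in SAMPLES.items()}


def reordered():
    """Same rules, but `pass in on $int_if` moved ABOVE `block log all`."""
    r = RULESET[:]
    r.insert(0, r.pop(4))
    return verdicts(r)


if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:20} {v}")
    print("with the LAN pass rule moved to the top:", reordered())
```

With the rules as posted, LAN web traffic passes because `pass in on $int_if` is the last match, while a LAN host's ssh attempt at the firewall is stopped by the `quick` block before that pass rule is ever reached. Move the pass rule above `block log all` and the block becomes the last match, so the same web traffic is dropped: order matters for every rule without `quick`, and `quick` rules matter only relative to what comes after them.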