For a desktop machine the simple ruleset suggested by Denta is a good start. It will keep the bad guys from connecting to your machine.
I would propose two small changes to those rules:
Code:
block log all
pass out
Loading this set:
Code:
# pfctl -vvf denta.pf
Loaded 710 passive OS fingerprints
@0 block drop log all
@1 pass out all flags S/SA
So I drop the keep state because that is the default and add log to the block rule. This will allow you to see the blocked packets with tcpdump
Code:
# tcpdump -eni pflog0
tcpdump -eni pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
01:53:27.574962 rule 0/(match) block in on re0: 188.142.61.141 > 192.168.222.20: icmp: echo request
01:53:28.575951 rule 0/(match) block in on re0: 188.142.61.141 > 192.168.222.20: icmp: echo request
01:54:00.295763 rule 0/(match) block in on re0: 188.142.61.141.58361 > 192.168.222.20.80: S 282493765:282493765(0) win 16384 <mss 1460,nop,nop,sackOK,nop,nop,wscale 3,nop,nop,timestamp 3475091480[|tcp]> (DF)
01:57:24.229775 rule 0/(match) block in on re0: 192.168.222.241.138 > 192.168.222.255.138: udp 201
The first two packets are a blocked ping(8), followed by a probe for a web server at port 80.
The last packet blocked is a NetBIOS broadcast from my wife's Windows machine.
If you are looking for a firewall box rule set you could have a look at
http://www.daemonforums.org/showthre...7366#post45234
It is a pf.conf that I use for my OpenBSD firewall box at my home.
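The post shows how to watch blocked packets on pflog0 with tcpdump; the next step a defender usually wants is to turn that stream into a summary, so that a repeated probe from one outside host stands out from harmless LAN noise such as the NetBIOS broadcast mentioned above. The following Python script is an added example, not code from the post or from the OpenBSD project. It parses the tcpdump pflog line format quoted above (rule number, action, direction, interface, endpoints, protocol) and counts blocked packets per source host, protocol and destination port, separating sources outside RFC 1918 space from internal ones. The sample log text is the post's own tcpdump output re-joined onto single lines; the function names and the "external" classification by private address range are the example's own choices.

```python
import ipaddress
import re
from collections import Counter

# Sample pflog lines: the tcpdump output quoted in the post, re-joined onto
# one line each (the forum software wrapped them).
SAMPLE_LOG = """\
01:53:27.574962 rule 0/(match) block in on re0: 188.142.61.141 > 192.168.222.20: icmp: echo request
01:53:28.575951 rule 0/(match) block in on re0: 188.142.61.141 > 192.168.222.20: icmp: echo request
01:54:00.295763 rule 0/(match) block in on re0: 188.142.61.141.58361 > 192.168.222.20.80: S 282493765:282493765(0) win 16384 <mss 1460,nop,nop,sackOK,nop,nop,wscale 3,nop,nop,timestamp 3475091480[|tcp]> (DF)
01:57:24.229775 rule 0/(match) block in on re0: 192.168.222.241.138 > 192.168.222.255.138: udp 201
"""

# Shape of a "tcpdump -eni pflog0" line for an IPv4 packet:
#   <time> rule <n>/(<reason>) <action> <dir> on <iface>: <src> > <dst>: <rest>
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def split_host_port(endpoint):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; ICMP has no port."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_pflog_line(line):
    """Return a dict describing one pflog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_host_port(m.group("src"))
    dst, dport = split_host_port(m.group("dst"))
    rest = m.group("rest")
    if rest.startswith("icmp"):
        proto = "icmp"
    elif rest.startswith("udp"):
        proto = "udp"
    else:
        proto = "tcp"  # tcpdump prints TCP flags/sequence numbers without a label
    return {
        "time": m.group("time"),
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "dir": m.group("dir"),
        "iface": m.group("iface"),
        "src": src, "sport": sport,
        "dst": dst, "dport": dport,
        "proto": proto,
        # "external" here means outside RFC 1918 space (example's own choice)
        "external": not ipaddress.ip_address(src).is_private,
    }


def summarize(text):
    """Count blocked packets per (source host, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
    return counts


def external_sources(text):
    """Sorted list of (host, packets) for blocked packets from non-private hosts."""
    hosts = Counter()
    for (src, _proto, _dport), n in summarize(text).items():
        if not ipaddress.ip_address(src).is_private:
            hosts[src] += n
    return sorted(hosts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (src, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        port = "" if dport is None else f" port {dport}"
        print(f"{n:3d}  {src:<16} {proto}{port}")
    print("external sources:", external_sources(SAMPLE_LOG))
```

Run it against a saved capture with `tcpdump -eni pflog0 > blocked.log` and feed the file contents to `summarize`; the ICMP probes and the port-80 SYN from the outside host collapse into two counters, while the broadcast from the LAN host is listed separately as internal traffic.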