Quote:
Originally Posted by Oko
I am posting the pf.conf file for my laptop in order to get some comments and feedback from more experienced users, as well as to encourage everybody to post samples of their pf.conf files.
I'm posting mine too as suggested, because I would like comments and feedback from people more experienced with PF as well:
Code:
ethernet = "fxp0"
# outside visible services
services = "{ auth, ntp, rpc }"
# fix packets
match in all scrub (no-df)
# no filtering on the loopback device
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
# deal with bad packets: drop and log ICMP redirects
# (everything else inbound is denied by the block rules at the end of the file;
# a catch-all "block in quick" here would make the later "pass in" rules unreachable)
block in log quick on $ethernet inet proto icmp from any to any icmp-type redir
#
# Now the regular filtering rules
#
# allow for incoming ping and traceroute only (ICMP)
#
pass in quick on $ethernet inet proto icmp from any to any icmp-type { \
echorep, echoreq, timex, unreach }
block in log quick on $ethernet inet proto icmp from any to any
# TCP: Allow ssh, smtp, http and https incoming. Only match
# SYN packets, and allow the state table to handle the rest of the
# connection. I'm not currently using these services on this machine so it
# is commented out
#
#pass in quick on $ethernet inet proto tcp from any to any port $services flags S/SA keep state
# Allow packets coming in as replies to my
# connections so I keep state. Strictly speaking, with packets
# coming from our network we don't have to only match SYN, but
# what the heck ?
#
pass out quick on $ethernet inet proto tcp from any to any flags S/SA keep state
pass out quick on $ethernet inet proto udp all keep state
pass out quick on $ethernet inet proto icmp from any to any keep state
# End of rules. Block everything to all ports, all protocols and return
# RST (TCP) or ICMP/port-unreachable (UDP).
#
block return-rst in log quick on $ethernet inet proto tcp from any to any
block return-icmp in log quick on $ethernet inet proto udp from any to any
block in quick on $ethernet all
#
# End of file
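The ordering pitfall in a first-match (`quick`) ruleset like the one above is that a catch-all `block in quick` on an interface makes every later `pass in` rule on that interface unreachable. The following checker is an added example, not part of the post: a deliberately simplified heuristic (no macro expansion, no address or port matching) run over a constructed ruleset modelled on the pf.conf above with `$ethernet` expanded to fxp0.

```python
import re

# Constructed ruleset modelled on the pf.conf above (macro expanded by hand).
RULES = """
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
block in log quick on fxp0 inet proto icmp from any to any icmp-type redir
block in quick on fxp0 from any to any
pass in quick on fxp0 inet proto icmp from any to any icmp-type { echorep, echoreq }
pass out quick on fxp0 inet proto tcp from any to any flags S/SA keep state
block in quick on fxp0 all
"""

def parse_rule(line):
    """Extract only the fields this heuristic needs from one pf rule."""
    toks = line.split()
    rule = {"text": line, "action": toks[0], "quick": "quick" in toks,
            "dir": next((t for t in toks if t in ("in", "out")), None),
            "iface": toks[toks.index("on") + 1] if "on" in toks else None,
            "proto": toks[toks.index("proto") + 1] if "proto" in toks else None}
    # A rule narrowed by ports, ICMP types or TCP flags is not a catch-all.
    narrowed = re.search(r"\b(port|icmp-type|flags)\b", line)
    rule["catch_all"] = not narrowed and \
        re.search(r"\bfrom any to any\b|\ball\b", line) is not None
    return rule

def shadowed_rules(text):
    """Return (shadowing_rule, unreachable_rule) pairs.

    Rule A shadows a later rule B when A is quick, is a catch-all for the
    same direction and interface, and has no proto or the same proto as B.
    """
    rules = [parse_rule(ln) for ln in text.splitlines()
             if ln.strip() and not ln.startswith("#")]
    hits = []
    for i, a in enumerate(rules):
        if not (a["quick"] and a["catch_all"]):
            continue
        for b in rules[i + 1:]:
            same_dir = a["dir"] == b["dir"]
            same_if = a["iface"] is None or a["iface"] == b["iface"]
            proto_ok = a["proto"] is None or a["proto"] == b["proto"]
            if same_dir and same_if and proto_ok:
                hits.append((a["text"], b["text"]))
    return hits

if __name__ == "__main__":
    for shadowing, dead in shadowed_rules(RULES):
        print(f"unreachable: {dead}\n  shadowed by: {shadowing}")
```

Running it flags both the ICMP `pass in` and the final `block in quick on fxp0 all` as dead once the blanket `block in quick on fxp0 from any to any` is present; `pfctl -nf pf.conf` only checks syntax and will not report this.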