21st June 2011
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429

Well, for starters, change "pass in on $int_if" to "pass in log on $int_if" and run tcpdump -ttt -e -r /var/log/pflog on the firewall.

Then you can use your computers normally and watch tcpdump to see what ports and hosts are hit commonly.

More than likely, you'll need outbound dns, http, https, ftp, ssh, ntp (if you use it), whatever games you need, netflix, etc...

Set up "pass in on $int_if from any to any port { $port_list }", and nothing on your network will be allowed out unless it's in $port_list.

Gotchas: http that uses non-standard ports (same for https). Alternatively you could set up something like squid and only allow squid outbound access (overkill, probably), then point your machines to squid or set up pf to redirect to squid (if it's running locally).

There's a lot you can do to increase security...the question is how much do you want to maintain?
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
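As an added example (not part of rocket357's post), a small POSIX shell/awk tally over lines shaped like tcpdump's pflog output, to see which destination ports and hosts the logged rule is hitting most and to draft the $port_list macro from them. The sample lines, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the shape of `tcpdump -n -e -ttt -r /var/log/pflog`
# output for a "pass in log" rule (not real captured traffic).
SAMPLE_PFLOG='Jun 21 10:00:01.000001 rule 2/(match) pass in on em1: 192.168.1.10.51234 > 93.184.216.34.443: S 1:1(0) win 65535
Jun 21 10:00:01.000002 rule 2/(match) pass in on em1: 192.168.1.10.51235 > 93.184.216.34.443: S 1:1(0) win 65535
Jun 21 10:00:01.000003 rule 2/(match) pass in on em1: 192.168.1.11.40000 > 192.0.2.53.53: udp 40
Jun 21 10:00:01.000004 rule 2/(match) pass in on em1: 192.168.1.11.40001 > 192.0.2.53.53: udp 40
Jun 21 10:00:01.000005 rule 2/(match) pass in on em1: 192.168.1.11.40002 > 192.0.2.53.53: udp 40
Jun 21 10:00:01.000006 rule 2/(match) pass in on em1: 192.168.1.12.51300 > 198.51.100.7.80: S 1:1(0) win 65535
Jun 21 10:00:01.000007 rule 2/(match) pass in on em1: 192.168.1.12.51301 > 198.51.100.8.8443: S 1:1(0) win 65535'

# Shared awk: pull "dst-host.port" (the token after ">", minus its trailing
# colon) from each pflog line and print "host port". Lines without ">" are skipped.
_dst_fields() {
    awk '{
        dst = ""
        for (i = 1; i < NF; i++) if ($i == ">") { dst = $(i+1); break }
        if (dst == "") next
        sub(/:$/, "", dst)
        n = split(dst, a, ".")
        host = a[1]; for (j = 2; j < n; j++) host = host "." a[j]
        print host, a[n]
    }'
}

# "count port" per destination port, most common first (ties by port number).
# Note: tcp and udp are not separated here; pf rules may need "proto" too.
tally_dst_ports() {
    _dst_fields | awk '{ c[$2]++ } END { for (p in c) print c[p], p }' | sort -k1,1nr -k2,2n
}

# "count host" per destination host, most common first.
tally_dst_hosts() {
    _dst_fields | awk '{ c[$1]++ } END { for (h in c) print c[h], h }' | sort -k1,1nr -k2,2
}

# The single most common destination port in the text given on stdin.
top_dst_port() { tally_dst_ports | head -n 1 | awk '{ print $2 }'; }

# Draft a pf macro from the observed ports, for use as: port { $port_list }
observed_port_list() {
    tally_dst_ports | awk 'BEGIN { printf "port_list = \"" } { printf "%s%s", (NR > 1 ? " " : ""), $2 } END { print "\"" }'
}

printf '%s\n' "$SAMPLE_PFLOG" | observed_port_list
```

Feed the real log with `tcpdump -n -e -ttt -r /var/log/pflog | tally_dst_ports` once you have the functions sourced; the drafted macro is a starting point to prune, not a final rule.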