3rd May 2014
bsdsource
Port Guard
Join Date: Apr 2014
Posts: 34

Any suggestions on improving my ruleset? I just need to surf the internet, check email, and have access to shares on the LAN from a computer within the LAN. I was trying to figure out how to allow hostname lookups and NTP, but with the rule below, which I have since disabled, I was no longer able to surf the internet.

Code:
#########
## Macros
#########
wan = "em0"
lan = "em1"

#########
## Tables
#########
table <private_ips> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
    172.16.0.0/12, 192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16, 198.18.0.0/15, \
    198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }

##########
## Options
##########
set skip on lo0

########################
## Traffic normalization
########################

match in log on $wan scrub (no-df)

##############################
## Network address translation
##############################

pass out on $wan from $lan:network nat-to ($wan)

###################
## Packet filtering
###################

# block and log inbound traffic
block in log

# block IPv6 traffic
block quick inet6 all

# block spoofed or forged IP's
antispoof quick for $wan

# block non-routable addresses
block in quick from no-route to any

# check unicast reverse path forwarding
block in quick from urpf-failed to any

# block private address blocks outside network
block in quick on $wan from <private_ips> to any
block out quick on $wan from any to <private_ips>

# drop broadcasts
block in quick on $wan from any to 255.255.255.255

# UDP (allow DNS lookups and time keeping from the firewall itself)
# Note: "to ($wan)" would only match packets whose destination is em0's own
# address; the firewall's outgoing queries have the resolver/NTP server as
# destination and em0's address as source, hence "from ($wan) to any".
#pass out on $wan proto udp from ($wan) to any port { domain, ntp } keep state


pass in on $lan
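As an added illustration (not part of the post above), the following small model applies pf's filter evaluation order (top to bottom, last match wins, `quick` stops evaluation, default pass) to the posted rules, and shows that a rule written `to ($wan)` never applies to the firewall's own outbound DNS/NTP queries while `from ($wan)` does. NAT, state tracking, antispoof, no-route and urpf-failed are left out; the interface address, LAN network and resolver address are constructed.

```python
import ipaddress

WAN, LAN = "em0", "em1"
WAN_ADDR = "100.64.0.7"        # assumed address of em0 (constructed)
LAN_NET = "192.168.1.0/24"     # assumed $lan:network (constructed)

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

PRIVATE_IPS = nets("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                   "172.16.0.0/12", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
                   "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
                   "240.0.0.0/4", "255.255.255.255/32")

# Filter rules in the posted order; a missing field means "any".
RULES = [
    dict(label="nat",      action="pass",  dir="out", iface=WAN, src=nets(LAN_NET)),
    dict(label="block-in", action="block", dir="in"),
    dict(label="priv-in",  action="block", dir="in",  iface=WAN, src=PRIVATE_IPS, quick=True),
    dict(label="priv-out", action="block", dir="out", iface=WAN, dst=PRIVATE_IPS, quick=True),
    dict(label="bcast",    action="block", dir="in",  iface=WAN, dst=nets("255.255.255.255/32"), quick=True),
    dict(label="lan-in",   action="pass",  dir="in",  iface=LAN),
]
# The UDP rule as posted ("to ($wan)") and with the direction corrected ("from ($wan)").
POSTED_UDP = dict(label="udp", action="pass", dir="out", iface=WAN, proto="udp",
                  dst=nets(WAN_ADDR), dport={53, 123})
FIXED_UDP = dict(label="udp", action="pass", dir="out", iface=WAN, proto="udp",
                 src=nets(WAN_ADDR), dport={53, 123})

def matches(rule, pkt):
    for k in ("dir", "iface", "proto"):
        if rule.get(k) is not None and rule[k] != pkt.get(k):
            return False
    for k in ("src", "dst"):
        if rule.get(k) is not None and not any(ipaddress.ip_address(pkt[k]) in n for n in rule[k]):
            return False
    return rule.get("dport") is None or pkt.get("dport") in rule["dport"]

def verdict(rules, pkt):
    """Return (action, label of the deciding rule); label None means pf's default pass."""
    action, label = "pass", None
    for r in rules:
        if matches(r, pkt):
            action, label = r["action"], r["label"]
            if r.get("quick"):
                break
    return action, label

# Constructed packet: the firewall's own DNS query leaving em0 towards an assumed resolver.
DNS_OUT = dict(dir="out", iface=WAN, proto="udp", src=WAN_ADDR, dst="100.64.1.53", dport=53)
```

`verdict(RULES + [POSTED_UDP], DNS_OUT)` falls through to the default pass with no rule matching, whereas `verdict(RULES + [FIXED_UDP], DNS_OUT)` is decided by the `udp` rule; with a `block out` default added later, only the corrected form would keep the firewall's lookups working.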