#7, 8th November 2013
jggimi
I would not use your updated configuration, as it still has things I dislike as an administrator. It still has syntax errors, such as a missing "=" in a macro definition, and missing proto tcp when port numbers are referenced.

But more important than transcription errors, you are still intermixing policy settings and macros with your pass/block filter rules. While allowed by the configuration grammar, this is something I would never do. Humans must manage and maintain these configurations. Please don't do this. Your professor can contact me if he or she takes issue with a configuration that is structured with policy settings, macro assignments, and general settings at the top, then is followed by general filtration rules, then specific rules.

Here is how I might define a terminal server PF configuration, where I block all but inbound traffic to TCP ports 22, 80, 113, and 3306. This is based on the application set you have defined in this thread, and on the policy settings you have attempted in your sample configurations. Note that I do not reference your interface, nor your IP address. You have only one NIC, so the rules "from any to any" will apply to everything that crosses the NIC. I have also used symbolic names for the destination port numbers; these are pre-defined in /etc/services.
Code:
### General information
#
# This configuration is for a terminal server with a single NIC.  It blocks
# by default, and passes inbound stateful traffic for SSH, web, auth, and SQL

### policy section ###
#

# return TCP RST or ICMP UNREACHABLE for blocked traffic:
set block-policy return

# do not filter loopback traffic (pf.conf syntax requires "on" before the interface):
set skip on lo0

### filter rules ###
#

# block by default:
block all

# pass stateful traffic for four applications on this terminal server:
pass in proto tcp from any to any port {ssh, www, auth, mysql}

Last edited by jggimi; 8th November 2013 at 06:55 PM. Reason: typo
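As an added illustration, not code from this post, here is a constructed Python checker for the three things the post calls out: a macro definition missing its "=", a rule that names a port without proto, and a set policy line placed after the filter rules instead of at the top. The sample configurations it runs over are constructed for this example; the real syntax check is still pfctl -nf on the host.

```python
import re

# Constructed pf.conf fragment in the order the post recommends:
# policy settings and macros first, then general rules, then specific rules.
GOOD_CONF = """
set block-policy return
set skip on lo0
tcp_services = "{ ssh, www, auth, mysql }"
block all
pass in proto tcp from any to any port $tcp_services
"""

# Constructed fragment with the two transcription errors and the ordering
# problem the post objects to: macro without "=", port without proto, and
# a "set" policy line placed after filter rules.
BAD_CONF = """
block all
tcp_services "{ ssh, www, auth, mysql }"
pass in from any to any port { ssh, www }
set block-policy return
"""

# A macro definition is a bare identifier followed by a quoted value;
# group 2 captures the "=" that must sit between them.
MACRO_RE = re.compile(r'^([A-Za-z_]\w*)\s*(=)?\s*"')


def lint_pf(text):
    """Return a list of (line_no, message) for the checks described above."""
    problems = []
    seen_filter_rule = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m and m.group(2) is None:
            problems.append((n, 'macro definition is missing "="'))
            continue
        if line.startswith(("pass", "block", "match")):
            seen_filter_rule = True
            if re.search(r"\bport\b", line) and not re.search(r"\bproto\b", line):
                problems.append((n, "port given without proto"))
        elif line.startswith("set ") and seen_filter_rule:
            problems.append((n, "policy setting placed after filter rules"))
    return problems
```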