Below is my pf.conf, which I put together by reading the man page and googling around.
It seems to work fine; I've been using it for quite a few months. I have a restricted user "amule" which I use to run amule (rarely, actually). Do the lines in my pf.conf make sense? (It seems they do; I remember trying to change them and thus blocking amule traffic.)
I use this computer basically as a desktop, but it is on 24h/day, so I need it to be safe.
On Google I found this script to block brute-force attacks, which works very well:
Code:
# start from an empty table each run
pfctl -t ssh-violations -T flush
# "Invalid user" lines: the source address is field 10
# (uniq -d only reports duplicates on sorted input, so sort first)
for ips in $(grep sshd /var/log/authlog | grep "Invalid" | awk '{print $10}' | sort | uniq -d) ; do
    pfctl -t ssh-violations -T add "$ips"
done
# "Failed password" lines: the address is the 4th field counted from the end
grep sshd /var/log/authlog | grep "Failed" | rev | cut -d ' ' -f 4 | rev | sort | uniq -c | \
( while read num ips; do
    if [ "$num" -gt 5 ]; then
        # add the address only if it is not already in the table
        if ! pfctl -t ssh-violations -T test "$ips" >/dev/null 2>&1 ; then
            pfctl -t ssh-violations -T add "$ips"
        fi
    fi
done
)
Code:
# macros
ext_if = "gem0"
ssh = "{ 22 }"
# table of blocked SSH sources; persist keeps it when no rule references it,
# and its contents are loaded from the file at ruleset load time
table <ssh-violations> persist file "/etc/ssh-violations"
# options
set block-policy drop
set state-policy if-bound
set loginterface $ext_if
set optimization normal
set skip on lo0
# scrub
scrub in on $ext_if all
pass quick on lo0 all
antispoof for $ext_if
# default deny in both directions; later matching rules override unless "quick"
block in log all
block out all
block in quick log from <ssh-violations> to any
pass on $ext_if proto tcp from any to any port $ssh
# aMule ports, only for sockets owned by the "amule" user
pass on $ext_if proto tcp from any to any port 4662 user amule
pass on $ext_if proto udp from any to any port 4665 user amule
pass on $ext_if proto udp from any to any port 4672 user amule
pass on $ext_if proto tcp from any to any port 4712 user amule
pass on $ext_if proto tcp from any to any port 4661 user amule
# all other outbound IPv4 traffic
pass out quick on $ext_if inet
# address ranges that must never appear on the external interface
martians = "{ 127.0.0.0/8, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
Any comments or suggestions will be greatly appreciated.
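As an added example (not the poster's script or any project's code), here is the log-to-table step of the brute-force blocker written as shell functions over constructed authlog lines: it counts both "Invalid user" and "Failed password" messages per source address, applies a threshold, and prints the pfctl commands instead of running them. The sample log, the threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: count sshd failures per source
# address in OpenBSD authlog format and print the addresses that reach a
# threshold, ready for "pfctl -t ssh-violations -T add".
# Both message types count, so a host alternating between unknown user
# names and wrong passwords cannot stay under either counter on its own.

# Constructed sample log lines (not from a real system).
SAMPLE_LOG='Mar  3 10:01:02 host sshd[1234]: Invalid user admin from 192.0.2.10
Mar  3 10:01:05 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Mar  3 10:01:09 host sshd[1235]: Invalid user test from 192.0.2.10
Mar  3 10:01:12 host sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 51001 ssh2
Mar  3 10:02:00 host sshd[1236]: Failed password for root from 192.0.2.10 port 51002 ssh2
Mar  3 10:02:30 host sshd[1237]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:03:00 host sshd[1238]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:04:00 host sshd[1239]: Invalid user guest from 203.0.113.5'

# offenders <threshold>   (reads log lines on stdin)
# Prints one address per line for every source with >= threshold failures.
offenders() {
    awk -v limit="$1" '
        # field 5 is "sshd[pid]:", field 6 is the first word of the message
        $5 ~ /^sshd\[/ && ($6 == "Invalid" || $6 == "Failed") {
            # the address always follows the literal word "from", whatever
            # the user name or message variant looks like
            for (i = 6; i < NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= limit) print ip }
    ' | sort
}

# block_commands <threshold>   (reads log lines on stdin)
# Dry run: emit the pfctl commands; pipe the output to sh to apply them.
block_commands() {
    offenders "$1" | while read -r ip; do
        printf 'pfctl -t ssh-violations -T add %s\n' "$ip"
    done
}

# Sample run against the constructed log with a threshold of 3 failures.
printf '%s\n' "$SAMPLE_LOG" | block_commands 3
```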