Quote:
Originally Posted by esilvaz1101
I want to build a PF for 1 network card to all SSH, PHP, Apache, SQL also log files for attempted attacks. can anyone help?
I'm not good with PF yet.
|
Sorry I just installed OpendBSD 5.3
here is what I created can you look and tell me if its ok
Code:
## our interface ##
ext_if="vr0"
## Private network IP goes in the EXT_IP
EXT_IP 172.22.106.146
# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all
## do not block mysqld on ##
mysqld_ip="{ !172.22.106.146 }"
## Block everything for tcp port number 3306 except $mysqld_ip ###
block in on $ext_if proto tcp from any to $mysqld_ip port 3306
## apache rules need the ip address###
pass in on $ext_if proto tcp from any to 172.22.106.146 port 80 flags S/SA synproxy state
##also ssh port22/tcp, auth 22/tcp, ICMP pings####
# Default TCP policy
block return-rst in log on $ext_if proto TCP all
pass in log quick on $ext_if proto TCP from any to $EXT_IP port 22 flags $SYN_ONLY keep state
pass in log quick on $ext_if proto TCP from any to $EXT_IP port 113 flags $SYN_ONLY keep state
# Default UDP policy
block in log on $ext_if proto udp all
# It's rare to be hosting a service that requires UDP (unless you are hosting
# a dns server for example), so there typically won't be any entries here.
# Default ICMP policy
block in log on $ext_if proto icmp all
pass in log quick on $ext_if proto icmp from any to $EXT_IP echoreq keep state
block out log on $ext_if all
pass out log quick on $ext_if from $EXT_IP to any keep state
# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all