Old 11th January 2010
lumiwa
Package Pilot
 
Join Date: May 2008
Posts: 145
pf.conf examples (part 2)

I am a newbie too and I am trying to configure pf.conf for my standalone computer. I read many examples, and for a long time I had:
Code:
# Macros
ext_if = "rl0"

# Options: tune the behavior of pf.
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo

# Normalization: reassemble fragments etc.
scrub in all

# Filtering
antispoof quick for $ext_if

# Nobody gets in from the outside!
block in log quick on $ext_if all label "inblock"

# Block by default. (pass rules should follow later).
block out log on $ext_if all label "outblock"

pass out on $ext_if inet proto tcp all
pass out on $ext_if inet proto udp all
# icmp-type 8 is echo request; a bare "code" keyword without a value is a syntax error
pass out on $ext_if inet proto icmp all icmp-type 8
Now I have:
Code:
#macro
ext_if = "rl0"

# options ("set ...") must come before normalization and filter rules
set skip on lo0

scrub in on $ext_if all fragment reassemble
block all
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN  - Finish; end of session
### * S : SYN  - Synchronize; indicates request to start session
### * R : RST  - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK  - Acknowledgement
### * U : URG  - Urgent
### * E : ECE  - Explicit Congestion Notification Echo
### * W : CWR  - Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### set a rule that allows inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state
table <ssh_abuse> persist
block in quick from <ssh_abuse>
### last matching rule wins: this rule, not the synproxy rule above, decides inbound ssh
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
Thanks.
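As an added example (not lumiwa's config and not code from the pf project), here is a small Python model of how pf evaluates `flags <check>/<mask>`, applied to the six `block in quick ... flags` rules and the `S/SA` rule from the second pf.conf above. The flag bit values are the standard TCP header bits; the sample segments are constructed.

```python
# Model of pf "flags <check>/<mask>" matching, applied to the rules in the post.
# Bit values are the standard TCP header flag bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

def flags_to_bits(letters):
    """Convert a pf flag string such as "SA" to a TCP flag bitmask."""
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]
    return bits

def rule_matches(spec, packet_flags):
    """pf semantics: of the flags named in <mask>, exactly those in <check>
    must be set; flags outside the mask are ignored.  "/WEUAPRSF" (empty
    check) therefore means 'no flag may be set at all'."""
    check, mask = spec.split("/")
    return (packet_flags & flags_to_bits(mask)) == flags_to_bits(check)

# The six fingerprint-probe specs from the 'block in quick' rules in the post.
BLOCK_SPECS = ["FUP/WEUAPRSF", "WEUAPRSF/WEUAPRSF", "SRAFU/WEUAPRSF",
               "/WEUAPRSF", "SR/SR", "SF/SF"]

def blocked_by(packet_flags):
    """Return the block specs that would stop a segment with these flags."""
    return [s for s in BLOCK_SPECS if rule_matches(s, packet_flags)]

# Constructed sample segments: normal SYN, SYN/ACK, null scan, xmas scan, SYN+FIN.
SAMPLES = {
    "syn":     flags_to_bits("S"),
    "syn-ack": flags_to_bits("SA"),
    "null":    0,
    "xmas":    flags_to_bits("FPU"),
    "syn-fin": flags_to_bits("SF"),
}

if __name__ == "__main__":
    for name, bits in SAMPLES.items():
        print(f"{name:8s} blocked by {blocked_by(bits) or 'nothing'}; "
              f"accepted by 'flags S/SA': {rule_matches('S/SA', bits)}")
```

Note that `S/SA` on its own accepts a SYN+FIN segment (FIN is outside the mask), which is why the `block in quick ... flags SF/SF` rule is useful in front of the `pass in` rules.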