9th September 2009
revzalot
Shell Scout
Join Date: May 2008
Posts: 123

Revised but haven't tested yet.

Code:
ext_if="re0"

# Outbound services this host may reach. Names resolve through /etc/services;
# note that "sftp" there is port 115 (Simple File Transfer), not file transfer
# over SSH, which "ssh" already covers, and "www" and "http" are both port 80.
tcp_services = "{ ssh, ftp, sftp, imap, imaps, smtp, 587, pop3, \
                  domain, ntp, www, http, https }"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"

set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble

# Default deny: answer blocked inbound traffic with RST/ICMP, drop outbound silently.
# The direction keyword must come before "log" ("block log out all" is a syntax error).
block return in log all
block out log all

antispoof quick for $ext_if

pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services

# Allow traceroute (UDP probes to ports 33434 through 33625)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Inbound services; TCP listeners are SYN-proxied so only completed handshakes reach them
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port smtp flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port https flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port pop3 flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
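Added example, not part of revzalot's post or of pf itself: an offline pre-check that catches the two things that would have made this ruleset fail to load, the mis-ordered `block log out all` (pf.conf requires direction before `log`) and the stray `e` left by the wrapped `keep state`. It joins backslash continuations, expands macros, and checks clause order against a simplified subset of the pf.conf(5) grammar; the ranking table, the statement lists and the POSTED excerpt are assumptions made for this example. The authoritative check is still `pfctl -nf /etc/pf.conf`, which parses without loading.

```python
"""Offline pre-check for a pf.conf ruleset (example code, not pf or pfctl).
Authoritative parsing is `pfctl -nf /etc/pf.conf`."""
import re

# Rank of each rule clause.  A keyword may only follow keywords of equal or
# lower rank, so "block log out all" fails: direction (2) precedes log (3).
# Assumption: a subset of the pf.conf(5) grammar, enough for rulesets like the one above.
RANK = {}
for rank, words in enumerate([
    ("pass", "block", "match"),                                   # action
    ("return", "drop", "return-rst", "return-icmp", "return-icmp6"),
    ("in", "out"),                                                # direction
    ("log", "quick"),                                             # either order is legal
    ("on",),                                                      # interface
    ("inet", "inet6"),                                            # address family
    ("proto",),
    ("all", "from", "to", "port"),                                # endpoints
    ("flags", "icmp-type", "icmp6-type", "keep", "modulate",      # filter options
     "synproxy", "state", "label", "tag", "tagged", "queue", "user", "group"),
]):
    for word in words:
        RANK[word] = rank

FILTER_ACTIONS = {"pass", "block", "match"}
OTHER_STATEMENTS = {"set", "scrub", "antispoof", "table", "queue", "altq",
                    "nat", "rdr", "binat", "anchor", "load", "include"}
MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"?(.*?)"?$')


def logical_lines(text):
    """Yield (line_number, text) with comments stripped and backslash-continued lines joined."""
    buf, start = [], 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # simplification: no '#' inside quotes
        if not buf:
            start = number
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined:
            yield start, joined


def expand_macros(line, macros, number, errors):
    """Replace $name with its definition; an undefined macro is recorded as an error."""
    def replace(match):
        name = match.group(1)
        if name not in macros:
            errors.append(f"line {number}: macro ${name} is not defined")
            return ""
        return macros[name]
    return re.sub(r"\$(\w+)", replace, line)


def check_rule_order(tokens, number, errors):
    """Flag the first keyword that appears after a clause of higher rank."""
    current, depth = -1, 0
    for tok in tokens:
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif depth == 0 and tok in RANK:          # list members and plain arguments carry no position
            if RANK[tok] < current:
                errors.append(f"line {number}: '{tok}' comes after a later clause in: {' '.join(tokens)}")
                return
            current = RANK[tok]


def lint(text):
    """Return a list of error strings; an empty list means nothing was flagged."""
    macros, errors = {}, []
    for number, line in logical_lines(text):
        definition = MACRO_DEF.match(line)
        if definition:
            macros[definition.group(1)] = definition.group(2)
            continue
        line = expand_macros(line, macros, number, errors)
        tokens = re.findall(r"[{}]|[^\s{},]+", line)
        if not tokens:
            continue
        if tokens[0] in FILTER_ACTIONS:
            check_rule_order(tokens, number, errors)
        elif tokens[0] not in OTHER_STATEMENTS:
            errors.append(f"line {number}: unrecognised statement: {line}")
    return errors


# Constructed excerpt of the posted ruleset, keeping its two defects:
# the mis-ordered "block log out all" and the "keep stat" / "e" line wrap.
POSTED = """\
ext_if="re0"
tcp_services = "{ ssh, smtp, \\
                  domain }"
udp_services= "{domain, ntp}"
icmp_types = "{ echoreq, unreach }"
set skip on lo
scrub in all random-id fragment reassemble
block return in log all
block log out all
antispoof quick for $ext_if
pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep stat
e
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
"""
FIXED = POSTED.replace("block log out all", "block out log all") \
              .replace("keep stat\ne\n", "keep state\n")
```

Running `lint(POSTED)` reports the `out`-after-`log` problem on the `block` line and the orphaned `e` as an unrecognised statement; `lint(FIXED)` returns nothing. Once this passes, confirm with `pfctl -nf` before loading for real.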