12th March 2013
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

Some tips:
  • Organize your rules by interface, direction, protocol.
  • Use log in your rules to troubleshoot. pf will make all the logged packets appear on the pflog0 interface.
    You can view these packets using tcpdump:
    Code:
    # tcpdump -eni pflog0
  • Keep in mind that pf uses a "last matching rule wins" strategy.
    The following rules will pass all traffic because it is the last matching rule:
    Code:
    block all
    pass all
    block all
    pass all
    Use the quick keyword to escape this "last matching rule wins" strategy.
  • If you are new to pf, build your rule set incrementally.
    Niklaus Wirth, the father of Pascal and Modula, called this approach "stepwise refinement".
  • Use interface groups and interface modifiers to get rid of those $ext_if and $IntNet macros:
    Code:
    # ifconfig 
    
    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:10:4b:d1:ab:5d
            priority: 0
            groups: egress
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
    
    [snip]
    xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:10:5a:14:52:a5
            priority: 0
            groups: internal
            media: Ethernet 100baseTX full-duplex
            status: active
            inet 192.168.222.10 netmask 0xffffff00 broadcast 192.168.222.255
    Now you can use rules like
    Code:
    pass in quick on internal inet proto tcp from internal:network .......
    pass out quick on egress inet proto tcp from any to any port = 80
    You can define the interface group in a hostname.if(5) file:
    Code:
    # cat /etc/hostname.xl1
    
    inet       192.168.222.10 255.255.255.0 NONE group internal
    inet alias 192.168.222.11 255.255.255.255
    !ifconfig xl1 media 100baseTX mediaopt full-duplex
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
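The pitfalls in the post (last matching rule wins, quick short-circuiting, interface groups) are easy to get wrong, so here is an added Python model of that evaluation order, written for this thread and not taken from pf or the poster. It assumes the xl0/egress and xl1/internal groups from the ifconfig output above, handles only the rule keywords used in the post, and ignores addresses, inet and log.

```python
from __future__ import annotations
from dataclasses import dataclass
GROUPS = {"xl0": {"egress"}, "xl1": {"internal"}}  # constructed from the ifconfig output above

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    direction: str | None = None   # "in", "out" or None for either
    iface: str | None = None       # interface name or group name, None = any
    proto: str | None = None       # "tcp", "udp", ... None = any
    dport: int | None = None       # destination port, None = any
    quick: bool = False

def parse(line: str) -> Rule:
    """Parse the small pf.conf subset used in this thread."""
    toks = line.split()
    rule, i = Rule(action=toks[0]), 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t in ("on", "proto"):
            i += 1
            setattr(rule, "iface" if t == "on" else "proto", toks[i])
        elif t == "port":
            i += 1 + (toks[i + 1] == "=")   # accept "port 80" and "port = 80"
            rule.dport = int(toks[i])
        # "all", "inet", "from", "to", "any", "log" and addresses are not modelled
        i += 1
    return rule

def matches(rule: Rule, direction: str, iface: str, proto: str, dport: int) -> bool:
    iface_ok = rule.iface in (None, iface) or rule.iface in GROUPS.get(iface, set())
    return (iface_ok and rule.direction in (None, direction)
            and rule.proto in (None, proto) and rule.dport in (None, dport))

def evaluate(ruleset: str, direction: str, iface: str, proto: str, dport: int):
    """Return (action, 1-based number of the deciding rule) for one packet."""
    rules = [parse(l) for l in ruleset.strip().splitlines() if l.strip()]
    winner = None
    for n, rule in enumerate(rules, 1):
        if matches(rule, direction, iface, proto, dport):
            winner = n              # last match wins ...
            if rule.quick:          # ... unless it is quick: stop right here
                break
    if winner is None:
        return ("pass", None)       # pf passes a packet that matches no rule
    return (rules[winner - 1].action, winner)
```

Feed it the four-line block/pass ruleset from the post and the deciding rule is the final pass all; add quick to a rule and nothing after it can override the decision.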