12th March 2013
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,132
Some tips:
- Organize your rules by interface, direction, protocol.
- Use log in your rules to troubleshoot. pf will make all the logged packets appear on the pflog0 interface.
You can view these packets using tcpdump:
Code:
# tcpdump -eni pflog0
- Keep in mind that pf uses a "last matching rule wins" strategy.
The following rules will pass all traffic because the pass rule is the last matching rule:
Code:
block all
pass all
Use the quick keyword to escape this "last matching rule wins" strategy.
- If you are new to pf build your rule set incrementally.
The father of Pascal and Modula, Niklaus Wirth, called this approach "stepwise refinement".
- Use interface groups and interface modifiers to get rid of those $ext_if and $IntNet macros:
Code:
# ifconfig
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:10:4b:d1:ab:5d
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
[snip]
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:10:5a:14:52:a5
priority: 0
groups: internal
media: Ethernet 100baseTX full-duplex
status: active
inet 192.168.222.10 netmask 0xffffff00 broadcast 192.168.222.255
Now you can use rules like
Code:
pass in quick on internal inet proto tcp from internal:network .......
pass out quick on egress inet proto tcp from any to any port = 80
You can define the interface group in a hostname.if(5) file:
Code:
# cat /etc/hostname.xl1
inet 192.168.222.10 255.255.255.0 NONE group internal
inet alias 192.168.222.11 255.255.255.255
!ifconfig xl1 media 100baseTX mediaopt full-duplex
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
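The "last matching rule wins" and quick behaviour described in the post above is easy to get wrong when reading a ruleset on paper. The following is an added example, not code from the post or from pf itself: a small Python model of pf's evaluation order that parses a tiny subset of pf.conf grammar (pass/block, in/out, log, quick, on, proto, to port, all) and walks the rules the way pf does. The interface-group table (xl0 in egress, xl1 in internal) and the three rulesets are constructed for illustration and mirror the ifconfig output in the post; nothing here talks to a real pf.

```python
"""Toy model of pf rule evaluation (added example, not pf's own code).
The LAST matching rule decides the verdict, unless a matching rule
carries `quick`, which ends evaluation on the spot. Only the small
subset of pf.conf grammar used below is understood."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed interface-group table, mirroring the ifconfig output in the post
# (assumption: xl0 is the only member of "egress", xl1 of "internal").
GROUPS = {"egress": {"xl0"}, "internal": {"xl1"}}


@dataclass(frozen=True)
class Packet:
    iface: str      # physical interface the packet is seen on
    direction: str  # "in" or "out"
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass
class Rule:
    text: str
    action: str                    # "pass" or "block"
    direction: Optional[str] = None
    iface: Optional[str] = None    # interface name or interface group
    proto: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Every criterion the rule states must hold; unstated ones match anything."""
        if self.direction and self.direction != pkt.direction:
            return False
        if self.iface and pkt.iface not in GROUPS.get(self.iface, {self.iface}):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Grammar: (pass|block) [in|out] [log] [quick] [on IF] [proto P] [to port N] | all"""
    toks = line.split()
    if toks[0] not in ("pass", "block"):
        raise ValueError(f"unknown action in {line!r}")
    rule = Rule(text=line, action=toks[0])
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t == "log":
            rule.log = True
        elif t in ("all", "to"):
            pass                      # "all" matches everything; "to" precedes "port"
        elif t in ("on", "proto", "port"):
            i += 1                    # these keywords take one argument
            field = {"on": "iface", "proto": "proto", "port": "dport"}[t]
            setattr(rule, field, int(toks[i]) if t == "port" else toks[i])
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 1
    return rule


def parse_ruleset(conf: str) -> list:
    """Parse a multi-line ruleset, ignoring blank lines and '#' comments."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def evaluate(rules, pkt: Packet) -> Tuple[str, Optional[str], bool]:
    """Return (verdict, winning rule text, whether the winning rule logs).

    As in pf: walk the rules top to bottom, remember the last one that
    matched, stop early on a matching `quick` rule. No match at all: pass."""
    winner = None
    for r in rules:
        if r.matches(pkt):
            winner = r
            if r.quick:
                break
    if winner is None:
        return "pass", None, False
    return winner.action, winner.text, winner.log


# Constructed rulesets for the situations the post warns about.
LAST_MATCH_WINS = "block all\npass all"       # the pass wins: it is last
QUICK_ESCAPES = "block quick all\npass all"   # quick stops evaluation at the block
GROUPED = """
block log all                                 # default deny, logged to pflog0
pass out quick on egress proto tcp to port 80
pass in quick on internal proto tcp to port 22
"""


def verdict(conf: str, pkt: Packet) -> str:
    """Convenience wrapper: just the pass/block decision for one packet."""
    return evaluate(parse_ruleset(conf), pkt)[0]
```

Running `verdict(LAST_MATCH_WINS, Packet("xl0", "in", "tcp", 22))` gives "pass" while the same packet against QUICK_ESCAPES gives "block", which is the whole point of the post's warning. Against GROUPED, inbound SSH on xl0 hits only "block log all" (and would show up on pflog0), while the same packet on xl1 is passed by the quick rule on the internal group.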