DaemonForums > FreeBSD > FreeBSD Security
Old 10th November 2008
neurosis neurosis is offline
Fdisk Soldier
Join Date: Jul 2008
Posts: 69
Pf Nat getting started ??

I created a very very simple set of PF rules to try and get my idea for a simplified home network setup. I have somewhat of a question on this posted in another thread, but it became a bit off topic and this is a little more specific. I've created a very simple set of rules in PF for NAT and some redirecting, and before I put this together I would like some opinions/suggestions. This is not meant to be a secure set up as of yet, although I would love some suggestions to help secure it without breaking it with my limited knowledge.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="re0"                      # The external interface to internet
int_if="rl0"                      # The internal interface to Linksys wrt54gl

#external_addr=""                 # My external address is DHCP so this doesn't do me any good?
webserver=""                      # jailed in host (the jail's address goes here)
ftpserver=""                      # jailed in host (the jail's address goes here)
webports="{80, 8080, 443, 22}"
ftpports="{21, 22}"               # a list needs braces; pf rejects "port 21, 22"
internal_ports="{55, 88}"         # just entered some arbitrary numbers that will be forwarded to linksys to be changed later.

set block-policy return
set loginterface $ext_if
set skip on lo

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with any source address other than
# $ext_if's own are translated as coming from the address of $ext_if, a state
# is created for such packets, and incoming replies are translated back to
# the internal address.

nat on $ext_if from !($ext_if) to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination ($ext_if) and one of the
# listed ports are redirected to the jail. A state is created for such packets,
# and outgoing replies are translated as coming from the external address.
# The first matching rdr wins, so port 22 (listed in both macros) always goes
# to $webserver; the $ftpserver rule only ever sees port 21.

rdr on $ext_if proto tcp from any to ($ext_if) port $webports -> $webserver
rdr on $ext_if proto tcp from any to ($ext_if) port $ftpports -> $ftpserver

# Make sure we don't block any traffic to test setup.
# Rules
pass in all
pass out all

My goal is to allow anything coming from my int_if out to the internet and have few ports allowed to connect to it. I also eventually want to start blocking what is allowed from int_if to my firewall, but I don't have that figured out yet. I also eventually want to limit what is allowed in and out of the jails. Does this look like something that would work, or are my rules very bad?

Last edited by neurosis; 10th November 2008 at 09:03 PM.

Tags: ftpd, jail, nat, pf, routing
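The ruleset the poster wants to end up with (LAN out, a few ports in, the firewall itself reachable from the LAN only on SSH, jails limited in what they can do) looks roughly like the following. This is an added example written for this thread, not the poster's configuration: it keeps the poster's interface names (re0 outside, rl0 towards the Linksys) and port forwards, but every address, the LAN subnet, the passive-FTP range and the jails' outbound policy are assumptions and have to be replaced with the real values. Syntax is the pre-4.7 pf dialect FreeBSD 7 shipped in 2008 (separate nat/rdr section, explicit keep state).

```pf
# Added example for this thread, not from the original post. The poster's
# macros are kept; "pass in all / pass out all" is replaced by default deny.
# Everything marked "assumed" is a placeholder for the real network.
ext_if="re0"                      # external interface (DHCP, so always used as ($ext_if))
int_if="rl0"                      # internal interface towards the Linksys wrt54gl
int_net="192.168.1.0/24"          # assumed: network between rl0 and the Linksys
webserver="10.0.0.2"              # assumed: web jail address (alias on the host)
ftpserver="10.0.0.3"              # assumed: ftp jail address
jail_net="10.0.0.0/24"            # assumed: network the jail addresses live in
webports="{ 80, 443 }"            # 22 and 8080 removed from the poster's list
ftp_pasv="49152:65535"            # assumed: passive data range the jail's ftpd uses

set block-policy drop             # drop silently on the Internet side
set loginterface $ext_if
set skip on lo

scrub in all                      # reassemble fragments before filtering

# Translation. Jail traffic is tagged while it is NATed: after NAT every
# outbound packet on $ext_if has ($ext_if) as source, so the tag is the only
# way the filter rules below can still tell jail traffic from LAN traffic.
nat on $ext_if from $jail_net to any tag JAIL_OUT -> ($ext_if)
nat on $ext_if from $int_net  to any -> ($ext_if)

# Port forwards. The first matching rdr wins, so no port appears in two lists.
rdr on $ext_if proto tcp from any to ($ext_if) port $webports -> $webserver
rdr on $ext_if proto tcp from any to ($ext_if) port { 21, $ftp_pasv } -> $ftpserver

# Filtering. Default deny both ways, logged; drop spoofed sources on rl0.
block in log all
block out log all
antispoof quick for $int_if

# Jails: only DNS lookups and HTTP(S) fetches out (assumed policy); anything
# else a jail tries to send is stopped by the quick block.
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any port { 53, 80, 443 } tagged JAIL_OUT keep state
block out quick on $ext_if all tagged JAIL_OUT

# Host and forwarded LAN traffic may leave on any interface.
pass out keep state

# LAN: may reach the Internet, but the firewall itself only on SSH.
pass in on $int_if proto tcp from $int_net to ($int_if) port 22 flags S/SA keep state
pass in on $int_if from $int_net to !($int_if) keep state

# Internet: only the redirected services. Filter rules see the packet after
# rdr, so the destination is the jail address, not ($ext_if).
pass in on $ext_if proto tcp from any to $webserver port $webports flags S/SA keep state
pass in on $ext_if proto tcp from any to $ftpserver port { 21, $ftp_pasv } flags S/SA keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. Points that bite with the poster's draft: with `pass in all` there is nothing stopping the Linksys side from reaching the firewall, and once `pass in all` goes away the inbound pass rules must name the jail addresses, because rdr has already rewritten the destination by the time the filter rules run. Port 22 cannot be redirected into two jails at once; here it is not redirected at all, so SSH to the firewall is only possible from the LAN. FTP needs more than port 21: passive mode needs the data range redirected as shown and the jail's ftpd has to announce the external address in its PASV replies, and active mode does not work through NAT without ftp-proxy(8). The jail policy uses the nat rule's `tag` because, on $ext_if, outbound packets from the jails are already translated and can no longer be matched on their own source address.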
