pf.conf examples (part 2)

Posted 11th January 2010 by lumiwa (Package Pilot, Join Date: May 2008, Posts: 145) in DaemonForums > OpenBSD > OpenBSD Security

I am a newbie too and I am trying to configure pf.conf for my standalone computer. I read many examples, and for a long time I had:
Code:
# Macros
ext_if = "rl0"

# Options: tune the behavior of pf.
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo

# Normalization: reassemble fragments etc.
scrub in all

# Filtering
antispoof quick for $ext_if

# Nobody gets in from the outside!
block in log quick on $ext_if all label "inblock"

# Block by default. (pass rules should follow later).
block out log on $ext_if all label "outblock"

pass out on $ext_if inet proto tcp all
pass out on $ext_if inet proto udp all
# allow outbound ping (ICMP echo request)
pass out on $ext_if inet proto icmp all icmp-type 8
Now I have:
Code:
#macro
ext_if = "rl0"

# options have to come before normalization and filter rules
# (pfctl enforces this order unless "set require-order no" is given)
set skip on lo0

scrub in on $ext_if all fragment reassemble
block all
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN  - Finish; end of session
### * S : SYN  - Synchronize; indicates request to start session
### * R : RST  - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK  - Acknowledgement
### * U : URG  - Urgent
### * E : ECE  - Explicit Congestion Notification Echo
### * W : CWR  - Congestion Window Reduced
### "flags a/b" means: every flag in a must be set, every flag in b but not
### in a must be clear, flags outside b are ignored.
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### set a rule that allows inbound ssh traffic with synproxy handshaking.
### NOTE: the ssh rule at the end of the file matches the same packets, is
### not "quick" and comes later, so it is the one that actually applies
### (last matching rule wins); this synproxy rule never ends up as the winner.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

### ssh brute-force throttling: a source that exceeds the limits is added to
### <ssh_abuse>, its existing states are flushed, and the quick rule below
### blocks it from then on.
table <ssh_abuse> persist
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
Thanks.
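Two things in the ruleset above are easy to get wrong when reading it: how pf interprets a `flags a/b` spec (the fingerprint-blocking lines) and which rule wins when several match (the two ssh `pass in` rules). The following is an added example, not code from this post or from OpenBSD's pf. It is a small Python model of those two mechanisms: `flags_match` applies pf's documented rule that every flag in `a` must be set, every flag in `b` but not in `a` must be clear, and everything else is ignored, and `evaluate` walks a ruleset the way pf does, last matching rule wins unless a matching rule is `quick`. The `Rule` class, `RULESET` (a simplified mirror of the inbound rules above, same order) and the sample packets in `trace_samples` are all constructed for this illustration.

```python
"""Toy model of pf's `flags a/b` matching and last-match-wins evaluation.

Added example for this thread, not the poster's or OpenBSD's code.  The
ruleset and packets below are constructed to mirror the inbound rules of
the pf.conf above in simplified form (interface, protocol and state
options are left out).
"""
from dataclasses import dataclass
from typing import Optional

# TCP flag letters as pf spells them (pf.conf(5)), mapped to header bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flags_to_bits(letters: str) -> int:
    """'SA' -> SYN|ACK; '' -> 0 (the empty set side of a spec like '/WEUAPRSF')."""
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]  # unknown letter -> KeyError, like a pfctl syntax error
    return bits


def flags_match(spec: str, pkt_flags: int) -> bool:
    """pf semantics for `flags a/b`: flags in a must be set, flags in b but
    not in a must be clear, flags outside b are ignored.  That is exactly
    (pkt & b) == a, provided a is a subset of b (pfctl rejects the rest)."""
    want, mask = spec.split("/")
    want_bits, mask_bits = flags_to_bits(want), flags_to_bits(mask)
    if want_bits & ~mask_bits:
        raise ValueError(f"flags {spec}: set bits must also appear in the mask")
    return (pkt_flags & mask_bits) == want_bits


@dataclass
class Rule:
    action: str                        # "block" or "pass"
    label: str                         # name reported in the decision
    direction: Optional[str] = None    # "in", "out", or None for both (`block all`)
    flags: Optional[str] = None        # e.g. "S/SA"; None means no flag test
    port: Optional[int] = None         # destination port; None means any
    quick: bool = False


def evaluate(rules, direction: str, pkt_flags: int, dport: int):
    """Walk the ruleset as pf does: the LAST matching rule decides, unless a
    matching rule is `quick`, which ends the walk immediately.  With no
    matching rule at all pf passes the packet."""
    winner = ("pass", "default")
    for r in rules:
        if r.direction not in (None, direction):
            continue
        if r.port is not None and r.port != dport:
            continue
        if r.flags is not None and not flags_match(r.flags, pkt_flags):
            continue
        winner = (r.action, r.label)
        if r.quick:
            break
    return winner


ALL = "WEUAPRSF"
# Constructed, simplified mirror of the poster's inbound rules, same order.
RULESET = [
    Rule("block", "block all"),
    Rule("block", "xmas FUP", "in", f"FUP/{ALL}", quick=True),
    Rule("block", "all flags set", "in", f"{ALL}/{ALL}", quick=True),
    Rule("block", "SRAFU", "in", f"SRAFU/{ALL}", quick=True),
    Rule("block", "null scan", "in", f"/{ALL}", quick=True),
    Rule("block", "SYN+RST", "in", "SR/SR", quick=True),
    Rule("block", "SYN+FIN", "in", "SF/SF", quick=True),
    Rule("pass", "ssh synproxy", "in", "S/SA", port=22),
    Rule("pass", "www synproxy", "in", "S/SA", port=80),
    Rule("pass", "ssh overload", "in", "S/SA", port=22),
]


def trace_samples():
    """Run constructed inbound packets (description, flag letters, dport)
    through RULESET and return {description: (action, winning rule)}."""
    samples = [
        ("plain SYN to ssh", "S", 22),
        ("plain SYN to https", "S", 443),
        ("Xmas scan (FIN/URG/PSH) to ssh", "FUP", 22),
        ("null scan to www", "", 80),
        ("SYN+FIN to www", "SF", 80),
        ("unsolicited SYN+ACK to ssh", "SA", 22),
    ]
    return {desc: evaluate(RULESET, "in", flags_to_bits(f), port)
            for desc, f, port in samples}


if __name__ == "__main__":
    for desc, (action, label) in trace_samples().items():
        print(f"{desc:35s} -> {action:5s} ({label})")
```

The trace shows the point made in the comments of the config: a normal SYN to port 22 is passed by the "ssh overload" rule, not by the "ssh synproxy" rule, because both match and the later one wins. On a real system the equivalent checks are `pfctl -nf /etc/pf.conf` to parse the file without loading it, `pfctl -sr` to see the rules in the order pf evaluates them, and `pfctl -t ssh_abuse -T show` to list the addresses the overload rule has collected.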