OpenBSD Security: Help with my pf rule please
Posted by whispersGhost, 19th April 2012

I am not too happy with how my rules are working.

What I would like is this:

1) My web server to work

2) Block any other traffic in or out

3) My block ping ruleset to actually work

Can someone please fix this for me? Maybe the order is wrong, I am not sure.

I do know that if I uncomment my rules for my web server, it still works from another networked machine, as long as (pass to keep state is enabled)
down below.

When I disable pass I can't access my server even if I uncomment my web server rules.

OK, I have like 3 wired machines at home.
This is the main one.

Modem----->Router---->(Vonage-Phone adapter)--->Networked machine

I have a little understanding of macros,
but not too much of tables yet.

Here is a copy of my ruleset:
#	$OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
#- in /etc/sysctl.conf if packets are to be forwarded between interfaces.

server =
ext_if = "lo0"
int_if = "r10"

# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to port 8021

# Here is my web server. This rule does not seem to work even if I comment it out when pass to establish state is on.
pass in on $ext_if proto tcp from any to $ext_if port 7008 \
rdr-to $server port 7008

# anchor for relayd(8)
#anchor "relayd/*"

set block-policy return
set loginterface $ext_if
set skip on lo0

# Supposed to stop ping, but from a networked PC it's not blocking
block in on $ext_if inet proto icmp all

block in all

#to establish to keep state
pass 		# to establish keep-state

antispoof for $ext_if
antispoof for $int_if
set block-policy return

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp

#block in quick from urpf-failed to any	# use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
The journey is better than the destination
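The following is an added example of a ruleset that meets the three goals listed in the post; it is written here for illustration and is not the poster's ruleset or OpenBSD's stock pf.conf. It differs from the posted ruleset mainly in rule order: pf takes the last matching rule unless a rule says `quick`, so a bare `pass` placed after the `block` lines overrides them, and `set skip on lo0` combined with `ext_if = "lo0"` means no rule on `$ext_if` is ever evaluated. It assumes the web server runs on this host on TCP 7008 and that the external interface is called em0 (substitute the real name from ifconfig).

```conf
# Added example pf.conf (not the poster's ruleset). Assumptions: the web
# server is on this host, listening on TCP 7008; the external interface is
# em0 (substitute the real name from ifconfig). Rule order matters: pf uses
# the LAST matching rule unless a rule says "quick", so every "pass" below
# sits after the default "block", never the other way round.
ext_if   = "em0"
web_port = "7008"

set block-policy drop       # silently drop instead of sending RST/ICMP
set loginterface $ext_if
set skip on lo0             # loopback is exempt; ext_if must NOT be lo0

# Drop packets with spoofed source addresses before anything else
antispoof quick for $ext_if

# Default deny, both directions, logged. Replies to the connection passed
# below are still allowed because "pass" keeps state by default.
block log all

# Goal 3: block ping. "quick" ends evaluation here, so no later "pass"
# can override it (IPv4 only; ICMPv6 is left alone because neighbour
# discovery depends on it).
block in log quick on $ext_if inet proto icmp

# Goal 1: the web server, and nothing else, is reachable from outside.
pass in on $ext_if inet proto tcp to ($ext_if) port $web_port

# Remote X11 stays blocked, as in the stock pf.conf
block in quick on ! lo0 proto tcp to port 6000:6010

# Goal 2 blocks outbound too. If this host itself must reach the net
# (DNS, pkg_add), add a narrow rule such as:
# pass out on $ext_if inet proto { tcp udp } to any port { 53 80 443 }
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules in the order pf evaluates them.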

Last edited by ocicat; 19th April 2012 at 09:29 AM. Reason: Please use [code]/[/code] tags when posting code.