Help with my pf rule please
i am not too happy how my rules are working.
What i would like is this
1) My web server to work
2) Block any other traffic in or out
3) My block ping ruleset to actually work
Can someone please fix this for me maybe the order is wrong i am not Sure.
i do know if i uncomment out my rules for my web server it still works from another networked machine, as long as (pass to keep state is enabled)
When i disable pass i cant access my server even if i uncommet my Web server rules.
Ok like i have like 3 wired machines at home
This is the Main one.
Modem----->Router---->(Vonage-Phone adapter)--->Networked machine 184.108.40.206----OpenBSD
i have a little understanding about macros
but not too much with tables yet
Here is a copy of my ruleset
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $ # # See pf.conf(5) for syntax and examples. # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 #- in /etc/sysctl.conf if packets are to be forwarded between interfaces. server = 220.127.116.11 ext_if = "lo0" int_if = "r10" # filter rules and anchor for ftp-proxy(8) #anchor "ftp-proxy/*" #pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021 # Here is my web server this rule does not seem to work even if i comment it out when pass to establish state is on. pass in on $ext_if proto tcp from any to $ext_if port 7008 \ rdr-to $server port 7008 # anchor for relayd(8) #anchor "relayd/*" set block-policy return set loginterface $ext_if set skip on lo0 # Supose to stop ping but from networked pc its not Blocking block in on $ext_if inet proto icmp all block in all #to establish to keep state pass # to establish keep-state antispoof for $ext_if antispoof for $int_if set block-policy return # rules for spamd(8) #table <spamd-white> persist #table <nospamd> persist file "/etc/mail/nospamd" #pass in on egress proto tcp from any to any port smtp \ # rdr-to 127.0.0.1 port spamd #pass in on egress proto tcp from <nospamd> to any port smtp #pass in log on egress proto tcp from <spamd-white> to any port smtp #pass out log on egress proto tcp to any port smtp #block in quick from urpf-failed to any # use with care # By default, do not permit remote connections to X11 block in on ! lo0 proto tcp to port 6000:6010
The journey is better then the destination
Last edited by ocicat; 19th April 2012 at 09:29 AM. Reason: Please use [code]/[/code] tags when posting code.
|Thread||Thread Starter||Forum||Replies||Last Post|
|most paranoiac pf rule set for OpenBSD desktop||daemonfowl||OpenBSD Security||19||27th February 2012 08:33 PM|
|PF rule to disable icmp?||cyanide_christ||OpenBSD Security||6||15th October 2009 05:35 AM|
|pf: why is that rule not working?||ivanatora||FreeBSD General||14||11th December 2008 09:32 AM|
|pf.conf brute force rule||ijk||FreeBSD Security||6||11th August 2008 04:54 PM|