OpenBSD Security: Functionally paranoid!
Things I can see:
Heather .... I'm going to make a guess that what you have is an OpenBSD end-point server -- it does no routing of packets elsewhere, and all you want PF to do is block all traffic for anything except TCP traffic to port 7008. If so, then perhaps this silly little 3 line pf.conf will suffice:
Code:
interface = "rl0"
block all
pass in on $interface proto tcp from any to any port 7008

The first rule is a block all. All packets evaluate for true, in all directions, and all traffic is blocked. The second rule is a pass for all traffic from anywhere to anywhere that is destined for port 7008. Now, obviously, the only inbound traffic will be destined for this server, since it is not a router and does not forward anything. So all inbound traffic for destination port 7008 will match and be passed. TCP traffic is "stateful", and the default on TCP traffic is to "keep state", so PF will pass all outbound traffic back to the originator without needing any new rules, as long as the TCP session remains active. Once the state terminates, no outbound traffic will be permitted.

Hope this helps. I recommend a careful review of the PF Users Guide, which is part of the OpenBSD FAQ. I also recommend Peter Hansteen's The Book of PF.
Hi
@Jiggimi
You are right about me using the wrong IP. The reason is I had forgotten that my Vonage adapter used to be behind my modem, then my Linksys router. The Vonage adapter is also a router, which uses 192.158. But I had forgotten that I had recently reversed the routers to Cable Modem---:Linksys---:Vonage adapter----:PC. My other problem is when I change my $ext_if and $int_if as you suggested, my terminal will hang when I apply the commands:
Code:
sudo pfctl -f pf.conf
It just sits with the blinking cursor. Same thing at boot up starting the network: it will hang till I break it. Thanks for the other help as well; as for it hanging, what should I do? Thanks
__________________
The journey is better than the destination
Book of pf
Quote:
I recommend a careful review of the PF Users Guide, which is part of the OpenBSD FAQ. I also recommend Peter Hansteen's The Book of PF.

Jimmi, I love to read. I still have my older books for FreeBSD and the OpenBSD 4.0 book. Unfortunately a lot of it does not apply to today's versions for some things. I do read the FAQs a lot; I get lost at times reading it, as I must admit for PF material I may need PF for Dummies, since I'm a little slow on that aspect. Would fwbuilder help me also learn at all? I used to use it long ago with FreeBSD. Now if I get the book you referred to or read the FAQs, am I supposed to look for the current version I am using, 5.0? Another question I have is this: if I decide to install a package at any time, since I have my PKG_PATH and PKG_CACHE set, how can I access the files if my pf rules are set the way you have them, the way I preferred? By forwarding the port to ftp, I imagine, temporarily. Jimmi, thank you so much for all the effort and patience for a slowbie like me, hee. If I ever learn to create my own distro I should name it SlowbieBSD lol
__________________
The journey is better than the destination
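The following pf.conf is an added example, not from either poster, that takes jggimi's three-line ruleset above (block all, pass in TCP to 7008, replies allowed by the default kept state) and extends it to answer the package-fetching question in this post. The interface name rl0 and port 7008 come from the thread; the loopback skip, the DNS and HTTP egress rules, and the choice of an HTTP mirror in PKG_PATH are assumptions about how the machine will fetch packages.

```pf
# Added example pf.conf (not from the thread). rl0 and 7008 are the
# thread's values; everything else is an assumption.
ext_if   = "rl0"
svc_port = "7008"

# Leave loopback alone, so tests run from the box itself against
# 127.0.0.1 are not affected by the ruleset.
set skip on lo0

# Default deny in both directions, as in the thread.
block all

# Inbound: only the service port. TCP keeps state by default, so the
# replies go back out without a matching "pass out" rule.
pass in on $ext_if proto tcp to port $svc_port

# Outbound: just enough for pkg_add with an HTTP mirror in PKG_PATH
# (PKG_PATH=http://...), plus DNS to resolve the mirror's name.
# Passive FTP needs connections to arbitrary high ports, so it cannot
# be permitted this narrowly; an HTTP mirror avoids that.
pass out on $ext_if proto udp to port 53
pass out on $ext_if proto tcp to port { 80 443 }
```

Parse the file before loading it with `pfctl -nf /etc/pf.conf` (syntax check only, nothing is changed), then load it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules that are actually loaded and `pfctl -ss` the state entries, which is the quickest way to see whether a connection to 7008 is being passed.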
I never mentioned $int_if, and you have neither explained nor shown what this means. As I tried to tell you, macros are only variables, that are used for keyword substitution. And perhaps you're confused between the terms "internal" and "external". Allow me to try to enlighten you. If this is review, please forgive me. Based on what you've posted, my perception is of a person who continues to be confused.

A computer with more than one physical network interface can be used as a router -- to route packets between one network and another. If your computer has multiple network interfaces, and they are connected to separate networks, you can enable packet forwarding and route packets from one interface to the other. When a computer does this, we term it a "router." Your Linksys router does this, routing between your ISP's network and your private network. OpenBSD systems can do this, too, if they have more than one Network Interface Card (NIC).

I believe you only have a single interface ... at least, I presume that from what you have posted. In this case, there is no concept of "internal" or "external" networks, since you only have the one.
Hi
@jggimi
First I'm sorry if I misspelt your name in earlier posts; I had jiggimi instead of Jggimi. Thank you for the web site for the 3rd edition of TCP/IP. It looks like a good book. Also it is good that the FAQs are updated, as I would have gotten lost for sure and would have gone back to using OpenBSD 4.0. I was using the rules you gave me for now and my site is unreachable:
Code:
interface = "rl0"
block all
pass in on $interface proto tcp from any to any port 7008
When I decide that I want to install packages I'll just add a ruleset for ftp. Maybe you can find out why I can't access the site. Thanks, this has been a great help.
__________________
The journey is better than the destination
Not without more information, which I can only get from you.
If you are testing from the OpenBSD system itself, you aren't using the rl0 interface. Remember the loopback discussion? In this thread? If it's an external test, packets can be traced.
Typo
Jggimi
Wow, all this mess I got myself into for typos. Like I got everything running the way it should be with your help. And like now, what was wrong besides my other typo was I had
Code:
r10
rather than rl0. They do tend to look almost like twins lol. So my site works well now and everything you showed me seems fine as well. Blocks all in and out but inside requests to 7008. Thanks a bunch Jggimi
__________________
The journey is better than the destination
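The r10/rl0 mix-up above is a good illustration of why a "block all" ruleset should be checked before it is loaded: PF accepts a rule on an interface that does not exist, the pass rule then never matches, and only the block is left, which is exactly the hang Heather saw at `pfctl -f` and at network start. The script below is an added example (not from either poster or from OpenBSD itself): a small pre-flight check that extracts every interface name a pf.conf uses after `on`, expands one level of macros, and compares the names against the interfaces the host actually has. The sample pf.conf it checks is constructed to reproduce the thread's typo, and the interface list is passed in by hand so the script runs on any system.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check that every
# interface a pf.conf refers to exists on the host, so a typo such as
# "r10" for "rl0" is caught before "pfctl -f" loads a ruleset whose
# "pass" rules can never match (leaving only "block all").
# On OpenBSD the live interface list would come from:
#   ifconfig -a | sed -n 's/^\([a-z0-9]*\):.*/\1/p' | tr '\n' ' '
# Here a constructed list is passed in instead.

# pf_interfaces CONF
# Prints, sorted, each interface name that follows "on" in CONF, with one
# level of macro expansion (name = "value") applied to $name references.
pf_interfaces() {
    awk '
        /^[ \t]*#/ { next }
        # Record simple macro definitions such as:  interface = "rl0"
        match($0, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"[^"]*"/) {
            def  = substr($0, RSTART, RLENGTH)
            eq   = index(def, "=")
            name = substr(def, 1, eq - 1); gsub(/[ \t]/,  "", name)
            val  = substr(def, eq + 1);    gsub(/[ \t"]/, "", val)
            macro[name] = val
        }
        {
            n = split($0, w, /[ \t]+/)
            for (i = 1; i < n; i++) {
                if (w[i] != "on") continue
                v = w[i + 1]
                if (substr(v, 1, 1) == "$") {      # macro reference
                    v = substr(v, 2)
                    if (v in macro) v = macro[v]
                }
                seen[v] = 1
            }
        }
        END { for (v in seen) print v }
    ' "$1" | sort
}

# pf_check_ifaces CONF "IF1 IF2 ..."
# Returns 0 when every interface CONF references is in the list;
# otherwise reports each missing name and returns 1.
pf_check_ifaces() {
    conf=$1
    have=" $2 "
    rc=0
    for name in $(pf_interfaces "$conf"); do
        case "$have" in
            *" $name "*) ;;
            *) echo "pf.conf references an interface that does not exist: $name"
               rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample pf.conf reproducing the thread's typo (r10 for rl0).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
interface = "r10"
set skip on lo0
block all
pass in on $interface proto tcp from any to any port 7008
EOF

# Stand-alone run: the (constructed) host has lo0 and rl0, so r10 is flagged.
if pf_check_ifaces "$SAMPLE_CONF" "lo0 rl0"; then
    echo "ok: every interface in $SAMPLE_CONF exists"
else
    echo "fix $SAMPLE_CONF before loading it with pfctl -f"
fi
```

Run the interface check together with `pfctl -nf /etc/pf.conf`: the latter catches syntax errors, which PF refuses to load, while this script catches the case PF quietly accepts, a well-formed rule that can never match.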