pf.conf examples (part 2)
I am a newbie too and I try to configure pf.conf for my standalone computer. I read many examples and for a long time I had:
Code:
# Macros
ext_if = "rl0"

# Options: tune the behavior of pf.
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo

# Normalization: reassemble fragments etc.
scrub in all

# Filtering
antispoof quick for $ext_if

# Nobody gets in from the outside!
block in log quick on $ext_if all label "inblock"

# Block by default (pass rules should follow later).
block out log on $ext_if all label "outblock"

pass out on $ext_if inet proto tcp all
pass out on $ext_if inet proto udp all
# outbound ping: ICMP echo request
pass out on $ext_if inet proto icmp all icmp-type 8
Code:
# macro
ext_if = "rl0"

# table of hosts that abused ssh; declared before the rules that reference it
table <ssh_abuse> persist

# options must come before normalization and filter rules in pf.conf
set skip on lo0

scrub in on $ext_if all fragment reassemble

block all
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any

### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
###  * F : FIN  - Finish; end of session
###  * S : SYN  - Synchronize; indicates request to start session
###  * R : RST  - Reset; drop a connection
###  * P : PUSH - Push; packet is sent immediately
###  * A : ACK  - Acknowledgement
###  * U : URG  - Urgent
###  * E : ECE  - Explicit Congestion Notification Echo
###  * W : CWR  - Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### set a rule that allows inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

### drop listed abusers outright; the overload below adds offenders to the table
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
@lumiwa
I also have a tun0 interface that I include in antispoof (and snort).
__________________
The more you learn, the more you realize how little you know ....
Last edited by There0; 12th January 2010 at 02:15 PM.
@There0
I hope that I did what you suggested to me:
Code:
# macro name for external interface.
ext_if = sk0

# options must come before normalization and filter rules in pf.conf.
# the local loopback interface is skipped entirely, to prevent services
# utilizing the local loop from being blocked accidentally by antispoof.
set skip on lo

# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in all
# match in log on $ext_if scrub (no-df)

# set a default deny everything policy.
block log all
block log quick inet6 all

# exercise antispoofing on the external interface.
antispoof quick for $ext_if
antispoof log quick for { lo $ext_if } inet

# block anything coming from sources that we have no back routes for.
block in from no-route to any

# block packets that fail a reverse path check. we look up the routing
# table, check to make sure that the outbound is the same as the source
# it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any

# drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

# block packets claiming to come from reserved internal address blocks, as
# they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

pass out log on $ext_if proto tcp from any modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } from any
Thanks for your help.
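Both rulesets posted in this thread originally placed `set skip` after filter rules, and the second declared `table <ssh_abuse>` after the rules that reference it; the pf.conf(5) grammar of that era required macros and tables first, then options, normalization, queueing, translation and finally filter rules, and pfctl refused a file that broke that order. The following is an added example, not code from any poster in this thread: a small Python linter that reads a ruleset and reports out-of-order sections and macros or tables used before they are defined, so a mistake is caught before `pfctl -nf /etc/pf.conf` (the authoritative check) is run. The two rulesets embedded in it are constructed samples, not the ones posted above.

```python
import re

# Section rank in the order the older pf.conf(5) grammar required them.
SECTION_RANK = {
    "macro": 0, "table": 1, "option": 2, "normalization": 3,
    "queueing": 4, "translation": 5, "filter": 6,
}
_KEYWORD_SECTION = {
    "table": "table", "set": "option", "scrub": "normalization",
    "altq": "queueing", "queue": "queueing",
    "nat": "translation", "rdr": "translation", "binat": "translation",
    "pass": "filter", "block": "filter", "antispoof": "filter",
}
_MACRO_DEF = re.compile(r"^([A-Za-z_]\w*)\s*=")
_TABLE_DEF = re.compile(r"^table\s+<([^>]+)>")
_MACRO_USE = re.compile(r"\$([A-Za-z_]\w*)")
_TABLE_USE = re.compile(r"<([^>]+)>")


def classify(line):
    """Map one logical pf.conf line to the section it belongs to."""
    if _MACRO_DEF.match(line):
        return "macro"
    return _KEYWORD_SECTION.get(line.split()[0], "unknown")


def logical_lines(text):
    """Yield (lineno, line) with comments stripped and backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        code = raw.split("#", 1)[0].strip()
        if not code:
            continue
        if start is None:
            start = n
        if code.endswith("\\"):
            buf.append(code[:-1].strip())
            continue
        buf.append(code)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def lint(text):
    """Return a list of findings (empty list means the ruleset passed)."""
    findings, macros, tables, highest = [], set(), set(), 0
    for n, line in logical_lines(text):
        section = classify(line)
        if section == "unknown":
            findings.append(f"line {n}: unrecognised rule '{line.split()[0]}'")
            continue
        rank = SECTION_RANK[section]
        if rank < highest:
            findings.append(f"line {n}: {section} rule after a later section "
                            "(options must precede scrub, which must precede filter rules)")
        highest = max(highest, rank)
        if m := _MACRO_DEF.match(line):
            macros.add(m.group(1))
        if t := _TABLE_DEF.match(line):
            tables.add(t.group(1))
        for name in _MACRO_USE.findall(line):
            if name not in macros:
                findings.append(f"line {n}: macro ${name} used before it is defined")
        for name in _TABLE_USE.findall(line):
            if name not in tables:
                findings.append(f"line {n}: table <{name}> used before it is defined")
    return findings


# Constructed sample: reproduces the two ordering mistakes discussed above.
BROKEN_RULESET = """\
ext_if = "rl0"
scrub in all
block all
set skip on lo0            # option after filter rules
pass in on $ext_if proto tcp from <ssh_abuse> to any port ssh
table <ssh_abuse> persist  # declared after use
"""

# Constructed sample: the same intent in the required order.
GOOD_RULESET = """\
ext_if = "rl0"
table <ssh_abuse> persist
set skip on lo0
scrub in all
antispoof quick for $ext_if
block all
block in quick from <ssh_abuse>
pass out on $ext_if proto { tcp, udp } modulate state
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_RULESET), ("good", GOOD_RULESET)):
        print(f"{name}: {lint(text) or 'ok'}")
```

The linter only covers ordering and definition-before-use; it knows nothing about interface names or rule semantics, so a ruleset it accepts still has to be checked with `pfctl -nf` on the machine it is meant for.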
lumiwa, your initial post was made to a thread which was over six months old. Although there is some overlap on what you ask & the original thread, you should have started a new thread. In forum terminology, this is known as "hijacking" discussion.
I have separated out all posts relating to your discussion into a new thread, but in the future when you find a long-standing thread in which you want to continue discussion, please start a new thread. We try to honor the direction set by the initial poster. Thanks.