FreeBSD Security: Securing FreeBSD.

pf rule set for web server on dedicated.
I need a quick setup for PF.
Don't have the time now to learn all the rule sets. I need all the protection for the web server possible + allow access from the inside for sysadmins. Do you know a good example? Thanks.
Found this on the net,
Can't find any good example on the net.
Can you please help with making this a working PF file? Thanks. Code:
# --- test.pf: the rules I have so far ---
EXT = "em0"
set skip on lo0
# Block everything by default
block log all
# In
pass in quick on $EXT inet proto tcp from any to port {22, 80}
# Out
pass out quick on $EXT inet all

# --- what pfctl -vvnf test.pf prints for the rules above ---
EXT = "em0"
set skip on { lo0 }
@0 block drop log all
@1 pass in quick on em0 inet proto tcp from any to any port = ssh flags S/SA keep state
@2 pass in quick on em0 inet proto tcp from any to any port = www flags S/SA keep state
@3 pass out quick on em0 inet all flags S/SA keep state

# --- fragments collected from other examples on the net; they use macros
# --- ($ext_if, $int_if, $comp3, $icmp_types, $webserver) and the table
# --- <bad_hosts> that are not defined anywhere in test.pf
# activate spoofing protection for all interfaces
block in quick from urpf-failed
pass in on $ext_if proto tcp from any to 202.4.2.1 port 80 flags S/SA synproxy state
# catches any attempts to connect to TCP port 80 (OpenBSD rdr-to syntax)
pass in on egress inet proto tcp to (egress) port 80 \
    rdr-to $comp3 synproxy state
pass in inet proto icmp all icmp-type $icmp_types
# traffic must be passed to and from the internal network
pass in on $int_if
# Block PING to a server
block return-icmp in quick on fxp0 proto icmp from any to 10.0.0.1
# block IPs with high connection rates
block quick from <bad_hosts>
pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state \
    (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
Last edited by ocicat; 13th September 2012 at 06:11 PM. Reason: Please use [code] & [/code] tags when posting file contents.
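One way to turn the fragments above into a single consistent FreeBSD pf.conf for the case described (one host on the internet, HTTP from anywhere, SSH only for the sysadmins). This is an added example, not a file from the thread; the interface name em0, the admin network 192.0.2.0/24 and the ICMP types allowed are assumptions that must be changed to match the real host.

```pf
# Added example pf.conf (assumptions: em0 is the only NIC, sysadmins
# connect from 192.0.2.0/24; both values must be adjusted).
ext_if    = "em0"
admin_net = "{ 192.0.2.0/24 }"
icmp_types = "{ echoreq, unreach }"   # ping plus path-MTU messages
table <bad_hosts> persist              # filled by the overload options below

set skip on lo0
scrub in on $ext_if all

# Default deny in both directions; log what gets dropped
block log all

# Drop packets whose source address is not routable back out $ext_if
block in quick from urpf-failed

# Anything the rate limiters have already placed in <bad_hosts> is dropped first
block in quick on $ext_if from <bad_hosts>

# Enough ICMP to keep ping and path-MTU discovery working
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# SSH only from the admin network, with a brute-force limit:
# more than 5 new connections in 30 s from one address adds it to <bad_hosts>
pass in quick on $ext_if inet proto tcp from $admin_net to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bad_hosts> flush global)

# HTTP from anywhere; synproxy finishes the handshake before the web server
# sees it, and 100 connections in 10 s from one address adds it to <bad_hosts>
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port www \
    flags S/SA synproxy state \
    (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

# Let the server itself open outbound connections (DNS, NTP, updates)
pass out quick on $ext_if inet keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and load it from the console (or with a scheduled fallback), because the SSH rule cuts off any admin session that does not come from $admin_net.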
barti, one of the things this site attempts to promote is good practice done by sysadmins. Having no knowledge of what rules are being used is not a good practice.
One of the things you may learn is that rulesets are specific to the network topology in which they are used. Even if someone wanted to do your work for you, without knowledge of the specifics of your network arrangement, they aren't going to get far.
The links are the sources of my example posts.
I need only a basic pf file.
One web server connected to the internet.
- SSH
- HTTP
Nothing more. Thanks.
ok ok