On Sun, Nov 26, 2006 at 01:35:57PM -0000, Daniel wrote:
> I was wondering if I could get some opinions on this ruleset please -
>
> Basically, I have FreeBSD 6.1, running an IRC server on ports 6697, 7000,
> 6659 through to 6671, 9999, 27888. I am also running a nameserver, so have
> opened TCP and UDP 53. I also want incoming on port 80 and 22.
>
> I have about 15 IP addresses assigned to my external interface... would it
> be better to make a table for these? Or is using the ext_if as a macro just
> as effective?
>
>
> ext_if="rl0"
>
> tcp_services="{ 22, 80, 53, 6633, 6697, 7000, 6659 >< 6671, 9999, 27888 }"
> udp_services="{ 53 }"
> icmp_types="echoreq"
>
> set block-policy return
> set loginterface $ext_if
>
> set skip on lo
> scrub in
>
> block in
>
> pass out keep state
>
> antispoof quick for { lo $int_if }
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>     port $tcp_services flags S/SA keep state

here i'd suggest using synproxy state

($ext_if) translates to an ip address of the interface, and not to all
addresses on the interface. so you might get some unexpected behaviour from
these rules, watch out. as DNA had said, "expect the unexpected" ;)

> pass in on $ext_if inet proto udp from any to ($ext_if) \
>     port $udp_services keep state
>
>
> pass in inet proto icmp all icmp-type $icmp_types keep state

wrong. use this:

pass in on $ext_if proto icmp

if you wonder why, read the openbsd's FAQ on pf. or just google for it

Bye,

Gergely Czuczy
mailto: [EMAIL PROTECTED]

--
Weenies test.
Geniuses solve problems that arise.
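For reference, here is the same policy with the points raised in this thread applied: the external addresses held in a table (which Daniel asked about) instead of relying on ($ext_if) expansion, synproxy state on the TCP services, and the ICMP rule bound to the external interface. This is an added example, not Daniel's ruleset or Gergely's reply; the table entries are constructed placeholders from RFC 5737 documentation space, rl0 is assumed to still be the external interface, and because no int_if macro is defined in the posted ruleset, antispoof is applied to lo and the external interface only.

```pf
# Added example: Daniel's policy with the thread's suggestions applied.
# ASSUMPTIONS: rl0 is the external interface; the addresses below are
# constructed placeholders, not the real 15 addresses on the host.
ext_if="rl0"

# Every address bound to the external interface, listed explicitly so the
# pass rules match all of them rather than whatever ($ext_if) expands to.
# 'const' keeps the table from being modified at runtime with pfctl -t.
table <ext_addrs> const { 192.0.2.10, 192.0.2.11, 192.0.2.12 }

tcp_services="{ 22, 80, 53, 6633, 6697, 7000, 6659 >< 6671, 9999, 27888 }"
udp_services="{ 53 }"
icmp_types="echoreq"

set block-policy return
set loginterface $ext_if
set skip on lo

scrub in

# Default deny inbound; everything outbound is allowed and tracked.
block in
pass out keep state

# int_if is not defined in the posted ruleset, so only lo and rl0 here.
antispoof quick for { lo $ext_if }

# synproxy state: pf completes the TCP three-way handshake itself and only
# hands the connection to the daemon once the client has proven it can
# finish the handshake, so half-open SYN floods never reach ircd/named/sshd.
pass in on $ext_if inet proto tcp from any to <ext_addrs> \
    port $tcp_services flags S/SA synproxy state

pass in on $ext_if inet proto udp from any to <ext_addrs> \
    port $udp_services keep state

# ICMP bound to the external interface as the reply suggests, still
# restricted to echo requests so only ping is answered from outside.
pass in on $ext_if inet proto icmp icmp-type $icmp_types keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; the parse run will also flag any macro (such as int_if) that is referenced but never defined.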