I would not recommend allowing everyone under the sun ssh access to the box. Either restrict it by outside IP if possible and if that is not possible at least alter the port to prevent bots.
~Patrick

-----Original Message-----
From: owner-freebsd...@freebsd.org [mailto:owner-freebsd...@freebsd.org] On Behalf Of Kurt Turner
Sent: Thursday, January 07, 2010 4:27 PM
To: freebsd-pf@freebsd.org
Subject: freebsd 8

Hello all

In an effort not to create yet another insecure server on the www I'd like to ensure my pf.conf file is good and secure - will someone please review this configuration and let me know your thoughts? I only want to allow www and ssh inbound and have limited access also outbound - this is a remote web server I do not have access to at all.

TIA

#### First declare a couple of variables
# outgoing services
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43 }"
udp_services = "{ domain, ntp }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
ext_if = "re0" # Internet

#### Normalization
scrub in all

#### Start filtering
# Drop incoming everything
block in all
# Default connection refused message to client
block return
# keep state of outgoing connections
pass out keep state
# activate spoofing protection for all interfaces
block in quick from urpf-failed
# Antispoof is a common special case of filtering and blocking.
# This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
# Block RFC 1918 addresses
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians
# Allow outgoing via ssh, smtp, domain, www, https, whois etc
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
# Allow outgoing traceroute
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# Allow http traffic
# ("synproxy state" already tracks state and rewrites sequence numbers;
#  "synproxy modulate state" is not valid pf syntax)
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
# SSH
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
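Patrick's advice above (restrict ssh by source address rather than changing the port), turned into pf rules as an added example that is not from either poster's mail: inbound ssh is limited to a table of management addresses, and both ssh and www get a per-source connection cap that feeds an overload table. The interface is Kurt's re0; the <admins> addresses are placeholders from the TEST-NET ranges and must be replaced with your own hosts.

```pf
# Added example (not part of the original thread).
ext_if = "re0"
# Management hosts allowed to reach ssh. PLACEHOLDER addresses (TEST-NET).
table <admins> { 203.0.113.10, 198.51.100.0/28 }
# Filled automatically by the overload clauses below; survives rule reloads.
table <bruteforce> persist

# Anything already flagged as abusive is dropped before any pass rule.
block drop in quick on $ext_if from <bruteforce>

# ssh only from the admin table. synproxy completes the TCP handshake before
# sshd ever sees the connection. Even trusted sources are capped: more than
# 5 new connections in 30 seconds from one address moves it into <bruteforce>
# and flushes every state that address holds.
pass in on $ext_if proto tcp from <admins> to ($ext_if) port ssh \
    flags S/SA synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# www stays open to everyone but gets the same kind of per-source cap.
pass in on $ext_if proto tcp from any to ($ext_if) port www \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Entries in <bruteforce> never expire on their own; run `pfctl -t bruteforce -T expire 86400` from cron to drop addresses older than a day, and `pfctl -t bruteforce -T show` to see who has been caught.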