Hi everyone,
Thanks for all your input so far. I have tried to implement all your
suggestions but have gotten stuck. I set up a test machine in the office
with the ip  and encountered the following problems:
when I enabled antispoofing the firewall didn't work

when I tried allowing the subnet it worked ok, but when I tried
connecting from machines on the 172.16 subnet I was unable to connect.

Can you please let me know what I'm doing wrong?

#interfaces #

#ports to be opened #

#tcp ports
good_port_tcp="{ 80, 110, 143, 161, 443, 873 }"
#udp ports
good_port_udp="{ 161, 873  }"

#block all other traffic #

# should be the first rule

block in on $ext_if all

#anti-spoofing #

#traffic can't come in on your IP's
#antispoof quick for { lo0 $ext_if $ext_if2 } inet

#allow all connections from and to loopback #

pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

#allow all connections out through external interfaces #

pass out quick on $ext_if  all keep state

#Blocked ips #
#put ips or ip blocks as below
badguys="{,, }"

block in quick on $ext_if from $badguys

#smtp connections allowed  #

#European servers
pass in quick on $ext_if proto tcp from x.x.x.0/26 to port 25 keep state

pass in quick on $ext_if proto tcp from x.x.x.0/26 to port 25 keep state

#from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.0/27 to port 25 keep state

# pass traffic from allowed ports #

#pass traffic from allowed tcp ports
pass in on $ext_if inet proto tcp from any to port $good_port_tcp keep state

#pass traffic from allowed udp ports
pass in on $ext_if inet proto udp from any to port $good_port_udp keep state

# allow connections from NMC and servers #

#my ip
pass in quick on $ext_if inet proto { tcp, udp, icmp } from to keep state

# are the ips NMC access with
pass in on $ext_if inet proto { tcp, udp, icmp } from to keep state

# enable logging #

block in log on $ext_if

# to view log run command below
#tcpdump -n -e -ttt -i pflog0

#for any questions contact me#

On Tue, Mar 24, 2009 at 8:00 PM, Michael K. Smith - Adhost <
mksm...@adhost.com> wrote:

> I also forgot to mention:
> You should probably log your block rule so that you can see what's going on
> if things don't work as expected.
> So:
> block in log on $ext_if
> Note the lack of "quick" as well, as previously mentioned.
> With logging enabled, provided you have pflog running (which you should),
> you can use the following to see what's being blocked.
> tcpdump -n -e -ttt -i pflog0  (provided pflog0 is your pflog interface).
> Regards,
> Mike

Eric Magutu
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

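Added note, not part of Eric's mail or of any reply in the thread: what Eric describes is consistent with pf's rule evaluation order. pf walks the ruleset top to bottom and the last matching rule decides the packet, unless a matching rule carries `quick`, which stops evaluation immediately. In the ruleset as posted, the two port-list pass rules and the NMC pass rule have no `quick`, while the trailing `block in log on $ext_if` matches every inbound packet on $ext_if, so it is always the last match and overrides those pass rules; only the `quick` SMTP rules survive it. A UDP rule copied from the TCP line (`proto tcp ... $good_port_tcp`) would in addition admit no UDP at all. On the antispoof symptom, pf.conf(5) carries a caveat of its own: rules generated by `antispoof` interfere with packets sent over loopback to local addresses, and with `antispoof quick for { lo0 ... }` placed before the lo0 pass rules, loopback traffic is blocked before those rules are reached (the usual cure is `set skip on lo0` or passing loopback explicitly ahead of the antispoof line). The Python below is a small model of that evaluation order, written for this note; the rule structure mirrors the post, but the networks (192.0.2.0/26 for the elided SMTP range, 172.16.0.0/16 for the NMC range, 198.51.100.7 as an outside host) are made-up stand-ins, and no state table, antispoof or interface matching is modelled. It decides the same sample packets under the posted ordering and again with `quick` on the pass rules and the UDP rule corrected.

```python
"""Model of how pf chooses the rule that decides a packet.

pf walks the ruleset top to bottom and the LAST matching rule wins, unless a
matching rule carries `quick`, which ends evaluation on the spot.  Simplified
model: no state table, no antispoof, no interface matching.  The networks
below are assumed stand-ins for the addresses elided in the mail.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

GOOD_TCP = {80, 110, 143, 161, 443, 873}   # $good_port_tcp from the post
GOOD_UDP = {161, 873}                      # $good_port_udp from the post
SMTP_NET = "192.0.2.0/26"                  # assumed stand-in for x.x.x.0/26
NMC_NET = "172.16.0.0/16"                  # assumed stand-in for the NMC range


@dataclass
class Rule:
    text: str                           # roughly how the rule reads in pf.conf
    action: str                         # "pass" or "block"
    direction: str                      # "in" or "out"
    quick: bool = False
    protos: Optional[Set[str]] = None   # None: any protocol
    src: Optional[str] = None           # CIDR; None: any source
    dports: Optional[Set[int]] = None   # None: any destination port


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dport: Optional[int] = None         # None for ICMP


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every selector on the rule accepts the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.protos is not None and pkt.proto not in rule.protos:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the rule that decides the packet: the last match, or the first
    `quick` match.  None means nothing matched (pf then passes by default)."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def build_ruleset(fixed: bool) -> List[Rule]:
    """The inbound rules from the post, in the posted order.  With fixed=True
    every pass rule carries `quick` and the UDP rule really selects UDP."""
    q = fixed
    udp_protos = {"udp"} if fixed else {"tcp"}      # posted UDP rule says proto tcp
    udp_ports = GOOD_UDP if fixed else GOOD_TCP    # ... and uses $good_port_tcp
    udp_text = "pass in on $ext_if inet proto %s from any to port %s" % (
        "udp" if fixed else "tcp", "$good_port_udp" if fixed else "$good_port_tcp")
    return [
        Rule("block in on $ext_if all", "block", "in"),
        Rule("pass in quick on $ext_if proto tcp from SMTP_NET to port 25", "pass", "in", True, {"tcp"}, SMTP_NET, {25}),
        Rule("pass in on $ext_if inet proto tcp from any to port $good_port_tcp", "pass", "in", q, {"tcp"}, None, GOOD_TCP),
        Rule(udp_text, "pass", "in", q, udp_protos, None, udp_ports),
        Rule("pass in on $ext_if inet proto { tcp, udp, icmp } from NMC_NET", "pass", "in", q, {"tcp", "udp", "icmp"}, NMC_NET, None),
        Rule("block in log on $ext_if", "block", "in"),
    ]


def decide(fixed: bool, pkt: Packet) -> str:
    """The action pf would take on the packet, as a string."""
    rule = evaluate(build_ruleset(fixed), pkt)
    return "pass" if rule is None else rule.action


if __name__ == "__main__":
    # constructed sample packets: an NMC host opening ssh, an SNMP poll over
    # UDP, a web hit from outside, and a delivery from the allowed SMTP range
    samples = [
        Packet("in", "tcp", "172.16.5.4", 22),
        Packet("in", "udp", "198.51.100.7", 161),
        Packet("in", "tcp", "198.51.100.7", 80),
        Packet("in", "tcp", "192.0.2.9", 25),
    ]
    for fixed in (False, True):
        print("ruleset:", "pass rules with quick" if fixed else "as posted")
        for pkt in samples:
            rule = evaluate(build_ruleset(fixed), pkt)
            why = rule.text if rule else "no match (default pass)"
            print("  %s %s -> port %s: %-5s decided by: %s" % (pkt.proto, pkt.src, pkt.dport, decide(fixed, pkt), why))
```

The model is only a way to see the ordering; on the box itself the checks are `pfctl -nf /etc/pf.conf` to parse the file without loading it and `pfctl -sr` to print the rules as pf actually loaded them, with the trailing block rule visible at the end and every pass rule that should survive it showing `quick`. Then, as Mike suggested, `tcpdump -n -e -ttt -i pflog0` shows which rule number is doing the blocking.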