Dear Sirs,

Would you be willing to discuss how to write pf.conf?

I'm using OpenBSD 7.5 AMD.
I want to limit the packets going in and out as follows

1. Reject by default: block all.
2. When rejecting packets, do not log them.
3. There is only one interface (vio0) that carries traffic in and out of the host.
   Take the necessary logs on this interface.
4. Do nothing on the local loopback (lo0) interface.
5. Reject spoofed packets (antispoof) on vio0.
6. Allow the following protocols to pass.
   TCP ( http, https, domain, smtp, smtps, msa, imaps, 1522 )
   * Port 1522 is SSH.

   UDP ( domain, ntp )

I've written these rules (pf.conf) in my own way,
but I am having trouble because all packets are blocked.
Please see below for a description of the problem.
I would appreciate it if you could point out any problems.

Best regards,

---
WATANABE, Takeo
t...@kasaneiro.jp


pf.conf
----
tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services="{ domain, ntp }"

set block-policy drop
set loginterface vio0

# don't filter on loopback interface
set skip on lo0

# set up a default deny policy
block all

# Blocking Spoofed Packets
antispoof quick for vio0

# Allow packets
pass log quick on vio0 proto tcp to any port $tcp_services keep state
pass log quick on vio0 proto udp to any port $udp_services keep state

# Allow ICMP Packets
pass quick on vio0 proto icmp to any keep state

---
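As an added example (not the poster's configuration and not taken from any reply), the same six requirements written with an explicit direction on every pass rule, so that inbound and outbound policy can be read and debugged separately with pfctl; it assumes the host needs outbound access to the same port set it serves, and that ICMP/ICMPv6 should pass for ping and path-MTU discovery.

```pf
# Interface and service macros (assumed: vio0 is the only external interface)
ext_if = "vio0"
tcp_services = "{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services = "{ domain, ntp }"

set block-policy drop        # silently drop, no TCP RST / ICMP unreachable
set loginterface $ext_if     # per-interface counters for "pfctl -si"
set skip on lo0              # loopback is never filtered (requirement 4)

# Default deny, unlogged (requirements 1 and 2)
block all

# Drop packets that claim a source on vio0's own network but arrive on
# another interface, or that claim vio0's own address (requirement 5)
antispoof quick for $ext_if

# Inbound: only the listed services, addressed to this host itself.
# ($ext_if) is evaluated at run time, so an address change needs no reload.
pass in log quick on $ext_if proto tcp from any to ($ext_if) port $tcp_services
pass in log quick on $ext_if proto udp from any to ($ext_if) port $udp_services

# Outbound: the host's own connections to the same services elsewhere
# (DNS, NTP, mail delivery, https for pkg_add). State is kept by default.
pass out log quick on $ext_if proto tcp from ($ext_if) to any port $tcp_services
pass out log quick on $ext_if proto udp from ($ext_if) to any port $udp_services

# ICMP and ICMPv6 (ping, unreachables, neighbour discovery)
pass quick on $ext_if proto icmp
pass quick on $ext_if proto icmp6
```

Validate the syntax with `pfctl -nf /etc/pf.conf` before loading, and compare `pfctl -sr` with the intended policy: antispoof is expanded into plain block rules there, which makes it easy to see exactly which addresses it drops.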
