Hello! First of all I would like to say many, many thanks to the OBSD community, and especially to the OBSD developers, for a really great product. I really appreciate your work; this is now the second time I have pre-ordered the CD set just to support the project. But the reason I wrote this message is that I would like to hear what you people think about the pf.conf I include in the mail. Those rules are on the gateway to protect machines on the LAN. Thanks for any comments, and sorry for my English.

Regards
--
Anze Povsic
mailto: [EMAIL PROTECTED]
GnuPG_ID: 49DA6FB5
# $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Macros: external (PPP) and internal (LAN) interfaces
ext_if="tun0"
int_if="fxp0"

# Addresses that should never appear on the external interface
NoRoute="{ 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"

# Outbound services allowed from the LAN
OutTCP="{ 1494, 5999, http, https, smtp, pop3, whois, domain, ssh, ftp, ftp-data, auth, ntp, nntp }"
OutUDP="{ 1604, ntp, domain }"

# Ports blocked inbound regardless of interface
Bad_ports="5,69,135,137,138,139,445,524,548,666,1080,1433,1434,2283,2535,3127,3128,3410,8866,9898,4899,6129,12345,6667,33270,60001,54321,65289,2407,1711,31337,10000,65506,2745"

# Options
set loginterface $ext_if
set optimization aggressive
set block-policy drop
set state-policy if-bound

# Normalization
scrub in on { lo, $ext_if, $int_if } all fragment reassemble random-id
scrub out on { lo, $ext_if, $int_if } all fragment reassemble random-id

# Translation: NAT for the LAN, plus redirects to spamd, ftp-proxy and squid
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port
rdr on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port spamd
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128

# Filtering: default deny on the external interface
block in on $ext_if all
block out on $ext_if all
anchor "ftp-proxy/*"
block return-rst out log on $ext_if proto tcp all
block return-rst in log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in log on $ext_if proto udp all
antispoof for { lo, $ext_if, $int_if } inet
block in inet6 all
block out inet6 all
pass in on lo all
pass out on lo all

# Drop and log TCP segments with invalid flag combinations
block in log on $ext_if inet proto tcp from any to any flags /WEUAPRS
block in log on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log on $ext_if inet proto tcp from any to any flags SR/SR
block in log on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log on $ext_if inet proto tcp from any to any flags UAPRSF/UAPRSF
block in log on $ext_if inet proto tcp from any to any flags WEUAPRS/WEUAPRS
block in log on $ext_if inet proto tcp from any to any flags F/SFRA
block in log on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if inet proto tcp from any to any flags FPU/SFRAUP

# Drop unroutable sources/destinations, bad ports and broadcast
block in log on $ext_if from $NoRoute to any
block out log on $ext_if from any to $NoRoute
block in log proto { udp, tcp } from any to any port { = $Bad_ports }
block in on $ext_if from any to 255.255.255.255

# Outbound traffic from the gateway and the LAN
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out on $ext_if inet proto tcp from any to any port > 1023 flags S/SA modulate state
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass out on $ext_if inet proto udp from any to any port $OutUDP keep state
pass out on $ext_if inet proto tcp from any to any port $OutTCP flags S/SA modulate state

# Inbound: only redirected SMTP to spamd, and LAN traffic
pass in log on $ext_if inet proto tcp from any to lo0 port spamd synproxy state flags S/SA
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass in on $int_if from any to any
pass out on $int_if from any to any

#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state