On Mon, May 28, 2007 at 11:27:46PM +0200, Lontronics Mailinglist account wrote:
> Okay, this should be it, any comments are appreciated.
> The >1023 is used for ftp;

That is not the proper solution; use ftp-proxy, as documented in the FAQ.

> ###########################################################
>
> # $OpenBSD: PF firewall rules $
>
> tcp_pass = "{ 21 22 25 53 80 110 123 >1023}"
> udp_pass = "{ 53 110 }"

I'd recommend symbolic names for legibility:

tcp_pass = { ftp ssh smtp domain http pop3 }
udp_pass = { domain ntp }

I'm pretty certain you mean the above, by the way; NTP over TCP is about as useful as POP3 over UDP...

> # scrub
> scrub in all

'scrub' is useful when using an OpenBSD machine as a firewall, as it makes it far harder for attackers to get weird packets to machines with badly-written TCP/IP stacks. However, the OpenBSD network stuff is usually very good, and enabling scrub enables an attacker to attack far more code (notably, the PF code as well). Plus it consumes some cycles. Just skip it.

> # setup a default deny policy
> block in all
> block out all

'block all'

> antispoof for { bce0, wpi0 } inet
>
> pass out on { bce0, wpi0 } proto tcp to any port $tcp_pass
> pass out on { bce0, wpi0 } proto udp to any port $udp_pass

As noted, you should add icmp. Also, if you are sure that you will never use IPv6, 'block inet6'.

You didn't post it, but you will want to add 'set skip lo0' at least. Strange things happen when pf blocks everything on the loopback interface...

Joachim
--
TFMotD: fingerd (8) - remote user information server
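The poster's rules as they would look with the suggestions above applied, as an added example that is neither the poster's file nor Joachim's; the interface names bce0 and wpi0 come from the thread, the anchor name comes from ftp-proxy(8), and the port-21 redirect to the proxy is left to the PF FAQ for your release rather than reproduced here:

```pf
# Macros: pf lets a macro hold a list, and service names are looked up
# in /etc/services, so the rules read as services rather than numbers.
ext      = "{ bce0 wpi0 }"
tcp_pass = "{ ftp ssh smtp domain http pop3 }"
udp_pass = "{ domain ntp }"

# Options come before rules. Skipping lo0 avoids the loopback breakage
# that a default-deny policy otherwise causes.
set skip on lo0

# No 'scrub' line: on a host that is not forwarding for others it only
# exposes more code (the normalizer) and costs cycles.

# Default deny in both directions, and no IPv6 at all if it is never used.
block all
block inet6

# Drop packets arriving on either interface with a source address that
# belongs to that interface's own network (spoofed).
antispoof for $ext inet

# FTP goes through ftp-proxy(8) instead of opening every port >1023:
# the proxy installs its per-session data-connection rules in this anchor.
# The rdr of outbound port 21 to the proxy is as given in the PF FAQ.
anchor "ftp-proxy/*"

# Outbound services only. 'keep state' is the default on OpenBSD 4.1 and
# later, so replies are admitted by state rather than by an open port range;
# on older releases append 'keep state' to each pass rule.
pass out on $ext proto tcp to any port $tcp_pass
pass out on $ext proto udp to any port $udp_pass
pass out on $ext inet proto icmp
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; a macro or service-name typo is reported there instead of silently dropping traffic.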