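vi /etc/rc.conf
# Enable pf at boot. The "log" keyword used in /etc/pf.conf sends matched
# packets to the pflog0 interface; pflogd (pflog_enable) is what reads that
# interface and writes /var/log/pflog, so enable it too or the log rules
# leave no file behind (you could still watch them live with
# "tcpdump -n -e -ttt -i pflog0").
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"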
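vi /etc/pf.conf
## Macros
# Only a bare SYN may open a state: of FIN/SYN/RST/ACK, SYN must be the
# only flag set.
SYN_ONLY="S/FSRA"
EXT_NIC="bge0"
INT_NIC="bge1"
ALLOWED_ICMP="echoreq"
ALLOWED_TCP="{ 22, 80 }"
# Hosts allowed to reach $EXT_IP on ANY protocol and port (see the
# TRUSTED_IP pass rule below). Every address listed here bypasses the
# per-protocol policy entirely, so keep the list short.
# NOTE(review): both entries are placeholders. 10.0.0.0/24 is RFC 1918
# space; unless your upstream really routes it to you, a packet with
# that source arriving on the Internet-facing NIC is spoofed and you
# should block it instead of trusting it.
TRUSTED_IP="{ 10.0.0.0/24, 1.1.1.1 }"
# Your Internet IP goes in the EXT_IP variable
EXT_IP="1.2.3.4"
# Your private network IP goes in the INT_IP variable
# if you have two NICs on the machine
INT_IP="192.168.1.1"
## TABLES
## GLOBAL OPTIONS
# Silently drop blocked packets: no RST or ICMP unreachable goes back to
# the sender, so a scanner cannot tell "filtered" from "no host".
set block-policy drop
# Never filter loopback. This also keeps the antispoof rule below from
# touching local traffic addressed to our own external IP.
set skip on lo0
## TRAFFIC NORMALIZATION
# Reassemble fragments and normalise TCP before the stateful rules run,
# so the filter sees whole packets and fragment-based evasion does not
# work.
scrub in all
## QUEUEING RULES
## TRANSLATION RULES (NAT)
## FILTER RULES
# Block everything (inbound AND outbound on ALL interfaces) by default.
# pf is last-match-wins unless a rule says "quick": every pass rule below
# is "quick", so anything not explicitly passed falls through to these
# block rules. Only inbound traffic on the external NIC is logged, to
# keep pflog readable.
block all
block in log on $EXT_NIC all
block out on $EXT_NIC all
# Drop inbound packets on the external NIC that claim our own address,
# and packets on other interfaces that claim to come from the external
# network; both are spoofed and must never reach the pass rules.
antispoof log quick for $EXT_NIC
# Default TCP policy: only a fresh SYN to an allowed port opens a state.
# (The original ruleset also had a "block return-rst" line for TCP, but
# the later plain "block in ... all" rule matched last and won, so RSTs
# were never actually sent. Unmatched TCP is deliberately dropped, not
# reset - see block-policy above.)
pass in log quick on $EXT_NIC proto tcp from any to $EXT_IP port $ALLOWED_TCP flags $SYN_ONLY keep state
# Default UDP policy: nothing is served over UDP, so there is no pass
# rule. Add one here only for a UDP service you actually host (e.g. DNS).
# Default ICMP policy: answer pings only. ICMP errors that belong to an
# existing state (e.g. fragmentation-needed) are matched to that state by
# pf and do not need a rule of their own.
pass in log quick on $EXT_NIC proto icmp from any to $EXT_IP icmp-type $ALLOWED_ICMP keep state
# Trusted hosts may reach $EXT_IP on any protocol and any port.
pass in log quick on $EXT_NIC from $TRUSTED_IP to $EXT_IP keep state
# This host may originate any outbound connection; the replies come back
# through the state entry, not through an inbound pass rule.
pass out quick on $EXT_NIC from $EXT_IP to any keep state
# NOTE(review): $INT_NIC / $INT_IP are defined but have no pass rules, so
# with "block all" nothing crosses the internal interface. If this box
# also fronts a private network, add pass rules (and NAT under the
# TRANSLATION section) for $INT_NIC.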
Wednesday, August 12, 2009
[FreeBSD] Example /etc/pf.conf