opinion on this ruleset
Daniel
daniel at britishemail.co.uk
Thu Nov 30 09:35:16 PST 2006
I was wondering if I could get some opinions on this ruleset please -
Basically, I have FreeBSD 6.1, running an IRC server on ports 6697, 7000,
6659 through to 6671, 9999, 27888. I am also running a nameserver, so I have
opened TCP and UDP 53. I also want incoming on port 80 and 22.
I have about 15 IP addresses assigned to my external interface... would it
be better to make a table for these? Or is using the ext_if as a macro just
as effective?
ext_if="rl0"
# 6659:6671 is an inclusive range; the original "6659 >< 6671" excludes both
# endpoints, so 6659 and 6671 themselves would have stayed closed
tcp_services="{ 22, 80, 53, 6633, 6697, 7000, 6659:6671, 9999, 27888 }"
udp_services="{ 53 }"
icmp_types="echoreq"
set block-policy return
set loginterface $ext_if
set skip on lo
scrub in
# default deny inbound; outbound traffic is allowed and creates state
block in
pass out keep state
# the original used $int_if, which is never defined in this ruleset, so pfctl
# would refuse to load it; only the external interface exists here
antispoof quick for { lo $ext_if }
# ($ext_if) in parentheses tracks every address on the interface, aliases included
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) \
    port $udp_services keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
More information about the freebsd-pf mailing list
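As an added example that is not part of the original post: the same ruleset written with a table for the aliased public addresses, so the two approaches raised in the question (interface macro versus table) can be compared side by side. The interface name, the 192.0.2.0/28 addresses and the choice of which address carries SSH are assumptions for illustration; the real 15 addresses are not on the page.

```pf
# Assumed for this example: rl0 carries aliases out of 192.0.2.0/28 (constructed
# sample addresses, not the poster's real ones).
ext_if="rl0"
ssh_addr="192.0.2.1"
tcp_services="{ 80, 53, 6633, 6697, 7000, 6659:6671, 9999, 27888 }"
udp_services="{ 53 }"
icmp_types="echoreq"

# Option A (what the post does): "($ext_if)" in parentheses is re-evaluated by
# pf whenever the interface's address list changes, so a newly added alias is
# covered without reloading the ruleset. Nothing in the rules can tell the
# addresses apart, though.
#
# Option B: pin the public addresses in a table. The contents are explicit,
# can be listed at runtime with "pfctl -t public_addrs -T show", and per-address
# exceptions become ordinary rules. Three entries stand in for the full set.
table <public_addrs> { 192.0.2.1, 192.0.2.2, 192.0.2.3 }
# Alternatively keep the list outside pf.conf and load it from a file:
# table <public_addrs> persist file "/etc/pf.public_addrs"

set block-policy return
set loginterface $ext_if
set skip on lo
scrub in

block in
pass out keep state
antispoof quick for { lo $ext_if }

# SSH reachable on one management address only; this is the kind of distinction
# the interface macro cannot express.
pass in on $ext_if inet proto tcp from any to $ssh_addr \
    port 22 flags S/SA keep state

# IRC, HTTP and DNS on every public address in the table
pass in on $ext_if inet proto tcp from any to <public_addrs> \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to <public_addrs> \
    port $udp_services keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
```

Before loading either variant, `pfctl -nf /etc/pf.conf` parses the file without activating it, and `pfctl -nvf /etc/pf.conf` prints the expanded rules, which is the quickest way to confirm that `6659:6671` expands to the inclusive range and that the macro or table resolves to the addresses you expect. Both forms evaluate at about the same cost; the table costs one extra line per address change, and buys the ability to treat addresses differently and to inspect the live set.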