first firewall with pf

Eric Magutu emagutu at gmail.com
Tue Mar 24 08:16:25 PDT 2009 

Hi,
I am converting some systems from Linux to freeBSD and I'm new to pf. I
wanted to run this on a live system but I'm not sure if everything is
correct. Can you please advise me if it would work and if there is anything
I need to add or remove to make it work. I have written the following
pf.conf:


########
#Tests #
########

#check syntax of rules
# pfctl -vf /etc/pf.conf
#interpret rules but don't load
# pfctl -nf /etc/pf.conf

#############
#interfaces #
#############
ext_if="bce0"
ext_if2="bce1"

#####################
#ports to be opened #
#####################

#tcp ports
good_port_tcp="{ 22, 80, 110, 143, 161, 443, 873, 3306, 40555 }"
#udp ports
good_port_udp="{ 161, 873  }"

#############################################
#allow all connections from and to loopback #
#############################################

pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

########################################################
#allow all connections out through external interfaces #
########################################################

pass out quick on $ext_if all keep state
pass out quick on $ext_if2 all keep state



##############
#Blocked ips #
##############
# 1.2.3.4 is the ip you want to block
block in quick on $ext_if inet 1.2.3.4

# 1.2.3.4/24 is the ip range you want to block
block in quick on $ext_if inet 1.2.3.4/24



############################
#smtp connections allowed  #
############################
#a.b.c.d is the server's ip
#Euro servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep
state

#American servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep
state

#from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep
state


###################################
# pass traffic from allowed ports #
###################################


#pass traffic from allowed tcp ports
pass in quick on $ext_if inet proto tcp from any to a.b.c.d port
$good_port_tcp keep state

#pass traffic from allowed udp ports
pass in quick on $ext_if inet proto tcp from any to a.b.c.d port
$good_port_tcp keep state

##########################################
# allow connections from NMC and servers #
##########################################

#x.x.x.x/12 are the internal ips NMC access with
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to
a.b.c.d keep state

#x.x.x.x/24 are the ips for the other European servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to
a.b.c.d keep state

#x.x.x.x/24 are the ips for the American servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to
a.b.c.d keep state


##########################
#block all other traffic #
##########################

# should be last rule

block in quick on $ext_if all



##################################################
#for any questions contact Eric#
##################################################

-- 
Regards,
Eric Magutu

More information about the freebsd-pf mailing list