Thursday, March 20, 2008

pf firewall for a workstation (II)

An update on the pf.conf firewall rules script.
I have modified it to allow everything on the loopback interface, and to use an aggressive block policy that actively rejects everything that is not explicitly allowed.
Other than that, the file is basically the same.


## /etc/pf.conf

if="dc0"
universe="{ 0/0 }"
my_nets="{ 1.2.3.4, 4.3.2.1, 4.3.2.1/27, 5.6.7.8/28 }"
my_lan="{ 10.120.10.0/29 }"

tcp_pass_universe= "{ 80 }"
tcp_pass_nets= "{ 22 }"
tcp_pass_lan= "{ 22 53 113 123 }"
udp_pass_lan="{ 53 123 }"
icmp_types="echoreq"

set skip on lo

set block-policy return

block in
pass out

pass in on $if inet proto tcp from $my_lan to ($if) port $tcp_pass_lan
pass in on $if inet proto udp from $my_lan to ($if) port $udp_pass_lan

pass in on $if inet proto tcp from $my_nets to ($if) port $tcp_pass_nets
pass in on $if inet proto tcp from $universe to ($if) port $tcp_pass_universe

pass in on $if inet proto icmp from $universe to ($if) icmp-type $icmp_types

# EoF #
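
To see what this ruleset actually does before loading it, here is an added example (my own code, not from the post) that parses the ruleset above and applies pf's last-matching-rule semantics to constructed packets. It assumes dc0's address is 192.0.2.10 (a constructed placeholder for whatever "(dc0)" expands to at runtime), approximates the "lo" interface group by name prefix, and handles only the IPv4 filter syntax the post uses.

```python
import ipaddress
import re

# Constructed input: the ruleset from the post, embedded verbatim so the example runs offline.
PF_CONF = r'''if="dc0"
universe="{ 0/0 }"
my_nets="{ 1.2.3.4, 4.3.2.1, 4.3.2.1/27, 5.6.7.8/28 }"
my_lan="{ 10.120.10.0/29 }"
tcp_pass_universe= "{ 80 }"
tcp_pass_nets= "{ 22 }"
tcp_pass_lan= "{ 22 53 113 123 }"
udp_pass_lan="{ 53 123 }"
icmp_types="echoreq"
set skip on lo
set block-policy return
block in
pass out
pass in on $if inet proto tcp from $my_lan to ($if) port $tcp_pass_lan
pass in on $if inet proto udp from $my_lan to ($if) port $udp_pass_lan
pass in on $if inet proto tcp from $my_nets to ($if) port $tcp_pass_nets
pass in on $if inet proto tcp from $universe to ($if) port $tcp_pass_universe
pass in on $if inet proto icmp from $universe to ($if) icmp-type $icmp_types'''
IF_ADDRS = {"dc0": "192.0.2.10"}   # assumption: the address pf substitutes for "(dc0)" at runtime
KEYWORDS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "port": "dport", "icmp-type": "icmp_type"}

def _read_value(toks, i):
    """Read one token or a { list } starting at toks[i]; return (items, index after it)."""
    if toks[i] != "{":
        return [toks[i]], i + 1
    end = toks.index("}", i)
    return toks[i + 1:end], end + 1

def parse_pf(text):
    """Expand macros textually (as pfctl does) and return (options, rules); IPv4 filter rules only."""
    macros, options, rules = {}, {"skip": []}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"(.*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        toks = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
        if not toks:
            continue
        if toks[:2] == ["set", "skip"]:
            options["skip"] += toks[3:]                 # 'set skip on lo': interface (group) names
        elif toks[0] == "set":
            options[toks[1]] = toks[2]                  # 'set block-policy return'
        else:
            rule, i = {"action": toks[0], "dir": toks[1]}, 2
            while i < len(toks):
                if toks[i] in KEYWORDS:
                    rule[KEYWORDS[toks[i]]], i = _read_value(toks, i + 1)
                elif toks[i] in ("inet", "inet6"):      # address family; this simulator handles IPv4
                    i += 1
                else:
                    raise ValueError(f"unsupported keyword {toks[i]!r} in: {line}")
            rules.append(rule)
    return options, rules

def _addr_match(items, addr):
    ip = ipaddress.ip_address(addr)
    for item in items:
        if item.startswith("("):                        # (ifname): the interface's own address
            if addr == IF_ADDRS.get(item.strip("()")):
                return True
            continue
        net, _, plen = item.partition("/")
        net = ".".join((net.split(".") + ["0"] * 4)[:4])  # pf accepts "0/0"; ipaddress needs 4 octets
        if ip in ipaddress.ip_network(f"{net}/{plen or 32}", strict=False):
            return True
    return False

def _matches(rule, pkt):
    if rule["dir"] != pkt["dir"]:
        return False
    for key in ("iface", "proto", "dport", "icmp_type"):   # exact-match criteria, always stored as lists
        if key in rule and str(pkt.get(key)) not in rule[key]:
            return False
    for key in ("src", "dst"):
        if key in rule and not _addr_match(rule[key], pkt[key]):
            return False
    return True

OPTIONS, RULES = parse_pf(PF_CONF)

def check(direction, iface, proto, src, dst, dport=None, icmp_type=None):
    """Verdict for one packet: without 'quick', pf's LAST matching rule decides; no match means pass."""
    pkt = dict(dir=direction, iface=iface, proto=proto, src=src, dst=dst, dport=dport, icmp_type=icmp_type)
    if any(iface.startswith(g) for g in OPTIONS["skip"]):   # approximates membership in the 'lo' group
        return "pass (set skip: not filtered)"
    winner = next((r for r in reversed(RULES) if _matches(r, pkt)), None)
    if winner is None or winner["action"] == "pass":
        return "pass"
    if OPTIONS.get("block-policy") != "return":
        return "block (silently dropped)"
    # block-policy return: TCP RST for TCP, ICMP unreachable for UDP, everything else is just dropped
    return "block (%s)" % {"tcp": "TCP RST sent", "udp": "ICMP unreachable sent"}.get(proto, "silently dropped")
```

Calling check("in", "dc0", "tcp", "198.51.100.7", "192.0.2.10", dport=22) returns "block (TCP RST sent)", while the same SSH connection from 10.120.10.3 returns "pass", and a packet to any address other than the one bound to dc0 is blocked even from the LAN, because every pass rule is anchored on "($if)". The simulation is a reading aid only: pfctl -nf /etc/pf.conf is what actually validates the file, and pfctl -sr shows the rules as loaded.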
