pf firewall for a workstation (III)
Another update to the firewall ruleset.
## /etc/pf.conf
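# Workstation ruleset: default-deny inbound, allow everything outbound, and
# expose a few services per trust zone (LAN, own networks, everyone).
if="dc0"
# Remote networks allowed to reach SSH. The host 4.3.2.1 is already covered by
# 4.3.2.1/27, so that single entry is redundant.
my_nets="{ 1.2.3.4, 4.3.2.1, 4.3.2.1/27, 5.6.7.8/28 }"
my_lan="{ 10.120.10.0/29 }"
# Ports by audience: anyone (80), own networks (22), LAN (22, 53, 113, 123 tcp;
# 53, 123 udp).
tcp_pass_universe= "{ 80 }"
tcp_pass_nets= "{ 22 }"
tcp_pass_lan= "{ 22 53 113 123 }"
udp_pass_lan="{ 53 123 }"
# Only echo requests are answered; all other ICMP hits the default block.
icmp_types="echoreq"
set skip on lo0
# "return" answers blocked TCP with RST and blocked UDP with ICMP unreachable,
# so local users get fast failures instead of timeouts. The trade-off is that
# the host is visibly filtered; "drop" is the quieter choice.
set block-policy return
# Normalization. On pf releases after the scrub/match rewrite this line is
# written "match in all scrub (no-df)" -- TODO confirm against the installed
# version.
scrub in
# Default deny inbound, logged to pflog0 so blocked traffic can be reviewed
# (e.g. tcpdump -n -e -ttt -i pflog0). No address family is given, so IPv6
# inbound is blocked as well.
block in log
# Everything outbound is allowed and stateful, so replies are admitted by state
# rather than by any of the pass-in rules below.
pass out
antispoof for lo0
# IPv4 only; IPv6 spoofing is not covered, but inet6 never passes in anyway.
antispoof for ($if) inet
# ($if) in parentheses is re-resolved when the interface address changes.
pass in on $if inet proto tcp from $my_lan to ($if) port $tcp_pass_lan
pass in on $if inet proto udp from $my_lan to ($if) port $udp_pass_lan
pass in on $if inet proto tcp from $my_nets to ($if) port $tcp_pass_nets
# Port 80 is the only service reachable from anywhere.
pass in on $if inet proto tcp from any to ($if) port $tcp_pass_universe
pass in on $if inet proto icmp from any to ($if) icmp-type $icmp_types
# EoF #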
## /etc/pf.conf
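# Workstation ruleset: default-deny inbound, allow everything outbound, and
# expose a few services per trust zone (LAN, own networks, everyone).
if="dc0"
# Remote networks allowed to reach SSH. The host 4.3.2.1 is already covered by
# 4.3.2.1/27, so that single entry is redundant.
my_nets="{ 1.2.3.4, 4.3.2.1, 4.3.2.1/27, 5.6.7.8/28 }"
my_lan="{ 10.120.10.0/29 }"
# Ports by audience: anyone (80), own networks (22), LAN (22, 53, 113, 123 tcp;
# 53, 123 udp).
tcp_pass_universe= "{ 80 }"
tcp_pass_nets= "{ 22 }"
tcp_pass_lan= "{ 22 53 113 123 }"
udp_pass_lan="{ 53 123 }"
# Only echo requests are answered; all other ICMP hits the default block.
icmp_types="echoreq"
set skip on lo0
# "return" answers blocked TCP with RST and blocked UDP with ICMP unreachable,
# so local users get fast failures instead of timeouts. The trade-off is that
# the host is visibly filtered; "drop" is the quieter choice.
set block-policy return
# Normalization. On pf releases after the scrub/match rewrite this line is
# written "match in all scrub (no-df)" -- TODO confirm against the installed
# version.
scrub in
# Default deny inbound, logged to pflog0 so blocked traffic can be reviewed
# (e.g. tcpdump -n -e -ttt -i pflog0). No address family is given, so IPv6
# inbound is blocked as well.
block in log
# Everything outbound is allowed and stateful, so replies are admitted by state
# rather than by any of the pass-in rules below.
pass out
antispoof for lo0
# IPv4 only; IPv6 spoofing is not covered, but inet6 never passes in anyway.
antispoof for ($if) inet
# ($if) in parentheses is re-resolved when the interface address changes.
pass in on $if inet proto tcp from $my_lan to ($if) port $tcp_pass_lan
pass in on $if inet proto udp from $my_lan to ($if) port $udp_pass_lan
pass in on $if inet proto tcp from $my_nets to ($if) port $tcp_pass_nets
# Port 80 is the only service reachable from anywhere.
pass in on $if inet proto tcp from any to ($if) port $tcp_pass_universe
pass in on $if inet proto icmp from any to ($if) icmp-type $icmp_types
# EoF #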