My pf.conf file

Thread: My pf.conf file

  1. #1
    Guest

    My pf.conf file

    Enjoy guys:

    Code:
    # Externe -> dc0
    EXT="dc0"
    
    # Interne -> dc1
    INT="dc1"
    LAN="192.168.1.0/24"
    
    # Adresses
    MIRANDA="192.168.1.1/32"
    JEROME="192.168.1.7/32"
    VINCENT="192.168.1.8/32"
    LAURENT="192.168.1.9/32"
    
    # Spoofers
    SPOOF="{ 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 }"
    
    
    # Politique de base
    block in log all
    block out log all
    scrub in all
    pass out quick on $EXT from $LAN to any keep state
    
    
    # SSH
    pass in quick on $EXT proto tcp from any to any port 22 flags S/SA keep state
    
    # SMTP
    pass in quick on $EXT proto tcp from any to any port 25 flags S/SA keep state
    
    # HTTP
    pass in quick on $EXT proto tcp from any to any port 81 flags S/SA keep state
    
    # Bloquer les spoofers
    block out log quick on $EXT from $SPOOF to any
    block in log quick on $EXT from any to $SPOOF

  2. #2

    Re: My pf.conf file

    If there is one great thing about pf, it is that a small configuration can be pretty powerful.

  3. #3

    Re: My pf.conf file

    Some comments:
    - you do not block spoofers when they try to access tcp 22, 25 and 81 (just change rule order)
    - you should return RST on the ident port if you run an SMTP server (many smtp servers will query that port, if you just block it they will wait for a long timeout).
    - doesn't ssh use udp sometimes?
    - you cannot access your LAN with these rules (but maybe it's a feature?)
    - your machine is not pingable

  4. #4
    Guest

    Re: My pf.conf file

    > Some comments:
    > - you do not block spoofers when they try to access tcp 22, 25 and 81 (just change rule order)
    Yeah, I changed it right after I posted.

    > - you should return RST on the ident port if you run an SMTP server (many smtp servers will query that port, if you just block it they will wait for a long timeout).
    How would I do that?

    > - you cannot access your LAN with these rules (but maybe it's a feature?)
    What do you mean I can't access my LAN?

    > - your machine is not pingable
    Added that.

  5. #5
    Guest

    Re: My pf.conf file

    Right now it looks like this. Is it better?

    Code:
    # Externe -> dc0
    EXT="dc0"
    
    # Interne -> dc1
    INT="dc1"
    LAN="192.168.1.0/24"
    
    # Adresses
    MIRANDA="192.168.1.1/32"
    JEROME="192.168.1.7/32"
    VINCENT="192.168.1.8/32"
    LAURENT="192.168.1.9/32"
    
    # Spoofers
    SPOOF="{ 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 }"
    
    
    # Politique de base
    block in log all
    block out log all
    scrub in all
    pass out quick on $EXT from $LAN to any keep state
    
    # Bloquer les spoofers
    block out log quick on $EXT from $SPOOF to any
    block in log quick on $EXT from any to $SPOOF
    
    # Traceroute + Ping
    pass in quick on $EXT proto icmp from any to any icmp-type trace keep state
    pass in quick on $EXT proto icmp from any to any icmp-type echoreq keep state
    
    
    # SSH
    pass in quick on $EXT proto tcp from any to any port 22 flags S/SA keep state
    
    # SMTP
    pass in quick on $EXT proto tcp from any to any port 25 flags S/SA keep state
    
    # HTTP
    pass in quick on $EXT proto tcp from any to any port 81 flags S/SA keep state

  6. #6

    Re: My pf.conf file

    > How would I do that?
    Don't know about pf, in IPFilter it would be

    Code:
    block return-rst in log on $EXT proto tcp from any to any port = 113
    You may also add a rule that will prevent pf from responding with RST to broadcasts (I just drop all the broadcasts on the floor).

    > What do you mean I can't access my LAN?
    Either I'm missing something or you block everything from the firewall to $LAN, except for NATed connections. There are no rules about $INT and $LAN, therefore the default block policy is applied. I'm not saying that this is bad.

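The rule-order point in comment #3 and the ident question in post #6 both come down to how pf evaluates a ruleset: the last matching rule wins, unless a matching rule is marked quick, which ends evaluation at once. The following Python model is an added example, not code from the thread; it replays the post #1 ordering against an anti-spoof-first ordering (using the inbound "from $SPOOF to any" rule from the thread's last post) and shows pf's own "block return-rst" keyword for ident, the counterpart of the IPFilter rule above. The single interface and the sample packet addresses are constructed assumptions.

```python
import ipaddress

# Rule fields modelled: direction, proto, src/dst networks, dst port, quick.
# The interface ("on $EXT") is omitted: every packet here arrives on $EXT.
def rule(action, direction, src="any", dst="any", proto=None, port=None, quick=False):
    return {"action": action, "dir": direction, "src": src, "dst": dst,
            "proto": proto, "port": port, "quick": quick}

def in_nets(nets, ip):
    if nets == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["port"] is None or r["port"] == pkt["dport"])
            and in_nets(r["src"], pkt["src"]) and in_nets(r["dst"], pkt["dst"]))

def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is
    marked quick, which ends evaluation at once. No match at all means pass."""
    action = "pass"
    for r in rules:
        if matches(r, pkt):
            action = r["action"]
            if r["quick"]:
                break
    return action
# The thread's SPOOF macro (first version) as a Python list.
SPOOF = ["10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
         "192.168.0.0/16", "255.255.255.255/32"]
# Post #1 order: the quick service rule fires before the anti-spoof rule is reached.
ORIGINAL = [
    rule("block", "in"),                                     # block in log all
    rule("pass", "in", proto="tcp", port=22, quick=True),    # SSH
    rule("block", "in", src=SPOOF, quick=True),              # block in quick from $SPOOF
]
# Anti-spoof first, plus pf's own "block return-rst" for ident (tcp 113) so a
# peer SMTP server gets an immediate RST instead of waiting for a timeout.
REORDERED = [
    rule("block", "in"),
    rule("block", "in", src=SPOOF, quick=True),
    rule("block return-rst", "in", proto="tcp", port=113, quick=True),
    rule("pass", "in", proto="tcp", port=22, quick=True),
]
# Constructed packets; 203.0.113.5 stands in for the firewall's external address.
SPOOFED_SSH = {"dir": "in", "proto": "tcp", "src": "10.1.2.3", "dst": "203.0.113.5", "dport": 22}
LEGIT_SSH = {"dir": "in", "proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.5", "dport": 22}
IDENT = {"dir": "in", "proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.5", "dport": 113}
```

With the post #1 ordering the spoofed SSH SYN is passed because the quick SSH rule stops evaluation before the anti-spoof rule; with anti-spoof first it is blocked while the legitimate SSH packet still passes.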

  7. #7
    Guest

    Re: My pf.conf file

    I'm not sure if I understand, but if I ssh to my firewall (I can do that, right?), you are saying that I will not be able to ssh to my box?

  8. #8

    Re: My pf.conf file

    > I'm not sure if I understand, but if I ssh to my firewall (I can do that, right?), you are saying that I will not be able to ssh to my box?
    Try it. You'll know better then.

  9. #9
    Guest

    Re: My pf.conf file

    > Try it. You'll know better then.
    This will be tonight or tomorrow. I don't know enough about networks and packet filters to tell exactly how it will work (but that's why I'm doing this).

    Thanks for your help by the way, it's very much appreciated!

  10. #10
    Guest

    Re: My pf.conf file

    Latest (I added some changes recommended by a friend of mine):

    Code:
    # Externe -> dc0
    EXT="dc0"
    
    # Interne -> dc1
    INT="dc1"
    LAN="192.168.1.0/24"
    
    # Adresses
    MIRANDA="192.168.1.1/32"
    JEROME="192.168.1.7/32"
    VINCENT="192.168.1.8/32"
    LAURENT="192.168.1.9/32"
    
    # Spoofers
    SPOOF="{ 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"
    
    
    # Politique de base
    block in log on $EXT from any to any
    block out log on $EXT from any to any
    
    pass in on $INT from any to any
    pass out on $INT from any to any
    
    pass in quick on lo0 from any to any
    pass out quick on lo0 from any to any
    
    scrub in all
    pass out quick on $EXT from $EXT to any keep state
    
    # Bloquer les spoofers
    block out log quick on $EXT from $SPOOF to any
    block in log quick on $EXT from any to $SPOOF
    block out log quick on $EXT from any to $SPOOF
    block in log quick on $EXT from $SPOOF to any
    
    # Traceroute + Ping
    #pass in quick on $EXT proto icmp from any to any icmp-type trace keep state
    #pass in quick on $EXT proto icmp from any to any icmp-type echoreq keep state
    
    # SSH
    pass in quick on $EXT proto tcp from any to any port 22 flags S/SA keep state
    
    # SMTP
    pass in quick on $EXT proto tcp from any to any port 25 flags S/SA keep state
    
    # HTTP
    pass in quick on $EXT proto tcp from any to any port 81 flags S/SA keep state
