Re: newbie question
Nathan Fisher <firstname.lastname@example.org> wrote:
> I'm a newbie myself, isn't it best to lock out all
> inbound connections and then open up only the services you want to
> provide? Can anyone tell me if this would be an appropriate
> configuration for a trusted network w/ a 2 port router?
Yes: it's better to use this solution and a 2-port firewall. Block all inbound
connections and allow only connections for services with redirection.
> # BEGIN /etc/pf.conf
> #----- variables -----
> FlagsOSfinger="flags FUP/FUP"
> #----- end variables -----
Maybe too many macros; the conf becomes more difficult to read. Suppress the
"Flags" and "Tcp" variables if you want.
> # immediate block of private IP's
> block in log quick on $ExtIF inet from $PrivateIPs to any
> block out log quick on $ExtIF inet from any to $PrivateIPs
You can replace these rules with the 'antispoof' keyword: see pf.conf(5).
> #----- stateful services -----
> # Is this section correct?
Yes, this section is correct: redirection of inbound HTTP and SMTP connections
to internal HTTP and SMTP servers.
Laurent Cheylus <email@example.com> OpenPGP ID 0x5B766EC2
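The policy the reply recommends (default deny on both interfaces, antispoof in place of hand-written private-IP rules, only the redirected HTTP and SMTP ports allowed in), written out as a constructed pf.conf. This is an added example, not the poster's or Laurent's ruleset; the interface names, the 10.0.0.0/24 LAN, the server addresses and the NAT line are assumptions, and the syntax is the OpenBSD 3.x-era form with separate rdr rules (on OpenBSD 4.7 and later the redirection is written as "rdr-to" inside the pass rule). One caveat: antispoof only covers networks the firewall itself is attached to, so if you also want to drop the rest of the RFC 1918 space on $ExtIF, keep a block rule for those ranges.

```pf
# Constructed example: 2-interface firewall, default deny, redirected HTTP/SMTP.
ExtIF="fxp0"              # assumed external interface
IntIF="fxp1"              # assumed internal interface
IntNet="10.0.0.0/24"      # assumed LAN
WebSrv="10.0.0.10"        # assumed internal HTTP server
MailSrv="10.0.0.20"       # assumed internal SMTP server

# Reassemble fragments and normalise packets before any rule is evaluated.
scrub in all

# Outbound LAN traffic hides behind the external address (assumed NAT).
nat on $ExtIF from $IntNet to any -> ($ExtIF)

# Translation runs before filtering: inbound HTTP/SMTP aimed at the external
# address is rewritten to the internal servers, so the filter rules below
# match on the internal addresses, not on ($ExtIF).
rdr on $ExtIF proto tcp from any to ($ExtIF) port 80 -> $WebSrv port 80
rdr on $ExtIF proto tcp from any to ($ExtIF) port 25 -> $MailSrv port 25

# Default deny in both directions, logged. Last matching rule wins unless
# a rule carries "quick".
block in log all
block out log all

# antispoof for an interface expands to rules that drop packets carrying a
# source address from that interface's network but arriving on another
# interface. "antispoof for $IntIF" is what replaces the poster's
# "block in ... from $PrivateIPs" rule for the LAN range.
antispoof log quick for $ExtIF
antispoof log quick for $IntIF

pass quick on lo0 all

# Only the two redirected services are accepted from outside. Matching on the
# initial SYN only ("flags S/SA") and keeping state means the rest of each
# connection, in both directions, is passed by the state table.
pass in on $ExtIF proto tcp from any to $WebSrv port 80 flags S/SA keep state
pass in on $ExtIF proto tcp from any to $MailSrv port 25 flags S/SA keep state

# The trusted LAN may initiate anything outbound; state covers the replies.
pass in on $IntIF from $IntNet to any keep state
pass out on $ExtIF from any to any keep state
pass out on $IntIF from any to $IntNet keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -s rules` shows the block rules antispoof expanded to.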