
Re: newbie question



Nathan Fisher <natbobc@yahoo.ca> wrote :
> I'm a newbie myself, isn't it best to lock out all
> inbound connections and then open up only the services you want to
> provide?  Can anyone tell me if this would be an appropriate
> configuration for a trusted network w/ a 2 port router?
Yes: it's better to use this solution and a 2-port firewall. Block all inbound
connections and allow only connections for services with redirection.
> # BEGIN /etc/pf.conf
> 
> #----- variables -----
> 
> ExtIF="dc1"
[...]
> FlagsOSfinger="flags FUP/FUP"
> #----- end variables -----
Maybe too many macros, and the conf becomes more difficult to read: suppress
the "Flags" and "Tcp" variables if you want.
> # immediate block of private IP's
> block in log quick on $ExtIF inet from $PrivateIPs to any
> block out log quick on $ExtIF inet from any to $PrivateIPs
You can replace these rules with the 'antispoof' keyword: see pf.conf(5).
> #----- stateful services -----
> # Is this section correct?
Yes, this section is correct: redirection of inbound HTTP and SMTP connections
to internal HTTP and SMTP servers.
A++ Foxy.
-- 
Laurent Cheylus <foxy@free.fr> OpenPGP ID 0x5B766EC2
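A complete default-deny ruleset of the kind discussed above, written as an added example (not the code of either poster) in the pre-OpenBSD 4.7 pf syntax the quoted fragment uses, where rdr rules live in the translation section ahead of the filter rules. The interface names dc1/dc0, the 192.168.1.0/24 trusted LAN and the WebSrv/MailSrv addresses are assumptions.

```pf
# Constructed example: default-deny pf.conf for a 2-port router (old pf syntax).
# Assumed: dc1 = external interface, dc0 = internal, 192.168.1.0/24 = trusted LAN.
ExtIF="dc1"
IntIF="dc0"
WebSrv="192.168.1.10"
MailSrv="192.168.1.11"
PrivateIPs="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Translation is evaluated before filtering, so the pass rules further down
# match the translated (internal) destination, not $ExtIF.
nat on $ExtIF inet from $IntIF:network to any -> ($ExtIF)
rdr on $ExtIF inet proto tcp from any to $ExtIF port 80 -> $WebSrv port 80
rdr on $ExtIF inet proto tcp from any to $ExtIF port 25 -> $MailSrv port 25

# antispoof expands to block rules for $ExtIF's own address and network; the
# explicit private-range block still drops RFC1918 sources arriving from outside.
antispoof log quick for $ExtIF inet
block in log quick on $ExtIF inet from $PrivateIPs to any
block out log quick on $ExtIF inet from any to $PrivateIPs

# Default deny: nothing comes in unless a later rule passes it (last match wins).
block in log all

# Trusted LAN may initiate anything; replies are matched by state, not by rule.
pass in on $IntIF inet from $IntIF:network to any keep state
pass out on $ExtIF inet proto tcp from any to any flags S/SA keep state
pass out on $ExtIF inet proto { udp, icmp } from any to any keep state

# Only the redirected services are reachable from the Internet, and only on a
# new-connection SYN (flags S/SA) so state is created once per connection.
pass in on $ExtIF inet proto tcp from any to $WebSrv port 80 flags S/SA keep state
pass in on $ExtIF inet proto tcp from any to $MailSrv port 25 flags S/SA keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and compare what antispoof actually expanded to with `pfctl -sr` before deciding whether the explicit $PrivateIPs rules are redundant for your address plan.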