
Re: pf.conf feedback,critique...



On Mon, 20 Dec 2004 18:42:58 +0100 (CET), J. <[email protected]> wrote:
> # $OpenBSD: pf.conf,v 1.28 OpenBSD 3.5-current (GENERIC)
Why not upgrade to 3.6-stable before going production?
> # 1. ftp clients [external,incoming]
> rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server port 21
> rdr on $ext_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535
You might consider this instead, if you just have a single IP (static
or dynamic) from your ISP:
rdr on $ext_if proto tcp from any to ($ext_if) port 21 -> $ftp_server port 21
rdr on $ext_if proto tcp from any to ($ext_if) port 49152:65535 -> $ftp_server port 49152:65535
> # block 192.168.1.40 to 224.0.0.22 , winXP IGMP-2 SPAM
> # block in log quick on $int_if from $fam to 224.0.0.22
Personally, I do not use Multicast for anything, so I use the following:
block drop in quick from any to 224.0.0.0/4
> # Traffic must also be passed to and from the internal network
> pass in on $int_if from $int_if:network to any keep state
Are you sure about this?  Personally I'd restrict this policy,
breaking this down into a number of 'quick' rules for specific
destination ports/protocols.
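To make the three suggestions in this reply concrete (redirect to the interface's own address with ($ext_if), drop multicast early, and replace the blanket internal pass with per-service 'quick' rules), here is an added example ruleset in OpenBSD 3.x pf.conf syntax. It is not the poster's configuration: the interface names, the $ftp_server address, the chosen service ports and the default-deny line are all assumptions.

```pf
# Added example ruleset, not the poster's pf.conf.
# Macro values are assumptions / placeholders.
ext_if = "fxp0"
int_if = "fxp1"
ftp_server = "192.168.1.10"

# Redirect only traffic addressed to the external interface's own address.
# ($ext_if) in parentheses is re-evaluated by pf when the address changes,
# so this also works with a dynamic ISP address.
rdr on $ext_if proto tcp from any to ($ext_if) port 21 -> $ftp_server port 21
rdr on $ext_if proto tcp from any to ($ext_if) port 49152:65535 -> $ftp_server port 49152:65535

# Drop all multicast (224.0.0.0/4) before anything else; 'quick' stops
# rule evaluation here, so the IGMP chatter never reaches later rules.
block drop in quick from any to 224.0.0.0/4

# Let the redirected FTP traffic reach the server (state is needed in 3.x).
pass in on $ext_if proto tcp from any to $ftp_server port 21 flags S/SA keep state
pass in on $ext_if proto tcp from any to $ftp_server port 49152:65535 flags S/SA keep state

# Default deny on the internal interface (logged), then explicit 'quick'
# passes per service instead of "pass in ... from $int_if:network to any".
block in log on $int_if
pass in quick on $int_if proto tcp from $int_if:network to any port { 22, 25, 80, 443 } flags S/SA keep state
pass in quick on $int_if proto udp from $int_if:network to any port 53 keep state
pass in quick on $int_if proto icmp from $int_if:network to any icmp-type echoreq keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Anything from the LAN that is not in the per-service list (for example a worm scanning outbound on an unusual port) now hits the logged default-deny instead of being passed silently.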