
Re: pf.conf feedback, critique...

On Tue, 21 Dec 2004, Kevin wrote:
> On Mon, 20 Dec 2004 18:42:58 +0100 (CET), J. <[email protected]> wrote:
> > # $OpenBSD: pf.conf,v 1.28 OpenBSD 3.5-current (GENERIC)
> 
> Why not upgrade to 3.6-stable,  before going production?
Yes, I should really do that. When I installed OpenBSD for the first time I
installed `-current' by accident. Beginner's thingie I guess. Anyway I
found that out fairly quickly using ldd when I tried to install the wrong
vim version/package. Ehum.. Good thing Christmas is coming up, enough
time to upgrade.. ;-)
 
> > # 1. ftp clients [external,incomming]
> > rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server port 21
> > rdr on $ext_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535
> 
> You might consider this instead, if you just have a single IP (static
> or dynamic) from your ISP:
> 
> rdr on $ext_if proto tcp from any to ($ext_if) port 21 -> $ftp_server port 21
> rdr on $ext_if proto tcp from any to ($ext_if) port 49152:65535 -> $ftp_server port 49152:65535
OK, constant re-evaluation of $ext_if is needed then..
> > # block 192.168.1.40 to 224.0.0.22 , winXP IGMP-2 SPAM
> > # block in log quick on $int_if from $fam to 224.0.0.22
> 
> Personally, I do not use Multicast for anything, so I use the following:
> 
> block drop in quick from any to 224.0.0.0/4
First I thought everything to the 224.0.0.0/4 range was blocked by the
`antispoof' directive for both interfaces, however when checking the
logfile it wasn't, so I decided to block it explicitly. It still has me
puzzled a bit why it isn't picked up by `antispoof'. But that is a
lower priority at this moment.
 
> > # Traffic must also be passed to and from the internal network
> > pass in on $int_if from $int_if:network to any keep state
> 
> Are you sure about this?  Personally I'd restrict this policy,
> breaking this down into a number of 'quick' rules for specific
> destination ports/protocols.
Before I started with pf I read in one of the books that it's good to know
what actually passes through the firewall on a day-to-day basis before you
start. I tcpdump'd all traffic for a couple of weeks from my previous
firewall and drew some stats from the logfiles. Since I have much control
over the hosts within my LAN and nothing exciting showed up in the stats, I
decided it was OK to let everything out for the moment.
Thank you for your reply. My pf.conf is certainly going to be updated..
J.
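A ruleset along the lines Kevin suggests, added here as an example and not taken from either message: interface names, the FTP server address and the allowed port lists are assumptions, written in the pf syntax of the OpenBSD 3.x era the thread refers to.

```pf
# Assumed macros (not from the thread); adjust to the real interfaces/hosts.
ext_if = "xl0"
int_if = "xl1"
ftp_server = "192.168.1.10"
lan_tcp = "{ 22 25 53 80 110 143 443 }"
lan_udp = "{ 53 123 }"

set skip on lo0
scrub in all

# Redirect FTP control and passive data ports only for packets addressed to
# our own external address. The parentheses make pf re-read the address of
# $ext_if each time the rule is evaluated, so a dynamic IP from the ISP keeps
# working without reloading the ruleset.
rdr on $ext_if proto tcp from any to ($ext_if) port 21 -> $ftp_server port 21
rdr on $ext_if proto tcp from any to ($ext_if) port 49152:65535 -> $ftp_server port 49152:65535

# antispoof only generates rules against forged *source* addresses (packets
# claiming to come from an interface's own network but arriving elsewhere);
# it never looks at the destination, so multicast has to be dropped explicitly.
antispoof quick for { lo0 $int_if }
block drop in quick from any to 224.0.0.0/4

# Default deny in both directions, logged, so unexpected traffic shows up.
block in log all
block out log all

# rdr only rewrites the destination; a pass rule is still needed for the
# translated traffic, written against the post-translation address.
pass in on $ext_if proto tcp from any to $ftp_server port 21 flags S/SA keep state
pass in on $ext_if proto tcp from any to $ftp_server port 49152:65535 flags S/SA keep state

# Instead of "pass in on $int_if from $int_if:network to any keep state",
# allow only the services the tcpdump survey showed the LAN actually uses.
# Anything not listed falls through to the logging block rule above.
pass in quick on $int_if proto tcp from $int_if:network to any port $lan_tcp flags S/SA keep state
pass in quick on $int_if proto udp from $int_if:network to any port $lan_udp keep state
pass in quick on $int_if inet proto icmp from $int_if:network to any icmp-type echoreq keep state

# Stateful outbound on the external side for what the rules above let in.
pass out on $ext_if proto { tcp udp icmp } all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `pflog0` with tcpdump for a few days to catch LAN traffic the allowed lists miss.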