
Firewall rules for a stand-alone machine

Dear all,

I'm new to PF and I would have liked to have the opinion of more
experienced users of PF about my firewall rules. It's a box with one interface,
where only SSH is allowed from outside. After reading the PF documentation
and a few other resources, I came up with the rules below.
Thank you in advance for all comments!

# Set macros
ext_if                = "rl0"
tcp_flags             = "S/SA"
tcp_services_in_proxy = "{ 22 }"
tcp_services_out      = "{ 22, 80, 443 }"
udp_services_out      = "{ 53, 123 }"
icmp_types            = "echoreq"

# Set options
set block-policy drop
set state-policy if-bound
set loginterface $ext_if

# Scrub all incoming packets
scrub in all

# Default policy (block all traffic on all interfaces in either direction)
block in log-all all
block out log all

# Pass traffic on the loopback interface in either direction
pass quick on lo0 all

# Activate anti-spoofing protections
antispoof quick for $ext_if

# Allowed traffic from outside
pass in log quick on $ext_if inet proto tcp from any to $ext_if port \
	$tcp_services_in_proxy flags $tcp_flags synproxy state

# Allowed traffic from inside
pass out log quick on $ext_if inet proto tcp from $ext_if to any port \
	$tcp_services_out flags $tcp_flags modulate state
# modulate state and synproxy state are TCP-only; UDP and ICMP use keep state
pass out log quick on $ext_if inet proto udp from $ext_if to any port \
	$udp_services_out keep state
pass out log quick on $ext_if inet proto icmp from $ext_if to any icmp-type \
	$icmp_types keep state
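Since the post asks for a review of the rule set, here is an added example, not part of the original message and not the poster's own code, of a small checker that reads a pf.conf fragment the way pfctl does (joining backslash continuations, expanding macros) and flags the state options that pf.conf(5) documents as TCP-only, `modulate state` and `synproxy state`, when they appear on a non-TCP rule. The sample configuration embedded in the block is constructed for the demonstration in the same style as the rules above, with one deliberate defect (modulate state on a UDP rule); the macro and comment handling is a simplification and assumes no `#` inside quoted values.

```python
import re

# Constructed sample (not the poster's exact file): a pf.conf fragment in the
# same style as the rules above, with one deliberate defect to catch.
SAMPLE_PF_CONF = """\
# Set macros
ext_if           = "rl0"
tcp_flags        = "S/SA"
udp_services_out = "{ 53, 123 }"

# Rules (backslash continuations, as pf.conf requires)
pass in log quick on $ext_if inet proto tcp from any to $ext_if port 22 \\
    flags $tcp_flags synproxy state
pass out log quick on $ext_if inet proto udp from $ext_if to any port \\
    $udp_services_out modulate state
pass out log quick on $ext_if inet proto icmp from $ext_if to any icmp-type echoreq keep state
"""

# State options that pf.conf(5) documents as working only for TCP.
TCP_ONLY_STATE_OPTIONS = ("modulate state", "synproxy state")


def join_continuations(text):
    """Strip comments and join backslash-continued lines, the way pfctl reads a file."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # assumes no '#' inside quoted values
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(" ".join(buf.split()))  # collapse alignment whitespace
        buf = ""
    if buf.strip():  # file ended on a continuation line
        lines.append(" ".join(buf.split()))
    return lines


def expand_macros(lines):
    """Collect name = "value" definitions and substitute $name in the remaining rules."""
    macros, rules = {}, []
    for line in lines:
        m = re.match(r'^(\w+)\s*=\s*"(.*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    return [re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), r)
            for r in rules]


def rule_proto(rule):
    """Return the protocol named after 'proto' in a rule, or None if there is none."""
    toks = rule.split()
    if "proto" in toks and toks.index("proto") + 1 < len(toks):
        return toks[toks.index("proto") + 1]
    return None


def check_rules(text):
    """Return (rule_index, rule, message) for each TCP-only state option on a non-TCP rule."""
    findings = []
    for i, rule in enumerate(expand_macros(join_continuations(text))):
        proto = rule_proto(rule)
        for opt in TCP_ONLY_STATE_OPTIONS:
            if opt in rule and proto != "tcp":
                findings.append((i, rule,
                                 f"'{opt}' only applies to TCP rules (this rule is proto "
                                 f"{proto}); use 'keep state'"))
    return findings


if __name__ == "__main__":
    for idx, rule, msg in check_rules(SAMPLE_PF_CONF):
        print(f"rule {idx}: {msg}\n    {rule}")
```

This is only a pre-check for the specific mistake discussed here; the authoritative syntax check remains `pfctl -nf /etc/pf.conf`, which parses the file without loading it and rejects the invalid combinations itself.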