
Re: Firewall rules for a stand-alone machine

Hi Jason,

Many thanks for your comments. It helps a lot and I have already modified some rules.

- Why create this unreadable $tcp_services_in_proxy when you can just say "port ssh"?
Actually, I did it in case I wanted to add additional services to be proxied. Anytime soon, I was planning to add
support for http and https, so I found it easier to put it in a macro than to duplicate the same line 3 times.

- In your rules, surround your interface with parentheses. This allows for the automatic updating of rules if your IP address changes.
Thanks. Nice tip!

- Why log passed outbound traffic? For that matter, why log passed traffic at all?
As I'm new to PF (and to writing fw rules by hand), I wanted to see if I was not dropping some legitimate traffic. So for a short period
I'd like to have a terminal open showing all traffic that has been dropped.

- Also, the use of synproxy state is unnecessary since you're not passing packets anywhere. No need to proxy the handshake since you're the endpoint.
Is there no benefit at all to using synproxy state even if I'm the endpoint? Doesn't that mean that sshd will not see packets until the handshake has been done
by PF, which is nice anyway even if PF and sshd are on the same box? (All my apologies if this question is naive, but I would like to try to understand this, and,
as a web developer by profession, some things related to Unix or networking are not yet crystal-clear to me.)

- Cannot use modulate state on UDP, it's only for TCP connections.
In the PF manual, in the Keep state section of the Packet filtering chapter, it's written that starting with OpenBSD 3.5, the modulate state option can
be used in rules that specify protocols other than TCP. That's why I put it that way. Now, as you said in your last comment about generation of ISNs, there is no need
for me to use modulate state anyway, so I replaced it with keep state.

- Your ruleset should work fine (not tested),
Yes, it has been running for the last 3 weeks, but after reading the documentation for a 2nd time, I also wanted to have the precious opinion of more experienced
users of PF.

Once again, thank you very much for your time and your precious comments.
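The points exchanged in this thread (a service macro, the interface in parentheses, logging only blocked traffic, keep state versus modulate state on UDP) can be put together in one small ruleset. The following pf.conf is an added illustration written for this archive page; it is not the poster's ruleset nor anything Jason sent. The interface name fxp0, the service list and the choice to log only blocked packets are assumptions.

```pf
# Added example for a stand-alone box (not the original poster's ruleset).
# Interface name and service list are assumptions.
ext_if = "fxp0"

# One macro instead of three near-identical pass rules; adding a service
# is a one-word change here rather than a new rule.
tcp_services_in = "{ ssh, http, https }"

# Loopback traffic is trusted and never logged.
pass quick on lo0 all

# Default deny. Only blocked packets are logged, so a terminal watching
# pflog0 shows exactly the traffic that was dropped and nothing else.
block log all

# Outbound traffic from this host. modulate state is a TCP-only ISN
# rewrite; UDP and ICMP get plain keep state, as discussed in the thread.
pass out on $ext_if proto tcp  from ($ext_if) to any flags S/SA modulate state
pass out on $ext_if proto udp  from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state

# Inbound services. ($ext_if) in parentheses makes PF re-read the address
# when it changes, so a DHCP lease renewal does not silently break the rule.
# keep state is used here; synproxy state would be a drop-in replacement on
# this line if the poster decides to keep it.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services_in flags S/SA keep state
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf` (the -n flag parses without loading). To get the "terminal showing dropped traffic" the poster describes, run `tcpdump -n -e -ttt -i pflog0`; because only the block rule carries the log keyword, passed connections never appear there.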