
pf ruleset review



Hi all,
Can anyone review this ruleset?
Server with 2 network cards (both with public IPs). This server is on the
network 1.1.1.X (example).
----
| |----- fxp0 (IP = 1.1.1.1)
| || |----- sis0 (IP = 1.1.1.2)
----
I want every request to port 80 (web), 10000 (webmin
interface), 22 (ssh) and 21 (ftp) to go through the ext_if.
And samba (139, 445) and cups (631) only through the int_if.
And are the security options enough?
Thanks!
PF.CONF:
#INTERFACES
ext_if="fxp0"
int_if="sis0"
ip_ext="1.1.1.1"  #example ip
ip_int="1.1.1.2"  #example ip
#INFO
#SSH = 22
#WEB = 80
#FTP = 21
#WEBMIN = 10000
#SAMBA = 139, 445
#CUPS = 631
#UDP = 137, 138
#OPTIONS
set block-policy drop
block in log all label "blockin"
block out log all label "blockout"
scrub in all
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
#SSH
pass in quick on $ext_if proto tcp from any to $ip_ext port 22 flags S/SA keep state
#WEB+WEBMIN+FTP
pass in quick on $ext_if proto tcp from any to $ip_ext port {80,10000,21} flags S/SA keep state
#PROFTPD passive data port range (stateless, so the matching out rule is needed)
pass in quick on $ext_if proto tcp from any to $ip_ext port 49151 >< 52000
pass out quick on $ext_if proto tcp from $ip_ext port 49151 >< 52000 to any
#SAMBA
#a.a.a.a => ips from a vlan
#b.b.b.b => ips in webserver lan
pass in quick on $int_if proto tcp from a.a.a.a/20 to $ip_int port {139,445}
pass in quick on $int_if proto tcp from b.b.b.b/24 to $ip_int port {139,445}
#CUPS
pass in quick on $int_if proto tcp from a.a.a.a/20 to $ip_int port 631
pass in quick on $int_if proto tcp from b.b.b.b/24 to $ip_int port 631
#ICMP
pass in quick on $ext_if inet proto icmp all icmp-type 3 keep state
pass in quick on $ext_if inet proto icmp all icmp-type 4 keep state
pass out on $ext_if proto tcp from $ip_ext to any flags S/SA keep state
pass out on $ext_if proto { icmp, udp } from $ip_ext to any keep state
pass out on $int_if proto tcp from $ip_int to any flags S/SA keep state
pass out on $int_if proto { icmp, udp } from $ip_int to any keep state
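An added check that is not part of the post or of pf itself (pfctl -nf /etc/pf.conf remains the real syntax check): it expands the macros, picks out the "pass in ... proto tcp ... port" rules and lists which TCP ports each interface accepts, then compares that with the intended ext_if/int_if split. RULESET is a constructed excerpt of the ruleset above; the macro names and rule shapes are the post's own, and only those shapes are parsed.

```python
import re

# Constructed excerpt of the ruleset above (comments and unrelated rules omitted).
RULESET = """
ext_if="fxp0"
int_if="sis0"
ip_ext="1.1.1.1"
ip_int="1.1.1.2"
pass in quick on $ext_if proto tcp from any to $ip_ext port 22 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $ip_ext port {80,10000,21} flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $ip_ext port 49151 >< 52000
pass in quick on $int_if proto tcp from a.a.a.a/20 to $ip_int port {139,445}
pass in quick on $int_if proto tcp from b.b.b.b/24 to $ip_int port 631
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"')
# Only the rule shapes used in the post: interface after "on", then a port
# spec that is a {list}, a "lo >< hi" range, or a single port number.
RULE_RE = re.compile(r'^pass in .*?on (\S+) .*proto tcp .* port (\{[^}]*\}|\d+\s*><\s*\d+|\d+)')

def expand_macros(text):
    """Strip comments, collect name="value" macros and substitute $name,
    as pfctl does. Assumes no macro name is a prefix of another."""
    macros, lines = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in macros.items():
            line = line.replace('$' + name, value)
        lines.append(line)
    return lines

def inbound_tcp_ports(text):
    """Map interface -> sorted TCP port specs that 'pass in' on it."""
    exposed = {}
    for line in expand_macros(text):
        m = RULE_RE.match(line)
        if m:
            for p in m.group(2).strip('{}').split(','):
                exposed.setdefault(m.group(1), set()).add(p.replace(' ', ''))
    return {i: sorted(p, key=lambda s: int(s.split('><')[0])) for i, p in exposed.items()}

def check_policy(exposed, allowed):
    """(iface, port) pairs passed in that the intended split does not allow."""
    return [(i, p) for i, ps in exposed.items() for p in ps if p not in allowed.get(i, ())]
```

Rules without a port keyword, non-TCP rules and any other pf syntax are ignored, so treat this as a sanity check beside pfctl, not a replacement for it.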