LinuxQuestions.org
Old 06-04-2006, 12:55 PM   #1
geletine (Member, registered Apr 2005, Slackware)

freebsd firewall setup

I've decided to use pf. My firewall is to allow incoming traffic for HTTP (so I can search the internet, download, upload), allow me to access FTP (I guess that's not my firewall rule), allow IRC traffic in and out, BitTorrent in and out, and everything else blocked.
I am hoping it is something like this, based off the OpenBSD home/small office example

# Macros
ext_if="sis900"   # interface that filtering happens on (SiS 900 NIC). FreeBSD's sis(4) driver
                  # names the interface sis0, not sis900; check ifconfig before loading this
int_if="sis900"   # the same interface. With int_if == ext_if the NAT rule and the final
                  # "pass in quick on $int_if" apply to the Internet side as well, i.e. everything
                  # is let in. Use a second NIC here, or drop the int_if/nat/rdr lines on a
                  # single-NIC host.
# The example uses three macros it never defines; pfctl refuses to load the file without them.
# Assumed values for illustration, adjust to taste:
comp3="192.168.0.3"          # assumed LAN address of a web server behind the firewall
tcp_services="{ 22 }"        # assumed services the firewall itself offers
icmp_types="echoreq"         # assumed: only ICMP echo requests are let in

# Options: set the default response for block rules and turn statistics logging on for the external interface
set block-policy return
set loginterface $ext_if

set skip on lo                # disable all filtering on loopback interfaces

scrub in                      # scrub (normalise) all incoming traffic

nat on $ext_if from !($ext_if) to any -> ($ext_if)   # perform NAT for the entire internal network

# FTP proxy. ftp-proxy(8) inserts its own nat/rdr rules into these two anchors at run time
# for each FTP session it handles; until then the anchors are empty placeholders. The proxy
# must actually be running and listening on 127.0.0.1:8021, or FTP connections just hang.
# (Original note: "FTP proxy working, so I can connect to FTPs?? I am slightly confused with the next rule")
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Redirect the LAN's FTP control connections (port 21) to the proxy, which opens the data
# connections on the clients' behalf; only the control port needs redirecting
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Catches any attempt from the Internet to connect to TCP port 80 on the firewall and sends it to $comp3
rdr on $ext_if proto tcp from any to any port 80 -> $comp3

block in                      # block all incoming traffic (default deny)

pass out keep state           # let outgoing traffic leave (not incoming); the state entry lets the replies back in

# ftp-proxy inserts the matching pass rules for the proxied FTP data connections here
# (original note: "something to do with the previous ftp-proxy settings? this is where I don't understand yet")
anchor "ftp-proxy/*"

antispoof quick for { lo $int_if }   # spoofed-address protection

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state   # allow incoming Internet traffic to the listed services only

pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
    flags S/SA synproxy state   # pass the redirected web traffic through; synproxy completes the handshake first

pass in inet proto icmp all icmp-type $icmp_types keep state   # pass the listed ICMP types

pass in quick on $int_if      # pass everything in from the internal network


thanks in advance
 
Old 06-06-2006, 05:08 PM   #2
geletine (Original Poster)
More than 40 views and not one reply

If my first post was not clear enough: on a Linux box I use the following iptables rules, and I would like a similar one for pf in FreeBSD.

#!/bin/sh
# iptables host firewall: default-deny inbound, allow everything outbound,
# accept replies to connections this host opened, log whatever gets dropped.
IPT="/usr/sbin/iptables"

# Kernel hardening knobs
echo "0" > /proc/sys/net/ipv4/ip_forward                   # this box does not route
echo "1" > /proc/sys/net/ipv4/tcp_syncookies               # survive SYN floods
echo "0" > /proc/sys/net/ipv4/tcp_timestamps               # no TCP timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter           # reverse-path check: drop spoofed sources
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts  # do not answer broadcast pings (smurf)
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route # ignore source-routed packets
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects    # only accept ICMP redirects from default gateways
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians        # log packets with impossible addresses

# Flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

# Policies: drop anything inbound that no rule accepts; allow all outbound
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT

# Replies to connections this host opened, plus helper-tracked related ones (FTP data, IRC DCC)
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Local processes may talk to each other over loopback
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT
# Everything else is logged, then falls through to the DROP policy
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

# Connection-tracking helpers that mark FTP data and IRC DCC connections as RELATED
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
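The iptables script above is a single-host policy (default-deny inbound, everything outbound, replies via connection tracking), which is a much smaller job than the NAT/proxy example quoted in post #1. The pf.conf below is an added example for this thread, not the original poster's configuration and not taken from the OpenBSD or FreeBSD documentation; it maps each iptables line onto its pf equivalent. Assumptions: the SiS 900 card shows up as sis0 (FreeBSD's sis(4) driver; check ifconfig), and BitTorrent listens on 6881-6889, the one inbound service post #1 asked for.

```pf
# /etc/pf.conf, single-host firewall matching the iptables script in post #2
ext_if="sis0"                 # assumed interface name for the SiS 900 NIC
bt_ports="6881:6889"          # assumed listening range for incoming BitTorrent peers

# Options
set block-policy drop         # "-P INPUT DROP": discard silently, no RST or ICMP unreachable
set loginterface $ext_if      # per-interface counters, shown by "pfctl -si"
set skip on lo0               # "-A INPUT -i lo -j ACCEPT": loopback is never filtered

# Normalisation (no iptables equivalent): reassemble fragments before state lookup
scrub in on $ext_if all fragment reassemble

# Filter rules. In pf the LAST matching rule wins unless it says "quick",
# so the default deny comes first and the pass rules override it.
antispoof quick for { lo0 $ext_if }      # rp_filter and log_martians: drop spoofed sources

block in log on $ext_if all              # "-A INPUT -j LOG" plus the DROP policy; logged to pflog0

pass out on $ext_if all keep state       # "-P OUTPUT ACCEPT"; the state entry admits the
                                         # replies, replacing "--state ESTABLISHED,RELATED"

# The only service this host offers: incoming BitTorrent peers ("bittorrent in" from post #1)
pass in on $ext_if proto tcp from any to ($ext_if) port $bt_ports \
    flags S/SA keep state

# FTP. Passive mode needs nothing extra: the client opens every connection and
# "pass out keep state" admits the replies. ip_conntrack_ftp's real job was active
# mode, where the server connects back from port 20. The ftp-proxy/rdr setup in
# post #1 only helps hosts behind the box, because rdr acts on packets arriving on
# an interface, not on connections the box itself opens. The substitute for active
# mode from this host is the rule below; it trusts the remote source port, which any
# attacker can set, so leave it commented out and use passive mode (FreeBSD's ftp(1)
# is passive by default) unless you really need active transfers.
# pass in on $ext_if proto tcp from any port 20 to ($ext_if) port > 1023 \
#     flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then set `pf_enable="YES"` and `pflog_enable="YES"` in /etc/rc.conf so the `log` keyword has somewhere to write; the dropped packets can be watched with `tcpdump -n -e -ttt -i pflog0`. Outbound IRC works through the stateful pass-out rule like everything else; only incoming DCC transfers would need an extra pass-in rule, and ip_conntrack_irc has no pf counterpart. The sysctl lines of the script belong in /etc/sysctl.conf: `net.inet.ip.forwarding=0` (ip_forward), `net.inet.tcp.syncookies=1`, `net.inet.tcp.rfc1323=0` (tcp_timestamps, with the caveat that it also turns off window scaling), `net.inet.ip.accept_sourceroute=0` and `net.inet.ip.sourceroute=0` (accept_source_route), `net.inet.icmp.bmcastecho=0` (icmp_echo_ignore_broadcasts) and `net.inet.icmp.drop_redirect=1` (the closest match for secure_redirects); rp_filter and log_martians have no sysctl on FreeBSD and are covered by the antispoof and block log rules.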
 
  

