I have a problem with pf.conf... I can't ssh my box... here's my pf.conf
Quote:
ext_if="rl0" # Untrusted (from WAN ISP) side
loop_if="lo0" # LoopBack Device
#### Bad IP Networks and Addresses
spoof_ip="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
bcast_ip="{ 255.255.255.255, 10.0.0.191 }"
# -------------------------
# DNS : Public access resolvers
# -------------------------
dns_servers="{ 202.167.102.1, 202.167.102.2 }"
dns_ports="{ 53 }"
dns_proto="{ tcp, udp }"
# -------------------------
# SSH : Allow remote login
# Define which systems will have SSH login from the outside.
# -------------------------
ssh_servers="{ 202.164.102.82, 202.164.102.94 }"
ssh_ports="{ 22 }"
ssh_proto="{ tcp }"
#### Illegal Ports
#
# We define particular ports as "illegal". This means that no matter what,
# these ports should not be allowed, nor even attempted from the outside.
# This protects our network against DoS attacks, such as the one that affects
# Microsoft's SQL Server, etc...
#
#
illegal_ports="{ 67, 68, 135, 137, 138, 139, 161, 427, 1433, 1434, 3389 }"
############################# START FILTER RULES #############################
#
#### Clean up fragmented and abnormal packets
#
scrub in all
#
#
#### Block (Deny) and LOG everything else IN by default
block in log on $ext_if all
#
#### Allow loopback address for the filter box
#
pass in quick on $loop_if from any to any
pass out quick on $loop_if from any to any
#
#
#### Don't allow anyone to spoof non-routable addresses or broadcasts
#### also block traffic on restricted ports
#
block in quick on $ext_if inet from $spoof_ip to any
block in quick on $ext_if inet from $bcast_ip to any
block in quick on $ext_if inet from any to $bcast_ip
block in quick on $ext_if inet proto { tcp, udp } from any to any port $illegal_ports
block out quick on $ext_if inet from any to $spoof_ip
block out quick on $ext_if inet from $bcast_ip to any
block out quick on $ext_if inet proto { tcp, udp } from any to any port $illegal_ports
#
#
#### IN RULES
#
# These rules define what we want to allow INBOUND to our network.
# Primarily, what services are allowed on which machines.
#
#### DNS Traffic
pass in on $ext_if inet proto $dns_proto from any to $dns_servers port $dns_ports keep state
#### SSH Traffic
pass in on $ext_if inet proto $ssh_proto from any to $ssh_servers port $ssh_ports keep state
#### Allow ICMP (ping) IN
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
#
#
#### OUT RULES
#
# This defines what we want to allow OUTBOUND on our WAN.
# Of course allow established inbound requests to be fulfilled
# and then allow everything from our internal network to be allowed
#
#
#### Pass (Allow) all UDP/TCP OUT and keep state
pass out on $ext_if proto udp all keep state
pass out on $ext_if proto tcp all modulate state
#### Allow ICMP (ping) OUT
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Mar 12 17:57:26.672714 rule 0/0(match): block in on rl0: 202.164.102.94.1552 > 202.164.102.83.22: S 2085914847:2085914847(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
Mar 12 17:57:29.873223 rule 0/0(match): block in on rl0: 202.164.102.94.1552 > 202.164.102.83.22: S 2085914847:2085914847(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
Mar 12 17:57:36.435522 rule 0/0(match): block in on rl0: 202.164.102.94.1552 > 202.164.102.83.22: S 2085914847:2085914847(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
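As an added diagnostic that is not part of the post, this replays the inbound TCP rules from the pf.conf above, with its macro values, in pf's last-match-wins/quick order against the pflog lines; it assumes the box's rl0 address is the 202.164.102.83 that the log shows as destination.

```python
import ipaddress
import re

# Macro values copied from the pf.conf in the post above.
SPOOF_IP = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
BCAST_IP = ["255.255.255.255", "10.0.0.191"]
DNS_SERVERS, DNS_PORTS = ["202.167.102.1", "202.167.102.2"], [53]
SSH_SERVERS, SSH_PORTS = ["202.164.102.82", "202.164.102.94"], [22]
ILLEGAL_PORTS = [67, 68, 135, 137, 138, 139, 161, 427, 1433, 1434, 3389]
PFLOG_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def in_nets(ip, nets):
    # True if ip is inside any entry of nets (a bare host counts as /32).
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

# Posted inbound TCP rules on $ext_if in file order: (action, quick, predicate).
# Index 0 is "block in log on $ext_if all", the "rule 0" named in the pflog.
INBOUND_TCP_RULES = [
    ("block", False, lambda s, sp, d, dp: True),
    ("block", True, lambda s, sp, d, dp: in_nets(s, SPOOF_IP)),
    ("block", True, lambda s, sp, d, dp: in_nets(s, BCAST_IP)),
    ("block", True, lambda s, sp, d, dp: in_nets(d, BCAST_IP)),
    ("block", True, lambda s, sp, d, dp: dp in ILLEGAL_PORTS),
    ("pass", False, lambda s, sp, d, dp: in_nets(d, DNS_SERVERS) and dp in DNS_PORTS),
    ("pass", False, lambda s, sp, d, dp: in_nets(d, SSH_SERVERS) and dp in SSH_PORTS),
]

def evaluate(src, sport, dst, dport):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    verdict = None
    for idx, (action, quick, match) in enumerate(INBOUND_TCP_RULES):
        if match(src, sport, dst, dport):
            verdict = (action, idx)
            if quick:
                break
    return verdict

def explain_pflog(text):
    """Replay the ruleset for each tcpdump-on-pflog0 packet line and report the reason."""
    out = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue  # tcpdump's warning/listening lines carry no packet
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        action, idx = evaluate(src, sport, dst, dport)
        out.append({"src": src, "dst": dst, "dport": dport, "action": action,
                    "rule": idx, "dst_in_ssh_servers": in_nets(dst, SSH_SERVERS)})
    return out
```

Feeding the three logged SYNs through `explain_pflog` shows each one ends at rule 0 with `dst_in_ssh_servers` false: the SSH pass rule keys on the destination address, and 202.164.102.83 is not in `ssh_servers`.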