LinuxQuestions.org > Forums > Other *NIX Forums > *BSD
*BSD: This forum is for the discussion of all BSD variants (FreeBSD, OpenBSD, NetBSD, etc.).
Old 01-13-2008, 10:53 AM   #1
Carpo
Member
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364
Require a little help with pf


Hi,

I have recently moved to FreeBSD from Slack (on the server) and pf looks a bit out of my depth; it looks easy enough, but not easy enough for me.

Code:
#!/bin/bash
# Flush INPUT and default-deny it; OUTPUT is only flushed, so its policy stays ACCEPT
iptables -F INPUT
iptables -P INPUT DROP
iptables -F OUTPUT
# Accept replies to connections this host initiated (arriving on eth0 only)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Disabled: loopback and the unrestricted service ports
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 2010 -j ACCEPT
#iptables -A INPUT -p tcp --dport 9000:9200 -j ACCEPT
# LAN hosts: any TCP port, on any interface
iptables -A INPUT -p tcp -s 192.168.1.2 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.3 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.4 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.5 -j ACCEPT
# Three external hosts: TCP 80, 443, 2010 and 9000-9200, on eth0 only
iptables -A INPUT -i eth0 -p tcp -s 12.34.56.78 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 15.16.17.18 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 34.24.32.18 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 12.34.56.78 --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 15.16.17.18 --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 34.24.32.18 --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 12.34.56.78 --dport 2010 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 15.16.17.18 --dport 2010 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 34.24.32.18 --dport 2010 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 12.34.56.78 --dport 9000:9200 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 15.16.17.18 --dport 9000:9200 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 34.24.32.18 --dport 9000:9200 -j ACCEPT

is what iptables looks like on Slackware, and it seems to work. What I am after is how I would need to convert this to pf, so that I would have the same security as I did on Linux. I require pf to be able to allow IPs and DNS names for the rules above. I have googled for OpenBSD pf and the FAQ page I found is rather informative, but no matter how many times I re-read the pages I just can't seem to make sense of it.

Thanks for any help.
 
Old 01-13-2008, 05:28 PM   #2
Zmyrgel
Senior Member
Registered: Dec 2005
Location: Finland
Distribution: Slackware, CentOS, RHEL, OpenBSD
Posts: 1,006

Here's what I came up with...

Code:
ext_if="em0"
# LAN hosts that may reach any port
addresses="{192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5}"
# external hosts restricted to the service ports
addresses2="{12.34.56.78, 15.16.17.18, 34.24.32.18}"
ports="{443, 80, 2010, 9000:9200}"

set block-policy drop
block all
# keep state is explicit: pf before OpenBSD 4.1 does not default to it,
# and without it replies to outbound connections hit 'block all'
pass out keep state
pass quick on lo
pass in on $ext_if from $addresses to any keep state
# a destination port list must be introduced with 'to any port', and needs a proto
pass in on $ext_if proto tcp from $addresses2 to any port $ports keep state
Note that I don't know iptables that well and I'm still struggling with my own pf, but it should give you the idea.
 
Old 01-15-2008, 06:20 AM   #3
Carpo
Member
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364
Original Poster
Thanks. Someone helped me sort it on IRC after I spent an hour reading the OpenBSD pf FAQ; I was using 10 times as many rules as I needed. I had got it right, just with too many rules.

Code:
ext_if = "re0"
int_if = "em0"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any keep state
pass in on $ext_if from { 192.168.1.1/24 } to any keep state
# a destination port list must be introduced with 'to any port', and needs a proto
pass in on $ext_if proto tcp from { 12.34.56.78, 15.16.17.18, 34.24.32.18 } to any port { 80, 443, 2010, 9000:9200 } keep state

Hope that helps you in some way also.
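The conversion this thread does by hand, as an added example that is not code from the thread or from either poster: a small Python script that parses the iptables subset used in post #1 and emits the equivalent pf.conf, merging rules that differ only in source address into one pf rule with an address list, which is the consolidation the OP arrived at. It assumes Linux eth0 maps to a `$ext_if` macro set to `em0` (an assumed FreeBSD interface name), turns the ESTABLISHED,RELATED rule into `keep state` on the outbound pass, and adds `flags S/SA` so that only a SYN can create TCP state. The input is a constructed excerpt of the posted script; the translator refuses any option it does not know rather than guessing.

```python
"""Translate the iptables INPUT-chain subset used in this thread into pf.conf.
Added example, not code from the thread; it knows only the options the posted
script uses (-F, -P, -A, -i, -p, -s, --dport, -m state, -j) and raises on others."""
import shlex

IFACE_MAP = {"eth0": "$ext_if"}    # assumption: Linux eth0 -> FreeBSD $ext_if

# Constructed input: excerpt of the post #1 script (443/2010 rules translate like port 80).
IPTABLES_SCRIPT = """\
#!/bin/bash
iptables -F INPUT
iptables -P INPUT DROP
iptables -F OUTPUT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.2 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.3 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 12.34.56.78 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 15.16.17.18 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 34.24.32.18 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 12.34.56.78 --dport 9000:9200 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 15.16.17.18 --dport 9000:9200 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 34.24.32.18 --dport 9000:9200 -j ACCEPT
"""

OPTS = {"-i": "iface", "-p": "proto", "-s": "src", "--dport": "dport",
        "--state": "state", "-j": "target"}


def parse_rule(line):
    """Parse one 'iptables ...' line; return None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    argv = shlex.split(line)
    if argv[0] != "iptables":
        raise ValueError("not an iptables command: %r" % line)
    r = dict.fromkeys(["cmd", "chain"] + list(OPTS.values()))
    i = 1
    while i < len(argv):
        opt = argv[i]
        if opt == "-F":
            r["cmd"], r["chain"], i = "flush", argv[i + 1], i + 2
        elif opt == "-P":
            r["cmd"], r["chain"], r["target"] = "policy", argv[i + 1], argv[i + 2]
            i += 3
        elif opt == "-A":
            r["cmd"], r["chain"], i = "append", argv[i + 1], i + 2
        elif opt in OPTS:
            r[OPTS[opt]], i = argv[i + 1], i + 2
        elif opt == "-m" and argv[i + 1] == "state":
            i += 2                          # match module; --state follows
        else:
            raise ValueError("unsupported option %s in %r" % (opt, line))
    return r


def fmt_list(items):
    """Render addresses in pf's { a, b } list syntax."""
    return items[0] if len(items) == 1 else "{ " + ", ".join(items) + " }"


def to_pf(script, iface_map=IFACE_MAP):
    """pf.conf lines for the INPUT chain; same-port rules merge into one address list."""
    block_in = established = False
    groups = {}                             # (iface, proto, dport) -> [sources]
    for line in script.splitlines():
        r = parse_rule(line)
        if r is None or r["cmd"] == "flush":
            continue
        if r["chain"] != "INPUT":
            raise ValueError("only the INPUT chain is translated: %r" % line)
        if r["cmd"] == "policy":
            block_in = r["target"] == "DROP"
            continue
        if r["target"] != "ACCEPT":
            raise ValueError("only ACCEPT rules are translated: %r" % line)
        if r["state"]:
            established = True              # pf does this with keep state
            continue
        key = (iface_map.get(r["iface"], r["iface"]), r["proto"], r["dport"])
        srcs = groups.setdefault(key, [])
        if r["src"] and r["src"] not in srcs:
            srcs.append(r["src"])
    out = ['ext_if = "em0"   # assumed FreeBSD interface name']
    if block_in:
        out += ["set block-policy drop", "block in all"]
    # OUTPUT kept its default ACCEPT; keep state on the outbound pass is the
    # pf form of the ESTABLISHED,RELATED rule (replies come back through state).
    out.append("pass out keep state" if established else "pass out")
    # pf is last-match, but every rule below is a pass after the single block.
    for (iface, proto, dport), srcs in groups.items():
        parts = ["pass in", iface and "on " + iface, proto and "proto " + proto,
                 "from " + (fmt_list(srcs) if srcs else "any") + " to any",
                 dport and "port " + dport,          # pf uses the same a:b range form
                 proto == "tcp" and "flags S/SA",    # only a SYN may create state
                 "keep state"]
        out.append(" ".join(p for p in parts if p))
    return out


if __name__ == "__main__":
    print("\n".join(to_pf(IPTABLES_SCRIPT)))
```

Three things to check before loading the result with `pfctl -f`: run `pfctl -nf /etc/pf.conf` first, which parses without loading and catches exactly the missing `port` keyword kind of error; remember that hostnames in pf rules are resolved once, when the ruleset is loaded, so a DNS name whose address changes is not picked up until you reload; and note that the posted script blocks new loopback connections, because INPUT is DROP and the `-i lo` rule is commented out, which is why the translator does not add the `set skip on lo` that nearly every pf.conf wants. The LAN rules also carry no interface, in iptables and therefore in the output, so a packet arriving on the external interface with a 192.168.1.x source is accepted; on pf the usual fix is an `antispoof for $int_if` line, which is my recommendation rather than anything the thread states.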
 
  

