Ik ben vast niet de enige die op dit moment aan het vogelen is met een OpenBSD pf-firewall. Is het een idee om hier je pf.conf's te posten, zodat we wat nieuwe ideeën op kunnen doen?
Als aftrap volgt hier mijn eigen laptop (test) firewall config:
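#
# firewall config ne3 192.168.1.12 17/3/3 GS
#
# How pf reads this file: rules are evaluated top to bottom and the LAST
# matching rule wins, unless a rule carries "quick", which ends evaluation
# on the spot. The layout below relies on that:
#   1. options and scrub
#   2. default deny (silent drop) - placed FIRST so that the more specific
#      block/pass rules further down override it, instead of it overriding them
#   3. block-with-reply rules (RST / ICMP unreachable) for tcp/udp on ne3
#   4. quick pass for lo0, quick anti-spoof blocks, quick passes for ne3
#
#
# options: limit nr. of fragments to 30000
#
set limit frags 30000
#
# options: limit nr. of state table entries to 25000
#
set limit states 25000
#
# options: name of the interface pf collects stats for
#
set loginterface "ne3"
#
# options: timeout of a stateful tcp connection in its opening (handshake) phase: 20 secs
#
set timeout tcp.first 20
#
# options: timeout of an idle established tcp connection: 300 secs
#
set timeout tcp.established 300
#
# options: timeout of a tcp state after the connection has been closed: 5 secs
#
set timeout tcp.closed 5
#
# normalize (reassemble / sanitize) incoming traffic on ne3 before the rules see it
#
scrub in on ne3 all
#
# default rulez! (logged, silent drop)
# Listed first on purpose: with last-match semantics a "block ... all" at the
# END of the file matches every packet too and would override the
# return-rst/return-icmp rules below, so no RST or ICMP reply would ever be sent.
#
block in log all
block out log all
#
# block with reply on ne3: refused tcp gets a RST, refused udp gets an ICMP
# unreachable (a local client fails fast instead of waiting for a timeout).
# Deliberately without "quick", so the quick pass rules further down still win.
#
block return-rst in log on ne3 proto tcp all
block return-rst out log on ne3 proto tcp all
block return-icmp in log on ne3 proto udp all
block return-icmp out log on ne3 proto udp all
#
# enable localhost traffic
# (must stay above the 127.0.0.0/8 block rules below, which carry "quick")
#
pass in quick on lo0 all
pass out quick on lo0 all
#
# anti-spoof: bogon / "special-use" source networks (RFC 3330 list).
# The RFC 1918 ranges themselves are NOT blocked here: this host lives in
# 192.168.1.0/24, so 192.168/16 must stay open; 10/8 and 172.16/12 are left
# open as well in case the LAN routes to them - review if that is not the case.
# Note: blocking 0.0.0.0/8 outbound also drops DHCP client requests (source
# 0.0.0.0); harmless as long as ne3 keeps its static address 192.168.1.12.
# 192.88.99.0/24 is the 6to4 relay anycast block; the earlier 192.88.89.0/24
# was presumably a typo for it.
# Placed before the ne3 pass rules so a spoofed packet never reaches them.
#
block in log quick from 0.0.0.0/8 to any
block out log quick from 0.0.0.0/8 to any
block in log quick from 127.0.0.0/8 to any
block out log quick from 127.0.0.0/8 to any
block in log quick from 169.254.0.0/16 to any
block out log quick from 169.254.0.0/16 to any
block in log quick from 192.0.2.0/24 to any
block out log quick from 192.0.2.0/24 to any
block in log quick from 192.88.99.0/24 to any
block out log quick from 192.88.99.0/24 to any
block in log quick from 224.0.0.0/4 to any
block out log quick from 224.0.0.0/4 to any
block in log quick from 240.0.0.0/4 to any
block out log quick from 240.0.0.0/4 to any
#
# enable remote control (ssh) from 192.168.1.10 only, at most 3 concurrent
# states, logged under the label "ssh"
#
pass in quick on ne3 proto tcp from 192.168.1.10 to 192.168.1.12 port = 22 flags S keep state (max 3) label "ssh"
#
# enable outgoing traffic, only for sockets owned by user ger
# ("flags S" is only checked on tcp packets; udp/icmp from ger match as well)
#
pass out quick on ne3 from any to any user ger flags S keep state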
Als aftrap volgt hier mijn eigen laptop (test) firewall config:
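#
# firewall config ne3 192.168.1.12 17/3/3 GS
#
# How pf reads this file: rules are evaluated top to bottom and the LAST
# matching rule wins, unless a rule carries "quick", which ends evaluation
# on the spot. The layout below relies on that:
#   1. options and scrub
#   2. default deny (silent drop) - placed FIRST so that the more specific
#      block/pass rules further down override it, instead of it overriding them
#   3. block-with-reply rules (RST / ICMP unreachable) for tcp/udp on ne3
#   4. quick pass for lo0, quick anti-spoof blocks, quick passes for ne3
#
#
# options: limit nr. of fragments to 30000
#
set limit frags 30000
#
# options: limit nr. of state table entries to 25000
#
set limit states 25000
#
# options: name of the interface pf collects stats for
#
set loginterface "ne3"
#
# options: timeout of a stateful tcp connection in its opening (handshake) phase: 20 secs
#
set timeout tcp.first 20
#
# options: timeout of an idle established tcp connection: 300 secs
#
set timeout tcp.established 300
#
# options: timeout of a tcp state after the connection has been closed: 5 secs
#
set timeout tcp.closed 5
#
# normalize (reassemble / sanitize) incoming traffic on ne3 before the rules see it
#
scrub in on ne3 all
#
# default rulez! (logged, silent drop)
# Listed first on purpose: with last-match semantics a "block ... all" at the
# END of the file matches every packet too and would override the
# return-rst/return-icmp rules below, so no RST or ICMP reply would ever be sent.
#
block in log all
block out log all
#
# block with reply on ne3: refused tcp gets a RST, refused udp gets an ICMP
# unreachable (a local client fails fast instead of waiting for a timeout).
# Deliberately without "quick", so the quick pass rules further down still win.
#
block return-rst in log on ne3 proto tcp all
block return-rst out log on ne3 proto tcp all
block return-icmp in log on ne3 proto udp all
block return-icmp out log on ne3 proto udp all
#
# enable localhost traffic
# (must stay above the 127.0.0.0/8 block rules below, which carry "quick")
#
pass in quick on lo0 all
pass out quick on lo0 all
#
# anti-spoof: bogon / "special-use" source networks (RFC 3330 list).
# The RFC 1918 ranges themselves are NOT blocked here: this host lives in
# 192.168.1.0/24, so 192.168/16 must stay open; 10/8 and 172.16/12 are left
# open as well in case the LAN routes to them - review if that is not the case.
# Note: blocking 0.0.0.0/8 outbound also drops DHCP client requests (source
# 0.0.0.0); harmless as long as ne3 keeps its static address 192.168.1.12.
# 192.88.99.0/24 is the 6to4 relay anycast block; the earlier 192.88.89.0/24
# was presumably a typo for it.
# Placed before the ne3 pass rules so a spoofed packet never reaches them.
#
block in log quick from 0.0.0.0/8 to any
block out log quick from 0.0.0.0/8 to any
block in log quick from 127.0.0.0/8 to any
block out log quick from 127.0.0.0/8 to any
block in log quick from 169.254.0.0/16 to any
block out log quick from 169.254.0.0/16 to any
block in log quick from 192.0.2.0/24 to any
block out log quick from 192.0.2.0/24 to any
block in log quick from 192.88.99.0/24 to any
block out log quick from 192.88.99.0/24 to any
block in log quick from 224.0.0.0/4 to any
block out log quick from 224.0.0.0/4 to any
block in log quick from 240.0.0.0/4 to any
block out log quick from 240.0.0.0/4 to any
#
# enable remote control (ssh) from 192.168.1.10 only, at most 3 concurrent
# states, logged under the label "ssh"
#
pass in quick on ne3 proto tcp from 192.168.1.10 to 192.168.1.12 port = 22 flags S keep state (max 3) label "ssh"
#
# enable outgoing traffic, only for sockets owned by user ger
# ("flags S" is only checked on tcp packets; udp/icmp from ger match as well)
#
pass out quick on ne3 from any to any user ger flags S keep state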