Here is my pf.conf; it seems to be working well. I got BitTorrent up
and running, and I can ssh and use Windows Remote Desktop Server. I
can't print to my printer from the wireless to the wired network, but
I think that may have something to do with the printer. Does anyone know
how to see everyone on all the networks in BSD? By the way, I am
running FreeBSD with WPA security. My thoughts on FreeBSD: it is
clunky and not as well thought out as OpenBSD. It just doesn't seem as
smooth, but since I can't use OpenVPN for my setup and OBSD doesn't
use WPA, I think this is my best solution.
#################################################################
# Chris's pf.conf file
#################################################################
#################################################################
# MACROS
#################################################################
# log option, applied to the default-deny rule below so blocked
# packets show up on pflog0
logopt="log"
# Interfaces
ext_if="em0"
int_if="em1"
wifi_if="ral0"
# BitTorrent listening port, forwarded to the internal server
PORT="44049"
server_ip="192.168.0.199"
# Publicly Accessible Services
pubserv="{ 22 }"
# internal networks (wired and wireless)
lan_net="{ 192.168.0.0/24, 192.168.1.0/24 }"
#################################################################
# OPTIONS
#################################################################
# don't filter on the loopback interface
set skip on lo0
# scrub (normalize and reassemble) incoming packets
scrub in all
#################################################################
# REDIRECTION and NAT
#################################################################
# network address translation for both internal networks.
# ($ext_if) in parentheses follows the interface address if it changes
nat on $ext_if from $lan_net to any -> ($ext_if)
# Bittorrent Rules: forward inbound connections on $PORT to the
# internal server. rdr only translates; the pass rule is still
# needed, and it matches on the already-translated destination
# ($server_ip). A pf rule must be written on a single line.
rdr on $ext_if proto tcp from any to ($ext_if) port $PORT -> $server_ip port $PORT
pass in quick on $ext_if proto tcp from any to $server_ip port $PORT keep state
#################################################################
# FIREWALL POLICY
#################################################################
# setup a default deny policy (logged)
block $logopt all
# antispoofing
block in quick from urpf-failed
antispoof for { $int_if, $wifi_if, $ext_if }
# only allow ssh connections from the local network. use "block
# return" so that a TCP RST is sent to close blocked connections
# right away. use "quick" so that this rule is not overridden by
# the "pass" rules below (pf's last matching rule wins unless a
# matching rule is "quick"). Finally, only let my laptop ssh.
# Note: this rule is bound to $int_if, so ssh arriving on
# $wifi_if is not restricted by it.
block return in quick on $int_if proto tcp from ! 192.168.1.102 to $int_if port ssh
# allow permitted services from the Internet. "flags S/SA" lets
# only the initial SYN create state.
pass in on $ext_if inet proto tcp from any to any port $pubserv flags S/SA keep state
# pass all traffic to and from the local network. these rules
# will create state entries due to the default "keep state"
# option which will automatically be applied. They forward unicast
# between the two LANs; broadcast/multicast discovery traffic does
# not cross subnets regardless of these rules.
pass in on { $int_if, $wifi_if } from $lan_net to any
pass out on { $int_if, $wifi_if } from any to $lan_net
# pass tcp, udp, and icmp out on the external (Internet)
# interface. tcp connections will be modulated, udp/icmp will be
# tracked statefully.
pass out on $ext_if proto { tcp, udp, icmp } all modulate state
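Added example, not part of the post above and not pf's own code: a small Python model of pf's evaluation order (the last matching rule decides, unless a matching rule says "quick", which stops evaluation) run over a simplified copy of the filter rules in the posted pf.conf. It models only direction, interface, protocol, source network, a negated source host and destination port; destination addresses, NAT/rdr, state, scrub, urpf-failed and antispoof are left out, so it illustrates rule ordering and is no substitute for `pfctl -nf /etc/pf.conf`. Interface names, networks and the laptop address come from the posted file; the other hosts (192.168.1.50, 192.168.0.50, 203.0.113.5) are constructed sample addresses.

```python
"""Toy model of pf rule evaluation (constructed for this example, not
pf's own code). The last matching rule decides the verdict unless a
matching rule carries "quick", which stops evaluation at that rule.
Modelled: direction, interface, protocol, source network, a negated
source host ("from ! host") and destination port. Not modelled:
destination addresses, NAT/rdr, state, scrub, urpf-failed, antispoof."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# networks and the laptop address are taken from the posted pf.conf
LAN_NET = [ipaddress.ip_network("192.168.0.0/24"),
           ipaddress.ip_network("192.168.1.0/24")]
LAPTOP = "192.168.1.102"


@dataclass
class Packet:
    iface: str
    direction: str            # "in" or "out"
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                                      # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None
    ifaces: Optional[Set[str]] = None                # None: any interface
    proto: Optional[str] = None
    src_nets: Optional[List[ipaddress.IPv4Network]] = None
    src_not: Optional[str] = None                    # "from ! <host>"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        if self.direction and pkt.direction != self.direction:
            return False
        if self.ifaces and pkt.iface not in self.ifaces:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src_nets and not any(src in n for n in self.src_nets):
            return False
        if self.src_not and src == ipaddress.ip_address(self.src_not):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Walk the ruleset in order, remember the last match, stop at quick."""
    verdict = "pass"   # pf passes a packet that matches no rule at all
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def posted_ruleset(ssh_quick: bool = True) -> List[Rule]:
    """The posted filter rules, in the same order, minus the ones this
    model does not cover. ssh_quick=False shows what happens if "quick"
    is dropped from the ssh restriction."""
    return [
        Rule("block"),                                        # block all
        Rule("block", quick=ssh_quick, direction="in", ifaces={"em1"},
             proto="tcp", src_not=LAPTOP, dport=22),          # ssh: laptop only
        Rule("pass", direction="in", ifaces={"em0"},
             proto="tcp", dport=22),                          # pubserv from Internet
        Rule("pass", direction="in", ifaces={"em1", "ral0"},
             src_nets=LAN_NET),                               # LAN -> anywhere
    ]


# constructed sample packets (hosts other than the laptop are made up)
SCENARIOS = {
    "ssh from another wired host": Packet("em1", "in", "tcp", "192.168.1.50", 22),
    "ssh from the laptop":         Packet("em1", "in", "tcp", LAPTOP, 22),
    "ssh from a wireless host":    Packet("ral0", "in", "tcp", "192.168.0.50", 22),
    "ssh from the Internet":       Packet("em0", "in", "tcp", "203.0.113.5", 22),
    "http from the Internet":      Packet("em0", "in", "tcp", "203.0.113.5", 80),
}


def verdicts(ssh_quick: bool = True) -> dict:
    return {name: evaluate(posted_ruleset(ssh_quick), pkt)
            for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for quick in (True, False):
        print(f"ssh restriction with quick={quick}")
        for name, v in verdicts(quick).items():
            print(f"  {v:5}  {name}")
```

Running it shows two things the ruleset comments only state: without "quick" on the ssh rule, the later "pass in on { $int_if, $wifi_if } from $lan_net" rule matches last and overrides the block, and because the restriction is bound to em1 it never applies to a wireless host on ral0, which is passed by the same LAN rule.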