New pf.conf


Chris Moore

Apr 13, 2008, 11:04:43 PM
to umkc-comp...@googlegroups.com
Here is the new pf.conf file I am thinking of. I cut a lot of fat. I
haven't tried it yet but I think it should work. I took ssh out because
the pass in / pass out on all local should cover ssh, and I don't need it
externally. The only thing I am concerned about is the pass in under the
bittorrent rules. I am not sure whether all tcp traffic should be allowed or just
that on port $PORT. Anyways, take a look. I wrote a clean skeleton for
the pf file also, labeling with definitions given by openbsd. Also, it
helps keep the order from being out of place, which would make the pf.conf not load.
Oh, I am using the antispoof from the pf guide. I am not sure if I should
add the antispoof line in also as a double check, but I think it would be
redundant, not more secure, but I am not sure how both operate.

#
# Macros: User-defined variables that can hold IP addresses, interface names, etc.
#
ext_if="em0"
int_if="em1"
wifi_if="ral0"

# For Bittorrent
PORT="44049"
torrent_ip1="192.168.0.101"

# Publicly Accessible Services
pubserv="{ 22 }"

# internal network
lan_net = "{ 192.168.0.0/24, 192.168.1.0/24 }"

#
# Tables: A structure used to hold lists of IP addresses.
#

#
# Options: Various options to control how PF works.
#
set skip on lo

#
# Scrub: Reprocessing packets to normalize and defragment them.
#
scrub in all

#
# Queueing: Provides bandwidth control and packet prioritization.
#

#
# Translation: Controls Network Address Translation and packet redirection.
#
nat on $ext_if from $lan_net to any -> ($ext_if)

#Bittorrent Rules
rdr on $ext_if proto tcp from any to ($ext_if) port $PORT -> $torrent_ip1 port $PORT
pass in quick on $ext_if proto tcp from any to $torrent_ip1 port $PORT

#
# Filter Rules: Allows the selective filtering or blocking of packets as they pass through any of the interfaces.
#

#default deny policy
block in all

#antispoofing
block in quick from urpf-failed

#Don't bother the locals
pass in on {$int_if $wifi_if} from $lan_net to any
pass out on {$int_if $wifi_if} from any to $lan_net

# pass tcp, udp, and icmp out on the external (Internet) interface.
# tcp connections will be modulated, udp/icmp will be tracked
# statefully.
pass out on $ext_if proto { tcp udp icmp } all modulate state
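
An added fragment (not part of Chris's draft, and not from the OpenBSD pf guide) that puts the two anti-spoofing mechanisms he asks about side by side and shows what the bittorrent pass rule actually admits; it assumes his macros ext_if, int_if, wifi_if, lan_net, PORT and torrent_ip1:

```pf
# Added example, assuming the macros from the draft above.
#
# "urpf-failed" is a dynamic check: a packet is dropped when the routing
# table would not send a reply to its source address back out the
# interface it arrived on. It covers every interface with one rule, but it
# is only as good as the routing table.
#
# "antispoof for <if>" expands at load time into static rules per interface:
#   block drop in on ! <if> inet from <if>:network to any
#   block drop in inet from <if> to any
# i.e. drop packets claiming a source in that interface's network that
# arrive on any other interface, and packets claiming the interface's own
# address. It does not depend on the routing table, so keeping both is
# a belt-and-braces setup rather than a pure duplicate. Do not antispoof
# lo0 unless loopback is skipped, as "set skip on lo" already does here.
block in all
block in quick from urpf-failed
antispoof quick for { $int_if $wifi_if }

# The redirect sends only tcp/$PORT to the torrent host, and the pass rule
# matches only tcp to $torrent_ip1 port $PORT (the post-rdr destination).
# Any other tcp port on that host still falls through to "block in all",
# so the rule is not opening all tcp traffic.
rdr on $ext_if proto tcp from any to ($ext_if) port $PORT -> $torrent_ip1 port $PORT
pass in quick on $ext_if proto tcp from any to $torrent_ip1 port $PORT
```

Checking the expansion before loading (pfctl -nvf /etc/pf.conf) prints the rules antispoof generates, which is the quickest way to see the overlap with the urpf-failed rule.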

Ryan Smith

Apr 16, 2008, 9:12:41 PM
to umkc-comp...@googlegroups.com
Hey!!!! You can now add WPA or WPA2 support to your PF.

OpenBSD WPA & WPA2

http://undeadly.org/cgi?action=article&sid=20080416195151
--
Ryan Smith
816.456.9777
rs...@umkc.edu
r.smit...@gmail.com
www.ryan-smith.org

djgoku

Apr 17, 2008, 1:28:42 AM
to umkc-comp...@googlegroups.com
On Wed, Apr 16, 2008 at 8:12 PM, Ryan Smith <r.smit...@gmail.com> wrote:
> Hey!!!! you can now add WPA or WPA2 support to your PF.
>
> OpenBSD WPA & WPA2
>
> http://undeadly.org/cgi?action=article&sid=20080416195151

OMG OMG, I am upgrading to 4.3-current when I get home!!!! That is
very very awesome. Thanks for the info. This also means I don't have to
use an ipsec vpn solution. :)

Thanks,

Jonathan
