[Dshield] OpenBSD 3.1/pf

Jan Johansson janj+dshield at wenf.org
Tue Aug 6 14:40:14 GMT 2002


I have tried to decrypt your pf.conf but it is over my head. As I
see it you have three options.
1) Make it easier so you can help yourself.
2) Ask misc at openbsd.org
3) Read even more about pf.conf so you can help yourself.

Here is my filter which does a good enough job for me.

--- Begin ---
# $Id: pf.conf,v 1.14 2002/07/12 10:47:40 janj Exp $

ext_if = "xl0"
int_if = "fxp0"

# Scrub
scrub in all

# Block and log by default.
block             in  log           all
block             out log           all
block return-rst  in  log proto tcp all
block return-rst  out log proto tcp all
block return-icmp in  log proto udp all
block return-icmp out log proto udp all

# Loopback
pass in  on lo0 all
pass out on lo0 all

# Local network
pass in  on $int_if from 192.168.???.0/24 to any
pass out on $int_if from any to 192.168.???.0/24

# ICMP
# ping
pass in  on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# TCP
# Inbound services: auth (113), smtp (25), ssh (22)
pass in  on $ext_if proto tcp from any to any port { auth, smtp, ssh }

pass out on $ext_if proto tcp all keep state

# UDP
# Inbound only from source port afs3-fileserver (7000) to local port 4711
pass in  on $ext_if proto udp from any port { afs3-fileserver } to any port { 4711 }

pass out on $ext_if proto udp all keep state

--- End ---

Maybe I should let some more ICMP pass. Also what you seem to
wish for is blocking "blacknets" out so add a block out from {
black-net }. This is basically the same filter I use on my laptop
(except it only has the ext_if).

The ground rule that is behind pf is "Keep it simple and you will
have fewer bugs". I think that is a very good rule when making the
filter.
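An added example, not part of the post: a small Python model of pf's rule evaluation, where every rule is checked in order and the last matching one wins. It shows why a `block out ... to { black-net }` rule only has effect if it is placed after the post's `pass out on $ext_if proto tcp all keep state` rule. The prefix 192.0.2.0/24 is a constructed placeholder for the poster's "black-net".

```python
# Toy model of pf evaluation: rules are checked in order and the LAST
# matching rule decides (unless a rule says "quick"). No state tracking.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str          # "block" or "pass"
    direction: str       # "in" or "out"
    proto: str = "any"   # "tcp", "udp", "icmp" or "any"
    dst: str = "any"     # destination CIDR or "any"

    def matches(self, pkt: dict) -> bool:
        if self.direction != pkt["dir"]:
            return False
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.dst != "any" and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        return True


def evaluate(rules: list, pkt: dict) -> str:
    """Last matching rule wins; pf's default when nothing matches is pass."""
    decision = "pass"
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.action
    return decision


# Constructed placeholder for the poster's "black-net" (TEST-NET-1, RFC 5737).
BLACKNET = "192.0.2.0/24"


def ruleset(blacknet_block_first: bool) -> list:
    # Mirrors the post: "block out log all" then "pass out ... proto tcp all keep state".
    base = [Rule("block", "out"), Rule("pass", "out", proto="tcp")]
    blk = Rule("block", "out", dst=BLACKNET)
    return [blk] + base if blacknet_block_first else base + [blk]


def outbound_decision(blacknet_block_first: bool, dst: str = "192.0.2.10") -> str:
    # Constructed outbound TCP packet towards the blacknet (or another address).
    pkt = {"dir": "out", "proto": "tcp", "dst": dst}
    return evaluate(ruleset(blacknet_block_first), pkt)
```

With the block rule first, the later `pass out proto tcp` rule overrides it and the packet is passed; placed last, the block wins. In real pf, adding `quick` to the block rule ends evaluation at that match and makes the placement irrelevant.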