  #1  
Old 01-11-2007, 05:44 PM
misstyck2
Senior Member
 
Join Date: Jan 2007
Location: none
Posts: 88
Firewall ipfilter to pf rules
Hi all,

How do I convert this to pf rules? Thanks.

################################################################
#[Default policy]
################################################################
block in all
block out all
################################################################
# No restrictions on Loopback Interface
pass in quick on lo0 all
pass out quick on lo0 all

################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
################################################################

#IPV6
block in quick proto ipv6 all
block in quick proto ipv6-icmp all

#IGMP
block in quick on sis0 proto igmp all

#ICMP
block in log quick on sis0 proto icmp all

# Prevent spoof of bogus/non-routable addresses
# May seem like overkill since we already block everything,
# but we really want to make sure these networks never reach us

# use a bogon list and rfc3330

# Prevent outside machines from initiating TCP connections to machines within our network
block in log quick on sis0 proto tcp all flags S/S
block in log quick on sis0 proto tcp all flags S/SA
block in log quick on sis0 proto tcp all flags SA/SA

# OTHER ODDITIES
block in quick on sis0 all with ipopts
block in quick on sis0 all with frag
block in quick on sis0 all with short

# Now we are blocking packets that are too short to
# contain a complete header, or with source routing
# options (most likely set to bypass our firewall)
block in quick on sis0 all with opt lsrr
block in quick on sis0 all with opt ssrr

# filter on TOS or TTL
block in log quick on sis0 ttl 1

#Deny everything coming from doubleclick
block in quick from 208.211.225.0/24 to any
block in quick from 204.253.104.0/16 to any
block in quick from 205.138.3.0/24 to any
block in quick from 204.176.177.0/24 to any
block in quick from 208.184.29.150/32 to any
block in quick from 208.184.29.170/32 to any
block in quick from 208.184.29.190/32 to any
block in quick from 209.67.38.101/32 to any
block in quick from 209.67.38.106/32 to any
block in quick from 208.32.211.230/32 to any

# this will also protect syslog
block in log first quick on sis0 from any to any port 511 >< 516

#Stop broadcast of X/VNC/NFS/had to be up top
block in log first quick on sis0 from any to any port 5999 >< 6064
block in log first quick on sis0 from any to any port 5899 >< 5911
block in log first quick on sis0 from any to any port = 2049

#traceroute
block in log first quick on sis0 from any to any port 33434 >< 33465

# Block nmap OS fingerprint attempts nmap outing
# Log first occurrence of these so I can get their IP address
block in log first quick on sis0 proto tcp all flags FUP
block in log quick on sis0 proto tcp all flags FUP/FUP
block in log quick on sis0 proto tcp all flags FS/FS
block in log quick on sis0 proto tcp all flags /FSRPAU
block in log quick on sis0 proto tcp all flags FSRPAU
block in log quick on sis0 proto tcp all flags SF/SFRA
block in log quick on sis0 proto tcp all flags /SFRA
block in log quick on sis0 proto tcp all flags F/SFRA
block in log quick on sis0 proto tcp all flags U/SFRAU
block in log quick on sis0 proto tcp all flags P
block in log quick on sis0 proto tcp all flags FUP/WEUAPRSF
block in log quick on sis0 proto tcp all flags WEUAPRSF/WEUAPRSF
block in log quick on sis0 proto tcp all flags SRAFU/WEUAPRSF
block in log quick on sis0 proto tcp all flags /WEUAPRSF
block in log quick on sis0 proto tcp all flags SR/SR
block in log quick on sis0 proto tcp all flags SF/SF
block in log quick on sis0 proto tcp all flags /S

#ALL THE REST
block in log first quick on sis0 all

################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
################################################################

#IPV6
block out quick proto ipv6 all
block out quick proto ipv6-icmp all

#IGMP
block out quick on sis0 proto igmp all

#ICMP
block out log quick on sis0 proto icmp all

# Prevent spoof of bogus/non-routable addresses
# May seem like overkill since we already block everything,
# but we really want to make sure these networks never reach us

# use a bogon list and rfc3330 with ! for your ip

# Prevent outside machines from initiating TCP connections to machines within our network
block out log quick on sis0 proto tcp all flags SA/SA

#OTHER ODDITIES
block out quick on sis0 all with ipopts
block out quick on sis0 all with frag
block out quick on sis0 all with short

# Now we are blocking packets that are too short to
# contain a complete header, or with source routing
# options (most likely set to bypass our firewall)
block out quick on sis0 all with opt lsrr
block out quick on sis0 all with opt ssrr

# filter on TOS or TTL
block out log quick on sis0 ttl 1

# Block nmap OS fingerprint attempts nmap outing
# Log first occurrence of these so I can get their IP address
block out log first quick on sis0 proto tcp all flags FUP
block out log quick on sis0 proto tcp all flags FUP/FUP
block out log quick on sis0 proto tcp all flags FS/FS
block out log quick on sis0 proto tcp all flags /FSRPAU
block out log quick on sis0 proto tcp all flags FSRPAU
block out log quick on sis0 proto tcp all flags SF/SFRA
block out log quick on sis0 proto tcp all flags /SFRA
block out log quick on sis0 proto tcp all flags F/SFRA
block out log quick on sis0 proto tcp all flags U/SFRAU
block out log quick on sis0 proto tcp all flags P
block out log quick on sis0 proto tcp all flags FUP/WEUAPRSF
block out log quick on sis0 proto tcp all flags WEUAPRSF/WEUAPRSF
block out log quick on sis0 proto tcp all flags SRAFU/WEUAPRSF
block out log quick on sis0 proto tcp all flags /WEUAPRSF
block out log quick on sis0 proto tcp all flags SR/SR
block out log quick on sis0 proto tcp all flags SF/SF

# Deny everything coming from doubleclick
block out quick from 208.211.225.0/24 to any
block out quick from 204.253.104.0/16 to any
block out quick from 205.138.3.0/24 to any
block out quick from 204.176.177.0/24 to any
block out quick from 208.184.29.150/32 to any
block out quick from 208.184.29.170/32 to any
block out quick from 208.184.29.190/32 to any
block out quick from 209.67.38.101/32 to any
block out quick from 209.67.38.106/32 to any
block out quick from 208.32.211.230/32 to any

# Block rip
block out quick on sis0 proto tcp/udp from any to any port = 520

# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
pass out quick on sis0 proto udp from 192.168.1.2 mask 255.255.255.0 port 1023 >< 5000 to 192.168.1.1 mask 255.255.255.0 port = 53 keep state

# Allow out non-secure standard www function
pass out quick on sis0 proto tcp from 192.168.1.2 mask 255.255.255.0 port 1023 >< 5000 to any port = 80 flags S keep state keep frags

# Allow out secure www function https over TLS SSL
pass out quick on sis0 proto tcp from 192.168.1.2 mask 255.255.255.0 port 1023 >< 5000 to any port = 443 flags S keep state keep frags

# Allow out ftp (never "any": use the FTP server's IP, found with "host <ftp name>" in a console)
pass out quick on sis0 proto tcp from 192.168.1.2 mask 255.255.255.0 port 1023 >< 5000 to 69.50.233.146 port = 21 flags S keep state keep frags

# Allow out ftp passive mode (never "any": use the FTP server's IP, found with "host <ftp name>" in a console)
pass out quick on sis0 proto tcp from 192.168.1.2 mask 255.255.255.0 port 1023 >< 5000 to 69.50.233.146 port >1023 flags S keep state keep frags

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on sis0 all

################### End of rules file ###########################

Help me.
  #2  
Old 01-11-2007, 05:57 PM
dracheflieger
Senior Member
 
Join Date: May 2006
Location: Greater State of Northern Kaliforneea
Posts: 2,880
This thread shows you how to manage your pf inports.
  #3  
Old 01-12-2007, 05:16 AM
misstyck2
Senior Member
 
Join Date: Jan 2007
Location: none
Posts: 88
Hi,

pf inports is for opening ports, no?

  #4  
Old 01-12-2007, 10:49 AM
antik
Senior Member
 
Join Date: Jul 2005
Location: Estonia
Posts: 3,610
Originally Posted by misstyck2:
> Hi,
>
> pf inports is for opening ports, no?

Yes. Add your ports to /etc/pf.inports:

Code:
#SSH Support
tcp: 22
udp: 22
# HTTP
tcp: 80
udp: 80
and restart the firewall:

Code:
# /usr/local/etc/rc.d/pf_rules restart
  #5  
Old 01-12-2007, 01:22 PM
misstyck2
Senior Member
 
Join Date: Jan 2007
Location: none
Posts: 88
Hi,

Opening a port is for a server, not a workstation... no?

pass out quick on sis0 proto tcp from 192.168.1.2 mask 255.255.255.0
port 1023 >< 5000 to any port = 443 flags S keep state keep frags

How do I do that in pf?

Can you give an example? Thanks.
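The pf version the thread never gets around to giving, written here as an added example rather than anything posted by the participants. It translates the ipfilter file from the first post and the https rule quoted just above, for a single workstation rather than a gateway. The interface (sis0), the host and resolver addresses (192.168.1.2/24 and 192.168.1.1), the FTP server (69.50.233.146) and the ad-network addresses are taken from the first post; the contents of the <bogons> table are the RFC 3330 ranges chosen for this example, not something the post specified. The syntax is the older pf dialect with separate scrub rules, which is what the FreeBSD base PC-BSD was built on at the time used.

```pf
# /etc/pf.conf -- added example translating the ipfilter ruleset above.
# Assumed: external interface sis0, host 192.168.1.2 on 192.168.1.0/24,
# resolver 192.168.1.1, FTP server 69.50.233.146 (all from the post).
ext_if  = "sis0"
me      = "192.168.1.2"
dns     = "192.168.1.1"
ftphost = "69.50.233.146"

# Non-routable space (RFC 3330). The ipfilter file says "use a bogon list";
# in pf that is a table. Our own LAN is excluded with "!" so the spoof
# rule below does not cut us off from 192.168.1.0/24.
table <bogons> persist { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
        172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, !192.168.1.0/24, 224.0.0.0/3 }

# The ad-network addresses the original blocked one line at a time
table <adnets> { 208.211.225.0/24, 204.253.104.0/16, 205.138.3.0/24, \
        204.176.177.0/24, 208.184.29.150, 208.184.29.170, 208.184.29.190, \
        209.67.38.101, 209.67.38.106, 208.32.211.230 }

set block-policy drop
set skip on lo0            # replaces the two "pass ... quick on lo0 all" rules

# "with short" / "with frag": the normaliser reassembles fragments and drops
# malformed ones. "with ipopts" / "opt lsrr" / "opt ssrr": pf already drops
# packets carrying IP options unless a pass rule says allow-opts, so no rule.
scrub in on $ext_if all fragment reassemble

# ---- default policy ("block in all" / "block out all", logged) ----------
block in log all
block out log all

# ---- inbound and bidirectional blocks ------------------------------------
block in quick on $ext_if from <bogons> to any
antispoof quick for $ext_if                    # our LAN and our own address
block quick from <adnets> to any               # both directions, like the original
block quick on $ext_if inet6 all               # "proto ipv6" / "proto ipv6-icmp"
block quick on $ext_if proto igmp all
block in log quick on $ext_if proto icmp all
block in log quick on $ext_if proto { tcp, udp } from any to any port 511 >< 516    # syslog
block in log quick on $ext_if proto tcp from any to any port 5999 >< 6064           # X11
block in log quick on $ext_if proto tcp from any to any port 5899 >< 5911           # VNC
block in log quick on $ext_if proto { tcp, udp } from any to any port 2049          # NFS
block in log quick on $ext_if proto udp from any to any port 33434 >< 33465         # traceroute
block out quick on $ext_if proto { tcp, udp } from any to any port 520              # RIP

# ---- outbound: connections this workstation opens ------------------------
# ipf "flags S keep state" (a SYN and nothing else) becomes pf "flags S/SA
# keep state": only a SYN without ACK can create state, and the replies match
# the state entry rather than a rule. The source-port range 1023 >< 5000 is
# dropped; the ephemeral range differs between systems and adds nothing here.
pass out quick on $ext_if proto udp from $me to $dns port 53 keep state
pass out quick on $ext_if proto tcp from $me to any port { 80, 443 } \
        flags S/SA keep state
pass out quick on $ext_if proto tcp from $me to $ftphost port 21 \
        flags S/SA keep state
pass out quick on $ext_if proto tcp from $me to $ftphost port > 1023 \
        flags S/SA keep state                  # passive-mode data channel
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` prints the rules as pf expanded them. Three things are deliberately different from the ipfilter file. pf has no `log first`, so `log` on the two catch-all rules logs every matching packet to pflog0. pf has no per-rule `ttl` match, so the `ttl 1` rules have no equivalent and are left out. And the long list of nmap flag-combination rules is not needed: with `flags S/SA keep state` only a clean SYN can open state, and every other TCP packet that matches no state falls through to the default block.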
  #6  
Old 01-15-2007, 06:41 AM
misstyck2
Senior Member
 
Join Date: Jan 2007
Location: none
Posts: 88
Hi,

Nobody to help me?

For HTTP, HTTPS and SSH only TCP is required, not UDP.
UDP is only for DNS (no TCP is required for that).


Thanks.


UP
Copyright 2005-2010, The PC-BSD Project. PC-BSD and the PC-BSD logo are registered trademarks of iXsystems.