PF firewall rule for passing Echolink - The FreeBSD Forums
#1  April 29th, 2009, 05:38
johnblue (Member, Join Date: Jan 2009, Location: O-o-o-o-o-o-o-klahoma, Posts: 176)
PF firewall rule for passing Echolink

I did some google searching trying to find if anyone else constructed a PF exception for Echolink before I tackled it and the results are fairly sparse.

I, by no means, have a handle on PF, but this pf.conf is working for me. Here is my contribution for anyone else that might be looking too:
Code:
# macros
#
ext_if          = "xl0"
int_if          = "xl1"
localnet        = $int_if:network

# options
#
set loginterface $ext_if

# tables - none
#

# normalization
#
scrub in  on $ext_if all           fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

# Redirect for Echolink
#
rdr on $ext_if proto {tcp,udp} from any to any port 5198:5200 -> 192.168.1.54

# NAT
#
nat on $ext_if from $localnet to any -> $ext_if

pass from { lo0, $localnet } to any
Comments are welcomed.

#2  April 29th, 2009, 10:03
vivek (Member, Join Date: Nov 2008, Location: Hyper Space, Posts: 809)

Usually a firewall should be set to block everything and allow only the required ports. I do not see that you are blocking anything at all...
__________________
Neither in this world nor elsewhere is there any happiness in store for him who always doubts. If you enjoyed my answer please consider donating some money to FreeBSD foundation @ http://www.freebsdfoundation.org/
#3  April 29th, 2009, 10:37
SirDice (Moderator, Join Date: Nov 2008, Location: Rotterdam, Netherlands, Posts: 13,713)

Quote: Originally Posted by vivek
Usually a firewall should be set to block everything and allow only the required ports. I do not see that you are blocking anything at all...
PF, by default, blocks everything.
#4  April 29th, 2009, 11:36
vivek (Member, Join Date: Nov 2008, Location: Hyper Space, Posts: 809)

Quote: Originally Posted by SirDice
PF, by default, blocks everything.
I do not see any info regarding a default block in the pf / pf.conf man pages or the openbsd.org pf FAQ page. If this is true, then why do all books and docs ask to put in the following:
Code:
# setup a default deny policy
block all
#5  April 29th, 2009, 16:00
SirDice (Moderator, Join Date: Nov 2008, Location: Rotterdam, Netherlands, Posts: 13,713)

Hmm... It seems I was confused with IPFilter. That has a "pass all" implicit rule but can be started with a "block all" implicit rule.

PF seems to have a "pass all" implicit rule:
Quote:
There is an implicit pass all at the beginning of a filtering ruleset meaning that if a packet does not match any filter rule the resulting action will be pass.
http://www.openbsd.org/faq/pf/filter.html

Implicit rules should never be counted on, though. For one, there's no accounting done on them, and second, it's pretty easy to get them the wrong way around (as I've just demonstrated).
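Picking up SirDice's closing point in post #5, here is the ruleset from post #1 rewritten with an explicit, logged default deny so that nothing depends on the implicit pass. This is an added example, not johnblue's configuration or anything posted in the thread; the interface names, the Echolink host and the port range are taken from post #1, and the rdr/nat syntax is that of the pf version current in 2009.

```pf
# Added example, not johnblue's pf.conf: the same Echolink forwarding rewritten
# with an explicit default-deny policy, so nothing relies on pf's implicit pass.
# Assumed from the thread: xl0 faces the Internet, xl1 the LAN, and 192.168.1.54
# runs Echolink. Uses the separate rdr/nat syntax of the pf version of 2009.

# macros
ext_if     = "xl0"
int_if     = "xl1"
localnet   = $int_if:network
echolink   = "192.168.1.54"
echo_ports = "5198:5200"

# options
set loginterface $ext_if
set skip on lo0                     # loopback is not filtered at all

# normalization
scrub in  on $ext_if all           fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

# translation (applied before filtering, so filter rules see the translated address)
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port $echo_ports -> $echolink
nat on $ext_if from $localnet to any -> ($ext_if)

# filtering: explicit default deny, logged, so blocked packets show up on pflog0
block log all

# drop packets arriving on the wrong interface with a LAN source address
antispoof quick for $int_if

# Echolink: only the three redirected ports may reach the internal host
pass in on $ext_if inet proto { tcp, udp } from any \
    to $echolink port $echo_ports keep state

# LAN clients may go out; replies return via the state table
pass in  on $int_if from $localnet to any keep state
pass out on $ext_if keep state
# outbound on the LAN side, needed if state-policy is set to if-bound
pass out on $int_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what the default deny drops with `tcpdump -n -e -ttt -i pflog0`.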