I’m trying to BLOCK ALL. Could you check my rules and remove any other redundant lines? It works well, but I’ve been afraid to tamper with it since breaking it down from my standard pf rules.
My goal is to block all incoming and outgoing connections on my FreeBSD host, including PING and SSH. I don’t need to go into details that I use VirtualBox in bridge mode for a few major FreeBSD guests that will be upgraded until the end of time, and such.
Question (1): What do I need to remove? I want to block ssh and ping as well. I don’t even want it to log a single packet, because I know it looks great already. Do I really need to scrub or set skip? Do I really need sshguard? I don't think so, but I need to be sure because there will be no turning back.
Some may say this idea is insufficient. Regardless, I don’t think it will hurt to BLOCK-ALL at system level. It should only prove that vBox in bridge mode has nothing to do with the host, as far as INTERNET connection, the entire conversation. It took me a lifetime to see most of this working.
Code:
ext_if="re0"
### table <sshguard> persist
set skip on lo0
#### scrub in all
#### scrub reassemble tcp
block drop in quick inet6
#### antispoof log quick for { $ext_if } inet
block in all
block out all
#### block in quick on $ext_if from <sshguard> label "ssh bruteforce"
This is all I know and use so far.
Question (2): What are ALL the sysctl commands to BLOCK-ALL ipv4, tcp, udp, ssh, ssl, ping and anything else I missed? Should I even disable /etc/ssh?
Code:
net.inet6.ip6.auto_linklocal=0 # no ipv6
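For comparison, a minimal default-deny pf.conf that drops everything silently, added here as an editor's example and not taken from the post above; the only thing borrowed from the post is the interface name re0, and the comments explain which of the poster's lines a block-all policy actually depends on.

```pf
# Added example: minimal default-deny /etc/pf.conf (not the poster's file).
ext_if="re0"                # interface name taken from the post

# Options must come before filter rules.
set block-policy drop       # drop silently instead of answering with TCP RST / ICMP unreachable
set skip on lo0             # leave loopback alone so services bound to 127.0.0.1 keep working

# Not needed for a pure deny policy:
#   scrub       - normalizes packets you intend to pass; nothing is passed here
#   antispoof   - protects pass rules from spoofed sources; there are none
#   <sshguard>  - blocks brute-forcers against an open sshd; port 22 is already closed
#   "block drop in quick inet6" - already covered by the inet-agnostic "block in all"

# Default deny in both directions. No "log" keyword, so pflog sees nothing.
# This already covers ICMP echo (ping) and TCP/22 (ssh); no per-service rule is needed.
block drop in all
block drop out all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it and confirm the loaded rules with `pfctl -sr`; once `block out all` is active the host itself can no longer resolve DNS or fetch updates, so have console access ready.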