hello. i'm a student and currently doing my internship. i need to configure pf firewall in free BSD server. i need help for my pf. i had configure this in my pf.conf. but i don't know if it's works well. because i thought it might not working. can somebody please help me with this?
i used zenmap with this command (intense scan all tcp ports),
but, it still can scan the open ports on my server.
here is my configuration for my pf.conf.
i used zenmap with this command (intense scan all tcp ports),
Code:
nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all 10.5.13.114
but, it still can scan the open ports on my server.
here is my configuration for my pf.conf.
Code:
ext_if="fxp0"
icmp_types="echoreq"
set fingerprints "/etc/pf.os"
scrub in on $ext_if all fragment reassemble
block all
set skip on lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick on $ext_if proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if from any os "NMAP" to any label ExtNMAPScan
pass out on $ext_if proto {tcp, udp, icmp} from any to any modulate state
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
table <ssh_abuse> persist
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <shh_abuse> flush)