Solved Inbound traffic problem

Greetings all,
I have a problem with allowing ping and ssh through the pf firewall. I was wondering if someone could review my pf.conf for an obvious error:
Code:
#
# Macros
#

# External interface
ext_if = "em0"

# Services to be accessed on the Internet
TCP_services = "{ domain, ntp, ssh, smtp, smtps, imaps, http, https, ftp}"
UDP_services = "{ domain, ntp }"

# Services to be accessed on the machine
TCP_services_m = "{ ssh }"

# ICMP
ICMP_types = "{ echoreq, echorep, unreach }"

# Private addresses
broken="224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 169.254.0.0/16, 0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32"

#
# Options
#

# Optimization
set optimization normal

# Silently drop packets
set block-policy drop

# Bypass local interface
set skip on lo0

#
# Traffic normalization and reassembly
#
scrub in on $ext_if no-df random-id

#
# Inbound traffic
#

# Discard private addresses, packets failing the reverse path check, and no-route packets
block in quick from { $broken, urpf-failed, no-route } to any

# Discard packets from spoofed or forged IP addresses
antispoof quick for { lo0, $ext_if } inet

# Discard packets from private addresses, packets failing the reverse path check, and packets with no back route
block in quick from { $broken, urpf-failed, no-route } to any

# Discard Microsoft netbios service.
#block in quick on $ext_if proto udp to port { 138, 139 }
#block in quick on $ext_if proto udp from any port 1900 to any port 1900

# Allow ICMP
pass in quick on $ext_if inet proto icmp all icmp-type $ICMP_types

# Allow SSH on TCP ports
pass in quick on $ext_if inet proto tcp to ($ext_if) port $TCP_services_m

# Block everything else
block in log on $ext_if all

#
# Outbound traffic
#

# Drop packets to non-routable addresses directly
block drop out quick on $ext_if from ($ext_if) to no-route

# Allow TCP services
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port $TCP_services

# Allow UDP services
pass out quick on $ext_if inet proto udp from ($ext_if) to any port $UDP_services

# Allow ICMP
pass out quick on $ext_if inet proto icmp all icmp-type $ICMP_types

# Allow the default range for traceroute
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out quick on $ext_if inet proto udp from ($ext_if) to any port 33433 >< 33626

# Block everything else
block out log on $ext_if all

Also, if there are any additional deficiencies, please let me know.

Kindest regards,

M
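One check worth doing on a ruleset like this before reloading it is to trace a test packet through the inbound rules on paper, because pf stops at the first matching `quick` rule and the `$broken` block above names no interface, so it is consulted before either `pass in` rule on every interface except the skipped lo0. The following is an added example, not code from the post or from pf itself: it replays the posted inbound rule order with the posted `$broken` macro, models only address and port matching (the runtime `urpf-failed` and `no-route` checks are not modelled), and uses constructed sample source addresses.

```python
"""Added example (not from the post or pf): replays pf's first-match-wins
evaluation of the posted inbound 'quick' rules, with the posted macro values,
so a test client's packet can be traced to the rule it hits first. The runtime
checks urpf-failed and no-route depend on the routing table and are not modelled."""
import ipaddress
from collections import Counter

# $broken copied from the post; pf treats the bare 224.0.0.22 as a /32
BROKEN = [
    "224.0.0.22", "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12",
    "10.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "192.0.2.0/24",
    "198.51.100.0/24", "203.0.113.0/24", "169.254.0.0/16", "0.0.0.0/8",
    "240.0.0.0/4", "255.255.255.255/32",
]
BROKEN_NETS = [ipaddress.ip_network(n) for n in BROKEN]
TCP_SERVICES_M = {22}                            # $TCP_services_m = "{ ssh }"
ICMP_TYPES = {"echoreq", "echorep", "unreach"}   # $ICMP_types


def duplicate_broken_entries():
    """Networks listed more than once in $broken (pf accepts them; still noise)."""
    return sorted(str(n) for n, c in Counter(BROKEN_NETS).items() if c > 1)


def first_match(src, proto, dport=None, icmp_type=None):
    """First inbound rule matching the packet, in the post's rule order.
    A 'quick' rule ends evaluation when it matches, and the $broken block
    names no interface, so it applies on every interface except the skipped
    lo0 and is consulted before either pass rule."""
    src_ip = ipaddress.ip_address(src)
    if any(src_ip in net for net in BROKEN_NETS):
        return "block in quick from $broken"
    if proto == "icmp" and icmp_type in ICMP_TYPES:
        return "pass in quick proto icmp icmp-type $ICMP_types"
    if proto == "tcp" and dport in TCP_SERVICES_M:
        return "pass in quick proto tcp to ($ext_if) port $TCP_services_m"
    return "block in log on $ext_if all"   # the final catch-all


if __name__ == "__main__":
    # Constructed sample sources: a LAN client and a host just outside 172.16/12
    samples = [("192.168.1.10", "icmp", {"icmp_type": "echoreq"}),
               ("192.168.1.10", "tcp", {"dport": 22}),
               ("172.32.0.1", "tcp", {"dport": 22}),
               ("172.32.0.1", "tcp", {"dport": 80})]
    for src, proto, kw in samples:
        print(f"{src:>14} {proto:<4} -> {first_match(src, proto, **kw)}")
    print("duplicated $broken entries:", duplicate_broken_entries())
```

The trace shows that a ping or SSH attempt from a client on a 192.168/16 LAN never reaches the two `pass in quick` rules, which is the kind of ordering effect that is invisible when only the pass rules are inspected.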