Hi. I'm running pf on a public-facing server. It has a couple of services running and I'd like to protect it as much as I can with a firewall. So, I'm looking for any ideas or changes I could apply to my configuration file. "IP1" is the main IP for the server, "IP2" is a jail. Here is what I'm using:
Code:
# macros; "IP1"/"IP2" are the placeholders from the post, replace with the real addresses
ext_if  = "bge0"
host_ip = "IP1"
jail_ip = "IP2"

# private address space as martians; 192.168.0.0/16 was missing from the original lists
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }

# options must come before normalization and filter rules, so "set skip" moves up here
set block-policy drop
set skip on lo0

scrub in all

# default deny inbound; one stateful pass out (pass rules keep state by default)
block in all
pass out on $ext_if all keep state

# spoofing and martian filters, all quick so that later pass rules cannot override them
antispoof quick for $ext_if
block in quick from urpf-failed
block in quick from no-route to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from <martians> to any
block out log quick on $ext_if from any to <martians>

# ssh on host
pass in on $ext_if proto tcp from any to $host_ip port 22
# lighttpd on jail
pass in on $ext_if proto tcp from any to $jail_ip port { 80, 443 }
# vlc streaming on jail
pass in on $ext_if proto tcp from any to $jail_ip port 8080
# mumble server on jail (TCP only; Mumble carries voice over UDP on the same port
# and falls back to tunnelling it through TCP when UDP is blocked)
pass in on $ext_if proto tcp from any to $jail_ip port 25565
I realize security revolves around many other things, I'm just asking about my pf.conf. Thanks.
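As an added illustration, not part of the original post, here is a hardened variant of the same ruleset. It keeps the poster's interface, address placeholders and service ports, and adds the pieces a public-facing host usually wants: a persistent `<bruteforce>` table fed by a connection-rate limit on ssh, `synproxy` in front of the web ports, an explicit echo-request rule for ICMP, and the UDP rule Mumble needs for voice. The interface name, `IP1`/`IP2` and every port number are placeholders from the post; `IP1`/`IP2` will not parse until replaced with real addresses.

```pf
# Hardened ruleset built on the post's layout. The <bruteforce> table, the
# rate limits, synproxy, the ICMP rule and the UDP rule are additions.
ext_if    = "bge0"
host_ip   = "IP1"
jail_ip   = "IP2"
web_ports = "{ 80, 443 }"

table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         169.254.0.0/16, 127.0.0.0/8, 255.255.255.255/32 }
# sources that exceeded the ssh connection rate; inspect or clear with
#   pfctl -t bruteforce -T show      /      pfctl -t bruteforce -T flush
table <bruteforce> persist

set block-policy drop
set skip on lo0

scrub in on $ext_if all fragment reassemble

# default deny inbound (logged to pflog0); stateful pass out
block in log on $ext_if all
pass out quick on $ext_if all keep state

# anti-spoofing and martians first, all quick
antispoof quick for $ext_if
block in quick on $ext_if from urpf-failed
block in quick on $ext_if from no-route
block in quick on $ext_if from <martians>
block out quick on $ext_if to <martians>
block in quick on $ext_if from <bruteforce>

# ICMP: only echo requests need a rule; ICMP errors that belong to an existing
# state (including the need-frag messages path MTU discovery relies on) are
# passed by pf's state tracking on their own
pass in on $ext_if inet proto icmp to { $host_ip, $jail_ip } icmp-type echoreq keep state

# ssh on host: a source opening more than 5 connections in 30 s, or holding
# more than 10 at once, is added to <bruteforce> and all of its states are killed
pass in on $ext_if proto tcp to $host_ip port 22 \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
                overload <bruteforce> flush global)

# lighttpd on jail: pf completes the TCP handshake before the jail sees the
# connection, so half-open SYN floods never reach lighttpd
pass in on $ext_if proto tcp to $jail_ip port $web_ports synproxy state

# vlc streaming on jail
pass in on $ext_if proto tcp to $jail_ip port 8080 keep state

# mumble on jail: control channel on TCP, voice on UDP at the same port
pass in on $ext_if proto tcp to $jail_ip port 25565 keep state
pass in on $ext_if proto udp to $jail_ip port 25565 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf parsed them, and `tcpdump -n -e -ttt -i pflog0` shows what the logged block rule is dropping. The tunable that matters most in practice is the ssh rate: `5/30` is generous for humans and tight for scanners, but raise it if several people share one NAT address, since `flush global` tears down every state from an offending source, not just the ssh ones.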