Hi all..
I'm finally looking into setting up PF on my server running FreeBSD 7.1... I've got an external firewall (Cisco router) that plugs into a gigabit switch. The server is plugged into the switch along with some other networked appliances (VoIP, etc.). Anyway, the server has the bge0 interface that goes to the switch, and the server has several jails running the following services with the following IPs:
- server.example.com (10.0.1.1) -- runs Postgres database for use by webapps
- smtp.example.com (10.0.1.4) -- handles all mail for domain, imaps + smtp
- www.example.com (10.0.1.6) -- apache port 80
- www.otherdomain.com (10.0.1.7) -- apache port 80
The main server (10.0.1.1) and the jailed servers will need to handle VNC traffic. I've got no SSH traffic but do want the main server to accept telnet connections on the internal network (not available from outside the local net) for the occasional local connection. To that end, after reading some of the PF docs, I wrote up the following, but it doesn't let anything through (telnet, VNC, etc.):
Code:
tcp_services = "{ 5900, 5901, 5902, 5903, telnet, smtp, domain, www, auth, pop3s imaps }"
udp_services = "{ domain }"
block all
pass out proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services
I'm sure I'm missing a lot of 'beef' to make this work -- but getting basic telnet unblocked would be a start. I do not need any NAT or anything like that -- just simple firewalling...
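The posted ruleset has only a `pass out` rule, so under `block all` every inbound connection to the host and its jails is dropped before any state exists. Below is an added example ruleset (not the poster's config) that keeps the default-deny, lets the host and jails initiate their own connections, and adds explicit `pass in` rules per service, with telnet admitted only from the local subnet. The subnet 10.0.1.0/24 and the macro names are assumptions.

```pf
# Added example ruleset, not the original post's. Assumes the LAN is
# 10.0.1.0/24 and that bge0 carries all traffic, as the post describes.
ext_if    = "bge0"
local_net = "10.0.1.0/24"

# Hosts from the post
main_srv  = "10.0.1.1"
mail_srv  = "10.0.1.4"
web_srvs  = "{ 10.0.1.6, 10.0.1.7 }"
all_srvs  = "{ 10.0.1.1, 10.0.1.4, 10.0.1.6, 10.0.1.7 }"

vnc_ports  = "{ 5900, 5901, 5902, 5903 }"
mail_ports = "{ smtp, imaps, pop3s }"

# Jail-to-jail traffic (e.g. webapps to Postgres on 10.0.1.1) stays on the
# loopback path, so Postgres is never exposed on bge0.
set skip on lo0

# Default deny, logged so blocked inbound attempts show up in pflog0.
block log all

# The host and its jails may initiate connections; state admits the replies.
pass out on $ext_if proto { tcp, udp } from $all_srvs to any keep state

# Services reachable from anywhere the Cisco router lets through.
pass in on $ext_if proto tcp to $web_srvs port www keep state
pass in on $ext_if proto tcp to $mail_srv port $mail_ports keep state
pass in on $ext_if proto tcp to $all_srvs port $vnc_ports keep state

# Telnet: only from the local network, only to the main server.
pass in on $ext_if proto tcp from $local_net to $main_srv port telnet keep state
```

Validate the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to see which inbound connections the `block log` rule is still dropping.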