Hi
I come from Linux, so the firewall is very different. But I have made an attempt (suggestion) for a pf firewall for my desktop. I am running with the ZFS file system. Is it set up correctly? Otherwise, correct me.
But first I would like to know what "scrub in all" means. From what I have been able to read, it has something to do with keeping the file system healthy and optimized?
Step 1:
Create /etc/pf.conf with the following contents:
Code:
set skip on lo0
scrub in all
block in all
pass out all keep state
Step 2:
Add the following code to /etc/rc.conf
Code:
# firewall_* variables configure ipfw(8), not pf; they are not needed for a pf-only setup
firewall_enable="YES"
firewall_type="workstation"
# log denied packets to /var/log/security
firewall_logdeny="YES"
pf_enable="YES"
pf_program="/sbin/pfctl"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
Step 3. Add the following content to /etc/pf.conf
Code:
### Macro name for external interface
ext_if = "Network Interface Designation Goes Here"
### Pass loopback ("set" options must come before scrub and filter rules, or pfctl rejects the file)
set skip on lo0
### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble
### Default deny everything
block log all
### Block spoof
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
### Keep and modulate state of outbound traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
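Added here as an example, not part of the original post: a small Python check for the section order that pfctl(8) enforces on a pf.conf (options, normalization, queueing, translation, filtering), run over a constructed copy of the Step 3 ruleset. The keyword-to-section map and the single-line-rule assumption are mine, not pfctl's own parser.

```python
import re

# pfctl(8) rejects out-of-order rulesets with the error
# "Rules must be in order: options, normalization, queueing, translation, filtering".
ORDER = ["options", "normalization", "queueing", "translation", "filtering"]
RANK = {name: i for i, name in enumerate(ORDER)}
# First keyword of a rule -> section. Macros, tables, includes and comments may appear anywhere.
SECTION_OF = {
    "set": "options",
    "scrub": "normalization",
    "altq": "queueing", "queue": "queueing",
    "nat": "translation", "rdr": "translation", "binat": "translation",
    "block": "filtering", "pass": "filtering", "antispoof": "filtering",
}
MACRO_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def classify(line):
    """Section of one single-line rule, or None for blanks, comments, macros and tables."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or MACRO_RE.match(stripped):
        return None
    return SECTION_OF.get(stripped.split()[0])

def check_order(conf):
    """Return (line_no, rule, message) for every rule that belongs to an earlier section."""
    problems, highest = [], -1  # highest = rank of the latest section seen so far
    for no, line in enumerate(conf.splitlines(), start=1):
        section = classify(line)
        if section is None:
            continue
        if RANK[section] < highest:
            problems.append((no, line.strip(),
                             f"{section} rule after {ORDER[highest]} rules; pfctl -nf would reject this"))
        highest = max(highest, RANK[section])
    return problems

# Constructed copy of the Step 3 ruleset as posted: 'set skip' follows a filter rule.
POSTED = """\
ext_if = "Network Interface Designation Goes Here"
scrub in on $ext_if all fragment reassemble
block log all
set skip on lo0
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
"""
# The same rules with 'set skip' moved up into the options section, where pfctl accepts it.
FIXED = POSTED.replace("set skip on lo0\n", "").replace('Goes Here"\n', 'Goes Here"\nset skip on lo0\n')
```

Running check_order(POSTED) flags line 4 ("set skip on lo0") as an options rule placed after filter rules, while check_order(FIXED) returns no problems; on a FreeBSD host, pfctl -nf /etc/pf.conf gives the authoritative answer.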