This shows you the differences between two versions of the page.
|
openbsd:pf [2019/11/10 11:19] jrmu created |
openbsd:pf [2019/11/10 11:23] (current) jrmu |
||
|---|---|---|---|
| Line 9: | Line 9: | ||
| block all # block all traffic by default | block all # block all traffic by default | ||
| + | pass in inet proto icmp icmp-type 8 code 0 # icmp packets | ||
| + | pass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU) | ||
| + | pass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state | ||
| pass out all # pass all outgoing traffic | pass out all # pass all outgoing traffic | ||
| </code> | </code> | ||
| - | As a general rule, the last matching rule determines the action. | + | This will allow the necessary ICMP traffic (useful for network diagnosis) while blocking all other incoming connections. |
| + | |||
| + | (As a general rule, the last matching rule determines the action.) | ||
| I generally don't whitelist by IP addresses because I've had times where I needed to access a system from a different IP. I also avoid OS fingerprinting because, although it is available, it's not 100% accurate. | I generally don't whitelist by IP addresses because I've had times where I needed to access a system from a different IP. I also avoid OS fingerprinting because, although it is available, it's not 100% accurate. | ||
| Line 44: | Line 49: | ||
| pass in proto tcp from 192.168.1.1 to port ssh | pass in proto tcp from 192.168.1.1 to port ssh | ||
| + | pass in inet proto icmp icmp-type 8 code 0 # icmp packets | ||
| + | pass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU) | ||
| + | pass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state | ||
| pass out all # pass all outgoing traffic | pass out all # pass all outgoing traffic | ||
| </code> | </code> | ||
| Replace 192.168.1.1 with your IP. | Replace 192.168.1.1 with your IP. | ||
| + | |||
| + | As a general rule, your servers should also accept incoming http and https connections. This is necessary for running a web server and also for acquiring a properly signed SSL certificate. Here is the /etc/pf.conf: | ||
| + | |||
| + | <code> | ||
| + | set skip on lo0 # don't filter localhost packets | ||
| + | ext_if = "em0" # my external interface is em0 | ||
| + | |||
| + | set block-policy drop # by default, drop packets. You can also set block-policy reject | ||
| + | set loginterface $ext_if # log that interface | ||
| + | |||
| + | pass in proto tcp from 192.168.1.1 to port ssh | ||
| + | pass in inet proto icmp icmp-type 8 code 0 # icmp packets | ||
| + | pass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU) | ||
| + | pass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state | ||
| + | pass in proto tcp to port {http https} | ||
| + | pass out all # pass all outgoing traffic | ||
| + | </code> | ||