openbsd:pf [2019/11/10 11:19] jrmu created |
openbsd:pf [2019/11/10 11:23] (current) jrmu |
Line 9: | Line 9: | ||
block all # block all traffic by default | block all # block all traffic by default | ||
+ | pass in inet proto icmp icmp-type 8 code 0 # icmp packets | ||
+ | pass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU) | ||
+ | pass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state | ||
pass out all # pass all outgoing traffic | pass out all # pass all outgoing traffic | ||
</code> | </code> | ||
- | As a general rule, the last matching rule determines the action. | + | This will allow the necessary ICMP traffic (useful for network diagnosis) while blocking all other incoming connections. |
+ | |||
+ | (As a general rule, the last matching rule determines the action.) | ||
I generally don't whitelist by IP addresses because I've had times where I needed to access a system from a different IP. I also avoid OS fingerprinting because, although it is available, it's not 100% accurate. | I generally don't whitelist by IP addresses because I've had times where I needed to access a system from a different IP. I also avoid OS fingerprinting because, although it is available, it's not 100% accurate. | ||
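Review bot: the added `pass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state` rule only admits Packet Too Big (2) and Echo Request (128), but the preceding `block all` also drops unsolicited inbound neighbor solicitations and router advertisements, so on a host that actually serves IPv6 the rule set as written is likely to break address resolution and SLAAC; if IPv6 is in use, extend the list to the neighbor discovery types (router advertisement, neighbor solicitation, neighbor advertisement) as well. Minor: `keep state` is already the default for pass rules on OpenBSD pf, so it is redundant here and inconsistent with the neighbouring ICMP rules that omit it; either drop it or add it to all three for uniformity.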
Line 44: | Line 49: | ||
pass in proto tcp from 192.168.1.1 to port ssh | pass in proto tcp from 192.168.1.1 to port ssh | ||
+ | pass in inet proto icmp icmp-type 8 code 0 # icmp packets | ||
+ | pass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU) | ||
+ | pass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state | ||
pass out all # pass all outgoing traffic | pass out all # pass all outgoing traffic | ||
</code> | </code> | ||
Replace 192.168.1.1 with your IP. | Replace 192.168.1.1 with your IP. | ||
+ | |||
+ | As a general rule, your servers should also accept incoming http and https connections. This is necessary for running a web server and also for acquiring a properly signed SSL certificate. Here is the /etc/pf.conf: | ||
+ | |||
+ | <code> | ||
+ | set skip on lo0 # don't filter localhost packets | ||
+ | ext_if = "em0" # my external interface is em0 | ||
+ | |||
+ | set block-policy drop # by default, drop packets. You can also set block-policy reject | ||
+ | set loginterface $ext_if # log that interface | ||
+ | |||
+ | pass in proto tcp from 192.168.1.1 to port ssh | ||
+ | pass in inet proto icmp icmp-type 8 code 0 # icmp packets | ||
+ | pass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU) | ||
+ | pass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state | ||
+ | pass in proto tcp to port {http https} | ||
+ | pass out all # pass all outgoing traffic | ||
+ | </code> |
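Review bot: the complete /etc/pf.conf introduced at the end of this hunk has no `block all` line, unlike the earlier snippets it is based on. pf's default policy when no rule matches is to pass, so without it `pass in proto tcp from 192.168.1.1 to port ssh` restricts nothing and ssh (and every other port) stays reachable from any address; insert `block all # block all traffic by default` after `set loginterface $ext_if`, before the first `pass` rule. Two smaller points: `set loginterface $ext_if` only enables per-interface counters for `pfctl -s info`, it does not log any blocked packets, so the comment "log that interface" is misleading unless the rules themselves carry `log`; and since `ext_if` is defined, the new `pass in proto tcp to port {http https}` rule could be scoped with `on $ext_if` so the web ports are not opened on every interface.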