The following script protects a colocated FreeBSD / OpenBSD / NetBSD server running the PF firewall. My box has two interfaces: one for the VPN and one public interface. I only run http, dns and ssh on the public interface. Read the pf, rc.conf and pf.conf man pages for details. Tested on FreeBSD and OpenBSD.

Sample /etc/pf.conf

#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data }"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
 
#### define tables. add all subnets and ips to block
table <blockedip> persist file "/etc/pf.block.ip.conf"
 
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
 
### admin server ranges ###
adminrange = "112.220.11.0/23"
 
# connected to internet
ext_if = "em1"

This is my working IPv6 and IPv4 dual-stack script from a FreeBSD 7.1 server. It should work with any recent PF version under OpenBSD / FreeBSD / NetBSD without a problem.

You need to add the following lines to /etc/rc.conf under FreeBSD to turn on the PF firewall:

pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pf_rules="/etc/pf.conf"

Next, create the /etc/pf.conf file as follows. Replace the variables with appropriate values.

  1. By default the firewall drops all incoming and outgoing connections for both IPv4 and IPv6.
  2. By default IPv4 and IPv6 outgoing connections are allowed for ssh, smtp, domain / dns, www, https, ntp, ping and whois requests.
  3. By default IPv4 and IPv6 incoming connections are allowed for ssh, smtp, domain / dns, www, https, and ping only.

#### S0.1 First declare a couple of variables ####
# Created by Vivek Gite <vivek@nixcraft.com>
# See more info @
# http://bash.cyberciti.biz/firewall/pf-ipv6-ipv4-firewall-for-freebsd-openbsd-netbsd/
tcp_services = "{ ssh, smtp, domain, www, https, 122, ntp, 43}"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
mail_ports = "{ smtp, imaps }"

### define tables
table <droplasso> persist file "/etc/pf.drop.lasso.conf"
table <blockedip> persist file "/etc/pf.block.ip.conf"

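The excerpts above stop at the macro and table declarations, so the three default behaviours listed for the second script are never shown as rules. As an added example (my own, not the author's full pf.conf), the fragment below expresses exactly those three defaults with the page's macros: default drop in both directions, the listed outgoing services, and the listed incoming services, for IPv4 and IPv6. `ext_if = "em1"` and the `martians` list are reused from the first post; the `icmp6_types` macro and the brute-force rate limit on ssh are my assumptions. The `scrub in all` line uses the FreeBSD 7 / older OpenBSD syntax; on OpenBSD 4.6 and later it becomes `match in all scrub (no-df)`.

```pf
#### Added example: rules implementing the three stated defaults ####
ext_if       = "em1"                      # assumption: public interface from the first post
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43 }"   # outgoing tcp (43 = whois)
udp_services = "{ domain, ntp }"
in_services  = "{ ssh, smtp, domain, www, https }"            # incoming tcp
icmp_types   = "{ echoreq, unreach }"
# assumption: ICMPv6 neighbour/router discovery must pass or IPv6 stops working
icmp6_types  = "{ echoreq, unreach, toobig, timex, paramprob, neighbrsol, neighbradv, routersol, routeradv }"
martians     = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
table <blockedip> persist file "/etc/pf.block.ip.conf"

set skip on lo0                # loopback is never filtered
set block-policy drop          # silently drop, do not send RST/unreachable
scrub in all                   # FreeBSD 7 syntax; OpenBSD 4.6+: match in all scrub (no-df)

# Reject forged source addresses and the blocklist before anything else
antispoof quick for $ext_if inet
block drop in  quick on $ext_if from <blockedip> to any
block drop in  quick on $ext_if inet from $martians to any
block drop out quick on $ext_if inet from any to $martians

# Default 1: drop everything, both directions, both address families (logged to pflog)
block in  log all
block out log all

# Default 2: outgoing ssh, smtp, dns, www, https, ntp, whois and ping
pass out quick on $ext_if inet  proto tcp   to any port $tcp_services flags S/SA keep state
pass out quick on $ext_if inet  proto udp   to any port $udp_services keep state
pass out quick on $ext_if inet  proto icmp  all icmp-type  $icmp_types  keep state
pass out quick on $ext_if inet6 proto tcp   to any port $tcp_services flags S/SA keep state
pass out quick on $ext_if inet6 proto udp   to any port $udp_services keep state
pass out quick on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_types keep state

# Default 3: incoming ssh, smtp, dns, www, https and ping only
# Assumption: ssh gets a source rate limit; offenders land in <blockedip> and are flushed
pass in quick on $ext_if inet  proto tcp from any to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/30, overload <blockedip> flush global)
pass in quick on $ext_if inet6 proto tcp from any to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/30, overload <blockedip> flush global)
pass in quick on $ext_if inet  proto tcp   from any to ($ext_if) port $in_services flags S/SA keep state
pass in quick on $ext_if inet  proto udp   from any to ($ext_if) port domain keep state
pass in quick on $ext_if inet  proto icmp  all icmp-type  $icmp_types  keep state
pass in quick on $ext_if inet6 proto tcp   from any to ($ext_if) port $in_services flags S/SA keep state
pass in quick on $ext_if inet6 proto udp   from any to ($ext_if) port domain keep state
pass in quick on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_types keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -f /etc/pf.conf`; blocked traffic shows up in `tcpdump -n -e -ttt -r /var/log/pflog` because the two default `block` rules carry `log`. The ssh rate limit is the one rule here that feeds the `<blockedip>` table automatically, so watch `pfctl -t blockedip -T show` after enabling it to make sure your own admin range is not being added.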