Firewall for Web Server with PF
Saturday, 15 December 2007

Step 1. Create the file /etc/pf.conf (rename the existing one first so you keep a backup) and put the following content in it:
----------------------------------------------------------------------------------------------------------------------

/etc/pf.conf
wan_if="em0"
priv_nets="{10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/5, 127.0.0.0/8, 0.0.0.0}"
tcp_ports="{ 20, 21, 22, 25, 53, 80, 110, 143 }"
udp_ports="{ 53 }"
icmp_types="8"

table <rfc1918> const { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }
table <blocklist> persist file "/etc/blocklist.txt"

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 15000, frags 30000 }
set optimization normal
set block-policy drop
set fingerprints "/etc/pf.os"
set loginterface $wan_if
set require-order yes

scrub in on $wan_if all no-df fragment reassemble min-ttl 15 max-mss 1460
scrub in on $wan_if all no-df
scrub    on $wan_if  all reassemble tcp

# $wan_if, not $ext_if: pfctl refuses to load a ruleset that references a
# macro which was never defined.
block in quick on $wan_if from $priv_nets

# pf evaluates rules last-match-wins, so these two catch-all passes are
# overridden by the "block ... log all" rules below; only the explicit pass
# rules that follow those blocks actually admit traffic.
pass in all
pass out all

pass quick on lo0 all

block in log all
block out log all

block in quick on $wan_if from <blocklist> to any
block in quick on $wan_if from <rfc1918> to any

pass in on $wan_if proto tcp from any to $wan_if port $tcp_ports flags S/SA synproxy state
pass in on $wan_if proto udp from any to $wan_if port $udp_ports keep state
pass in on $wan_if inet proto icmp all icmp-type $icmp_types keep state
pass in inet proto icmp icmp-type 8 code 0 keep state

# Accepts new inbound TCP connections to every port above 49151, most likely
# meant for passive FTP data connections (ftp is in $tcp_ports). Narrow or
# drop this rule if the server does not need it.
pass in quick on $wan_if proto tcp from any to any port > 49151 keep state

pass out on $wan_if proto tcp all modulate state flags S/SA
pass out on $wan_if proto { udp, icmp } all keep state


Step 2: Add the following line to /etc/rc.conf:
------------------------------------------------------------
  pf_enable="YES"


Step 3: Enable PF and load the rules
----------------------------------------------------------
  pfctl -e
  pfctl -f /etc/pf.conf

(/etc/blocklist.txt must exist before the rules are loaded, because the <blocklist> table is read from it; the file may be empty.)
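A helper to go with Step 3, added here and not part of the original guide: it checks the entries of /etc/blocklist.txt before pfctl reads them (a malformed entry, such as the five-octet "10.0.0.0.8", makes the whole ruleset load fail), parse-tests pf.conf with pfctl -n, and only then loads the rules and refreshes the <blocklist> table. The function names and the check/reload sub-commands are this example's own.

```sh
#!/bin/sh
# Added example (not from the guide): validate the blocklist file, then test-parse
# and load pf.conf. Paths are the guide's; pfctl is only invoked inside reload_pf.

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix length.
valid_cidr() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac   # only digits, dots and slash
    addr="${1%%/*}"
    if [ "$addr" != "$1" ]; then
        pfx="${1#*/}"
        case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
        [ "$pfx" -le 32 ] || return 1
    fi
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1            # "10.0.0.0.8" has five fields: rejected
    for oct in "$@"; do
        case "$oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if every non-blank, non-comment line is valid; otherwise report each
# bad line on stderr and return 1 so the ruleset load is never attempted.
validate_blocklist() {
    bad=0
    [ -f "$1" ] || { echo "missing blocklist: $1" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$entry" ] || continue
        valid_cidr "$entry" || { echo "bad entry: $line" >&2; bad=1; }
    done < "$1"
    return $bad
}

# Check the blocklist, parse-only the ruleset (-n), then load both.
reload_pf() {
    conf="${1:-/etc/pf.conf}"; list="${2:-/etc/blocklist.txt}"
    validate_blocklist "$list" || return 1
    pfctl -nf "$conf" || return 1
    pfctl -f "$conf" || return 1
    pfctl -t blocklist -T replace -f "$list"
}

case "${1:-}" in
    check)  validate_blocklist "${2:-/etc/blocklist.txt}" ;;
    reload) reload_pf "$2" "$3" ;;
esac
```

Run it as `sh pfreload.sh check` to validate the list only, or `sh pfreload.sh reload` to perform the full sequence.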

When using the GENERIC kernel, the pf kernel module is loaded automatically once PF is enabled in /etc/rc.conf. If you want to recompile the kernel with PF and also ALTQ (for traffic shaping) built in, use the following kernel options:

kernel options for PF and ALTQ support
device pf
device pflog
device pfsync

# altq support
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ

# other optimizations
options HZ=1000
options DEVICE_POLLING


Tips to debug PF rules:
----------------------------

pfctl -vvsr              (show the loaded rules with rule numbers and statistics)
pfctl -vvsq              (show queue statistics, refreshed in real time)
pfctl -f /etc/pf.conf    (load the pf.conf ruleset)
pfctl -F state           (flush the state table)

Last Updated (Wednesday, 06 July 2011)