fido
August 7th, 2002, 16:58
I thought I'd post my pf.conf rules, to see what others think of them. I'd appreciate pointers, if I'm doing something stupid.

The machine has 2 ethernet cards and acts as a NAT for a few internal machines, and has running visible ssh, web and mail services. I don't really want anything else externally visible or accessible. Except for the Unreal Tournament server I run for a few friends, of course. (I enable UT access in nat.conf, only when I want it available.)

Anyway, here's my pf.conf:

# External ethernet interface, from "ifconfig -a":
ext_if = "xl1"

# Default pf rules, made explicit:
pass in all
pass out all

# Don't filter any loopback interface traffic:
pass in quick on lo0 all
pass out quick on lo0 all


# Clean up any weird external packets:
scrub in on $ext_if all

# Now filter stuff.

# *** TCP ***
# Stop everything inbound, then open up the ports we want seen:
block return-rst in on $ext_if proto tcp from any to any
pass in quick on $ext_if proto tcp from any to any \
port { ssh, smtp, http, pop3 } keep state

# Keep state on outgoing TCP connections:
pass out quick on $ext_if proto tcp from any to any keep state


# *** UDP ***
# Stop everything inbound. We want no externally visible UDP ports:
block return-icmp in on $ext_if proto udp from any to any

# Keep state for desired outbound UDP connections:
pass out quick on $ext_if proto udp from any to any \
port { domain, ntp } keep state

# Ok, allow UT access (enabled/disabled through nat.conf):
pass in quick on $ext_if proto udp from any to any port { 7777, 7778 }

elmore
August 9th, 2002, 02:17
It's definitely different than the way I do most of mine. Hmmm.... If I were to redo your pf.conf file I would probably do something more like this.



# External ethernet interface, from "ifconfig -a":
ext_if = "xl1"
NoRouteIPs="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Clean up any weird external packets:
scrub in on $ext_if all

# Don't allow anyone to spoof non-routable addrs, in either direction.
# (The second rule was posted as "block in out"; pf takes one direction
# per rule, so it is written here as the outbound counterpart.)
block in log quick on $ext_if from $NoRouteIPs to any
block out log quick on $ext_if from any to $NoRouteIPs

# Now filter stuff.
# Specifically block bogus TCP flag combinations (scan signatures).
# pf takes a single flag spec per rule, not a { } list, so one rule each:
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if proto tcp from any to any flags /SFRA
block in log quick on $ext_if proto tcp from any to any flags F/SFRA
block in log quick on $ext_if proto tcp from any to any flags U/SFRAU
# Posted as a bare "P"; the set/mask form is what pf parses:
block in log quick on $ext_if proto tcp from any to any flags P/P

# Default Deny
block in on $ext_if all

# *** TCP ***
pass in quick on $ext_if proto tcp from any to any \
port { ssh, smtp, http, pop3 } keep state

# Keep states: let all outgoing traffic out and maintain state on
# established connections, including TCP, UDP and ICMP.
block out on $ext_if all
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto udp all keep state
pass out on $ext_if inet proto icmp all keep state



Yes your UT will still work. Mine does. Care to play?

KrUsTy!
August 9th, 2002, 11:57
The set from elmore is what you want to be running, a full default deny rule set.

The UT client will work with elmore's rule set, no special ports required because of the outgoing keep state. But if you're running a UT server inside your net that outside people will be playing, you will need to pass in the UT ports like before, as the default deny rule will quash any incoming connections, making your UT server un-contactable by outside people.

The rule that you had for this;

# Ok, allow UT access (enabled/disabled through nat.conf):
pass in quick on $ext_if proto udp from any to any port { 7777, 7778 }

That will work, but I don't think you should pass it in to "any". Probably better to specify the UT server by IP, so if your internal UT server is at IP 192.168.0.10, I would do;

pass in quick on $ext_if proto udp from any to 192.168.0.10 port { 7777, 7778 }

That way you specifically get your traffic to the right box, blocking any other weird attempts to spoof into those ports on computers that you don't want people at. Then you will need a matching rdr rule in the NAT.conf. Sounds like you have that under control.

Probably a little anal on my part, but anyway.

Hope it helps.

fido
August 12th, 2002, 19:40
Thanks elmore, I like your rule set style much better. I did add the UT rule back in, as KrUsTy suggested, since my UT server is on my internal LAN only. To access it externally, I use the IP address of my OpenBSD box, and then use nat.conf to get the packets to the UT server like so:

rdr on xl1 proto udp from any to 0.0.0.0/0 port 7777 -> 10.0.0.34 port 7777
rdr on xl1 proto udp from any to 0.0.0.0/0 port 7778 -> 10.0.0.34 port 7778

And of course,

nat on xl1 from 10.0.0.0/24 to any -> $mygate

where $mygate is the IP of the router on the $ext_if side of things.

I *think* I'm safe from anyone using UT port packets to fish around my LAN with this config, but I'm open to suggestions.

The rdr rules are disabled except when playing, for what it's worth.

And I'd love to play, but I'm not going to have any time for a month at least. I don't even know why I bother maintaining the rules. Thanks for asking though.
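The rule-order questions the thread turns on (elmore's default deny, "quick" rules that stop evaluation, KrUsTy's narrowing of the UT pass rule to one host, and fido's rdr lines) can be checked against a small model of how pf decides. The following Python is an added example written for this page, not code from any of the posters and not pf itself. It assumes KrUsTy's 192.168.0.10 as the game server, fido's two rdr lines pointed at that host, and two constructed addresses: 203.0.113.5 for the external side of the OpenBSD box and 198.51.100.7 for an outside host. It deliberately ignores state tables, scrub, TCP flags and interfaces (every rule in the thread is on $ext_if).

```python
"""Toy model of pf's filter-rule evaluation (added example, not pf's own code).

It models only what the discussion relies on:
  * rules are evaluated top to bottom and the LAST matching rule decides,
    except that a matching `quick` rule stops evaluation immediately;
  * rdr (nat.conf) translation is applied to an inbound packet BEFORE the
    filter rules see it, so a pass rule must name the internal address;
  * when no rule matches at all, pf passes the packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = ("0.0.0.0/0",)
# elmore's $NoRouteIPs (127.0.0.1/8 written as the network it denotes)
NO_ROUTE = ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", relative to the firewall
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    direction: str
    proto: Optional[str] = None   # None matches every protocol
    src: Tuple[str, ...] = ANY
    dst: Tuple[str, ...] = ANY
    dports: Tuple[int, ...] = ()  # empty tuple matches any port
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if not any(ip_address(pkt.src) in ip_network(n) for n in self.src):
            return False
        if not any(ip_address(pkt.dst) in ip_network(n) for n in self.dst):
            return False
        return not self.dports or pkt.dport in self.dports


def evaluate(rules, pkt: Packet) -> str:
    """Return "pass" or "block": last match wins unless a matching rule is quick."""
    verdict = "pass"                  # pf's implicit result when nothing matches
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def apply_rdr(rdr_rules, pkt: Packet) -> Packet:
    """rdr entries are (proto, port, internal_ip); translation precedes filtering."""
    for proto, port, internal in rdr_rules:
        if pkt.direction == "in" and pkt.proto == proto and pkt.dport == port:
            return Packet(pkt.direction, pkt.proto, pkt.src, internal, pkt.dport)
    return pkt


# elmore's rule set plus KrUsTy's UT rule narrowed to the server's address.
UT_SERVER = "192.168.0.10"            # KrUsTy's example address
RULESET = [
    Rule("block", "in", src=NO_ROUTE, quick=True),       # no spoofed private sources
    Rule("block", "out", dst=NO_ROUTE, quick=True),      # and nothing leaks out to them
    Rule("block", "in"),                                 # default deny inbound
    Rule("pass", "in", proto="tcp", dports=(22, 25, 80, 110), quick=True),  # ssh smtp http pop3
    Rule("block", "out"),
    Rule("pass", "out", proto="tcp"),
    Rule("pass", "out", proto="udp"),
    Rule("pass", "out", proto="icmp"),
    Rule("pass", "in", proto="udp", dst=(UT_SERVER + "/32",), dports=(7777, 7778), quick=True),
]

# fido's nat.conf rdr lines in the same shape, pointed at UT_SERVER
RDR_ENABLED = [("udp", 7777, UT_SERVER), ("udp", 7778, UT_SERVER)]
RDR_DISABLED = []                     # "disabled except when playing"

FIREWALL_EXT = "203.0.113.5"          # constructed external address of the OpenBSD box
OUTSIDE = "198.51.100.7"              # constructed Internet host


def verdict(pkt: Packet, rdr=RDR_ENABLED) -> str:
    """Translate (if an rdr applies) and then filter, in pf's order."""
    return evaluate(RULESET, apply_rdr(rdr, pkt))


if __name__ == "__main__":
    cases = {
        "ssh from outside":             Packet("in", "tcp", OUTSIDE, FIREWALL_EXT, 22),
        "telnet from outside":          Packet("in", "tcp", OUTSIDE, FIREWALL_EXT, 23),
        "UT 7777, rdr on":              Packet("in", "udp", OUTSIDE, FIREWALL_EXT, 7777),
        "UT 7777, spoofed 10/8 source": Packet("in", "udp", "10.9.9.9", FIREWALL_EXT, 7777),
        "outbound DNS":                 Packet("out", "udp", FIREWALL_EXT, OUTSIDE, 53),
    }
    for name, pkt in cases.items():
        print(f"{name:32} -> {verdict(pkt)}")
    print(f"{'UT 7777, rdr off':32} -> {verdict(cases['UT 7777, rdr on'], RDR_DISABLED)}")
```

Two things the model makes visible: with the rdr lines commented out, a packet to UDP 7777 keeps the firewall's external address as its destination, so KrUsTy's host-specific pass rule never matches and the default deny drops it (which is why fido's habit of disabling the rdr rules closes the port completely); and because the anti-spoof block is `quick` and sits first, a packet with a 10/8 source is dropped before the UT pass rule is ever consulted.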