Former Member
September 19th, 2003, 05:54
This is my first go at a pf, so bear with me please :)

[code]
#interface(s)
ext_if = "r10" #box to router

#Addressing
#Trusted
host0 = "192.168.2.1" #Router
host1 = "192.168.2.4" #My box
Loopback = "127.0.0.1"
host2 = "192.168.2.5" #Moms box
host3 = "192.168.2.6" #Laura's box
host4 = "192.168.2.7" #Reserved for Vic
#Router
Broadcast = "192.168.2.255"
table <trusted> const { $host1, $host2, $host3, $host4, $Loopback, $Broadcast }

#Private addresses RFC 1918
table <priv_nets> const { 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }

#Unwanted / mean folks
table <unwanted> persist file "/etc/spammers"

#Services
tcpsvcs = "{ 113 }"
udp = "{ }"
icmp_types = "echoreq"

#Options
set block-policy drop
set limit { frags 5000, states 2500 }
set loginterface $ext_if
set optimization high-latency
set timeout interval 15
set timeout frag 30

#ruleset
#default
block all
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400

#loopback rules
pass quick on lo0 all #Allow all traffic on lo0
antispoof quick for $ext_if inet #Antispoof for $ext_if

#ext_if rules; allow all traffic leaving ext_if found in state table
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

#trusted rules
pass out on $ext_if from any to <trusted> #Pass all traffic to and from <trusted>

#priv_nets rules
block drop in log quick on $ext_if from <priv_nets> to ($ext_if)
block drop out log quick on $ext_if from ($ext_if) to <priv_nets>

#services rules; allow and log tcp specified port traffic from any address
pass in log on $ext_if inet proto tcp from any to ($ext_if) port $tcpsvcs flags S/SA keep state

#General
#Block and log pings from non-trusted
block drop in log on $ext_if inet proto icmp from ! <trusted> to ($ext_if) icmp-type $icmp_types
[/code]

I'm sure there are other rules I can add.... I'm thinking about using anchors, so there's the next update.

v902
September 20th, 2003, 20:07
I'm no pf god but I've got 3 comments:

1.) Would it not be more comfortable (and quicker for the processor and eyes) to just do the table and not have variable entries within it? I can see why vars would be useful if you were going to use them individually, but you're not, and even if you did you'd most likely use them only around 2 times...

2.) Why is loopback in trusted? It doesn't send outgoing traffic on ext_if (Am I right?), so pf doesn't even get to touch it, so it's not needed.

3.) Remove Broadcast from trusted, or else a broadcast that, for example, your Vic's comp made would get to your neighbor's computer (Am I right here too?)

I'm currently writing my own pf.conf, so yours was a good one to plagiarize from ;)

Also, if you are doing NAT don't you have to have something like "nat on $ext_if [inet] from $int_if to any -> $ext_if" ?

Former Member
September 21st, 2003, 03:49
It's actually changed; I've defined each trusted host as a var because I could use them on their own, and I would prefer to use $host0 instead of ($ext_if).

Loopback was placed there purely for convenience, and as the first step to creating any pf.conf would be to know the interfaces and addresses, it was there as part of the collective :)

The machine isn't currently a router, though I receive packets from the router; it makes for ease of use in the future (I hope). I'm not doing NAT, reason above.

There were originally a few errors, so once I re-read the FAQ and read through some of the v handy pf.conf's written by members here, I decided to add a few more rules. I'm still to incorporate anchors; I'm just trying to find a working example, solarflux here I come ;)

Updated :)

[code]
#interface(s)
ext_if = "r10" #box to router
Loop_if = "lo0" #Loopback
sshrule="xxx.xxx.xxx.xxx" #ssh from specific host

#Addressing
#Trusted
host0 = "192.168.2.1" #Router
host1 = "192.168.2.4" #My box
host2 = "192.168.2.5" #Moms box
host3 = "192.168.2.6" #Laura's box
host4 = "192.168.2.7" #Reserved for Vic
Loopback = "127.0.0.1" #Loopback address
#Router
Broadcast = "192.168.2.255"
table <trusted> const { $host1, $host2, $host3, $host4, $Loopback, $Broadcast }

#Private addresses RFC 1918
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

#Unwanted / mean folks
table <unwanted> persist file "/etc/spammers"

#Services
tcpsvcs = "{ 113 }"
udp = "{ }"
icmp_types = "echoreq"

#Options
set block-policy drop
set limit { frags 5000, states 2500 }
set loginterface $ext_if
set optimization high-latency
set timeout interval 15
set timeout frag 30

#ruleset
#Macros
binl = "block in log"
pout = "pass out on $ext_if"
#default
block all
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400

#General
#Block and log all from unwanted
block drop in quick log on $ext_if from <unwanted> to any
#Pass and log pings from any
pass in quick log on $ext_if inet proto icmp from any to $host0 icmp-type $icmp_types
#Block and log various nmap shyte - ty elmore ;)
$binl quick on $ext_if inet proto tcp from any to any flags FUP/FUP
$binl quick on $ext_if inet proto tcp from any to any flags SF/SFRA
$binl quick on $ext_if inet proto tcp from any to any flags /SFRA
$binl quick on $ext_if inet proto tcp from any to any flags F/SFRA
$binl quick on $ext_if inet proto tcp from any to any flags U/SFRAU
$binl quick on $ext_if inet proto tcp from any to any flags P/P
$binl on $ext_if all

#loopback rules
antispoof quick for $ext_if inet #Antispoof for $ext_if
pass quick on lo0 all #Allow all traffic on lo0

#ext_if rules; allow all traffic leaving ext_if found in state table
$pout proto tcp all modulate state flags S/SA
$pout proto { udp, icmp } all keep state

#trusted rules #Pass all traffic to and from <trusted>
pass out quick log on $ext_if from $host0 to <trusted>
pass in quick log on $ext_if from <trusted> to $host0

#priv_nets rules
block drop in log quick on $ext_if from <priv_nets> to $host0
block drop out log quick on $ext_if from $host0 to <priv_nets>

#services rules; allow and log tcp specified port traffic from any address
pass in log on $ext_if inet proto tcp from any to $host0 port $tcpsvcs flags S/SA keep state
[/code]

TY for the comments :) tis appreciated. Any tips on the logging? I'm going to create a user as the FAQ suggests, and write a few scripts to accompany it ;)
You'll no doubt find it easy to write; it's an ongoing process, so remember to keep it quick n easy :) I have the syntax for the filter at the bottom of my conf just in case ;)

Former Member
October 29th, 2003, 15:26
Bringing this thread back to life for a second... not much of a life it has led though.

[code]
# pfctl -f /etc/pf.conf
pfctl: Syntax error in config file: pf rules not loaded
[/code]

I had some syntax issues before; I believed they were resolved...

[code]
#interface(s)
ext_if = "rl0" #box to router
sshrule="xxx.xxx.xxx.xxx" #ssh from specific host

#Addressing
#Trusted
host0 = "192.168.2.1" #Router
host1 = "192.168.2.4" #My box
host2 = "192.168.2.5" #Moms box
host3 = "192.168.2.6" #Laura's box
host4 = "192.168.2.7" #Reserved for Vic
#Router
Broadcast = "192.168.2.255"
table <trusted> const "{" $host1, $host2, $host3, $host4, $Broadcast"}"

#Private addresses RFC 1918
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

#Unwanted / mean folks
# table <unwanted> persist file "/etc/spammers"

#Services
tcpsvcs = "{ 80,21,22 }"
udp = "{ 20 }"
icmp_types = "echoreq"

#Options
set timeout interval 15
set timeout frag 30
set limit { frags 5000, states 2500 }
set loginterface $ext_if
set optimization high-latency
set block-policy drop

#ruleset
#default
scrub in all
block all


#General
#Block and log all from unwanted
block drop in quick log on $ext_if from <unwanted> to any
#Pass and log pings from any
pass in quick log on $ext_if inet proto icmp from any to $host0 icmp-type $icmp_types

#loopback rules
antispoof quick for $ext_if inet #Antispoof for rl0
pass quick on lo0 #Allow all traffic lo0

#ext_if rules; allow all traffic leaving ext_if found in state table
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

#trusted rules #Pass all traffic to and from $trusted
pass out quick log on $ext_if from $host0 to <trusted>
pass in quick log on $ext_if from <trusted> to $host0

#priv_nets rules
block drop in log quick on $ext_if from <priv_nets> to $host0
block drop out log quick on $ext_if from $host0 to <priv_nets>

#services rules; allow and log tcp specified port traffic from any address
pass in log on $ext_if inet proto tcp from any to $host0 port $tcpsvcs flags S/SA keep state
[/code]

Can anyone shed some light on this please?

bsdjunkie
October 29th, 2003, 16:03
block drop in quick log on $ext_if from <unwanted> to any

Above you have <unwanted> commented out.

Also, you already set block-policy to drop by default, so you can do the following to make it look cleaner:

block in log quick on $ext_if ......

antispoof quick for $ext_if inet
Not sure if you can have inet just trailing off at the end there or not....

Former Member
October 29th, 2003, 16:25
I believe you can have inet trailing; it's in the docs I have printed off from a month or two back.

I've made the changes you suggested and I still have the same message.... maybe I should install release now eh :-P

Thanks for the reply man, was starting to lose faith.

bsdjunkie
October 29th, 2003, 16:32
"{" $host1, $host2, $host3, $host4, $Broadcast"}"

Are the " " needed inside the { } ?

table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

Are " " needed around the {} when defining tables?

Former Member
October 30th, 2003, 04:14
Ok, I've just finished loading the rulesets in one by one...

You pointed out a very good issue, I have two different syntax structures... ;-)

Turns out there are no quotes in tables. Thanks junkie, sorry for wasting your time.
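A small pre-check for the slips this thread ran into (quotes inside table braces, a table still referenced after its definition was commented out, $name used where <name> is meant, a stray argument after set block-policy, a capitalised keyword), reporting the line number that pfctl's one-line "Syntax error" does not. This is an added example, not code from the thread or from pf: pf's lowercase keywords, its #-comments and pfctl -n -f are real, while lint_pf_conf and SAMPLE_PF_CONF are constructed here, and the checks are heuristics rather than the pf grammar.

```python
import re

# Constructed sample (not the thread's full config): one line per mistake the
# thread ran into, so the checker has something to find.
SAMPLE_PF_CONF = """\
ext_if = "rl0"
host1 = "192.168.2.4"
Broadcast = "192.168.2.255"
table <trusted> const "{" $host1, $Broadcast"}"
# table <unwanted> persist file "/etc/spammers"
set block-policy drop 23
block drop in quick log on $ext_if from <unwanted> to any
pass out quick log on $ext_if from $host1 to $trusted
Pass quick on lo0 all
"""

MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"(.*)"\s*$')  # name = "value"
TABLE_RE = re.compile(r'^\s*table\s+<(\w+)>')                   # table <name> ...

def lint_pf_conf(text):
    """Return [(line_no, message), ...] for the slips this pre-check knows about.

    Not a pf grammar (pfctl -n -f is the real syntax check): it only spots the
    quoting, naming and commented-out-table mistakes from the thread, with the
    line number that pfctl's one-line 'Syntax error' message does not give.
    """
    code_lines = [ln.split('#', 1)[0].rstrip() for ln in text.splitlines()]  # drop comments
    macros = {m.group(1) for m in map(MACRO_RE.match, code_lines) if m}
    tables = {t.group(1) for t in map(TABLE_RE.match, code_lines) if t}
    findings = []
    for no, code in enumerate(code_lines, 1):
        if not code.strip():
            continue
        if TABLE_RE.match(code) and '"' in code:
            findings.append((no, 'quotes inside a table definition; write { a, b } with no "'))
        if re.match(r'\s*set\s+block-policy\s+(drop|return)\s+\S', code):
            findings.append((no, 'set block-policy takes exactly one of drop | return'))
        if code.lstrip()[0].isupper() and not MACRO_RE.match(code):
            findings.append((no, 'pf keywords are lowercase (Pass -> pass)'))
        for ref in re.findall(r'<(\w+)>', code):
            if ref not in tables:
                findings.append((no, f'table <{ref}> is used but never defined (commented out?)'))
        for ref in re.findall(r'\$([A-Za-z_]\w*)', code):
            if ref in tables and ref not in macros:
                findings.append((no, f'${ref} names a table; reference it as <{ref}>'))
            elif ref not in macros and ref not in tables:
                findings.append((no, f'${ref} is not a defined macro'))
    return findings
```

Run it over the file before pfctl -n -f /etc/pf.conf; a macro value containing a literal # would confuse the comment stripping, so treat its output as hints, not a verdict.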