# Check pf.conf correctness please.



## Engraf (Jul 7, 2014)

Hello, 

I'm an (eternal) newbie in FreeBSD. So, could you check my pf.conf for correctness, please? I have a nagging feeling that it contains some redundant or missing expressions. The task is to give anyone on the LAN access to HTTP, and sysadmins on the LAN access to everything. No routing. I plan to add rules in the future to allow access to several ports from the Internet.


```
# interfaces and addresses (the x / a / b parts are placeholders in the original post)
int_if="bce0"
ext_if="bce1"
int_ip="192.168.x.x"
ext_ip="x.x.x.x"
sys_admins="{ 192.168.x.a 192.168.x.b }"
# RFC 1918 space; "const" means the table cannot be changed with pfctl -t after loading
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0        # no filtering on loopback
scrub in all           # normalise incoming packets (fragment reassembly etc.)

# no translation between the two interfaces
no rdr on $int_if from any to $ext_if
no rdr on $ext_if from any to $int_if

# default deny in both directions
block in  all
block out all

# sysadmins on the LAN may reach anything; everyone in private space may reach the web server
pass in quick on $int_if inet from $sys_admins to any
pass in on $int_if inet proto tcp from <private> to $int_if port = http

# anything may leave via the LAN interface; only our own address may leave via the external one
pass out quick on $int_if
pass out quick on $ext_if from $ext_ip to any
```


----------



## SirDice (Jul 7, 2014)

How about this?


```
int_if="bce0"
ext_if="bce1"
int_ip="192.168.x.x"
ext_ip="x.x.x.x"
sys_admins="{ 192.168.x.a 192.168.x.b }"
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0        # loopback is not filtered at all
scrub in all

# default deny
block in  all
block out all

# sysadmins may reach anything on the LAN side
pass in on $int_if from $sys_admins to any
# ($int_if) = the interface's current address, looked up at run time, not at load time
pass in on $int_if proto tcp from any to ($int_if) port = 80

# only the sysadmin hosts may send out via the external interface
pass out on $ext_if from $sys_admins to any
```

I have no idea why you have those rdr rules. There's no NAT involved.


----------



## Engraf (Jul 7, 2014)

Thanks for the reply.

I tried your variant. The web app (PHP) cannot connect to the internal server (Zabbix) via localhost:10051.
Everything else is OK.

P.S. `pass out quick on $int_if` - this was added for the Zabbix checks (Zabbix agents, SNMP, IPMI and others). If it is left as is, would it be vulnerable?

_Added: Hmm... It seems that FreeBSD tries to resolve 'localhost' via DNS! (DNS is not accessible, by the way.) I honestly didn't know that. Adding 'localhost' to /etc/hosts solved the problem._


----------



## SirDice (Jul 8, 2014)

Engraf said:

> Webapp (PHP) cannot connect to internal server (Zabbix) by localhost:10051


It should; that's what `set skip on lo0` is for.



> P.S. `pass out quick on $int_if` - this was added for the Zabbix checks (Zabbix agents, SNMP, IPMI and others). If it is left as is, would it be vulnerable?


I'd use something like 

```
pass out on $int_if proto tcp from $zabbix_server to any port = 10050
```
Add specific rules for SNMP, IPMI and anything else you may use. Try not to use the `quick` keyword.



> _Added: Hmm... It seems that FreeBSD tries to resolve 'localhost' via DNS! (DNS is not accessible, by the way.) I honestly didn't know that. Adding 'localhost' to /etc/hosts solved the problem._


`localhost` should already be in /etc/hosts. The default is:

```
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
```


----------
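The following pf.conf pulls the thread together: the host-only ruleset from SirDice's reply, the per-protocol outbound rules he suggested in place of `pass out quick on $int_if`, and logging on the default-deny rules so that anything a too-tight ruleset drops can be seen. It is an added example, not either poster's configuration; `zabbix_server`, the `<zabbix_agents>` table and the `192.168.x.*` addresses are assumed placeholders, and the Zabbix agent (10050/tcp), SNMP (161/udp) and IPMI RMCP (623/udp) ports are the protocols' standard ports, not something the thread states.

```pf
# Added example, not from the thread. Interface names, macros and the
# <zabbix_agents> table are assumed placeholders; adjust for your network.
int_if="bce0"
ext_if="bce1"
sys_admins="{ 192.168.x.a, 192.168.x.b }"
zabbix_server="192.168.x.c"                 # assumed: LAN address of the zabbix_server host
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <zabbix_agents> { 192.168.x.0/24 }    # assumed: hosts running zabbix_agentd

set skip on lo0       # loopback untouched, so webapp -> 127.0.0.1:10051 is never filtered
scrub in all

# Default deny both ways. "log" copies dropped packets to pflog0 so you can see
# what is being blocked:  tcpdump -n -e -ttt -i pflog0
block in  log all
block out log all

# Sysadmin hosts may reach any service on this box via the LAN interface.
pass in on $int_if from $sys_admins to any
# Any RFC 1918 host may reach the web server on the LAN address.
# ($int_if) is resolved at run time, so an address change needs no reload.
pass in on $int_if proto tcp from <private> to ($int_if) port = http

# Outbound monitoring checks, one rule per protocol instead of a blanket
# "pass out quick on $int_if". pf keeps state on pass rules by default, so the
# replies come back through these states without any extra pass in rules.
pass out on $int_if proto tcp from $zabbix_server to <zabbix_agents> port = 10050
pass out on $int_if proto udp from $zabbix_server to any port = 161
pass out on $int_if proto udp from $zabbix_server to any port = 623

# Template for the planned Internet-facing services (commented out until needed);
# the original post only names HTTP, so that is the only port shown here.
# pass in on $ext_if proto tcp from any to ($ext_if) port = http
```

Check the file before loading it with `pfctl -nf /etc/pf.conf`, which parses the ruleset without installing it; load it with `pfctl -f /etc/pf.conf`, and use `pfctl -vvsr` to list the loaded rules with their rule numbers and per-rule packet counters, which is the quickest way to see whether a rule is actually matching or is redundant. The `log` keyword needs `pflog_enable="YES"` in /etc/rc.conf for the pflog0 interface to exist.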

