# Nothing is Being Blocked by PF



## tpar44 (Oct 9, 2011)

Hi,

I am trying to set up PF on a remote machine to be my primary firewall as an experiment.  I'm not too familiar with PF so I'd like to test it out before I deploy it.  The steps I use are:

1. *vi /etc/sysctl.conf* and I append "net.inet.ip.forwarding=1" to that file to enable packet forwarding.
2. *kldload pf*
3. create my pf.conf in /etc
4. */etc/rc.d/pf onestart* (this way i can reboot my box when I mess up the rules)

My pf.conf file is:


```
#block the inbound traffic from the server itself
block in log quick from webserver to any
block in log quick from imap to any
block in log quick from snortips to any
block in log quick from windows to any
block in log quick from NFS to any
block in log quick from FreeBSD to any

#allow ICMP traffic to get through the firewall
block in log quick proto icmp from any to any 
block out log quick proto icmp from any to any

#allow inbound traffic to ssh, http, NFS
	#webserver
	pass in log quick proto tcp to webserver port 80
	#NFS Server
	pass in log quick proto tcp to NFS port 2049
	#SSH Server
	pass in log quick proto tcp to webserver port 22

	pass in log quick proto tcp to imap port 22
	pass in log quick proto tcp to snortips port 22
	pass in log quick proto tcp to windows port 22
	pass in log quick proto tcp to nfs port 22
	 
#allow new outbound traffic to ssh and web servers
	pass out log quick proto tcp from any to any port 22
	pass out log quick proto tcp from any to any port 80

#passively ignore all other traffic 
#block in all
#block out all
```

Any help that could be given as to why nothing is being blocked, or why, if I uncomment the `block in all` and `block out all` rules, I lose contact with the box (since I work remotely), would be appreciated.

Thank you!


----------



## SirDice (Oct 10, 2011)

1) is easier to set using *gateway_enable="YES"* in /etc/rc.conf.

Start off with a *block all* and add rules for traffic you want to allow.


----------



## Dies_Irae (Oct 10, 2011)

Just to be sure: if this is your real pf.conf I expect that in your /etc/hosts you have something like this:

```
windows   10.1.1.1
webserver 10.1.1.2
FreeBSD   10.1.1.3
...
```

Otherwise, pf knows nothing about "windows" and "webserver".


----------



## CoTones (Oct 11, 2011)

Hi,

First, you need to define the servers' IPs and the external/internal interfaces:


```
webserver="xxx.xxx.xxx.xxx"
imapserver="xxx.xxx.xxx.xxx"...

ext_if="your_interface_facing_internet_like_fx0"
int_if="interface_facing_servers_for_example_fx1"
```

Then you block and log blocked traffic:

```
block log all
```

And grant ssh connection (I guess you connect with ssh remotely):

```
pass in quick on $ext_if inet proto tcp from any to any port 22
```

Further, you need to allow traffic in to the firewall and redirect it to the servers (if needed, ssh too), for example to the web server:

```
pass in on $ext_if inet proto tcp from any to any port 80 rdr-to $webserver
```

Of course, you should allow traffic from the servers through the firewall, and outbound traffic:

```
pass in on $int_if all
pass out all
```

This is not that hard, but you need some good reading with examples:
http://home.nuug.no/~peter/pf/

CoTones

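Putting the advice from the replies together, here is an added example pf.conf (not posted by anyone in the thread) for the setup the original poster describes: a FreeBSD box forwarding for servers behind it. The interface names, addresses and admin network are placeholders, and it uses the `rdr ... ->` translation syntax of the OpenBSD-4.5-based pf that FreeBSD shipped at the time rather than the newer `rdr-to` form.

```pf
# Macros: placeholder values, replace with your real interfaces/addresses.
# pf cannot resolve names like "webserver" unless they are in /etc/hosts or DNS.
ext_if    = "em0"               # interface facing the internet
int_if    = "em1"               # interface facing the servers
webserver = "192.0.2.10"
nfs       = "192.0.2.11"
admin_net = "198.51.100.0/24"   # where you ssh in from; keeps you from locking yourself out

set skip on lo0
scrub in all

# Translation rules are evaluated before filter rules in this pf version:
# port 80 arriving on the external address is redirected to the web server.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver port 80

# Default deny. Without this, pf passes anything that matches no rule,
# which is why the original ruleset "blocked nothing". Logged for pflog0.
block log all

# Remote management first, with "quick" so no later rule can override it.
pass in quick on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA keep state

# Without "quick", the last matching rule wins, so these pass rules
# override "block log all" only for the traffic they name.
pass in on $ext_if proto tcp from any to $webserver port 80 keep state
pass in on $ext_if proto tcp from $admin_net to $nfs port 2049 keep state

# Allow ping replies to work, nothing else from ICMP.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state

# Servers behind the firewall and the firewall itself may initiate outbound.
pass in on $int_if all keep state
pass out all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and when reloading over ssh start a rollback timer such as `(sleep 300; pfctl -d) &` so pf disables itself if the new rules cut you off; kill the timer once you have confirmed you can still log in.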

----------

