# My non-working pf.conf



## empty (Jan 17, 2012)

Hello everyone!

Why does my pf.conf lock everything and stop sharing the internets?



```
ext_if="em0"
int_if="em1"
ext_ip="my external ip"

## Macros
SYN_ONLY="S/FSRA"


## TABLES

## TRAFFIC NORMALIZATION


## QUEUEING RULES


## TRANSLATION RULES (NAT)
nat on $ext_if from !($ext_if) -> ($ext_if:0)

## FILTER RULES

# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all
pass out quick on $ext_if proto { tcp, udp, icmp } all keep state
# Default TCP policy
block return-rst in log on $ext_if proto TCP all
pass in log quick on $ext_if proto TCP from any to $ext_ip port 22 flags $SYN_ONLY keep state
pass in log quick on $ext_if proto TCP from any to $ext_ip port 49152:65535 flags $SYN_ONLY keep state

# Default UDP policy
block in log on $ext_if proto udp all
# It's rare to be hosting a service that requires UDP (unless you are hosting
# a dns server for example), so there typically won't be any entries here.

# Default ICMP policy
block in log on $ext_if proto icmp all
pass in log quick on $ext_if proto icmp from any to $ext_ip icmp-type echoreq keep state

# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
```


----------



## halplus (Jan 18, 2012)

I do configure pf like this:


```
pass out all
block drop in on $ext_if from any to any
# slow down crackers
block quick from <bruteforce>

# let outside traffic pass
pass out quick on $ext_if
```

Then pass in quick for everything I need open.

For instance:


```
pass in quick on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state
```

I then portscan the server from the outside to be 100% sure I didn't leave something open.

I don't recommend logging dropped packets: if your server gets scanned (which is usual when you face the internet, because of the robots/worms out there), the logs are going to fill up your hard drive (unless you trim them down with some cron job, but then they become almost useless) and cause performance degradation.


----------



## halplus (Jan 18, 2012)

NAT should not be affected by blocking rules.


----------



## SirDice (Jan 18, 2012)

There's no rule to allow traffic coming in on $int_if, through the firewall, to the internet. The only traffic that's allowed to go to the internet originates on the firewall machine itself.

You'll want something like this to allow traffic _through_ the firewall:

```
pass in on $int_if proto { tcp, udp, icmp } all keep state
```


----------



## CoTones (Jan 18, 2012)

Sorry, but you have no idea how pf works, so no surprise...



```
ext_if="em0"
int_if="em1"
ext_ip="my external ip"

## Macros
SYN_ONLY="S/FSRA"

set block-policy return
set loginterface $ext_if
set skip on lo0

## TRANSLATION RULES (NAT)
nat on $ext_if from !($ext_if) -> ($ext_if:0)

## FILTER RULES

block log all

pass on $int_if all keep state
pass out on $ext_if all keep state

pass in log on $ext_if proto tcp from any to $ext_ip port 22 flags $SYN_ONLY keep state

pass in log on $ext_if proto tcp from any to $ext_ip port 49152:65535 flags $SYN_ONLY keep state

pass in log on $ext_if proto icmp from any to $ext_ip icmp-type echoreq keep state
```

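Pulling the thread's points together, here is an added example ruleset (not posted by anyone in the thread) that shows the fix SirDice describes, the `pass in` on `$int_if` that the original config lacks, next to halplus's `<bruteforce>` table, which his snippet references but never defines. It keeps the thread's `em0`/`em1` interfaces; the table definition, the `max-src-conn` thresholds and the choice to log only the SSH rule are assumptions made for this example.

```pf
ext_if="em0"
int_if="em1"

# The table halplus refers to; "persist" keeps it across ruleset reloads (assumed definition)
table <bruteforce> persist

set block-policy return
set skip on lo0

nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Default deny without "log": an internet-facing host is scanned constantly, and
# logging every drop fills the disk, as halplus warns
block all

# Anything already flagged as a brute-forcer is dropped before any pass rule
block quick from <bruteforce>

# The rule missing from the original config (SirDice's point): LAN clients arrive
# on $int_if and must be passed *through* the box; keep state lets replies return
pass in on $int_if from $int_if:network to any keep state

# Traffic leaving towards the internet, whether from the firewall itself or NATed
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# SSH from outside, logged because it is the one exposed service worth watching.
# A source opening more than 10 connections, or more than 5 new ones in 30 s,
# is added to <bruteforce> and its existing states are flushed (thresholds assumed)
pass in log on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Answer pings to the external address
pass in on $ext_if inet proto icmp to ($ext_if) icmp-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`, and inspect who has been caught with `pfctl -t bruteforce -T show`; since the table only grows, age entries out periodically with `pfctl -t bruteforce -T expire 86400`.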

----------

