# pf rule-set, your advice.



## costasBSD (Apr 25, 2014)

I am trying to compose a PF rule-set for my FreeBSD system.  FreeBSD is installed on a stand-alone, fully equipped desktop PC which will replace a Windows XP SP3 box.  The FreeBSD machine is just a personal workstation in a home network of a few Windows PCs and doesn't run any services.

The pf.conf that I am currently using is:

```
set block-policy return
scrub in all
tcp_services="{ssh, smtp, domain, www, pop3, auth, pop3s, http, https, imap, imaps, imap3, telnet, ntp}"
udp_serices="{domain}"
trusted="{193.239.214.227 192.168.1.11}"
#193.239.214.227 is a time server; 192.168.1.11 is a win PC in the home network

block all
pass in  log proto tcp to $trusted keep state
pass out log proto tcp to $trusted keep state
pass log proto udp to $trusted keep state

pass out proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state

pass proto icmp from any to any   # I will remove this line later, doing some tests now.
```

Though I am a little bit familiar with the Windows firewalls, I am not confident with the PF rule-set that I came up with.  Could you please offer some advice on how to make it safer? Am I missing something?


----------



## Melvyn (Apr 27, 2014)

You fail to mention your FreeBSD version. This is important. If memory serves me right, you can drop the keep state from rules from 8.0 onward, so it's very likely you can drop them.

Caveat: trusting a Windows machine makes the firewall largely obsolete.  :OOO 

I would put trusted in a table; tables are made for this:


```
table <trusted> persist { 193.239.214.227, 192.168.1.11 }
```

Define interfaces and skip lo0:

```
ext_if="vtnet0" # check ifconfig for interface name
set skip on lo
```

Typo:

```
udp_serices => udp_services
```

Bind restrictions to the interface. Don't log passes, since you'll be out of disk space very soon. There is no need to restrict protocols on trusted machines:

```
block log all
pass in on $ext_if to <trusted>
pass out on $ext_if from <trusted> # from, not to
```

If you're looking for a better rule for ICMP:

```
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex, echoreq }
```

And finally:

```
# Silence windows traffic and keep it from spamming the logs.
block in on $ext_if proto { tcp, udp } from any to ($ext_if) port { netbios-ns, netbios-dgm, netbios-ssn }
```

Hope this helps.


----------
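The following is an added example, not code from either poster: one complete pf.conf that assembles the advice in the reply above (a `<trusted>` table, an interface macro, `set skip on lo`, rules bound to the external interface, a default block that logs, the ICMP rule, and the silent NetBIOS block) around the original poster's service lists. The interface name `em0`, the narrowed service lists and the `netbios` macro are assumptions; the two trusted addresses are the ones given in the thread. In this version the trusted table is matched as the source of inbound traffic and the destination of outbound traffic, and the NetBIOS block uses `quick` so it wins over the logging default block without itself being logged.

```pf
# Added example pf.conf, not from the thread.
# ext_if is an assumption; run ifconfig and use your real interface name.
ext_if = "em0"

# Services this workstation may reach on the Internet (outbound only).
# Narrowed from the original post's list; adjust to what you actually use.
tcp_services = "{ ssh, smtp, domain, www, https, pop3, pop3s, imap, imaps, ntp }"
udp_services = "{ domain, ntp }"

# Windows name-service ports that would otherwise fill the logs.
netbios = "{ netbios-ns, netbios-dgm, netbios-ssn }"

# Trusted hosts from the thread: the time server and one Windows PC.
table <trusted> persist { 193.239.214.227, 192.168.1.11 }

set block-policy return
set skip on lo                 # never filter loopback
scrub in all                   # normalize fragments and odd flags

# Default deny, logged, so pflog0 shows what was dropped.
block log all

# Drop Windows broadcast chatter silently: quick makes this the final
# match, and without "log" it stays out of pflog.
block in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port $netbios

# Trusted hosts: any protocol in from them, any protocol out to them.
# State is kept by default on modern pf, so no "keep state" is needed.
pass in  on $ext_if from <trusted> to ($ext_if)
pass out on $ext_if from ($ext_if) to <trusted>

# Outbound client traffic to the listed services only; replies are
# matched by the state entry, so no inbound rule is needed for them.
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services

# ICMP limited to what a host needs: error messages and echo requests
# addressed to this machine, plus anything it sends itself.
pass in  on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex, echoreq }
pass out on $ext_if inet proto icmp from ($ext_if) to any
```

Before loading it, parse the file without applying it with `pfctl -nf /etc/pf.conf`; a misspelled macro such as the one pointed out in the reply shows up there as an undefined-macro error rather than as a firewall that silently drops traffic.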

