
OpenBSD PF Firewall Script – /etc/pf.conf File

The following script protects a co-located FreeBSD / OpenBSD / NetBSD server running the PF firewall. My box has two interfaces, one for VPN and the other the public interface. I only run http, dns and ssh on the public port. Read the pf, rc.conf and pf.conf man pages for details. Tested on FreeBSD and OpenBSD.

Sample /etc/pf.conf

13 comments
  • Bruce May 14, 2012, 7:54 pm

    You probably don’t want to block all the other icmp types like fragmentation-needed – it breaks things in a subtle but annoying way!

  • Rani April 3, 2011, 11:04 am

    pass quick proto tcp from $table to $ext_if port 22 flags S/SA keep state

    and if you want ssh brute force options;

    table persist file "/etc/bruteforce.conf"
    pass quick proto tcp from $table to $ext_if port 22 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)

  • circus February 19, 2011, 7:29 pm

    And I think we should use

    block all
    
  • circus February 19, 2011, 7:27 pm

    Hi, CMIIW but this rule:

        pass out keep state
    

    just makes this rules:

        pass out on $ext_if proto tcp to any port $tcp_services
        pass out on $ext_if proto udp to any port $udp_services
    

    a bit pointless? I’m still able to connect to any ports.

  • bastian December 8, 2010, 11:07 pm

    How can i block port 22 to public and give permission to specific ip address

    • phaleon December 9, 2010, 10:22 pm

      here is what I have done
      ## ips ok for ssh
      table { 1.2.3.4, 5.6.7.8, 9.10.11.12 }

      # and then
      pass in on $ext_iface proto tcp from to any port 22 flags S/SA synproxy state
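
The following is an added example, not the pf.conf from the original post or any commenter: it combines the SSH allow-list table from phaleon's reply, the overload brute-force table from Rani's comment, and Bruce's point about not blocking ICMP wholesale. The interface name, the sample addresses and the bruteforce file path are assumptions.

```pf
# Added example pf.conf fragment (not the original post's script).
ext_if = "em0"                     # assumption: the public interface

# Hosts permitted to reach ssh (constructed sample addresses).
table <ssh_ok> { 192.0.2.10, 198.51.100.0/24 }
# Sources flagged by the overload rule; "persist" keeps the table across
# rule reloads, the file path is an assumption.
table <bruteforce> persist file "/etc/bruteforce.conf"

set skip on lo0
block all                          # default deny, inbound and outbound

# Drop anything from an address already flagged as a brute-forcer.
block in quick on $ext_if from <bruteforce>

# ssh: allow-listed sources only, synproxy the handshake (which already
# implies keep/modulate state), and move any source that exceeds 15 open
# connections or 5 new connections per 3 seconds into <bruteforce>.
pass in on $ext_if proto tcp from <ssh_ok> to ($ext_if) port 22 \
    flags S/SA synproxy state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Public services on this host: http and dns.
pass in on $ext_if proto tcp to ($ext_if) port 80 flags S/SA synproxy state
pass in on $ext_if proto { tcp, udp } to ($ext_if) port 53 keep state

# Keep the ICMP types path MTU discovery and traceroute depend on
# (unreach covers fragmentation-needed) rather than blocking all ICMP.
pass in on $ext_if inet proto icmp icmp-type { echoreq, unreach, timex } keep state

# Outbound traffic from the box itself.
pass out on $ext_if keep state
```

Syntax-check before loading with `pfctl -nf /etc/pf.conf`; `pfctl -t bruteforce -T show` lists the addresses the overload rule has collected.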

  • Amza Marian September 29, 2009, 1:49 am

    It is ok. Simple and great.

    Normally, a client connects to the server and we handshake with them, then proceed to exchange data. By telling pf to proxy the handshake between the client and server, TCP SYN flood attacks from DDoS become ineffective because a spoofed client cannot complete a handshake.

    As Dirk Gently says: More comments are welcome.

  • Vivek Gite May 10, 2009, 11:01 pm

    Yes, it was a typo. Thanks for the heads-up!

  • Waitman Gobble May 9, 2009, 5:55 am

    oops, i think the problem might be
    pass in on $ext_if proto tcp from ant to any port ssh flags S/SA synproxy state

    “ant” should be “any” ?

  • Waitman Gobble May 9, 2009, 5:47 am

    freebsd 7.2-RELEASE – I believe it ships with pf @ OpenBSD 4.1

    notes:

    1) “$ext_if proto tcp from any to any port http flags S/SA synproxy modulate state”
    throws me a syntax error, I understand that using synproxy and modulate is redundant, ie synproxy includes modulate and keep.

    2) using synproxy with ssh ain’t happening for me, not yet sure – researching.

    3) in pf @ OpenBSD 4.1, default TCP flags are S/SA keep state

    thanks, keep up the great work.

    • Andrei June 23, 2009, 2:53 pm

      # synproxy state – proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state.

  • Dirk Gently February 4, 2009, 3:46 am

    Good work vivec. great help when pf.conf is lacking comments. ;)

  • Hekko November 29, 2008, 2:47 pm

    This was very helpful :) Thank You ;-)

    Regards
    http://hekko.eu
