This is my pf.conf

# New Firewall Config
# First the variables, so we don't have to type the same thing 10 times. :P
external="rl0"
internal="xl0"
loopback="lo0"
priv_lan="192.168.0.0/24"
everyone="any"
private="{ 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/24, 255.255.255.255/32 }"
portrange="{ 21, 22, 80 }"

# Set the timeouts for intervals and packet states.
set timeout tcp.first 120
set timeout tcp.opening 30
set timeout tcp.established 86400
set timeout tcp.closing 900
set timeout tcp.finwait 45
set timeout tcp.closed 90
set timeout udp.first 60
set timeout udp.single 30
set timeout udp.multiple 60
set timeout icmp.first 10
set timeout icmp.error 20
set timeout other.first 60
set timeout other.single 30
set timeout other.multiple 60
set timeout frag 30
set timeout interval 10

# Set the limits
set limit frags 5000
set limit states 5000

# Optimizations
set optimization normal

# Check all fragmented packets and forward them.
scrub in all fragment reassemble

# Apply Network Address Translation
nat on $external from $priv_lan -> $external

# Apply redirects
rdr on $external proto tcp from any to any port 25 -> 192.168.0.7 port 25
rdr on $external proto tcp from any to any port 80 -> 192.168.0.7 port 80
rdr on $external proto tcp from any to any port 110 -> 192.168.0.7 port 110
rdr on $external proto tcp from any to any port 143 -> 192.168.0.7 port 143

# First we block everything that comes from outside:
block in on $external all
block out on $external all

# Then block everything from private networks on the external interface (spoofing)
# in this case don't block private addresses on the internal interface -->
# you know, we are private :P
block in log quick on $external from $private to any

# Block and log all packets that are marked as broadcast
block in quick on $external from any to 255.255.255.255

# Block traffic for which we have no return route (unnecessary data traffic

# ICMP traffic
#block in on $external inet proto icmp all
pass out on $external inet proto icmp all icmp-type 8 code 0 keep state

# UDP traffic
# Allow all outbound traffic (and from inside too)
pass out on $external proto udp all keep state
# Also allow domain traffic
pass in on $external proto udp from any to any port 53 keep state

# TCP traffic
# Allow outbound traffic and protect the Windows tcp/ip stack
# implementation.
pass out on $external proto tcp all flags S/SA modulate state

# Open ports such as ssh for internal and external.
pass in on $external proto tcp from any to any port 22 flags S/SA keep state
pass in on $external proto tcp from any to any port 25 flags S/SA keep state
pass in on $external proto tcp from any to any port 80 flags S/SA keep state
pass in on $external proto tcp from any to any port 110 flags S/SA keep state
pass in on $external proto tcp from any to any port 113 flags S/SA keep state
pass in on $external proto tcp from any to any port 143 flags S/SA keep state

On Wed, 2003-08-20 at 11:26, Alexei G. Malinin wrote:
> Matthijs Mohlmann wrote:
>
> >If I'm right:
> >
> >block return-rst in inet proto tcp all
>
> this rule is in my pf.conf (see the previous letter)
>
> >You don't close the tcp connection at all and then nmap says it's an open
> >port.
>
> The talk is about all protocols (not only tcp) and protocol scanning by
> nmap.
> If I have a single rule such as this "pass all" in pf.conf - my host sends
> icmp "proto-unr" but
> with the given configuration it does not!!!
>
> >I'm not sure but I think that's the rule.
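As an added example (not part of the posted mail or of pf itself), a small Python audit of a ruleset like the one above: it records which macros are actually referenced, pairs each rdr target port with a matching "pass in" rule, and counts block rules that drop silently, which is the behaviour the quoted reply describes (no RST or ICMP unreachable is sent). PF_CONF is a constructed subset of the posted config, and the regexes only handle the simple rule shapes it uses.

```python
import re
# Constructed subset of the ruleset posted above (macros, nat, rdr, block, pass in).
PF_CONF = """
external="rl0"
internal="xl0"
priv_lan="192.168.0.0/24"
portrange="{ 21, 22, 80 }"
nat on $external from $priv_lan -> $external
rdr on $external proto tcp from any to any port 25 -> 192.168.0.7 port 25
rdr on $external proto tcp from any to any port 80 -> 192.168.0.7 port 80
rdr on $external proto tcp from any to any port 110 -> 192.168.0.7 port 110
rdr on $external proto tcp from any to any port 143 -> 192.168.0.7 port 143
block in on $external all
pass in on $external proto tcp from any to any port 22 flags S/SA keep state
pass in on $external proto tcp from any to any port 25 flags S/SA keep state
pass in on $external proto tcp from any to any port 80 flags S/SA keep state
pass in on $external proto tcp from any to any port 110 flags S/SA keep state
pass in on $external proto tcp from any to any port 113 flags S/SA keep state
pass in on $external proto tcp from any to any port 143 flags S/SA keep state
"""
MACRO_RE = re.compile(r'^(\w+)="([^"]*)"$')
RDR_RE = re.compile(r'^rdr .*?proto (\w+) .* port (\d+) -> (\S+) port (\d+)')
PASS_RE = re.compile(r'^pass in .*?proto (\w+) .* port (\d+)')

def audit(conf):
    # Cross-check macros, rdr targets and pass-in rules of a pf.conf text.
    macros, rdr, passed, used, silent_blocks = {}, {}, set(), set(), 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:                                    # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        used.update(re.findall(r"\$(\w+)", line))
        if line.startswith("block") and "return" not in line:
            silent_blocks += 1                   # drop without RST / ICMP unreachable
        m = RDR_RE.match(line)
        if m:                                    # redirected (proto, port) -> internal host
            rdr[(m.group(1), int(m.group(2)))] = (m.group(3), int(m.group(4)))
        m = PASS_RE.match(line)
        if m:                                    # inbound (proto, port) that is passed
            passed.add((m.group(1), int(m.group(2))))
    return {
        "unused_macros": sorted(set(macros) - used),
        "rdr_without_pass": sorted(k for k in rdr if k not in passed),  # redirected but blocked
        "pass_to_firewall": sorted(k for k in passed if k not in rdr),  # terminates on the firewall
        "silent_blocks": silent_blocks,
    }
```

For the subset above, ports 22 and 113 are passed in but not redirected, so they terminate on the firewall host itself, and the macros internal and portrange are defined but never used.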