IPFilter & Packet Filter configuration
Edit the configuration file,
Note. I prefer returning the packets instead of dropping them, so one immediately knows that the port is blocked instead of waiting for a timeout. Dropping is nevertheless preferable from a security standpoint, as an attacker's port scanner needs significantly more time to complete. Therefore it's recommended to use "return-*" on secure networks only.
Note. add "keep frags" so that rules using "flags S" do not drop fragmented packets.
Note. if a single network interface serves both the DMZ and the internal network, you may want to restrict services to the internal network only,
Note. if you want logs,
add "log first" before "proto" or "on", e.g.,
you may also define a log facility and priority (log level local1.notice).
Note. to tighten things further, you may add those blocks at the top of the ruleset,
Note. the "quick" keyword, placed before "on", makes the rule final: a matching packet is not evaluated against the rules that follow.
Note. it's recommended to pass only the ICMP echo request type. But if you want to pass all ICMP,
Note. for a passive-mode capable FTP server, you need to open port 21 (not 20, which is only used for active FTP) plus a data port range,
which here means ports 6000 to 6010 (above 5999 and below 6011).
Note. on Solaris, lo0 cannot be filtered.
Note. NetBIOS ports,
Note. routing info,
On NetBSD, enable IP forwarding,
show the ruleset that is loaded,
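An /etc/ipf.conf ruleset that puts the notes above together, as an added example rather than the page's own file; the interface name bge0, the internal network 192.168.1.0/24 and the services opened are assumptions.

```conf
# /etc/ipf.conf -- added example; bge0 and 192.168.1.0/24 are assumed values.
# Load with "ipf -Fa -f /etc/ipf.conf", list the loaded rules with "ipfstat -io".

# Anti-spoofing blocks at the top: "quick" ends evaluation on a match, "log first"
# logs only the first packet of a flow, sent to syslog facility/priority local1.notice.
block in log first level local1.notice quick on bge0 from 127.0.0.0/8 to any
block in log first level local1.notice quick on bge0 from 192.168.1.0/24 to any

# Never filter loopback (on Solaris lo0 cannot be filtered anyway).
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound: allow everything and keep state so replies come back;
# "keep frags" lets fragments through rules that "flags S" alone would drop.
pass out quick on bge0 proto tcp from any to any flags S keep state keep frags
pass out quick on bge0 proto udp from any to any keep state keep frags
pass out quick on bge0 proto icmp from any to any keep state

# Inbound services.
pass in quick on bge0 proto tcp from any to any port = 22 flags S keep state keep frags
# Passive FTP: control port 21 plus the data range 6000-6010 (above 5999, below 6011).
pass in quick on bge0 proto tcp from any to any port = 21 flags S keep state keep frags
pass in quick on bge0 proto tcp from any to any port 5999 >< 6011 flags S keep state keep frags
# Only ICMP echo requests rather than the whole protocol.
pass in quick on bge0 proto icmp from any to any icmp-type echo keep state
# NetBIOS (137-139) and SMB (445) for the internal network only, on a mixed DMZ/internal interface.
pass in quick on bge0 proto tcp/udp from 192.168.1.0/24 to any port 136 >< 140 keep state
pass in quick on bge0 proto tcp from 192.168.1.0/24 to any port = 445 flags S keep state

# Everything else is refused with return-rst / return-icmp instead of a silent drop, so a
# blocked port is reported immediately. Trusted networks only; on exposed hosts use plain "block".
block return-rst in log first quick on bge0 proto tcp from any to any
block return-icmp(port-unr) in log first quick on bge0 proto udp from any to any
block in log first quick on bge0 all
```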
Packet Filter configuration
The syntax is a little different for /etc/pf.conf. See http://www.openbsd.org/faq/pf/example1.html
Packet Filter usage