diff options
| author | Julien Dessaux | 2021-05-18 18:12:44 +0200 |
|---|---|---|
| committer | Julien Dessaux | 2021-05-18 18:12:44 +0200 |
| commit | c9d9b0601d859614324c304d7c3f7820f66d8094 (patch) | |
| tree | a3eee3e7a2659885928aedfd4baf2a756d4fc271 /content/docs | |
| parent | Fixed previous tweaks (diff) | |
| download | www-c9d9b0601d859614324c304d7c3f7820f66d8094.tar.gz www-c9d9b0601d859614324c304d7c3f7820f66d8094.tar.bz2 www-c9d9b0601d859614324c304d7c3f7820f66d8094.zip | |
Added freebsd docs article
Diffstat (limited to 'content/docs')
| -rw-r--r-- | content/docs/freebsd/pf.md | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/content/docs/freebsd/pf.md b/content/docs/freebsd/pf.md new file mode 100644 index 0000000..18c0458 --- /dev/null +++ b/content/docs/freebsd/pf.md @@ -0,0 +1,34 @@ +--- +title: pf.conf +description: The template I use on new installations +--- + +## pf.conf + +The open ports list is refined depending on the usage obviously... It is just a template : + +```conf +ext_if=vtnet0 + +scrub in all + +table <jails> persist +table <myself> const { self } +table <private> const { 10/8, 172.16/12, 192.168/16, fd00::/8 fe80::/10 } +table <internet> const { 0.0.0.0/0, !10/8, !172.16/12, !192.168/16, ::/0, fe80::/10, !fd00::/8 } + +##### Basic rules ##### +nat pass on $ext_if from <jails> to <internet> -> ($ext_if:0) +rdr-anchor "rdr/*" +set skip on lo +block return log + +##### This firewall ##### +block drop in on $ext_if +pass inet proto icmp all icmp-type unreach code needfrag # MTU path discovery +pass inet proto icmp all icmp-type { echoreq, unreach } # echo reply +pass inet6 proto icmp6 all + +pass in on $ext_if proto tcp from <internet> to <myself> port { ssh, http, https, smtp, smtps, submission } +pass out from <myself> to any +``` |