From c9d9b0601d859614324c304d7c3f7820f66d8094 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Tue, 18 May 2021 18:12:44 +0200
Subject: Added freebsd docs article

---
 content/docs/freebsd/pf.md | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 content/docs/freebsd/pf.md
(limited to 'content/docs')

diff --git a/content/docs/freebsd/pf.md b/content/docs/freebsd/pf.md
new file mode 100644
index 0000000..18c0458
--- /dev/null
+++ b/content/docs/freebsd/pf.md
@@ -0,0 +1,34 @@
+---
+title: pf.conf
+description: The template I use on new installations
+---
+
+## pf.conf
+
+The open ports list is refined depending on the usage obviously... It is just a template :
+
+```conf
+ext_if=vtnet0
+
+scrub in all
+
+table persist
+table const { self }
+table const { 10/8, 172.16/12, 192.168/16, fd00::/8 fe80::/10 }
+table const { 0.0.0.0/0, !10/8, !172.16/12, !192.168/16, ::/0, fe80::/10, !fd00::/8 }
+
+##### Basic rules #####
+nat pass on $ext_if from to -> ($ext_if:0)
+rdr-anchor "rdr/*"
+set skip on lo
+block return log
+
+##### This firewall #####
+block drop in on $ext_if
+pass inet proto icmp all icmp-type unreach code needfrag # MTU path discovery
+pass inet proto icmp all icmp-type { echoreq, unreach } # echo reply
+pass inet6 proto icmp6 all
+
+pass in on $ext_if proto tcp from to port { ssh, http, https, smtp, smtps, submission }
+pass out from to any
+```
-- cgit v1.2.3