ljsdev-ssg

Source code for https://ljs.dev

commit 62336039ae24a808ec90ec4122d011426924ee23
parent 6d0fa85081a3f2e1e7b52cd5271b601cad05a87a
Author: Leon <leon@wp2static.com>
Date:   Sun,  1 Sep 2019 21:07:23 +0200

pf article

Diffstat:
A src/openbsd/pf-simple-configuration.html | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+), 0 deletions(-)

diff --git a/src/openbsd/pf-simple-configuration.html b/src/openbsd/pf-simple-configuration.html 
@@ -0,0 +1,54 @@ +<h1>pf(4) simple configuration</h1> + +<h3>September 2, 2019</h3> + +<p>The pf(4) packet filter in OpenBSD is prevalent throughout the world, having been adopted by network device manucaturers and big corps like Apple, to use in macOS and iOS. My first semi-awareness of it was when using pfSense in mainland China, to combine several WAN connections and share a VPN between them.<p> + +<p>When I started using OpenBSD, years after doing anything networking related, I was intimidated by the config files people often recommended and gave up on the man pages.</p> + +<p>I struggle to understand topics until I can simplify them and think in somple terms. Once over the jargon of pf(4), it is quite simple. Remember, most things are just inputs and outputs with some stuff in the middle!</p> + +<p>I won't try to teach you pf(4), for that, you have:<p> + +<ul> + <li><code>man pf</code></li> + <li><code>man pf.conf</code></li> + <li><code>man pfctl</code></li> + <li><code>man pflog</code></li> + <li><code>cat /etc/examples/pf.conf</code></li> +</ul> + +<p>What I will share, is as simple a config I use to block everything and just allow what I need. I have used more complex rulesets when using unbound(8) or vmm(4).</p> + +<p><i>Advice: be careful if you are adjusting pf rules for a server you only have remote access to. 
ie, apply changes temporarily while working, with a reboot script set in the not too distant future</i></p> + +<code> +#/etc/pf.conf + + +# define interface macros +ext_if = "vio0" + +# define macro/lists for applications +ssh_port = "22" +web_ports = "{ 80, 443 }" + +# don't do anything for local connections +set skip on lo + +# block and log everything by default +block return log + +# allow out any TCP/UDP +pass out on $ext_if proto tcp all +pass out on $ext_if proto udp all + +# allow in web and SSH +pass in on $ext_if proto tcp from any to any port $web_ports +pass in on $ext_if proto tcp from any to any port $ssh_port + +</code> + +<p>For logging, there is an example on how to use tcpdump(8) in the pflog(4) man page. Blocking everything and then monitoring while testing out applications has worked well for me.</p> + +
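Review bot: the `<code>` element that holds the pf.conf at the end of the hunk will render as a single run-on line, because `<code>` is inline and HTML collapses the newlines; wrap it as `<pre><code> ... </code></pre>` so the ruleset keeps its line structure and the `#` comment lines do not swallow the rules after them when a reader copies the text. Two paragraphs are closed with `<p>` instead of `</p>` ("share a VPN between them.<p>" and "for that, you have:<p>"), and there are two typos: "manucaturers" should read "manufacturers" and "somple" should read "simple". On the ruleset itself, `block return log` answers every blocked packet with a TCP RST or an ICMP unreachable, which makes the host's filtering visible to anyone scanning it; for a default-deny on an internet-facing box `block log` (drop is the default block policy) is the safer baseline, with `return` reserved for debugging, and that choice deserves a sentence in the prose. Since no `pass in` rule covers `icmp`, the host will not answer ping either, which the "block everything" paragraph could state explicitly. `pass in on $ext_if proto tcp from any to any port $ssh_port` exposes SSH to every source address; a `table <ssh_allowed> persist` or an explicit source list would narrow that and fits the lockout warning at the end, which would also be more useful with the concrete safeguard it alludes to (for example scheduling `pfctl -d` with at(1) or a backgrounded `sleep` before loading the new rules).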