PF, The OpenBSD Packet Filter: Building The Network You Need: BSDCan, Ottawa, June 10th 2015 | ||
---|---|---|
Prev | Next |
You may want to allow only what's needed:
pass in on $ext_if proto { tcp, udp } to $nameservers \ port domain pass in on $int_if proto { tcp, udp } from $localnet to $nameservers \ port domain pass out on $dmz_if proto { tcp, udp } to $nameservers \ port domain pass in on $ext_if proto tcp to $webserver port $webports pass in on $int_if proto tcp from $localnet to $webserver \ port $webports pass out on $dmz_if proto tcp to $webserver port $webports pass in log on $ext_if proto tcp to $mailserver port smtp pass in log on $int_if proto tcp from $localnet to $mailserver \ port $email pass out log on $dmz_if proto tcp to $mailserver port smtp pass in on $dmz_if from $mailserver to any port smtp pass out log on $ext_if proto tcp from $mailserver to port smtp