# pfctl -nf /etc/pf.conf (check the syntax only; do not load the rule set)
# pfctl -ef /etc/pf.conf (To enable PF and load the rule set)
# pfctl -f /etc/pf.conf (Load the rule set)
# pfctl -sr
# pfctl -sinfo
# pfctl -Fa (-F all)
# pfctl -e (/etc/rc.d/pf start)
# pfctl -d (/etc/rc.d/pf stop)
# Abbreviations used below:
# int=internet if=interface net=network
#
#=== macros BEGIN ===
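# Interface facing the internet.
int_if="alc0"
# Trusted LAN; the only source allowed to reach services on this host.
net_local="192.168.1.0/24"
# ICMP types this host may send out.
icmp_types="echoreq"
# TCP services on $int_if reachable from $net_local (currently SSH only).
# Add further ports here rather than writing new pass rules.
tcp_services="{ 22 }"
#=== macros END ===
#=== options BEGIN ===
# Loopback is trusted; skip filtering there entirely.
set skip on lo0
#=== options END ===
#=== filter rules BEGIN ===
# Normalize (reassemble fragments, etc.) all incoming packets before they are filtered.
scrub in all
# Default deny for everything arriving on the internet interface; the pass
# rules below punch holes in this. Use "block log in on $int_if" instead if
# blocked traffic should be visible on pflog0 for monitoring.
block in on $int_if
# Block packets whose source address belongs to the loopback or $int_if network
# but arrive on some other interface (address spoofing). "quick" means a match
# is final and later rules are not evaluated.
antispoof quick for { lo $int_if }
# Use "block return" so that blocked IDENT connections are closed right away:
# a TCP RST is returned for blocked TCP packets and an ICMP Unreachable packet
# for all others. IDENT is TCP-only; udp is listed for completeness and only
# ever produces an ICMP Unreachable. See "About port 113" below.
block return in on $int_if proto { tcp, udp} from ! $net_local to $int_if port 113
# Allow SSH (and anything else in $tcp_services) from the local network only.
pass in on $int_if proto tcp from $net_local to $int_if port $tcp_services
# Allow all outgoing TCP/UDP traffic from this host. Current pf keeps state on
# pass rules by default, so replies to these connections are accepted.
pass out on $int_if proto { tcp, udp } all
# Allow outgoing ICMP echo requests (this host can ping out); unsolicited
# inbound ICMP stays covered by the default deny above.
pass out on $int_if inet proto icmp all icmp-type $icmp_types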
#=== filter rules END ===
#=== About port 113 BEGIN ===
#The IDENT (AUTH) protocol is often necessary for the smooth operation of certain services such as mail, POP3, ftp, and IRC. Dropping IDENT packets on the firewall may cause these services to fail. This occurs when an IDENT request is made on TCP port 113 and the request is dropped: the server will wait for a SYN/ACK reply to the TCP 113 connection request until it times out. IDENT is a security concern, so IDENT requests should normally not be answered, and yet they cannot simply be dropped if the service is to function properly.
#The proper way to handle IDENT requests is to create a REJECT rule instead of dropping IDENT requests at the firewall. This way the firewall returns a RESET/ACK to the requesting server and it gives up immediately instead of waiting for a timeout.