# NIC
ext_if="re0"
# TCP/UDP services open on this server:
# 443: sslh, multiplexer
# 50666: transmission
# 22: SSH (direct)
# 2049: NFS
# 6969: free (reverse SSH or other temporary use); note that it sits in
#       tcp_services below, so it is open permanently, not only when needed
# (80/tcp and 53, 123/udp are also opened below but are not described here)
tcp_services="{80, 443, 22, 2049, 6969}"
udp_services="{53, 123, 2049, 50666}"
# Ports that are routinely scanned and should not be logged:
dontlog_tcp_services="{445, 135, 139, 2121}"
dontlog_udp_services="{67}"

##### Global behaviour #######
# Default reply for blocked packets: "return" answers with a TCP RST or an
# ICMP unreachable, which tells a scanner the host is alive; "drop" is silent.
set block-policy return
# Interface for which pf keeps packet/byte statistics (shown by "pfctl -si");
# per-rule logging itself comes from the "log" keyword and goes to pflog0.
set loginterface $ext_if
# Disable filtering on the loopback interface:
set skip on lo0
# Normalise incoming traffic (fragment reassembly, etc.):
scrub in all

### Filtering rules #####
# pf evaluates rules top to bottom and the LAST matching rule wins (no
# "quick" is used in this file), so the order below is significant.
# Start by blocking, and logging, everything inbound by default:
block in log all
# Allow outbound traffic (freebsd-update, etc.):
pass out
# Allow ICMP for IPv4 and IPv6 (all types, both directions; use
# "icmp-type" / "icmp6-type" to restrict this to echo requests if wanted):
pass proto { icmp icmp6 }
# Allow the following inbound flows ("keep state" is the default on modern
# pf, the explicit keyword is harmless):
pass in proto tcp from any to any port $tcp_services keep state
pass in proto udp from any to any port $udp_services keep state
# Suppress logging of the most common scans: these rules come after
# "block in log all" and carry no "log", so as the last match they block
# the packet silently. They open nothing and must stay at the end of the file.
block in proto tcp from any to any port $dontlog_tcp_services
block in proto udp from any to any port $dontlog_udp_services

# Checks: "pfctl -nf /etc/pf.conf" parses the file without loading it,
# "pfctl -f /etc/pf.conf" loads it, "pfctl -sr" prints the active rules and
# "tcpdump -n -e -ttt -i pflog0" shows what the "log" rules record.
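The whole "don't log common scans" trick depends on pf's last-matching-rule semantics. The following is an added example, not part of the original paste: a small Python evaluator for just the subset of pf.conf syntax this ruleset uses (macros, block/pass, in/out, log, proto, port lists), which applies "last match wins" to a few constructed packets and reports both the verdict and whether the packet would be logged. It is not a pf parser; addresses, interfaces and state tracking are ignored, and `PF_CONF` is the ruleset above with comments removed.

```python
"""Added example (not part of the original paste): a tiny evaluator for the
subset of pf.conf syntax the ruleset above uses, to show why the final two
"block" rules suppress logging without opening anything. It models the one
pf semantic the trick relies on: rules are evaluated top to bottom and the
LAST matching rule decides (no "quick" is used). PF_CONF is a copy of the
ruleset with comments stripped; the packets are constructed test inputs.
This is not a pf parser and ignores addresses, state and interfaces."""
import re

PF_CONF = """
ext_if="re0"
tcp_services="{80, 443 , 22, 2049, 6969}"
udp_services="{53, 123, 2049, 50666}"
dontlog_tcp_services="{445, 135, 139, 2121}"
dontlog_udp_services="{67}"
set block-policy return
set loginterface $ext_if
set skip on lo0
scrub in all
block in log all
pass out
pass proto { icmp icmp6 }
pass in proto tcp from any to any port $tcp_services keep state
pass in proto udp from any to any port $udp_services keep state
block in proto tcp from any to any port $dontlog_tcp_services
block in proto udp from any to any port $dontlog_udp_services
"""


def _items(token):
    """Split a "{a, b}" list (or a bare word) into its elements."""
    return [p for p in re.split(r"[\s,{}]+", token) if p]


def parse_pfconf(text):
    """Return the filter rules as dicts: action, direction (None = both),
    log flag, proto set (None = any) and destination port set (None = any).
    Macros are expanded; "set" and "scrub" lines take no filtering decision
    and are skipped."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)="(.*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        if line.startswith(("set ", "scrub ")):
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        tokens = re.findall(r"\{[^}]*\}|\S+", line)
        rule = {"action": tokens[0], "direction": None, "log": False,
                "proto": None, "port": None}
        it = iter(tokens[1:])
        for tok in it:
            if tok in ("in", "out"):
                rule["direction"] = tok
            elif tok == "log":
                rule["log"] = True
            elif tok == "proto":
                rule["proto"] = set(_items(next(it)))
            elif tok == "port":
                rule["port"] = {int(p) for p in _items(next(it))}
            # "all", "from any to any", "keep state" add no constraint here
        rules.append(rule)
    return rules


def _matches(rule, pkt):
    return ((rule["direction"] in (None, pkt["direction"]))
            and (rule["proto"] is None or pkt["proto"] in rule["proto"])
            and (rule["port"] is None or pkt.get("dport") in rule["port"]))


def evaluate(rules, pkt):
    """Last matching rule wins. Returns (verdict, logged)."""
    verdict, logged = "pass", False   # pf passes what no rule matches
    for rule in rules:
        if _matches(rule, pkt):
            verdict, logged = rule["action"], rule["log"]
    return verdict, logged


def verdicts():
    """Decisions for a handful of constructed packets against PF_CONF."""
    rules = parse_pfconf(PF_CONF)
    samples = {
        "in tcp/22 (SSH)":        {"direction": "in", "proto": "tcp", "dport": 22},
        "in tcp/445 (SMB scan)":  {"direction": "in", "proto": "tcp", "dport": 445},
        "in tcp/8080 (other)":    {"direction": "in", "proto": "tcp", "dport": 8080},
        "in udp/67 (DHCP noise)": {"direction": "in", "proto": "udp", "dport": 67},
        "in icmp echo":           {"direction": "in", "proto": "icmp"},
        "out tcp/443":            {"direction": "out", "proto": "tcp", "dport": 443},
    }
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (verdict, logged) in verdicts().items():
        print(f"{name:24} -> {verdict:5} {'logged' if logged else 'silent'}")
```

Running it shows the intended split: 22/tcp passes, 445/tcp and 67/udp are blocked without a log entry because the trailing `block` rules are the last match, while an unlisted port such as 8080/tcp is blocked and logged by `block in log all`. Moving the two `dontlog` rules above `block in log all` would change the 445 and 67 results to "logged", which is exactly what `pfctl -sr` should be checked against after any reordering of the real file.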