pf : reorder some rules, more details on some comments
This commit is contained in:
parent
b220c1934d
commit
f4e07b4578
|
@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
- etc-git: add versioning for /usr/share/scripts
|
- etc-git: add versioning for /usr/share/scripts
|
||||||
- nagios-nrpe: add a wraper to check_dhcpd to define the number of dhcpd processes that must be running depending on the CARP state
|
- nagios-nrpe: add a wraper to check_dhcpd to define the number of dhcpd processes that must be running depending on the CARP state
|
||||||
- evocheck: renamed install.yml to main.yml and add evocheck cron at the beginning of the daily.local file
|
- evocheck: renamed install.yml to main.yml and add evocheck cron at the beginning of the daily.local file
|
||||||
|
- pf : reorder some rules, more details on some comments
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST
|
|
||||||
|
|
||||||
######################
|
######################
|
||||||
##### INTERFACES #####
|
##### INTERFACES #####
|
||||||
######################
|
######################
|
||||||
|
@ -24,7 +22,6 @@ tcp_in = "{ http, https }"
|
||||||
#udp_in = "{ domain, ntp, 33433><33626 }"
|
#udp_in = "{ domain, ntp, 33433><33626 }"
|
||||||
udp_in = "{ 33433><33626 }"
|
udp_in = "{ 33433><33626 }"
|
||||||
|
|
||||||
|
|
||||||
###################
|
###################
|
||||||
##### OPTIONS #####
|
##### OPTIONS #####
|
||||||
###################
|
###################
|
||||||
|
@ -39,12 +36,15 @@ set optimization normal
|
||||||
set skip on lo
|
set skip on lo
|
||||||
match in all scrub (no-df)
|
match in all scrub (no-df)
|
||||||
|
|
||||||
####################
|
###########################
|
||||||
##### FILTRAGE #####
|
##### FILTRAGE GLOBAL #####
|
||||||
####################
|
###########################
|
||||||
|
|
||||||
# politiques par defaut
|
# politique par defaut : on autorise l'icmp en entrée puis on ne filtre que le WAN en entrée, tout le reste est autorisé
|
||||||
block log all
|
block log all
|
||||||
|
pass out quick on $ext_if
|
||||||
|
#pass on $lan_if
|
||||||
|
pass in proto { icmp, icmp6 }
|
||||||
|
|
||||||
# filter rules and anchor for ftp-proxy(8)
|
# filter rules and anchor for ftp-proxy(8)
|
||||||
#anchor "ftp-proxy/*"
|
#anchor "ftp-proxy/*"
|
||||||
|
@ -53,22 +53,21 @@ block log all
|
||||||
#pass quick proto carp
|
#pass quick proto carp
|
||||||
#pass quick on $pfsync_if proto pfsync
|
#pass quick on $pfsync_if proto pfsync
|
||||||
|
|
||||||
pass out
|
# Autorisations pour Evolix
|
||||||
# 5666 = nrpe
|
|
||||||
pass in on $ext_if proto tcp from <evolix> to (self) port { ssh, 5666 }
|
pass in on $ext_if proto tcp from <evolix> to (self) port { ssh, 5666 }
|
||||||
|
|
||||||
# Block Attack
|
# Block Attack
|
||||||
# China 144.0.0.0/16 --> SSH
|
# China 144.0.0.0/16 --> SSH
|
||||||
block in on $ext_if proto tcp from 144.0.0.0/16 to any port ssh
|
block in on $ext_if proto tcp from 144.0.0.0/16 to any port ssh
|
||||||
|
|
||||||
# Autorisation des protocoles
|
# Autorisation des protocoles en entrée
|
||||||
pass in on $ext_if proto tcp to !(self) port $tcp_in
|
pass in on $ext_if proto tcp to !(self) port $tcp_in
|
||||||
pass in on $ext_if proto udp to !(self) port $udp_in
|
pass in on $ext_if proto udp to !(self) port $udp_in
|
||||||
|
|
||||||
# FTP actif
|
# FTP actif
|
||||||
# pass in on $ext_if proto tcp from any port 20 to any port 1024:65535
|
# pass in on $ext_if proto tcp from any port 20 to any port 1024:65535
|
||||||
|
|
||||||
|
###############################
|
||||||
# Acces public
|
##### FILTRAGE SPECIFIQUE #####
|
||||||
pass in proto { icmp, icmp6 }
|
###############################
|
||||||
|
|
||||||
|
|
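Review bot: The new default-policy comment (`# politique par defaut : ... tout le reste est autorisé`) does not match the rules that follow it: the only new pass-out rule is `pass out quick on $ext_if`, the unconditional `pass out` is dropped in the last hunk, and `#pass on $lan_if` stays commented, so under `block log all` outbound traffic on every interface other than $ext_if is now blocked and logged unless a rule in the "FILTRAGE SPECIFIQUE" section below this view passes it. The same applies to the still-commented `#pass quick proto carp` / `#pass quick on $pfsync_if proto pfsync` lines, so a CARP/pfsync pair on a non-WAN interface would presumably lose that traffic as well — worth confirming on a host that uses them. If restricting outbound to $ext_if is intentional, the comment should say so; otherwise keep `pass out` (or uncomment `pass on $lan_if`) right after `pass out quick on $ext_if`. Note also that `quick` on the $ext_if pass-out rule means no later, more specific `block out on $ext_if` rule can take effect, which is a change from the previous last-match behaviour.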