pf : reorder some rules, more details on some comments
parent
b220c1934d
commit
f4e07b4578
|
@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|||
- etc-git: add versioning for /usr/share/scripts
|
||||
- nagios-nrpe: add a wraper to check_dhcpd to define the number of dhcpd processes that must be running depending on the CARP state
|
||||
- evocheck: renamed install.yml to main.yml and add evocheck cron at the beginning of the daily.local file
|
||||
- pf : reorder some rules, more details on some comments
|
||||
|
||||
### Fixed
|
||||
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST
|
||||
|
||||
######################
|
||||
##### INTERFACES #####
|
||||
######################
|
||||
|
@ -24,7 +22,6 @@ tcp_in = "{ http, https }"
|
|||
#udp_in = "{ domain, ntp, 33433><33626 }"
|
||||
udp_in = "{ 33433><33626 }"
|
||||
|
||||
|
||||
###################
|
||||
##### OPTIONS #####
|
||||
###################
|
||||
|
@ -39,12 +36,15 @@ set optimization normal
|
|||
set skip on lo
|
||||
match in all scrub (no-df)
|
||||
|
||||
####################
|
||||
##### FILTRAGE #####
|
||||
####################
|
||||
###########################
|
||||
##### FILTRAGE GLOBAL #####
|
||||
###########################
|
||||
|
||||
# politiques par defaut
|
||||
# politique par defaut : on autorise l'icmp en entrée puis on ne filtre que le WAN en entrée, tout le reste est autorisé
|
||||
block log all
|
||||
pass out quick on $ext_if
|
||||
#pass on $lan_if
|
||||
pass in proto { icmp, icmp6 }
|
||||
|
||||
# filter rules and anchor for ftp-proxy(8)
|
||||
#anchor "ftp-proxy/*"
|
||||
|
@ -53,22 +53,21 @@ block log all
|
|||
#pass quick proto carp
|
||||
#pass quick on $pfsync_if proto pfsync
|
||||
|
||||
pass out
|
||||
# 5666 = nrpe
|
||||
# Autorisations pour Evolix
|
||||
pass in on $ext_if proto tcp from <evolix> to (self) port { ssh, 5666 }
|
||||
|
||||
# Block Attack
|
||||
# China 144.0.0.0/16 --> SSH
|
||||
block in on $ext_if proto tcp from 144.0.0.0/16 to any port ssh
|
||||
|
||||
# Autorisation des protocoles
|
||||
# Autorisation des protocoles en entrée
|
||||
pass in on $ext_if proto tcp to !(self) port $tcp_in
|
||||
pass in on $ext_if proto udp to !(self) port $udp_in
|
||||
|
||||
# FTP actif
|
||||
# pass in on $ext_if proto tcp from any port 20 to any port 1024:65535
|
||||
|
||||
|
||||
# Acces public
|
||||
pass in proto { icmp, icmp6 }
|
||||
###############################
|
||||
##### FILTRAGE SPECIFIQUE #####
|
||||
###############################
|
||||
|
||||
|
|
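Review bot: The `block in on $ext_if proto tcp from 144.0.0.0/16 to any port ssh` rule in the `@ -53,22 +53,21 @@` hunk is not marked `quick`, so under pf's last-matching-rule evaluation it only holds as long as no later `pass in` rule matches TCP/ssh from that range; a commit that reorders rules is exactly where that implicit dependency breaks. Making the intent explicit with `block in quick on $ext_if proto tcp from 144.0.0.0/16 to any port ssh` (or a comment stating that this block must stay after the `<evolix>` pass rule and that no later pass rule may match ssh) would make the policy independent of rule position. The same ordering caveat applies to `block log all` at the top of the `@ -39,12 +36,15 @@` hunk, which is the default only because every later `pass` rule overrides it; a one-line comment there, `# default policy: last matching rule wins, rules below override this block`, would help a reader who is reordering. It also looks like `pass in proto { icmp, icmp6 }` appears both under the default-policy comment and under `# Acces public`; if both survive on the new side the second is redundant and one should be dropped, though the lost +/- markers make this uncertain.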